Configure Azure Active Directory as a SAML Identity Provider

Pivotal Web Services End of Availability Announced
For more information, see Frequently Asked Questions.

This topic describes how to set up Azure Active Directory (AD) as your identity provider by configuring SAML integration in both Pivotal Web Services (PWS) and Azure AD.

Set Up SAML in PWS

  1. Log in to the Single Sign-On (SSO) dashboard at https://p-identity.run.pivotal.io as a Plan Administrator.

  2. Select your plan and click Manage Identity Providers on the drop-down menu.

    Azure manage id providers

  3. Click Configure SAML Service Provider.

    Azure config saml service provider

  4. (Optional) Select Perform signed authentication requests to enforce SSO private key signature and identity provider validation.

    Saml auth checkbox

  5. (Optional) Select Require signed assertions to validate the origin of signed responses.

  6. Click Download Metadata to download the service provider metadata.

  7. Click Save.

Set Up SAML in Azure Active Directory (AD)

  1. Log in to Azure AD as a Global Administrator at https://portal.azure.com/.

  2. Navigate to Azure Active Directory tab > Enterprise application.

    Azure create ent app

  3. Select Non-gallery application. Provide a name and click Add.

    Azure nongallery app

  4. Navigate to Azure Active Directory > Enterprise applications.

    Azure manage ent app

  5. Click your application and then click the Single sign-on tab.

  6. Select SAML-based Sign-on from the dropdown and then click Upload metadata file to upload the metadata file you downloaded from step 6 of Set Up SAML in PWS.

    Azure samlbased signon

  7. Record the App Federation Metadata Url. You need this for setting up the SSO identity provider configurations. For more infomation, see Setting up SAML.

  8. Provide a Notification Email and click Save.

    Azure app fed metadata url

  9. Navigate to Users and groups tab and then click Add User .

    Azure users groups

  10. Select users or group names from the dropdown. For example, you can add a group that includes all users that should be able to login to the SSO plan.

    Azure add user

Set Up Claims Mapping

  1. Navigate to Azure Active Directory > App registration. Click your application.

    Azure app registration

  2. To enable user attribute mappings, do the following:

    1. Select the View and edit all other user attributes checkbox under the User Attributes header.
    2. Modify the attributes.

    For more information, see How to: Customize claims issued in the SAML token for enterprise applications.

    Azure user attributes

  3. To pass group membership claims to the application, do the following:

    1. Click Manifest.
    2. Locate groupMembershipClaims and set the value to one of the following:
      • SecurityGroup. Groups claim will contain identifiers of all security groups of which the user is a member.
      • All. Groups claim will contain the identifiers of all security groups and distribution lists of which the user is a member.
    3. Save the change.

    For more information, see How to: Customize claims issued in the SAML token for enterprise applications.

    Azure edit manifest

  4. Navigate to Azure Active Directory > Groups.

  5. For each group that is used by the SSO plan, record the Object ID. Azure AD will pass the Object ID of these groups to the SSO plan. For more information, see Configure Group Permissions.

    Azure object id