
Azure Active Directory for SSO

Using the Azure AD SAML Toolkit gallery application, you can set up SAML single sign-on (SSO) in Privacera Manager for Azure AD users. Once SSO is configured, the Privacera Portal login page shows an additional SSO button labelled Azure AD Login.

Prerequisites

SAML SSO requires HTTPS: configure and enable SSL for the Privacera Portal before you start, because the Reply URL and Sign-on URL you register in Azure AD are https URLs and the portal must be reachable at them.

Configuring SSO with Azure AD in the Azure portal

  1. Log in to the Azure portal.

  2. On the left navigation pane, select the Azure Active Directory service.

  3. Navigate to Enterprise Applications and then select All Applications.

  4. Do one of the following:

    To add a new application, select New application.

    Or

    If you have an existing Azure AD SAML Toolkit application, select it, and then go to step 8 to continue with the rest of the configuration.

  5. In the Add from the gallery section, type Azure AD SAML Toolkit in the search box.

  6. Select Azure AD SAML Toolkit from the results panel and then add the app.

  7. On the Azure AD SAML Toolkit application integration page, in the Manage section, select Single sign-on.

  8. On the Select a single sign-on method page, select SAML.

  9. Click the pen icon for Basic SAML Configuration to edit the settings.

  10. On the Basic SAML Configuration page, enter the values for the following fields, and then click Save. You can choose any unique name for the Entity ID, but the same string must later be set as SAML_ENTITY_ID in Privacera Manager; ${APP_HOSTNAME} is the public hostname of the Privacera Portal.

    • Entity ID = privacera-portal
    • Reply URL = https://${APP_HOSTNAME}:6868/saml/SSO
    • Sign-on URL = https://${APP_HOSTNAME}:6868/login.html
  11. In the SAML Signing Certificate section, find Federation Metadata XML and select Download. Save the file on the machine where Privacera Manager runs. This metadata carries the certificate Azure AD uses to sign SAML responses; if that certificate is rotated in Azure later, download the metadata again and repeat the Privacera Manager steps below, otherwise the portal rejects the signed responses.

  12. In the Manage section, select Users and groups.

  13. In the Users and groups dialog, select the users or groups who should be allowed to log in with SSO, then click Select. Only assigned users and groups can authenticate to the portal through Azure AD.

Configuring SSO in Privacera Manager

  1. In a command-line terminal, run the following commands. They copy the vars.portal.saml.aad.yml file from the sample-vars folder to the custom-vars folder.

    cd ~/privacera/privacera-manager/
    cp config/sample-vars/vars.portal.saml.aad.yml config/custom-vars/
    
  2. Open and modify the vars.portal.saml.aad.yml file.

    vi config/custom-vars/vars.portal.saml.aad.yml
    

    Set SAML_ENTITY_ID to exactly the Entity ID you entered in step 10 of the Azure portal section; the two values must match character for character. For property details and descriptions, click here.

    # These variables configure SSO with Azure AD
    # Note: update all mandatory fields. Search for <PLEASE_CHANGE>
    
    SAML_ENTITY_ID: "privacera-portal"
    
    SAML_BASE_URL: "https://{{app_hostname}}:6868"
    PORTAL_UI_SSO_ENABLE: "true"
    PORTAL_UI_SSO_URL: "saml/login"
    PORTAL_UI_SSO_BUTTON_LABEL: "Azure AD Login"
    AAD_SSO_ENABLE: "true"
    
  3. Rename the downloaded Federation Metadata XML file to privacera-portal-aad-saml.xml (the name must match exactly). Copy this file to the ~/privacera/privacera-manager/ansible/privacera-docker/roles/templates/custom folder.

  4. Run the following command.

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
    
  5. If Privacera is deployed in an Azure Kubernetes Service environment, also restart the portal so it picks up the new SSO configuration.

    ./privacera-manager.sh restart portal
    

Validation

Go to the login page of the Privacera Portal. You will see the Azure AD Login button.
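Before running the update, it is worth cross-checking the two artefacts the procedure produces: the Federation Metadata XML from Azure AD and the vars.portal.saml.aad.yml you edited. The script below is an added example written for this page; it is not part of Privacera Manager or its documentation. It parses the IdP metadata (entityID, signing certificate, SSO endpoints), reads the flat `KEY: "value"` lines of the vars file, derives the Reply URL and Sign-on URL that must appear on the Azure Basic SAML Configuration page from SAML_BASE_URL, and reads the signing certificate's notAfter date with a small DER walk so an expired or soon-to-expire Azure AD certificate is caught before SSO silently stops working. The metadata, the unsigned placeholder certificate and the hostname `portal.example.internal` are constructed samples; the file paths and variable names are the ones used in the steps above.

```python
# Added pre-flight check for the Azure AD <-> Privacera Portal SAML wiring.
# Example code, not part of Privacera Manager; stdlib only; inputs are constructed.
import base64
import datetime as dt
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
UTC = dt.timezone.utc


def der_read(buf, pos):
    """Read one DER TLV; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def cert_not_after(der):
    """notAfter of a DER X.509 cert: Certificate -> tbsCertificate -> validity."""
    _, cert, _ = der_read(der, 0)
    _, tbs, _ = der_read(cert, 0)
    tag, _, pos = der_read(tbs, 0)          # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = der_read(tbs, pos)      # serialNumber
    _, _, pos = der_read(tbs, pos)          # signature AlgorithmIdentifier
    _, _, pos = der_read(tbs, pos)          # issuer
    _, validity, _ = der_read(tbs, pos)
    _, _, pos = der_read(validity, 0)       # notBefore
    tag, when, _ = der_read(validity, pos)  # notAfter: UTCTime (0x17) or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(when.decode(), fmt).replace(tzinfo=UTC)


def parse_idp_metadata(xml_text):
    """Pull entityID, signing certs (DER) and SSO endpoints out of IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    certs = [base64.b64decode("".join(c.text.split()))
             for kd in idp.iterfind(f"{{{MD}}}KeyDescriptor")
             if kd.get("use", "signing") == "signing"
             for c in kd.iterfind(f".//{{{DS}}}X509Certificate")]
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.iterfind(f"{{{MD}}}SingleSignOnService")}
    return {"entity_id": root.get("entityID"), "certs": certs, "sso": sso}


def parse_vars(yaml_text):
    """Minimal reader for the flat KEY: "value" lines of vars.portal.saml.aad.yml."""
    pairs = re.findall(r'^\s*([A-Z0-9_]+):\s*"?([^"#\n]*?)"?\s*(?:#.*)?$', yaml_text, re.M)
    return {k: v.strip() for k, v in pairs}


def check_sso_wiring(metadata_xml, vars_yaml, hostname, now):
    """Return the values the Azure side must carry plus a list of problems (empty = consistent)."""
    md, cfg, problems = parse_idp_metadata(metadata_xml), parse_vars(vars_yaml), []
    base = cfg.get("SAML_BASE_URL", "").replace("{{app_hostname}}", hostname)
    if not base.startswith("https://"):
        problems.append("SAML_BASE_URL is not https; SSL on the portal is a prerequisite")
    if not cfg.get("SAML_ENTITY_ID"):
        problems.append("SAML_ENTITY_ID is empty; it must equal the Entity ID set in Azure")
    for key in ("PORTAL_UI_SSO_ENABLE", "AAD_SSO_ENABLE"):
        if cfg.get(key, "").lower() != "true":
            problems.append(f'{key} is not "true"')
    if not set(md["sso"]) & {REDIRECT, POST}:
        problems.append("IdP metadata has no HTTP-Redirect/HTTP-POST SingleSignOnService")
    if not md["certs"]:
        problems.append("IdP metadata carries no signing certificate")
    expiries = [cert_not_after(c) for c in md["certs"]]
    for exp in expiries:                    # Azure AD signing certs expire; catch it early
        if exp <= now:
            problems.append(f"IdP signing certificate expired {exp:%Y-%m-%d}; rotate in Azure, re-download metadata")
        elif exp - now < dt.timedelta(days=30):
            problems.append(f"IdP signing certificate expires {exp:%Y-%m-%d}")
    return {"entity_id_for_azure": cfg.get("SAML_ENTITY_ID"),
            "reply_url_for_azure": f"{base}/saml/SSO",
            "sign_on_url_for_azure": f"{base}/login.html",
            "idp_entity_id": md["entity_id"], "cert_not_after": expiries, "problems": problems}


# Constructed, unsigned X.509 skeleton (v3, serial 1, sha256WithRSA OID, empty issuer,
# validity 2024-07-01..2027-06-30): just enough structure for cert_not_after().
PLACEHOLDER_CERT = bytes.fromhex(
    "3049" "3037" "A003020102" "020101" "300B06092A864886F70D01010B" "3000"
    "301E" "170D3234303730313030303030305A" "170D3237303633303030303030305A"
    "300B06092A864886F70D01010B" "030100")
TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID
# Constructed sample shaped like Azure AD federation metadata (real files are signed, much longer).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
      <X509Certificate>{base64.b64encode(PLACEHOLDER_CERT).decode()}</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
# The variables from the procedure above, as they appear in the sample vars file.
SAMPLE_VARS = """SAML_ENTITY_ID: "privacera-portal"
SAML_BASE_URL: "https://{{app_hostname}}:6868"
PORTAL_UI_SSO_ENABLE: "true"
PORTAL_UI_SSO_URL: "saml/login"
PORTAL_UI_SSO_BUTTON_LABEL: "Azure AD Login"
AAD_SSO_ENABLE: "true"
"""

if __name__ == "__main__":
    report = check_sso_wiring(SAMPLE_METADATA, SAMPLE_VARS, "portal.example.internal",
                              dt.datetime(2024, 1, 15, tzinfo=UTC))
    for key, value in report.items():
        print(f"{key}: {value}")
```

To use it against a real deployment, read `privacera-portal-aad-saml.xml` and `config/custom-vars/vars.portal.saml.aad.yml` into the two string arguments and pass the portal hostname and `datetime.now(timezone.utc)`; compare `reply_url_for_azure` and `sign_on_url_for_azure` with what you typed into the Basic SAML Configuration page, and treat any entry in `problems` as something to fix before `./privacera-manager.sh update`. The DER walk deliberately reads only the validity fields; it is not a certificate validator, and the portal itself still verifies response signatures against the metadata.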

Configure SAML Assertion Attributes

By default, the portal reads the following user attributes from the SAML assertion, using pre-defined attribute names:

  • Email
  • Username
  • Firstname
  • Lastname

If your Azure AD application emits these claims under different attribute names, you can override the names the portal looks for. To do that, do the following:

  1. Run the following commands.

    cd ~/privacera/privacera-manager/
    cp config/sample-vars/vars.portal.yml config/custom-vars/
    vi config/custom-vars/vars.portal.yml
    
  2. Add the following properties and set each to the attribute name (claim name) that Azure AD sends in the assertion for that field. For more information on custom properties and their values, click here.

    SAML_EMAIL_ATTRIBUTE: ""
    SAML_USERNAME_ATTRIBUTE: ""
    SAML_LASTNAME_ATTRIBUTE: ""
    SAML_FIRSTNAME_ATTRIBUTE: ""
    
  3. Apply the change with a Privacera Manager update.

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
    

Last update: July 23, 2021