Configuring SAML SSO for Active Directory Users

Typically, user accounts imported from Active Directory (AD) into PAM360 will have their login names stored in the following format: Loginname. Therefore, when you set up SAML Single Sign-on (SSO) for AD users, you can set the Windows account name as the incoming claim type to match the default login format.

This method will work for all types of SAML SSO identity providers. As an example, we have provided the steps to configure this in the Microsoft Entra ID portal.

Consider the following scenario:
Let's assume you need to configure Microsoft Entra ID SAML SSO for users imported from Active Directory. In this case, the default login name of the AD users will be in the format Loginname. During an Azure SAML response, however, PAM360 reads the user's email address (the NameID sent by Entra ID) as their login name. This login name format mismatch creates a conflict during the Microsoft Entra ID SAML SSO process and the authentication cannot complete, which makes it difficult for administrators to adopt Microsoft Entra ID SAML SSO as a viable SAML authentication method for AD users.

To overcome this challenge, populate a custom attribute in your AD with the 'Loginname' value, sync that attribute to Microsoft Entra ID, and have Entra ID send it as a dedicated claim that PAM360 reads instead of the NameID. This can be achieved in three simple steps:

  1. Set up a custom attribute
  2. Set up a claim in the Azure portal
  3. Edit the system properties file and complete the configuration

1. Set up a Custom Attribute

  1. In Active Directory Users and Computers, enable View > Advanced Features, go to the OU which the required users are a part of, open the user object and go to Properties.
  2. Under the Attribute Editor tab, find the custom attribute that will carry the value in the format: Loginname. If it does not have a value yet, set one. This attribute must be synchronized to Microsoft Entra ID (for example by Microsoft Entra Connect) so that it can be referenced as a parameter in the Azure portal in the next step.
  3. Save and apply the changes, and confirm that the attribute value appears on the user in Microsoft Entra ID after the next sync cycle.
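Setting the attribute by hand for every user in the OU does not scale and invites typos that will later show up as failed logins. The following PowerShell is an added example, not part of the PAM360 documentation, that populates the custom attribute with each user's Windows login name (sAMAccountName) for a whole OU and then reports any user whose attribute still does not match. The attribute name (extensionAttribute1) and the OU distinguished name are assumptions; replace them with the attribute and OU you chose.

```powershell
# Added example (not from the PAM360 documentation): fill a custom AD attribute
# with each user's Windows login name so Entra ID can send it as a claim.
# Assumptions (not stated on the page): the custom attribute is extensionAttribute1
# and the users live in "OU=PAM360 Users,DC=corp,DC=example". Adjust both.
Import-Module ActiveDirectory

$SearchBase = 'OU=PAM360 Users,DC=corp,DC=example'
$Attribute  = 'extensionAttribute1'

$users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties $Attribute

foreach ($u in $users) {
    # sAMAccountName is the "Loginname" part of the Windows account name,
    # i.e. the value PAM360 stores as the login name for an imported AD user.
    $loginName = $u.SamAccountName
    if ($u.$Attribute -ne $loginName) {
        # -Replace overwrites an existing value or creates the value if absent.
        Set-ADUser -Identity $u -Replace @{ $Attribute = $loginName }
        Write-Host "Set $Attribute=$loginName on $($u.DistinguishedName)"
    }
}

# Verification: anything listed here will still fail SSO after the sync.
Get-ADUser -SearchBase $SearchBase -Filter * -Properties $Attribute |
    Where-Object { $_.$Attribute -ne $_.SamAccountName } |
    Select-Object SamAccountName, $Attribute
```

Run it from a host with the RSAT ActiveDirectory module as an account allowed to write the attribute; add -WhatIf to the Set-ADUser call for a dry run first. The value written must be synchronized to Microsoft Entra ID before the claim in the next step can pick it up.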

2. Set up a Claim in the Azure Portal

Once you have added the custom attribute, proceed with the below steps to set up a claim for the NameID in the Microsoft Entra ID Portal.

  1. Log in to the Microsoft Entra ID portal and navigate to the PAM360 Enterprise Application.
  2. Navigate to Single sign-on under Manage and click the edit icon in the Attributes & Claims section to create a new user attribute that matches the username in PAM360.
  3. In the window that opens, click Add new claim.
  4. In the Manage claim window, enter the following attributes:
    1. In the Name field, enter the name that needs to be customized - AzureNameId. This same name must be added as the SAML attribute in the system properties file in step 3 below.
    2. Under Manage transformation, select the transformation, enter the domain name as Parameter 1 and the custom attribute you set up in step 1 as Parameter 2. Save your changes.

3. Edit the System Properties File and Complete the Configuration

Once you create the new user attribute in the Microsoft Entra ID portal for the PAM360 Enterprise application, follow the below steps for the custom attribute configuration to be complete:

  1. Stop the PAM360 service.
  2. Rename the existing logs folder in the PAM360 installation directory to 'logs.old' so that a fresh log is written for the first SSO attempts after the change.
  3. Open the system_properties.conf file found in the <PAM360_installation_directory>\conf folder. Scroll down to the bottom and add a new entry saml.attribute.nameId=AzureNameId. The attribute name mentioned here must be exactly the same (including case) as the claim name added in the Manage claim window. Save the file.

Now, the custom attribute configuration is complete. Start the PAM360 service and configure Microsoft Entra ID SAML SSO as usual.
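If SSO still fails after these steps, the quickest way to tell whether the problem is on the Entra ID side (claim missing or wrong value) or the PAM360 side (property name mismatch) is to look at what the identity provider actually sent. The following PowerShell is an added example, not part of the PAM360 documentation: it decodes a SAMLResponse value (the form field posted back to PAM360, which you can copy from the browser developer tools) and pulls out the NameID and the AzureNameId attribute so you can compare them with the user's PAM360 login name. The embedded response is a constructed, unsigned sample for illustration only; the claim name AzureNameId is the one used on this page, and the expected login name jdoe is an assumption.

```powershell
# Added example (not from the PAM360 documentation): inspect a SAMLResponse to
# confirm the custom claim is present and carries the expected login name.
# This is a diagnostic only: it does not validate the XML signature, so use it
# to read what the IdP sent, never as a substitute for PAM360's own checks.

function Get-SamlLoginClaims {
    param(
        [Parameter(Mandatory)] [string] $SamlResponseB64,   # raw SAMLResponse form value
        [Parameter(Mandatory)] [string] $AttributeName      # e.g. 'AzureNameId'
    )
    # If copied from a raw POST body the value may still be URL-encoded.
    $b64 = [Uri]::UnescapeDataString($SamlResponseB64)
    $xmlText = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($xmlText)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')

    $nameId = $doc.SelectSingleNode('//saml:Subject/saml:NameID', $ns)
    $attr   = $doc.SelectSingleNode("//saml:Attribute[@Name='$AttributeName']/saml:AttributeValue", $ns)

    [pscustomobject]@{
        NameID        = if ($nameId) { $nameId.InnerText } else { $null }
        AttributeName = $AttributeName
        AttributeVal  = if ($attr)   { $attr.InnerText }   else { $null }
    }
}

# Constructed sample (not a real tenant's response): minimal, unsigned assertion.
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@corp.example</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="AzureNameId">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"@
$sampleB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))

$expectedLogin = 'jdoe'   # assumed PAM360 login name of the test user
$claims = Get-SamlLoginClaims -SamlResponseB64 $sampleB64 -AttributeName 'AzureNameId'
$claims | Format-List

if ($null -eq $claims.AttributeVal) {
    Write-Warning "Claim 'AzureNameId' not in the response: check the claim name in Entra ID."
} elseif ($claims.AttributeVal -ne $expectedLogin) {
    Write-Warning "Claim value '$($claims.AttributeVal)' does not match PAM360 login '$expectedLogin': check the AD attribute and sync."
} else {
    Write-Host "Claim matches. If login still fails, check saml.attribute.nameId in system_properties.conf."
}
```

In a real capture the NameID will be the email address/UPN that caused the mismatch in the first place, while the AzureNameId attribute should show the bare login name; if the attribute is absent or empty, the fix is in Entra ID or the AD sync, and if it is correct, the remaining suspect is the spelling of the saml.attribute.nameId entry.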
