Configuring SAML Single Sign-On (SSO) for Azure AD Users

Overview

You can set up SAML single sign-on (SSO) in Password Manager Pro for Azure AD users. This document also details steps to enable multi-factor authentication (MFA) in the Microsoft Azure portal. 

Prerequisite

Before setting up SAML SSO, follow the steps provided here to import Azure AD users into Password Manager Pro (PMP).

Steps to Configure SAML SSO for Azure AD Users

  1. Adding an enterprise application in the Azure portal
  2. Assigning Azure users to the enterprise application
  3. Configuring SAML SSO with Password Manager Pro

Steps to Enable MFA and Set up First Login for Azure AD Users

Note: Enabling MFA for Azure AD users in the Microsoft Azure portal is optional and is independent of the SAML SSO configuration.

  1. Enabling multi-factor authentication for Azure users
  2. Assigning Azure users to the Enterprise Application
  3. Setting up the first login for the MFA-enabled Azure users

Steps to Configure SAML SSO for Azure AD Users

Detailed below are the steps to configure SAML SSO in Password Manager Pro for Azure AD users in the Microsoft Azure portal.

1. Adding an Enterprise Application in the Azure Portal

  1. Login to the Microsoft Azure portal through the URL https://portal.azure.com.


  2. Click Azure Active Directory from the left most pane. Under Manage tab select Enterprise Applications.

  3. Click New Application available at the top of the Enterprise Applications page.


  4. You will be taken to the All Applications page which lists the applications from which you can choose and add. In the search bar, type "SAML" and press enter.


  5. From the search results, click SAML 1.1 Token enabled LOB App. The application will open in a minimized window on the right pane.

  6. Click the square icon at the right top corner to maximize the app window. Edit the name as PMP SAML 1.1 SSO and click Add.



  1. PMP SAML 1.1 SSO will be added as the Enterprise Application successfully.

2. Assigning Azure Users to the Enterprise Application

  1. Under Manage on the left pane, select Users and Groups and click Add User at the top.


  2. In the Add Assignment pane, click None Selected to open up a list of users. Select the required users and then click the Select option at the bottom.



  3. After the required users have been selected, click Assign to assign them to the enterprise application.


3. Configuring SAML SSO with Password Manager Pro

  1. Under Manage tab on the left pane, click Single sign-on. In the Select a single sign-on method window, select SAML.


  2. To set up single sign-on with SAML, you need to provide basic SAML configuration details here such as Identifier (entity ID) and Sign on URL.


  3. You can get the Entity ID and Sign on URL from the Password Manager Pro interface.

    3.1 Once logged into Password Manager Pro, navigate to Admin >> Authentication >> SAML Single Sign On.

    3.2 Under 1. Service Provider Details, you will find Entity Id and Assertion Consumer URL; copy both the values.



  4. Go back to the Azure portal, click the edit icon to edit the Basic SAML Configuration details.
    Enter the Entity Id from Password Manager Pro under Identifier (Entity ID) and enter the Assertion Consumer URL under the Sign on URL. Click Save.

  1. Now the SAML configuration details taken from Password Manager Pro will be saved in the Azure portal.
  2. In the SAML configuration settings window, scroll down and go to the SAML Signing Certificate section and download the XML file named Federation Metadata XML.



  1. Go back to the Password Manager Pro interface, navigate to Admin >> Authentication >> Configure SAML Single sign-on.
  2. Under 2. Configure Identity Provider Details, select Upload idP metadata file, browse for the Federation Metadata XML file previously downloaded from the Azure portal and click Upload. Azure SAML SSO settings will now be saved in Password Manager Pro.



  1. Refresh the current page in Password Manager Pro. Now, under 3. Import IdP's Certificate, you will see the Current Certificate details such as Issuer, Subject, and Serial Number. Click Save.
  2. For the Azure SAML to function properly, go to the path:  <PMP_Installation_Directory\PMP\conf\system_properties.conf> and verify if the below mentioned system properties are available in the conf file. If not, append them below the existing properties.
  3. saml.redirect.idpprotocolbindingpost=true 
    saml.authcontext.comparison.exact=true 
    saml.AuthreqForceAuthn=false 
    saml.nameidFormat=unspecified 
    saml.idp.version=1.1 
    saml.authnContextClassRef=Password
     

  4. Once the properties are added, restart the PMP server for the changes to take effect.
  5. Finally, under 4. Enable/Disable SAML Single Sign On, click Enable Now to activate the SAML SSO.


  6. To validate if the single sign-on works, go to the Azure portal, click Validate under Validate single sign on with PMP SAML 1.1 SSO.


Steps to Enable MFA and Set up First Login for Azure AD Users

Below are detailed steps to activate MFA for Azure AD users in the Microsoft portal and to set up their first login.

1. Enabling Multi-factor Authentication for Azure AD Users

  1. Login to the Microsoft Azure portal through the URL https://portal.azure.com
  2. Select Azure Active Directory from the left pane.


  3. Under the Manage tab, select Users.
  4. Here, click the Multi-Factor Authentication option at the top. Now you will see the list of users populating in a new browser window.

  5. Select the user(s) for whom you want to enable MFA and click the Enable option on the right pane.

  6. In the pop-up box, click the enable multi-factor auth button to complete the set up.

2. Assigning Azure Users to the Enterprise Application

  1. Select Azure Active Directory from the left pane and under the Manage tab, select Enterprise applications.


  2. Search for your enterprise SAML application and select it.
  3. Select Users and groups from the left pane and click the Add User option at the top.


  4. In the Add Assignment pane, click None Selected to open up a list of users. Select the required users and then click the Select option at the bottom.


  5. After the required users have been selected, click Assign in the left pane to assign them to the enterprise application.

3. Setting Up First Login for the MFA-enabled Azure Users

3.1 Prerequisite

You need to have the Microsoft Authenticator app installed in your phone for additional security verification.

3.2 Steps Required

Below steps are for users to set up their first login and multi-factor authentication using the Microsoft Authenticator app.

  1. Login to the Microsoft Azure portal - https://portal.azure.com
  2. Once you login, you will be redirected to the Additional security verification screen. Here, select Mobile app from the drop-down menu and select Receive notifications for verification. Click Next.


  3. Open up the Microsoft Authenticator app on your phone and scan the QR code shown; click Next.
  4. Select your country and enter the mobile number. Click Next.


  5. You will get a password for your first login in this window. Copy and save the password securely and click Done.
  6. The first login set up is complete. Now when you try to log into your Azure account for the first time, you will get a notification to your mobile device to verify the authenticity of your login attempt.

©2014, ZOHO Corp. All Rights Reserved.

Top