Set up Azure Active Directory SSO with Cloudmore
by Louise Kearney, on Aug 30, 2019 12:39:05 PM
Cloudmore supports single sign-on (SSO) using SAML.
With SSO you have one central location to manage users and their level of access to Cloudmore, and advanced password rules or multifactor authentication (MFA) can be required there for every Cloudmore login.
This guide will help you to set up SSO with Microsoft Azure Active Directory (Azure AD).
To get started, you need the following items:
- An Azure AD subscription
- An account in Azure that allows you to create Azure Enterprise Applications
Each Cloud Service Broker must set up its own Azure Enterprise application within its own Azure AD. For each Enterprise application there is a manual step in which the Azure AD Federation Metadata is sent to Cloudmore.
An Azure user account must already have a corresponding account in Cloudmore to be able to use SSO. Access levels and permissions are all handled in Cloudmore.
The Cloudmore user account needs a username that matches the mail attribute in the SSO claim. You can either send the AD user's user.mail property or configure another attribute to be sent as the mail claim, as long as the value is formatted as an email address and matches the user's username in Cloudmore.
If you want to prevent your users from logging into Cloudmore directly with a password, assign long, complex passwords that you do not share with them.
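The matching rule above (mail claim present, formatted as an email address, equal to an existing Cloudmore username) is the usual reason an SSO login fails after setup. The following is an added example, not Cloudmore's or Microsoft's code, that parses a SAML assertion, pulls out the claim named in this guide and classifies the outcome before anyone tries to log in. The assertion is constructed inline with placeholder tenant id and addresses (signature elements omitted), and the case-insensitive username comparison is an assumption, since the page does not state Cloudmore's exact matching rule.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim name configured in the "User Attributes & Claims" step of this guide.
MAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail"
# Deliberately loose shape check: one "@", no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample assertion, not captured from Azure AD or Cloudmore. The issuer
# tenant id, NameID and addresses are placeholders; signature elements are omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail">
      <saml:AttributeValue>Alice@Example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_mail_claim(assertion_xml):
    """Return the value of the mail claim, or None if the assertion carries none."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == MAIL_CLAIM:
            value = attr.find("saml:AttributeValue", SAML_NS)
            if value is not None and value.text and value.text.strip():
                return value.text.strip()
    return None


def check_mail_claim(mail, cloudmore_usernames):
    """Classify why a login would succeed or fail, given the Cloudmore usernames that exist."""
    if mail is None:
        return "missing-claim"          # the claim was never added or the source attribute is empty
    if not EMAIL_RE.match(mail):
        return "not-an-email"           # e.g. an account name was mapped instead of an address
    # Assumption: usernames compare case-insensitively; the page does not state Cloudmore's rule.
    if mail.lower() not in {u.lower() for u in cloudmore_usernames}:
        return "no-matching-user"       # the Cloudmore account must exist before SSO works
    return "ok"


def precheck(assertion_xml, cloudmore_usernames):
    """End-to-end check: parse the assertion, then apply the matching rule."""
    return check_mail_claim(extract_mail_claim(assertion_xml), cloudmore_usernames)


if __name__ == "__main__":
    print(precheck(SAMPLE_ASSERTION, ["alice@example.org", "bob@example.org"]))
```

To use it against a real login, paste the decoded SAMLResponse assertion (for example from the browser's developer tools) in place of the constructed sample; the classification tells you whether to fix the claim mapping in Azure AD or the username in Cloudmore.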
Setting Up an Azure Enterprise Application
Before you begin, you need to get a SAML Metadata XML file from Cloudmore. You can get the SAML Metadata XML file by emailing: firstname.lastname@example.org.
1. Sign into the Azure portal (https://portal.azure.com).
2. On the left navigation pane, select Azure Active Directory.
3. Navigate to Enterprise Applications.
4. Click the New application button at the top.
5. Select the Non-gallery application option under Add your own app.
6. Enter a name for the Enterprise application, for instance Cloudmore, and click the Add button at the bottom.
7. Wait for the success message that tells you that your Enterprise application has been created.
8. Click the Users and groups option under Manage from the navigation pane.
9. Here you add the users that should already have access to this Enterprise application and use single sign-on. Add at least one user to test by clicking the Add user button at the top.
10. Click on the Users and groups option to select users.
11. Use the search tab to find the user you are looking for and add them by clicking on them. They will now show up under Selected members.
12. Click on the Select button at the bottom when you are done selecting members.
13. Click on the Assign button at the bottom to assign the selected users to the Enterprise application.
14. Click the Single sign-on option under Manage from the navigation panel.
15. Click the SAML option.
16. Click on the Upload metadata file.
17. Select the Cloudmore Metadata XML file that you received from email@example.com and click on the Add button.
18. In the Basic SAML Configuration click on Save at the top.
19. Click on the X in the top right corner to close the Basic SAML Configuration.
20. If you get a message to Test single sign-on, click on No, I’ll test later as we have a few steps left.
21. Scroll down to section 2, User Attributes & Claims, and click the pen (edit) icon.
22. Click the Add new claim button at the top.
23. In the Name field enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail and select user.mail from the Source attribute dropdown.
24. Click the Save button at the bottom.
25. Click the X at the top right corner to close User Attributes & Claims. If prompted to test single sign-on, click No, I’ll test later again.
26. Scroll down to section 4, Set up Cloudmore (if you chose another name for your Enterprise application in step 6, that name is shown instead), and click the copy button next to Azure AD Identifier. This value must be entered in Cloudmore.
27. Now use a separate tab to log into Cloudmore.
28. Navigate to the Cloud Service Broker or organization that should be enabled for SSO and go to the Security center.
29. Scroll down to the SSO section and click the checkbox named Enable saml sso.
30. In the Identity Provider entityID, enter the value you copied from the Azure AD identifier from step 26.
31. Click on the Update button to save your changes.
32. Go back to the Azure portal tab.
33. In section 3, SAML Signing Certificate, click Download next to Federation Metadata XML.
34. Your federation metadata XML will start to download. This file needs to be sent to firstname.lastname@example.org to get you set up in Cloudmore.
35. Once we have confirmed that your Federation Metadata XML has been set up you can proceed to testing.
Now everything should be set up and working. There are several ways to test your SSO setup: go back to the Azure portal and click the Test button at the bottom of the single sign-on page, or go to the Cloudmore login page, click Log in via your home company and enter your username.
Microsoft has a browser extension which allows you to quickly sign into Enterprise applications. Useful links and information on Microsoft’s browser add-ons can be found here.