Integrating Microsoft Azure (Microsoft Entra ID) as an Identity Provider with SOTI Connect for Single Sign-On

Publish Date: 11-Jun-2024 Last Modified Date: 16-May-2025 SOTI Connect

Summary

This article documents the necessary steps to integrate Microsoft Azure as an IDP Service into SOTI Connect.

Related SOTI ONE Platform Products

SOTI Connect

Related Device OS

Zebra Printer

Situation

By using Microsoft Azure (Microsoft Entra ID) as your identity and access management tool, you can simplify access management for the SOTI Connect application by taking advantage of SOTI's SAML 2.0 IDP integration feature.

Environment

This applies to SOTI Connect 2.3.0 and above.

Process Description

Requirements:

- You must be an Azure Tenant Administrator.

- A Premium P1 or higher license is required to assign groups to the application within Azure.

Steps:
To integrate Azure as an IDP, there are four stages involved:

- Setting up the SAML Configuration in the Azure portal.
- Assigning the SOTI Connect Application to Groups in the Azure portal.
- Adding the IDP connection in SOTI Connect.
- Importing groups onto the SOTI Connect console and granting them access roles.


Setting up the SAML Configuration in the Azure portal

1. On the Azure Portal, navigate to the Enterprise Applications page.

2. Select New application.

3. Search for and select the Microsoft Entra SAML Toolkit application.

4. Upon clicking the Microsoft Entra SAML Toolkit application, a sidebar appears. Give the application a relevant name and select Create.

5. Once the application is created, select Set up single sign-on.

6. Select SAML.

7. Edit the Basic SAML Configuration section.

8. A sidebar appears when you edit the Basic SAML Configuration. Modify the following fields:

Identifier (Entity ID): https://xxx.soticonnect.com/Connect/Connect_entity
Reply URL (Assertion Consumer Service URL): https://xxx.soticonnect.com/Connect/api/identitylogin
Sign on URL: https://xxx.soticonnect.com/Connect/login
Relay State (Optional): N/A

9. Additionally, enter the following value for the Logout URL field and save the Basic SAML Configuration:

Logout URL (Optional): https://xxx.soticonnect.com/Connect/api/samllogout

Note: In each of the values above, replace xxx.soticonnect.com with the DNS name of your Connect server.

10. Edit the Attributes and Claims section.

11. Modify the following claim names according to the existing source attributes:

Note: All values are case-sensitive.

a. Rename the claim for the user.givenname source attribute to FirstName and remove the namespace value.

b. Rename the claim for the user.mail source attribute to Email and remove the namespace value.

c. Rename the claim for the user.surname source attribute to LastName and remove the namespace value.

d. Rename the claim for the user.userprincipalname source attribute to UserName and remove the namespace value.

12. Select Add a new claim.

13. Give it the claim name UserIdRef and select user.objectid as the source attribute.

14. Add a group claim and select Groups assigned to the application as the group claim type. Additionally, set sAMAccountName as its source attribute and select Emit group name for cloud-only groups.

15. Select Advanced options for the group claim, customize the name of the group claim by setting it to MemberOf, and save.

16. Edit the Advanced SAML claims options.

17. A sidebar appears when you edit the Advanced SAML Claims options. Enable Include attribute name format and save.

18. Once the changes above have been made to the SAML configuration, download the Federation Metadata XML file.
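The claim names and URLs configured in steps 8 through 17 are easy to get subtly wrong: a claim left in its URI form, an Email claim entered in lowercase, or an Entity ID that does not match the Connect host. As an added example that is not part of this SOTI article and is not SOTI or Microsoft code, the following Python script checks a decoded SAML assertion against that layout: Audience and Recipient derived from the Connect host, the six expected claim names present with exact case and without a namespace, a NameFormat on every attribute (what Include attribute name format controls), and a populated MemberOf group claim. The sample assertion, the host connect.example.com (standing in for xxx.soticonnect.com), the tenant-ID placeholder in the Issuer and the group names are all constructed for the example, not captured from Entra ID; substitute a decoded assertion from a test login against your own tenant.

```python
"""Check a SAML assertion against the claim layout this article configures in
Entra ID for SOTI Connect.  Added example; not SOTI or Microsoft code."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names SOTI Connect expects (steps 11-15); the article says they are case-sensitive.
REQUIRED_CLAIMS = ("FirstName", "Email", "LastName", "UserName", "UserIdRef", "MemberOf")


def connect_endpoints(host):
    """URLs the article has you enter in Basic SAML Configuration (steps 8-9) for a Connect host."""
    base = f"https://{host}/Connect"
    return {
        "entity_id": f"{base}/Connect_entity",
        "acs_url": f"{base}/api/identitylogin",
        "sign_on_url": f"{base}/login",
        "logout_url": f"{base}/api/samllogout",
    }


def check_assertion(xml_text, host):
    """Return a list of findings; an empty list means the assertion matches the article's layout."""
    expected = connect_endpoints(host)
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]

    # Audience must equal the Identifier (Entity ID) from step 8.
    audience = assertion.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected["entity_id"]:
        findings.append(f"Audience {audience!r} != Entity ID {expected['entity_id']!r}")

    # Recipient must equal the Reply URL (ACS URL) from step 8.
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected["acs_url"]:
        findings.append(f"Recipient {recipient!r} != Reply URL {expected['acs_url']!r}")

    attrs = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        attrs[name] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        # Step 11 removes the namespace, so a claim Name that is still a URI is a misconfiguration.
        if "/" in name or ":" in name:
            findings.append(f"claim {name!r} still carries a namespace")
        # Step 17 (Include attribute name format): every Attribute should carry a NameFormat.
        if attr.get("NameFormat") is None:
            findings.append(f"claim {name!r} has no NameFormat; enable 'Include attribute name format'")

    for claim in REQUIRED_CLAIMS:
        if claim not in attrs:
            near = [n for n in attrs if n.lower() == claim.lower()]
            hint = f" (found {near[0]!r}; claim names are case-sensitive)" if near else ""
            findings.append(f"missing claim {claim!r}{hint}")

    if "MemberOf" in attrs and not attrs["MemberOf"]:
        findings.append("MemberOf carries no groups; check the application's user/group assignment")
    return findings


def groups_from_assertion(xml_text):
    """Values SOTI Connect would import from MemberOf: group names, or Object IDs when that option is unchecked."""
    root = ET.fromstring(xml_text)
    return [v.text for v in root.findall(".//saml:Attribute[@Name='MemberOf']/saml:AttributeValue", NS)]


# Constructed sample, not a captured Entra response.  connect.example.com stands in for xxx.soticonnect.com;
# the tenant ID in the Issuer and all user/group values are placeholders.
SAMPLE_HOST = "connect.example.com"
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0"
                IssueInstant="2025-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://connect.example.com/Connect/api/identitylogin"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://connect.example.com/Connect/Connect_entity</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="UserName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="UserIdRef" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Connect-Admins</saml:AttributeValue>
      <saml:AttributeValue>Printer-Operators</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

if __name__ == "__main__":
    for line in check_assertion(SAMPLE_ASSERTION, SAMPLE_HOST) or ["assertion matches the article's claim layout"]:
        print(line)
    print("groups to import:", groups_from_assertion(SAMPLE_ASSERTION))
```

The NameFormat check only requires that the attribute is present, not a particular value, because presence is what Include attribute name format controls. Run the script with a wrong host, or lowercase one claim name in the sample, to see the findings the check produces; the MemberOf values it lists are exactly what SOTI Connect matches against the group names (or Object IDs) you add in the final section.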
Assigning the SOTI Connect Application to Users/Groups in the Azure portal

1. Navigate back to the enterprise application overview page and select Assign users and groups.

2. Add the users or groups required.

3. Select and assign the groups or users you wish to grant access to the application.

Adding the IDP connection

1. On the SOTI Connect web console, navigate to Global Settings > Console Settings > Authentication Options and select Identity Providers as the authentication type.

2. Select Manage Providers.

3. Add a new Identity Provider.

4. Give the IDP a relevant name and import the Federation Metadata XML file downloaded earlier to save the IDP connection.

Note: The Add Group option may not be available unless Identity Providers is set as the authentication type. Switching the authentication type does not log the user out of the current session, even though that session was established under a different authentication type.

Importing groups onto the SOTI web console and granting them access roles

1. Navigate to the System Administration > Users and Permissions page and select the Groups tab.

2. Select Add user group.

Note: If the option to add a group is not available, verify what is set as the authentication type under Global Settings > Authentication Options. If it is not Identity Providers, update the authentication option and set it to Identity Providers. The option to add a group should now be visible.

3. Type in the name of the group you wish to add and save.

Note: Alternatively, you can add groups using their Object IDs. To do this, navigate to the Overview page for the group in the Azure Portal and copy its Object ID.

Note: To enable access through Object ID, select the enterprise application, choose Set up single sign-on, and edit Attributes & Claims. Edit the group claim to uncheck Emit group name for cloud-only groups (selected earlier) and save. Then return to the New Group dialog and enter the copied Object ID.

Note: Object IDs are case-sensitive.

4. Select the added group to assign a permission-based role.

5. Select the desired role and save.

Note: If no role is assigned, the user receives the default Global Viewer role when logging in.

Note: Instead of manual group assignment, you can also enable the Auto Create Groups option in the Identity Provider's configuration settings in SOTI Connect. This option parses all the groups out of the SAML message (that is, the IDP login), adds them to SOTI Connect as groups, and assigns them to the user. You can then assign the desired roles to the groups added to SOTI Connect.
