Microsoft Entra ID SAML IDP

This document covers configuring the Microsoft Entra ID SAML Identity Provider with Zitadel for use with your ConnectSecure login.


Microsoft Entra ID SAML IDP - Overview

You need to have access to an Entra ID Tenant.

If you do not yet have one, follow this guide from Microsoft to create one for free.

In ZITADEL, you can connect an Identity Provider (IdP) like Entra ID (formerly Azure Active Directory) to your instance and provide it as the default to all organizations. You can also register the IDP for a specific organization only. If you allow this, your organization's members can do the same in self-service.


Microsoft Entra ID SAML Configuration

  1. Login to your Azure portal.

  2. Browse to the Enterprise applications menu.

  3. Search for ‘SAML Toolkit’ and click on the ‘Microsoft Entra SAML Toolkit’ card.

  4. Change the name if you want, and click Create.


Disable required assignment

To enable users to sign in via Zitadel, we need to manually disable the required assignment feature.

  1. Navigate to Manage > Properties

  2. Set ‘Assignment required?’ to No

  3. Tap Save


Setup SAML

  1. Navigate to Manage > Single Sign-On

  2. Select SAML

  3. You will be redirected to the Single Sign-On details page

  4. Copy the URL of SAML Certificates > App Federation Metadata URL to your clipboard

Zitadel Configuration

  1. Login to Zitadel https://authprod.myyconnectsecure.com

  2. Tap on the Logo in the top left corner, then tap Settings

  3. Tap on the Identity Providers option and choose SAML SP

Create New SAML Service Provider (SP)

  1. Set a name like ‘Microsoft Entra’

  2. Paste the previously copied URL into the "Metadata URL" field. After creation, the metadata will automatically be fetched from the provided URL.

  3. Select the "SAML_POST_BINDING" as binding

  4. Ensure that the "Signed Request" box is ticked

  5. Change the options if needed. Microsoft Entra works out of the box using the pre-configured options.

  6. Click Create

Basic SAML Configuration

  After you create the SAML SP in ZITADEL, you can copy the URLs you need to configure in your Entra ID application.

  1. Go to Microsoft Entra > Manage > Single sign-on

  2. Edit the "Basic SAML Configuration"

  3. Identifier (Entity ID): Paste the ZITADEL Metadata URL.

  4. Reply URL (Assertion Consumer Service URL): Paste the ZITADEL ACS Login Form URL

  5. Sign-on URL: Paste the ZITADEL ACS Login Form URL

  6. Logout URL: Optionally paste the ZITADEL Single Logout URL

  7. Click Save

Enable the Microsoft Entra Button in the ZITADEL Login Page

  1. Go back to ZITADEL and activate the IDP.

  2. Activate IdP: once you have created the provider, it is listed in the providers overview.

  3. Activate it by selecting the tick with the tooltip "Set as available". If you deactivate a provider, your users with links to it will not be able to authenticate anymore. You can reactivate it and the logins will work again. The provider can also be activated via API. As the identity providers are sub-resources of the login settings, this is done by linking the provider to the settings.

Ensure your Login Policy allows External IDPs

  1. Go to the Settings

    1. To allow external IdP logins by default, go to your instance default settings at $YOUR-DOMAIN/ui/console/instance?id=general

    2. To allow external IdP logins on an organization, go to $YOUR-DOMAIN/ui/console/org-settings?id=login and ensure you have the right org context.

  2. Modify your login policy in the menu "Login Behavior and Security"

  3. Enable the attribute "External Login allowed"


Test Your Setup

  1. Open https://portal.myconnectsecure.com/.

  2. Enter your domain name, then choose the external IDP option to log in.

  3. Now, click “Log in with an external user” on the next page.

  4. Enter your Microsoft Entra ID credentials.

  5. After login, if the user already exists, click Link; if the user does not exist, click Register.

  6. Once the user data is added, click Next. For an existing user, enter the user's email and password and click Next.

This completes the login for the SAML SP for Microsoft Entra ID.


Need Support?

Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.

https://cybercns.freshdesk.com/en/support/login