
This document covers configuring the Microsoft Entra ID SAML Identity Provider with Zitadel for use with your ConnectSecure login.


Microsoft Entra ID SAML IDP - Overview

You need to have access to an Entra ID Tenant.

If you do not yet have one, follow this guide from Microsoft to create one for free.

In ZITADEL, you can connect an Identity Provider (IdP) like Entra ID (formerly Azure Active Directory) to your instance and provide it as the default to all organizations. You can also register the IDP for a specific organization only. If you allow this, your organization's members can do the same in self-service.


Microsoft Entra ID SAML Configuration

  1. Login to your Azure portal.

  2. Browse to the Enterprise applications menu.

  3. Search for ‘SAML Toolkit’ and select the ‘Microsoft Entra SAML Toolkit’ card.

  4. Change the name if you want, and click Create.

image-20240418-150709.png

Disable required assignment

By default, an Entra enterprise application only lets users who are assigned to it sign in. To let users sign in via ZITADEL without assigning each of them to the application, disable the assignment requirement.

  1. Navigate to Manage > Properties

  2. Set ‘Assignment required?’ to No

  3. Click Save

Note that with this set to No, every user in the Entra tenant can complete the SAML sign-in for this application; whether they end up with a ConnectSecure login is then governed only by the account creation and account linking settings configured in ZITADEL below. If sign-in should be limited to specific users or groups, leave it at Yes and assign them to the application instead.

image-20240418-151024.png

Set up SAML

  1. Navigate to Manage > Single sign-on

  2. Select SAML

  3. You are taken to the SAML-based sign-on page

  4. Under SAML Certificates, copy the App Federation Metadata URL to your clipboard. ZITADEL fetches the IdP entity ID, the sign-in endpoints and the signing certificate from this URL.

image-20240418-151306.png

Zitadel Configuration

  1. Log in to ZITADEL at https://authprod.myyconnectsecure.com

  2. Click the logo in the top-left corner, then open Settings

image-20240418-151612.png
  3. Click Identity Providers and choose SAML SP

image-20240418-151738.png

Create New SAML Service Provider (SP)

  1. Set a name like ‘Microsoft Entra’

  2. Paste the previously copied URL into the "Metadata URL" field. After creation, the metadata will automatically be fetched from the provided URL.

  3. Select SAML_POST_BINDING as the binding

  4. Ensure that the “Signed Request” box is ticked, so that ZITADEL signs the AuthnRequests it sends to Entra

  5. Change the options if needed. Microsoft Entra works out of the box using the pre-configured options.

  6. Click Create

Automatic creation: If this setting is enabled, the user will be created automatically within ZITADEL if it doesn't exist.

Automatic update: If this setting is enabled, the user will be updated within ZITADEL when user data changes at the provider. For example, if the last name changes on the Microsoft account, the ZITADEL account is updated on the next login.

Account creation allowed: This setting determines if account creation within ZITADEL is allowed or not.

Account linking allowed: This setting determines whether account linking is allowed. When logging in with a Microsoft account, a linkable ZITADEL account must already exist.

Either account creation or account linking has to be enabled. Otherwise, the provider can't be used.

image-20240418-152133.png

Basic SAML Configuration

  1. After you create the SAML SP in ZITADEL, you can copy the URLs you need to configure in your Entra ID application.

image-20240418-152248.png
  2. Go to Microsoft Entra > Manage > Single sign-on

  3. Edit the “Basic SAML Configuration”

  4. Identifier (Entity ID): Paste the ZITADEL Metadata URL

  5. Reply URL (Assertion Consumer Service URL): Paste the ZITADEL ACS Login Form URL

  6. Sign-on URL: Paste the ZITADEL ACS Login Form URL

  7. Logout URL: Optionally paste the ZITADEL Single Logout URL

  8. Click Save

You can ignore the Zitadel ACS Intent API URL for now. This is relevant if you want to programmatically sign users in at ZITADEL via a SAML Service Provider.

image-20240418-152511.png

Enable the Microsoft Entra Button on the ZITADEL Login Page

  1. Go back to ZITADEL. Once you have created the provider, it is listed in the Identity Providers overview.

  2. Activate it by selecting the tick with the tooltip “set as available”. If you deactivate a provider, users linked to it can no longer authenticate; reactivate it and their logins work again.

  3. The provider can also be activated via the API. Because identity providers are sub-resources of the login settings, this is done by linking the provider to the settings:

image-20240418-155400.png
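The API call referred to above, as an added example in Python using only the standard library; it is not ZITADEL's or ConnectSecure's own code. The endpoint paths, the `x-zitadel-orgid` header and the `idpId` body field are assumptions drawn from the ZITADEL admin and management APIs and should be verified against your instance's API documentation before use; the host, token and IDs are placeholders.

```python
"""Link an identity provider to the ZITADEL login settings through the API.

Added example, not ZITADEL's or ConnectSecure's code. Assumptions, to be checked
against your instance's API reference: instance-wide linking is
POST /admin/v1/policies/login/idps; organization-level linking is
POST /management/v1/policies/login/idps with the organization selected by the
x-zitadel-orgid header; both take {"idpId": "<id>"} and a bearer token.
"""
import json
import urllib.error
import urllib.request

ADMIN_PATH = "/admin/v1/policies/login/idps"       # instance default settings
MGMT_PATH = "/management/v1/policies/login/idps"   # one organization's settings


def link_idp_request(domain, token, idp_id, org_id=None):
    """Prepare the POST that sets the IdP 'available'; returns an unsent Request."""
    if not idp_id.isdigit():
        raise ValueError("ZITADEL resource IDs are numeric strings, got %r" % idp_id)
    if domain.startswith("http://"):
        raise ValueError("refusing to send a bearer token over plain HTTP")
    host = domain[len("https://"):] if domain.startswith("https://") else domain
    path = MGMT_PATH if org_id else ADMIN_PATH
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/json", "Accept": "application/json"}
    if org_id:
        headers["x-zitadel-orgid"] = org_id  # org context for the management API
    body = json.dumps({"idpId": idp_id}).encode()
    return urllib.request.Request("https://" + host.rstrip("/") + path,
                                  data=body, headers=headers, method="POST")


def link_idp(domain, token, idp_id, org_id=None):
    """Send the request; returns (HTTP status, response body as text)."""
    req = link_idp_request(domain, token, idp_id, org_id)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # error body is assumed to be JSON text
        return err.code, err.read().decode()


if __name__ == "__main__":
    import os
    import sys
    # Usage: ZITADEL_TOKEN=... python link_idp.py https://<zitadel-host> <idp-id> [<org-id>]
    status, body = link_idp(sys.argv[1], os.environ["ZITADEL_TOKEN"], sys.argv[2],
                            sys.argv[3] if len(sys.argv) > 3 else None)
    print(status, body)
```

The token is taken from the environment rather than the command line so that it does not end up in shell history or process listings, and the request is refused outright for a plain-HTTP host.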

Ensure your Login Policy allows External IDPs

  1. Go to Settings

    1. To allow external IdP logins by default, go to your instance default settings at $YOUR-DOMAIN/ui/console/instance?id=general

    2. To allow external IdP logins for one organization, go to $YOUR-DOMAIN/ui/console/org-settings?id=login and ensure you are in the right org context.

  2. Open the “Login Behavior and Security” section of your login policy

  3. Enable “External Login allowed”

image-20240418-155524.png

Test Your Setup

  1. Open https://portal.myconnectsecure.com.

  2. Enter your domain name and choose the external IDP option to log in.

  3. Click “Log in with an external user” on the next page.

image-20240418-155651.png
  4. Enter your Microsoft Entra ID credentials.

image-20240418-155725.png
  5. After Entra has authenticated you, ZITADEL asks how to handle the external identity: click Link if a ZITADEL user already exists for this person, or Register if it does not.

image-20240418-155836.png
  6. When registering, complete the user data and click Next. When linking, enter the existing user’s email and password and click Next.

image-20240418-155918.png

This completes the Microsoft Entra ID SAML SP setup; once an account has been registered or linked, subsequent logins with that user go through Entra.


Need Support?

Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.

https://cybercns.freshdesk.com/en/support/login

image-20240206-144508.png
