Guides → Azure AD as SAML2 SSO IdP Configuration
Overview
Incorta has Azure Active Directory (AD) as an authentication type. However, it has a different login experience. If you select "Azure AD" as an authentication type, users will always have to enter their tenant, username, and password when logging into Incorta. Meanwhile, if you configure Azure AD as a SAML2 IdP, users will login directly to Incorta if they are logged in to their IdP.
To configure Azure Active Directory as a SAML2 SSO identity provider (IdP) and enabling SSO settings in Incorta, you must apply the following steps:
Azure AD configurations
- Log in to the Azure portal Home - Microsoft Azure and make sure you have the (Global Administrator, or Application Administrator) permissions to access the Azure active directory and create and configure enterprise applications.
- Select Azure Active Directory and from the right pane, select Enterprise applications.
- Select + New application.
- In the Gallery, search for "Saml toolkit", and then select Azure AD SAML Toolkit.
- Enter a name for your application.
- Azure AD creates the application successfully.
- Select the "Get started" link on the 2. Setup Single sign on card, and choose SAML.
- Edit the "Basic SAML configuration" section by adding the proper URLs. The URLs are your Incorta instance including the tenant’s name.
- Edit the "Attributes & Claims" section to add a custom claim called "loginName". Make sure that the "Source attribute" matches the login name field for the Incorta user.
- Download the certificate (the Base64) and save it. You will need it when we apply the configuration on Incorta’s side.
This is how a certificate would look like in a text editor:
cat Incorta_Sample_Integration_base64.cer-----BEGIN CERTIFICATE-----Omiitted......EylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMzA2MTIxOTU0MTNaFw0yNjA2MTIxOTU0MTJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp31KAYgKnbyxf4K2cweRbu4eQwnTW7ntut0SRtX9NHmqtY1gC/mRAPc1raus9s1FclyPyaTo2iBu6WB42fQrNjB5ItVivEYOcS4tSVzuQ/WplrXcz8NkT2Zi87v+6WVm9e+R1wPSMDwIbPOoNuAKhUFTh6zEVvxwsIkk.....Omitted...-----END CERTIFICATE-----
- Copy the following URLs, as we are going to need them when configuring Incorta as well.
Configuring Incorta
- Prepare the value of the
onelogin.saml2.idp.x509cert
by copying the content of the downloaded certificate without the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines. Also, make sure that the certificate text is on a single line.
The following is a sample configuration:
onelogin.saml2.strict = falseonelogin.saml2.sp.entityid = https://<incorta-instance>/incorta/!demo/onelogin.saml2.sp.assertion_consumer_service.url = http://<incorta-instance>/incorta/!demo/onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirectonelogin.saml2.sp.single_logout_service.url = http://<incorta-instance>/incorta/!demo/onelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirectonelogin.saml2.idp.entityid = https://sts.windows.net/a232729b-8cb8-4828-9941-72bbea9749d3/onelogin.saml2.idp.single_sign_on_service.url = https://login.microsoftonline.com/a232729b-8cb8-4828-9941-72bbea9749d3/saml2onelogin.saml2.security.want_nameid = falseonelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirectonelogin.saml2.idp.single_logout_service.url = https://login.microsoftonline.com/a232729b-8cb8-4828-9941-72bbea9749d3/saml2onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirectonelogin.saml2.idp.x509cert = MIIC8DCCAdigAwIBAgIQXvNUiAiIdJBPHFbu6+AZeDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMzA1MTAwNzM0MDFaFw0yNjA1MTAwNzM0MDFaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqfyiQA/Ki3A5Rgw2IHeN8HfHYRxnTNk94Ms4qP3Hq9oAmO/Cr9vlWZ/OmnuPDW7CS3xwJI3IYnIfVo7GAIZb/4G9vDyc6ZzzMOGptEayQIXVUe9xC59RzIJRp5otFYvSvICzKgeTmph+1W0ekTK4Q8qsMpapdGEoYdvGujpyRL7uF/zFoqjq7M5+UngimuuSTNukYGsnto+5juXQBV2diV0MzjPkcCXqaoEobg7oGN2EPlMyXWrG9cA+yeLTNCIB/AOAvfzMmvE0gRqrtuAWvKw0UK+DNKQUtlxxX9vJpIu02bcs3iuMNLSb0KVFajD0rNCZpGkOuvtrLEM4Az8TeQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAJWbE/FXYNOh2uEbnkL+k2EcNw1kxUMlv8V4b6VaXT1pRGEOgw+oTMVcVTDvfGFwntrGLoqHoEjHCRR7/DlbmZJpMFHT/MI0/F6ki39cWzUOR+9U+pEUcrm01wwjS2H04Dn37OZOFfVrT00thoqEiWpPd8fYRCt2+wgaBcgBcOvXw6rA3NHufAKXhziDt2LEMgoQev7XHJ15egp+z92LmvxGF/HjdsHH8wzhA3SRfxTwPvPCNze9xcXCmzHm4hlE9+qUVnrFtxgkiKNldQk9i3Xrv6DLAW5WAKXflSBqRvtDyIjuot23HKomr5tEkftpbC/x/vzeO2DG+Gb6GWtOVP
In releases before 2024.1.5, set the onelogin.saml2.sp.single_logout_service.url
to Incorta's logout URL, for example, https://<incorta-instance>/incorta/logout.jsp?redirectUrl=
.
- Login to CMC, select the tenant you need to configure, select Configure.
- In Security, select the Authentication type as "SSO" and the "Provider Type" as "SAML2".
- Paste the configurations into the "Provider configurations" field.
Additional configurations (Optional)
- You can enable "Auto provision SSO users" and select the "Auto provisioned SSO users group" if you want users logging in from SSO to be automatically added to Incorta.
- If "Auto provision SSO users" is disabled, you must create users manually in Incorta so they can sign in.