Azure AD as SAML2 SSO IdP Configuration

Overview

Incorta offers Azure Active Directory (AD) as an authentication type, but that option gives a different login experience: users always have to enter their tenant, username, and password when logging in to Incorta. If you instead configure Azure AD as a SAML2 identity provider (IdP), users who are already signed in to their IdP are logged in to Incorta directly.

To configure Azure Active Directory as a SAML2 SSO identity provider (IdP) and enable the SSO settings in Incorta, apply the following steps:

Azure AD configurations

  1. Log in to the Azure portal and make sure you have the Global Administrator or Application Administrator role, which is required to access Azure Active Directory and to create and configure enterprise applications.
  2. Select Azure Active Directory and from the right pane, select Enterprise applications.
  3. Select + New application.
  4. In the Gallery, search for "Saml toolkit", and then select Azure AD SAML Toolkit.
  5. Enter a name for your application.
  6. Azure AD creates the application.
  7. Select the "Get started" link on the 2. Setup Single sign on card, and choose SAML.
  8. Edit the "Basic SAML configuration" section and add the required URLs. These are the URLs of your Incorta instance, including the tenant name.
  9. Edit the "Attributes & Claims" section to add a custom claim named "loginName". Make sure that its "Source attribute" matches the login name field of the Incorta user.
  10. Download the certificate (Base64) and save it. You will need it when applying the configuration on Incorta's side.

This is what a certificate looks like in a text editor:

cat Incorta_Sample_Integration_base64.cer
-----BEGIN CERTIFICATE-----
Omitted......
EylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMzA2MTIxOTU0
MTNaFw0yNjA2MTIxOTU0MTJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQg
U1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp31KAYgKnbyx
f4K2cweRbu4eQwnTW7ntut0SRtX9NHmqtY1gC/mRAPc1raus9s1FclyPyaTo2iBu6WB42fQrNjB5
ItVivEYOcS4tSVzuQ/WplrXcz8NkT2Zi87v+6WVm9e+R1wPSMDwIbPOoNuAKhUFTh6zEVvxwsIkk
.....Omitted...
-----END CERTIFICATE-----
  11. Copy the IdP URLs that Azure AD displays for the application (Login URL, Azure AD Identifier, and Logout URL), as you will need them when configuring Incorta as well.

Configuring Incorta

  1. Prepare the value of onelogin.saml2.idp.x509cert by copying the content of the downloaded certificate without the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines. Also make sure that the certificate text is on a single line.

The following is a sample configuration:

onelogin.saml2.strict = false
onelogin.saml2.sp.entityid = https://<incorta-instance>/incorta/!demo/
onelogin.saml2.sp.assertion_consumer_service.url = https://<incorta-instance>/incorta/!demo/
onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
onelogin.saml2.sp.single_logout_service.url = https://<incorta-instance>/incorta/!demo/
onelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
onelogin.saml2.idp.entityid = https://sts.windows.net/a232729b-8cb8-4828-9941-72bbea9749d3/
onelogin.saml2.idp.single_sign_on_service.url = https://login.microsoftonline.com/a232729b-8cb8-4828-9941-72bbea9749d3/saml2
onelogin.saml2.security.want_nameid = false
onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
onelogin.saml2.idp.single_logout_service.url = https://login.microsoftonline.com/a232729b-8cb8-4828-9941-72bbea9749d3/saml2
onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
onelogin.saml2.idp.x509cert = <base64 certificate body on a single line>
Note

In releases before 2024.1.5, set the onelogin.saml2.sp.single_logout_service.url to Incorta's logout URL, for example, https://<incorta-instance>/incorta/logout.jsp?redirectUrl=.

  2. Log in to the CMC, select the tenant you need to configure, and then select Configure.
  3. In Security, set the Authentication type to "SSO" and the Provider Type to "SAML2".
  4. Paste the configuration into the "Provider configurations" field.
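To make step 1 and the sample configuration concrete, here is an added Python example that is not Incorta's or Azure AD's code. It strips a PEM file down to the single-line value for onelogin.saml2.idp.x509cert and lints an onelogin.saml2.* properties block for what a reviewer would flag before pasting it into the CMC: strict = false (the java-saml toolkit then accepts responses it would otherwise reject), plain http:// endpoints, IdP URLs that name different tenant ids, and a certificate value that still carries its BEGIN/END lines or line breaks. The PEM blob, host name and tenant id are constructed placeholders, not a real certificate or tenant, and the sample config deliberately keeps the weak settings so the linter has something to report.

```python
"""Added example (not Incorta's or Azure AD's code): prepare the single-line
onelogin.saml2.idp.x509cert value and lint an onelogin.saml2.* SP config."""
import base64
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed placeholder, not a real certificate: the base64 decodes to bytes
# that start with 0x30 (a DER SEQUENCE), which is all the checks below rely on.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIAEAAAAAAAAAAAAAAA
AAAAAAA=
-----END CERTIFICATE-----"""

# Placeholder tenant id and host name; substitute your own values.
TENANT = "00000000-0000-0000-0000-000000000000"
HOST = "incorta.example.test"


def pem_to_single_line(pem_text):
    """Drop the BEGIN/END lines and all line breaks (step 1 of the Incorta
    configuration) and confirm the remainder is base64 of a DER SEQUENCE."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("expected one PEM certificate with BEGIN/END lines")
    body = "".join(lines[1:-1])
    der = base64.b64decode(body, validate=True)  # raises ValueError on junk
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes are not a DER SEQUENCE (not a certificate)")
    return body


def render_x509cert_property(pem_text):
    """The exact line to paste into the Provider configurations field."""
    return "onelogin.saml2.idp.x509cert = " + pem_to_single_line(pem_text)


def parse_properties(text):
    """Minimal key = value parser for the onelogin.saml2.* properties block."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


URL_KEYS = (
    "onelogin.saml2.sp.entityid",
    "onelogin.saml2.sp.assertion_consumer_service.url",
    "onelogin.saml2.sp.single_logout_service.url",
    "onelogin.saml2.idp.single_sign_on_service.url",
    "onelogin.saml2.idp.single_logout_service.url",
)
IDP_KEYS = (
    "onelogin.saml2.idp.entityid",
    "onelogin.saml2.idp.single_sign_on_service.url",
    "onelogin.saml2.idp.single_logout_service.url",
)
TENANT_RE = re.compile(r"/([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})/")


def lint_sp_config(props):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # strict=false makes the toolkit accept responses it would otherwise reject
    # (missing or invalid signatures, lax schema); keep it only while troubleshooting.
    if props.get("onelogin.saml2.strict", "").lower() != "true":
        findings.append("onelogin.saml2.strict is not true: SAML response validation is relaxed")
    for key in URL_KEYS:
        if props.get(key, "").startswith("http://"):
            findings.append(key + " uses plain http://; SAML messages would travel in clear text")
    # All IdP endpoints must belong to the same Azure AD tenant.
    tenants = set()
    for key in IDP_KEYS:
        m = TENANT_RE.search(props.get(key, ""))
        if m:
            tenants.add(m.group(1).lower())
    if len(tenants) > 1:
        findings.append("IdP URLs reference different tenant ids: " + ", ".join(sorted(tenants)))
    cert = props.get("onelogin.saml2.idp.x509cert", "")
    if not cert:
        findings.append("onelogin.saml2.idp.x509cert is empty")
    elif "CERTIFICATE" in cert or not re.fullmatch(r"[A-Za-z0-9+/=]+", cert):
        findings.append("onelogin.saml2.idp.x509cert must be the bare base64 body on one line")
    else:
        try:
            base64.b64decode(cert, validate=True)
        except ValueError:
            findings.append("onelogin.saml2.idp.x509cert is not valid base64")
    return findings


# Constructed config mirroring the guide's sample, deliberately keeping the
# settings the linter is meant to flag (strict = false, http:// SP endpoints).
SAMPLE_CONFIG = f"""
onelogin.saml2.strict = false
onelogin.saml2.sp.entityid = https://{HOST}/incorta/!demo/
onelogin.saml2.sp.assertion_consumer_service.url = http://{HOST}/incorta/!demo/
onelogin.saml2.sp.single_logout_service.url = http://{HOST}/incorta/!demo/
onelogin.saml2.idp.entityid = https://sts.windows.net/{TENANT}/
onelogin.saml2.idp.single_sign_on_service.url = https://login.microsoftonline.com/{TENANT}/saml2
onelogin.saml2.idp.single_logout_service.url = https://login.microsoftonline.com/{TENANT}/saml2
{render_x509cert_property(SAMPLE_PEM)}
"""


def check_sample():
    return lint_sp_config(parse_properties(SAMPLE_CONFIG))


if __name__ == "__main__":
    for finding in check_sample():
        print("FINDING:", finding)
```

Run it against your own properties text by replacing SAMPLE_CONFIG, and feed the downloaded .cer file to render_x509cert_property to get the x509cert line to paste. On the constructed sample it reports three findings (strict not true, and http:// on the ACS and single-logout URLs); switching those to strict = true and https:// clears them.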

Additional configurations (Optional)

  • You can enable "Auto provision SSO users" and select the "Auto provisioned SSO users group" if you want users logging in from SSO to be automatically added to Incorta.
  • If "Auto provision SSO users" is disabled, you must create users manually in Incorta so they can sign in.