The platform supports Azure AD single sign-on capabilities. This has been included to assist those clients that wish to centrally manage users access to platforms they operate in. The platform can now be added to that list.
Inside the Connected Accounts for a tenant, we can add SSO settings for Azure. This requires the following details:
Client ID
Client Secret
Tenant ID
When signing up a new user, they will need to login first with their email/password to setup their 2FA for the platform. Without the 2FA set up, they won’t be able to use the SSO login.
Adding SSO for a tenant will setup that specific tenant with SSO. So any users in that tenant can now sign in with SSO, depending on how they are setup in your specific SSO Client.
Log into Azure Portal and go to the “App Registrations” page.
Click on “+ New Registration” in the top left of the “App Registrations” page
Under “Name” give the new application a unique name
Under “Supported account types” select an account type (choose “Accounts in this organisational directory only”).
Under “Redirect URI (optional)”, choose “Web” in the drop-down and enter the following URL:
https://{tenant_name}.{tenant_region}.vulnerability-platform.com/login/azure/callback |
Click “Register”
You’ll be redirected to the “Overview” page of the new application
Within the “Overview” page, under the “Essentials” section, there will be an Application (client) ID which can be copied into the Client ID field in the platform, under the the Azure within the platform’s Connected Account section in the platform.
Within the “Overview” page, under the “Essentials” section, there will be an Directory (tenant) ID which can be copied into the Tenant ID field in the platform, under the the Azure within the platform’s Connected Account section in the platform.
Within the “Overview” page, under the “Essentials” section, click on “Redirect URIs”
The “Platform Configurations” section will appear
If not already populated from earlier step, enter the following for the “Redirect URIs”:
https://{tenant_name}.{tenant_region}.vulnerability-platform.com/login/azure/callback |
Under “Front-channel logout” section, enter the following URL for the “Front-channel logout URL”:
https://{tenant_name}.{tenant_region}.vulnerability-platform.com/logout |
Under “Implicit grant and hybrid flows”, select the checkbox for “ID tokens (used for implicit and hybrid flows)”
Click “Save” and then return to the “Overview” page
Select the “Certificates & secrets” page from the left-hand side bar
Within the “Certificates & secrets” page, under “Client secrets”:
Choose “+ New client secret”
Within the “Add a client secret” section provide a Description and set your Expires timeframe
Click “Add”
Within the “Certificates & secrets” page, under “Client secrets”, a new entry for the client secret will appear.
Next to this new secret entry, copy the string of characters under Value. The string of characters should be copied in the Client Secret field in the platform, under the the Azure within the platform's Connected Account section in the platform.
NOTE: Do not copy the string of characters under Secret ID |
Under the platform, click “Save Changes” to commit the configuration to the platform tenant. This will assign this Azure configuration to the tenant:
Within Azure, choose “API permissions” page from the left-hand side bar
Under the “Configured permissions” section. There should be a “User.Read” entry within the “Microsoft Graph” permission.
This “User.Read” permission requires admin rights. Click on “Grant admin consent for {Company}“. This is so the application is allowed to the read the user's details for signing into the platform. If this isn’t selected then the application won’t be able to sign into the platform.
The above setup will allow anyone in your organisation to login with Azure. If we want to lock it down to a specific group of users, then we can do the following: |
Go to the overview page
Find “Manage application in local directory” and click on your application name, this will take us through to the application properties page.
On the left hand bar, under Manage, click on Properties.
Scroll down and there is a property called “Assignment required?” change this to “Yes”.
Click Save
Click on Users and Groups on the side panel. Here we will assign the users we want to allow access to this SSO login.
Click “Add user/Group” and select the users we want to allow.
Select the users you want to allow and press “Select” at the bottom.
This should update the page with the users selected, click “Assign” at the bottom.
You should now see the list of users allowed to use the application.
Any user not assigned to this list will not be allowed access to the SSO login, the platform will redirect them to Azure, but they will hit an error page and will have to return to the platform.
When signing into Azure, if a user hits a page that says that the application needs admin permission to sign in then Azure doesn’t have the correct permissions. Sign into Azure and go to “API permissions” on the side bar and Click on “Grant admin consent to {Company}“. This allows the app to read the user details and send them to the platform to read their email.
Within the platform, under the “Users” section, we can assign a flag on a user to only allow them access to a tenant when they sign in with SSO. This means that if a user signs into the platform using a traditional email/password then they won’t be able to access the tenant that they are setup on with “SSO Only”.
If a user signs in with email/password and the user is assigned to one tenant with “SSO Only”, then they won’t be able to sign into the platform, and will be shown a message on the login screen.
If the user is assigned to more than one tenant, and one of the tenants isn’t setup with “SSO Only” then they will be be allowed to sign in, but they will be restricted from accessing the tenant with the “SSO Only” rule applied.
Signing in with SSO allows access to all tenants the user is associated with.