Azure AD SSO
The platform supports Azure AD single sign-on (SSO). This has been included to assist those clients that wish to centrally manage their users' access to the platforms they operate in. The platform can now be added to that list.
Introduction
Inside the Connected Accounts for a tenant, we can add SSO settings for Azure. This requires the following details:
Client ID
Client Secret
Tenant ID
General
When signing up a new user, they will need to log in first with their email/password to set up their 2FA for the platform. Without the 2FA set up, they won't be able to use the SSO login.
Adding SSO for a tenant will set up that specific tenant with SSO. Any users in that tenant can then sign in with SSO, depending on how they are set up in your specific SSO client.
Setting up Azure AD SSO
Log into Azure Portal and go to the “App Registrations” page.
Click on “+ New Registration” in the top left of the “App Registrations” page
Under “Name” give the new application a unique name
Under “Supported account types” select an account type (choose “Accounts in this organisational directory only”).
Under “Redirect URI (optional)”, choose “Web” in the drop-down and enter the following URL:
https://{tenant_name}.{tenant_region}.vulnerability-platform.com/login/azure/callback
Click “Register”
You’ll be redirected to the “Overview” page of the new application
Within the “Overview” page, under the “Essentials” section, there will be an Application (client) ID. Copy this into the Client ID field in the platform, under Azure within the platform's Connected Accounts section.
Within the “Overview” page, under the “Essentials” section, there will be a Directory (tenant) ID. Copy this into the Tenant ID field in the platform, under Azure within the platform's Connected Accounts section.
Within the “Overview” page, under the “Essentials” section, click on “Redirect URIs”
The “Platform Configurations” section will appear
If not already populated from the earlier step, enter the following for the “Redirect URIs”:
https://{tenant_name}.{tenant_region}.vulnerability-platform.com/login/azure/callback
Under “Front-channel logout” section, enter the following URL for the “Front-channel logout URL”:
https://{tenant_name}.{tenant_region}.vulnerability-platform.com/logout
Under “Implicit grant and hybrid flows”, select the checkbox for “ID tokens (used for implicit and hybrid flows)”
Click “Save” and then return to the “Overview” page
Select the “Certificates & secrets” page from the left-hand side bar
Within the “Certificates & secrets” page, under “Client secrets”:
Choose “+ New client secret”
Within the “Add a client secret” section provide a Description and set your Expires timeframe
Click “Add”
Within the “Certificates & secrets” page, under “Client secrets”, a new entry for the client secret will appear.
Next to this new secret entry, copy the string of characters under Value. This string should be pasted into the Client Secret field in the platform, under Azure within the platform's Connected Accounts section.
NOTE: Do not copy the string of characters under Secret ID
Within the platform, click “Save Changes” to commit the configuration to the platform tenant. This will assign this Azure configuration to the tenant.
Within Azure, choose “API permissions” page from the left-hand side bar
Under the “Configured permissions” section, there should be a “User.Read” entry within the “Microsoft Graph” permission.
This “User.Read” permission requires admin rights. Click on “Grant admin consent for {Company}“. This is so the application is allowed to read the user's details for signing into the platform. If consent isn't granted, users won't be able to sign into the platform through the application.
Restricting Azure to specific users
The above setup will allow anyone in your organisation to log in with Azure. If we want to lock it down to a specific group of users, then we can do the following:
Go to the overview page
Find “Manage application in local directory” and click on your application name. This will take us through to the application properties page.
On the left hand bar, under Manage, click on Properties.
Scroll down to the property called “Assignment required?” and change it to “Yes”.
Click Save
Click on Users and Groups on the side panel. Here we will assign the users we want to allow access to this SSO login.
Click “Add user/Group” and select the users we want to allow.
Select the users you want to allow and press “Select” at the bottom.
This should update the page with the users selected, click “Assign” at the bottom.
You should now see the list of users allowed to use the application.
Any user not assigned to this list will not be allowed access to the SSO login; the platform will redirect them to Azure, but they will hit an error page there and will have to return to the platform.
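The portal steps above (app registration, redirect and logout URLs, ID tokens, client secret, User.Read with admin consent) and the “Assignment required?” restriction, scripted with the Azure CLI. This is an added example, not part of the original documentation and not tooling supplied by the platform. It assumes the az CLI is installed and signed in with rights to register applications and grant admin consent; that TENANT_NAME and TENANT_REGION are supplied for the {tenant_name}/{tenant_region} placeholders in the callback URL; and that the Microsoft Graph application id and the User.Read scope id are the well-known values given in the script. The app name, the RUN_SETUP guard and the AZ override (set AZ=echo to preview the commands without touching Azure) are hypothetical conveniences.

```shell
#!/bin/sh
# Added example (not the platform's own tooling): reproduce the Azure AD app registration
# from the guide with the Azure CLI. Assumes "az" is installed and signed in with rights to
# register apps and grant admin consent. TENANT_NAME/TENANT_REGION stand in for the
# {tenant_name}/{tenant_region} placeholders; APP_NAME, RUN_SETUP and AZ are hypothetical.
set -eu

AZ="${AZ:-az}"                                    # set AZ=echo for a dry run
APP_NAME="${APP_NAME:-vulnerability-platform-sso}"
TENANT_NAME="${TENANT_NAME:-tenant_name}"         # placeholder until you fill it in
TENANT_REGION="${TENANT_REGION:-tenant_region}"   # placeholder until you fill it in
BASE_URL="https://${TENANT_NAME}.${TENANT_REGION}.vulnerability-platform.com"

# Well-known Microsoft Graph identifiers: the Graph resource app and its User.Read delegated scope.
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"
USER_READ_SCOPE_ID="e1fe6dd8-ba31-4d61-89e7-88639da4683d"
# Default app role used when assigning a user to an app that defines no custom roles.
DEFAULT_APP_ROLE_ID="00000000-0000-0000-0000-000000000000"

redirect_uri() { printf '%s/login/azure/callback\n' "$BASE_URL"; }
logout_uri()   { printf '%s/logout\n' "$BASE_URL"; }

# Register the app: single tenant ("Accounts in this organisational directory only"),
# Web platform redirect URI, ID tokens enabled. Prints the Application (client) ID.
register_app() {
  "$AZ" ad app create \
    --display-name "$APP_NAME" \
    --sign-in-audience AzureADMyOrg \
    --web-redirect-uris "$(redirect_uri)" \
    --enable-id-token-issuance true \
    --query appId -o tsv
}

# The front-channel logout URL lives on the application's "web" settings.
set_logout_url() {
  "$AZ" ad app update --id "$1" --set "web.logoutUrl=$(logout_uri)"
}

# Create a client secret and print its Value (the platform needs the Value, not the Secret ID).
create_secret() {
  "$AZ" ad app credential reset --id "$1" --display-name "platform-sso" --years 1 --append \
    --query password -o tsv
}

# Add the Microsoft Graph User.Read delegated permission and grant tenant-wide admin consent.
# Consent is recorded on the service principal, so make sure one exists first.
grant_user_read() {
  "$AZ" ad app permission add --id "$1" --api "$GRAPH_APP_ID" \
    --api-permissions "${USER_READ_SCOPE_ID}=Scope"
  "$AZ" ad sp show --id "$1" >/dev/null 2>&1 || "$AZ" ad sp create --id "$1" >/dev/null
  "$AZ" ad app permission admin-consent --id "$1"
}

# "Assignment required? = Yes": only explicitly assigned users may sign in through the app.
require_assignment() {
  "$AZ" ad sp update --id "$1" --set appRoleAssignmentRequired=true
}

# Assign one user (by UPN) to the app. The CLI has no dedicated command, so call Graph directly.
assign_user() {
  sp_id="$("$AZ" ad sp show --id "$1" --query id -o tsv)"
  user_id="$("$AZ" ad user show --id "$2" --query id -o tsv)"
  "$AZ" rest --method POST \
    --url "https://graph.microsoft.com/v1.0/servicePrincipals/${sp_id}/appRoleAssignedTo" \
    --body "{\"principalId\":\"${user_id}\",\"resourceId\":\"${sp_id}\",\"appRoleId\":\"${DEFAULT_APP_ROLE_ID}\"}"
}

# Run the whole procedure; prints the three values the platform's Connected Accounts form needs.
main() {
  app_id="$(register_app)"
  set_logout_url "$app_id"
  grant_user_read "$app_id"
  require_assignment "$app_id"
  for upn in "$@"; do assign_user "$app_id" "$upn"; done
  echo "Client ID:     $app_id"
  echo "Tenant ID:     $("$AZ" account show --query tenantId -o tsv)"
  echo "Client Secret: $(create_secret "$app_id")   (shown once; paste it into the platform now)"
}

# Guarded so that sourcing the file for a dry run does not touch Azure.
if [ "${RUN_SETUP:-0}" = "1" ]; then
  main "$@"
fi
```

Preview the commands with AZ=echo sh -c '. ./azure_sso_setup.sh; register_app'; run for real with RUN_SETUP=1 TENANT_NAME=acme TENANT_REGION=eu sh azure_sso_setup.sh alice@example.com bob@example.com, where the arguments are the users to assign. The admin-consent step needs an account that can grant consent for the directory, which is the same requirement as the “Grant admin consent for {Company}” button in the portal.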
Logging into Platform
After setting up SSO, you will be able to sign in from the login page using SSO.
When clicking the “Login with SSO” button, the user will need to supply their email address. This is case sensitive and must match the case of the email address in the user's profile. Clicking Next will take us to the platform 2FA page. After completing 2FA, the user will be presented with SSO options, depending on the SSO that has been set up for the tenants they are associated with.
Clicking on Azure will take the user to their Azure AD directory. If they are successful, they will be redirected back and logged into the platform. If not, they will see a screen letting them know what happened, or will be redirected back to the platform.
Restricting Users using SSO in Platform
Within the platform, under the “Users” section, we can assign a flag on a user to only allow them access to a tenant when they sign in with SSO. This means that if a user signs into the platform using a traditional email/password, they won't be able to access the tenant on which they are set up with “SSO Only”.
If a user signs in with email/password and the user is assigned to one tenant with “SSO Only”, then they won't be able to sign into the platform, and will be shown a message on the login screen.
If the user is assigned to more than one tenant, and one of the tenants isn't set up with “SSO Only”, then they will be allowed to sign in, but they will be restricted from accessing the tenant with the “SSO Only” rule applied.
Signing in with SSO allows access to all tenants the user is associated with.
Troubleshooting
When signing into Azure, if a user hits a page saying that the application needs admin permission to sign in, then Azure doesn't have the correct permissions. Sign into Azure, go to “API permissions” on the side bar and click on “Grant admin consent for {Company}“. This allows the app to read the user's details and pass them to the platform so it can read their email address.