Step 1: Add a new External Federation for Azure in SPP and Create an Enterprise App in Azure AD
1. From Settings | Identity and Authentication, add a new External Federation. Enter name, description, and the realm (the realm should be the email or UPN suffix that users use to logon to Azure such as yourdomain.com). Click Download Safeguard Federation MetaData and leave the window open without clicking OK.
2. Open the Safeguard Federation file downloaded into a text editor.
Copy the entityID attribute of the element (including the http:// part)
3. Login to Azure as a tenant admin, browse to the AAD admin portal, click on Enterprise Applications and hit the + to add a new application.
Click Create your own application, then enter a name and select Integrate any other application you don’t find in the gallery. Click Set up single sign on, then choose SAML, then edit the Basic SAML Configuration
4. Enter the EntityID from step 2 in the Identifier (EntityID) field. In the Reply URL field, enter all the possible reply URLs (that is, all the possible endpoints you can logon to Safeguard at). These are constructed as follows:
Where is the appliance FQDN(s), the VIP name, and the appliance IP address(es).
5. Scroll down and download the Federation Metadata XML.
6. Assign the required users to Enterprise Application
7. Back to Safeguard, click Browse and select the Federation Metadata downloaded from Azure and then click OK to save.
8. Ensure the users you want to login via Azure Federation, are set to the this new authentication provider and have the correct claim set.
Step 2: Modify the Attributes & Claims for this Enterprise App in Azure AD
Edit the Attributes & Claims to use only one claim that will be sent to SPP:
In Azure AD > Click on Enterprise Application > Click on the App name > select Single Sign-On
- Click edit next to Attributes & Claims
- Click on the claim listed under Required Claim as Unique User Identifier (Name ID)
- Leave the Name Identifier format set as: Email Address
- Modify the source attribute value to either: user.userprincipalname OR user.mail (based on your preference)
- Remove all other claims listed under "Additional Claims" by clicking on the three dots > Delete for each of these other claims as shown below.
Step 3: Match SPP AD attribute (External Federation Authentication) with the Required Claim configured in the Enterprise App
In SPP > under Identity and Authentication > Edit the Active Directory provider > Attributes:
- Look for External Federation Authentication
This is set to mail by default and needs to match what is configured in the Enterprise Application Required Claim as the Unique User Identifier (Name ID)
So if you set the Required Claim for Unique User Identifier (Name ID) as user.userprincipalname then the External Federation Authentication attribute in SPP must match it and set as: userPrincipalName
Likewise if this Required Claim for Unique User Identifier (Name ID) was set as user.mail then the External Federation Authentication attribute in SPP must be set to match it as: mail