Configuring Microsoft’s Azure AD Federation with Safeguard (4360719)

Step 1: Add a new External Federation for Azure in SPP and Create an Enterprise App in Azure AD

1.  From Settings | Identity and Authentication, add a new External Federation. Enter name, description, and the realm (the realm should be the email or UPN suffix that users use to logon to Azure such as yourdomain.com). Click Download Safeguard Federation MetaData and leave the window open without clicking OK.

2. Open the Safeguard Federation file downloaded into a text editor.
Copy the entityID attribute of the element (including the http:// part)

3. Login to Azure as a tenant admin, browse to the AAD admin portal, click on Enterprise Applications and hit the + to add a new application.
Click Create your own application, then enter a name and select Integrate any other application you don’t find in the gallery. Click Set up single sign on, then choose SAML, then edit the Basic SAML Configuration

4. Enter the EntityID from step 2 in the Identifier (EntityID) field. In the Reply URL field, enter all the possible reply URLs (that is, all the possible endpoints you can logon to Safeguard at). These are constructed as follows:

https://name/RSTS/Login

Where is the appliance FQDN(s), the VIP name, and the appliance IP address(es). 

5. Scroll down and download the Federation Metadata XML.

6. Assign the required users to Enterprise Application

7. Back to Safeguard, click Browse and select the Federation Metadata downloaded from Azure and then click OK to save.

8. Ensure the users you want to login via Azure Federation, are set to the this new authentication provider and have the correct claim set.

Step 2: Modify the Attributes & Claims for this Enterprise App in Azure AD

Edit the Attributes & Claims to use only one claim that will be sent to SPP:

- Click edit next to Attributes & Claims

- Click on the claim listed under Required Claim as Unique User Identifier (Name ID)

- Leave the Name Identifier format set as: Email Address 

- Modify the source attribute value to either: user.userprincipalname OR user.mail (based on your preference)

- Remove all other claims listed under "Additional Claims" by clicking on the three dots > Delete for each of these other claims as shown below.

Step 3: Match SPP AD attribute (External Federation Authentication) with the Required Claim configured in the Enterprise App

In SPP > under Identity and Authentication > Edit the Active Directory provider > Attributes:

- Look for External Federation Authentication

This is set to mail by default and needs to match what is configured in the Enterprise Application Required Claim as the Unique User Identifier (Name ID)