Skip to content

Set Up an Azure AD SAML Application

Ensure that you have Administrator access to your Azure Account and Privacera.

Perform the following steps to create and configure an Azure AD SAML Application for Single Sign-On (SSO):

Step 1: Log in to Your Azure Console

  1. Log in using your administrator credentials.

Step 2: Create a New Application

  1. In the Admin Console, go to Enterprise Applications.
  2. Click New Application.
  3. Search for Microsoft Entra SAML Toolkit and select it.
  4. In the Create Application popup, provide a name for your application.
  5. Click Create.

The application gets created with the specified name, and a new configuration screen will appear.

Step 3: Getting Startedar.

  1. On the configuration screen, Select Set up single sign on.
  2. Choose SAML from the available options.

Step 4: Configure SAML Settings

  1. In the Base SAML Configuration section, fill in the following fields:

    Field Value Example
    Identifier (Entiry ID) privacera_portal
    Reply URL (Assertion Consumer Service URL) Self-Managed: https://PORTAL_HOST/saml/SSO
    PrivaceraCloud: https://privaceracloud.com/SingleSignOnService/receiveResponse
    Sign On URL Self-Managed: https://PORTAL_HOST/saml/SSO
    PrivaceraCloud: https://privaceracloud.com/SingleSignOnService/receiveResponse

  2. Scroll down to the Attribute & Claims section to map user attributes:

    Claim Name Type Value Optional/Required
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name SAML user.userprincipalname Required
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress SAML user.mail Required
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname SAML user.givenname Optional
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname SAML user.surname Optional

  3. Click Next to proceed.

Step 5: Obtain Federation Metadata XML and URL

  1. Go to the SAML Certificates section.
  2. Locate the Federation Metadata XML.
  3. Click Download to obtain the metadata XML file.
  4. Copy the Login URL URL for the Identity Provider Url in Privacera Portal.

Step 6: Assign Users to the Application

  1. Go to the Users and Groups menu in the left navigation panel.
  2. Click Add User/Group and select the desired users or groups from the list.
  3. After selecting the users or groups, click Assign.

Important

Ensure users are already mapped to the appropriate groups in Azure AD before assigning them to the application.

Step 7: Optional - Configure Group Attribute

  1. Go to the Single Sign-On tab and scroll down to the Attributes & Claims section.
  2. Click Add a group claim.

  3. In the Group Claim popup.

    a. For the Which groups associated with the user should be returned in the claim? option, select All groups.

    b. From the Source attribute dropdown, choose sAMAccountName.

  4. Click Save.

You have now successfully configured an Azure SAML application for SAML SSO in the Azure console. This application is ready to integrate with the Privacera Portal.

Configure Azure AD in your Privacera Account.

Perform the following steps to configure Azure Ad integration in the Privacera Self-Managed (Portal).

Step 1: SSH into Privacera Instance

SSH into the instance where Privacera is installed.

Step 2: Run the following command to navigate to Privacera Manager Directory:

Bash
1
cd ~/privacera/privacera-manager

Step 3: Copy the saml Sample Configuration File

Copy the sample saml configuration file to the custom configuration directory.

Bash
1
cp config/sample-vars/vars.portal.saml.aad.yml config/custom-vars/

Step 4: Edit the Configuration File

Open the configuration file using a text editor.

Bash
1
vi config/custom-vars/vars.portal.saml.aad.yml

Uncomment and edit the following properties:

YAML
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
SAML_ENTITY_ID: "privacera_portal"
SAML_BASE_URL: "https://<your-privacera-host>:6868"
PORTAL_UI_SSO_ENABLE: "true"
PORTAL_UI_SSO_URL: "saml/login"
PORTAL_UI_SSO_BUTTON_LABEL: "Azure AD Login"
AAD_SSO_ENABLE: "true"

SAML_EMAIL_ATTRIBUTE: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
SAML_USERNAME_ATTRIBUTE: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
SAML_LASTNAME_ATTRIBUTE: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
SAML_FIRSTNAME_ATTRIBUTE: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"

If you have configured Group Attribute, uncomment and edit the following properties:

YAML
1
SAML_GROUP_ATTRIBUTE: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

Step 5: Upload the Renamed Metadata XML File to Privacera

  1. Locate the metadata XML file downloaded in Step 5. It is typically saved in the Downloads folder or the location where you chose to save it.
  2. Rename the file to privacera-portal-aad-saml.xml

Step 6: Upload or Copy the File to Privacera Manager's Custom Properties Folder

Option 1: Using SCP (for Remote Servers)

  1. Open a terminal and run the following command to upload the file to the Privacera Manager’s custom properties folder:
    Bash
    1
    scp ./privacera-portal-aad-saml.xml user@<server-ip>:~/privacera/privacera-manager/config/custom-properties/
    Replace <server-ip> with your server’s IP address and user with your username.

Option 2: Copy-Paste Locally

  1. If the file is on the same server, move the privacera-portal-aad-saml.xml file to the home directory.

  2. Use the following command to copy it to the custom properties folder:

    Bash
    1
    cp ./privacera-portal-aad-saml.xml ~/privacera/privacera-manager/config/custom-properties/

Note

Ensure the privacera-portal-aad-saml.xml file is in the correct directory before running the cp command.

Step 7: Update Privacera Manager

  1. Navigate to the Privacera Manager directory:
    Bash
    1
    cd ~/privacera/privacera-manager/
  2. Run the following command to update Privacera Manager:
    Bash
    1
    ./privacera-manager.sh update

Step 8: (Optional) Restart Privacera Portal in an Azure Kubernetes Environment

If you are configuring SSL in an Azure Kubernetes environment, restart the Privacera Portal to apply the changes.

Bash
1
./privacera-manager.sh restart portal

Step 9: (Optional) Role Mapping For Azure AD

Role mapping allows you to translate roles or groups from your Azure AD Identity Provider (IdP) into specific roles within Privacera. This ensures that users have the correct permissions and access when they log into Privacera.

What is Role Name Attribute?

The Role Name Attribute in your Identity Provider (IdP) contains the user's roles or group information. This attribute is used to identify the roles or groups the user belongs to in the IdP.

What is Role Mapping?

Role Mapping configures how roles or groups from the Identity Provider map to roles within the Privacera Portal:

  • If a match is found, the mapped Privacera role is assigned to the user.
  • If no match is found, the default role specified in the PORTAL_SSO_DEFAULT_USER_ROLE property is assigned. If this property is not configured, the ROLE_USER is applied by default.

Tip

Assign roles or groups from your Azure AD Identity Provider (IdP) to corresponding roles in the Privacera Portal for effective user access management.

Perform the following steps to access the SAML Role mapping settings on Privacera portal:

  1. Go to the Settings menu.
  2. Navigate to SSO Role Mapping.
  3. Select the SAML tab.
  4. Enter the role mapping details as per your requirements.

Reference image of Role Mapping form Privacera: Role Mapping

Example:

  • Mapped Privacera Role: ROLE_SYS_ADMIN
  • Identity Provider (IdP) Role or Group: saml_admin

In this example, if a user has the saml_admin role in Azure AD, they will be automatically assigned the ROLE_SYS_ADMIN role in Privacera.

Step 10: Verify SSO Login

After completing the setup, go to the Privacera Portal login page. An SSO Login button should be visible. Click it to log in using your Azure AD credentials.

Perform the following steps to access the Single Sign-On settings:

  1. Go to the Settings menu.
  2. Select Identity.
  3. Click on Single Sign-On.

Reference image from PrivaceraCloud for better guidance: Azure Application

Display Name Description Example Value Optional/Required
Entity Id Entity ID for SAML configuration privacera_portal Required
Identity Provider Url Identity Provider URL https://login.microsoftonline.com/5axxx6xx-xxxx-xxxx-xxxx-xxxxxx33x5xe/saml2 Required
Identity Provider Metadata Metadata (XML file) sso_saml_darth.xml Required
UserId UserName attribute for SAML user http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name Required
Email Email attribute for SAML user http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name Required
FirstName FirstName attribute for SAML user http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname Optional
LastName LastName attribute for SAML user http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname Optional

Important

  • Entity ID: Used to configure the Identity Provider (IdP).
  • Identity Provider URL: The URL obtained in Step 5, where users will be redirected for SSO login.
  • Identity Provider Metadata: Use the Metadata XML file downloaded in Step 5 for seamless SSO configuration.
  • User Attributes: Ensure that the correct user attributes (UserId, Email, FirstName, LastName) are mapped from Azure AD to Privacera.

These variables ensure seamless integration between Azure AD and Privacera for SAML-SSO.

Role Mapping For Azure AD

Role mapping allows you to translate roles or groups from your Identity Provider (IdP) — such as Okta, Ping Identity, OneLogin, Azure AD etc. — into specific roles within Privacera. This is crucial for ensuring that users have the correct permissions and access when they log into Privacera.

What is Role Name Attribute?

The Role Name Attribute in your Identity Provider (IdP) contains the user's roles or group information. This attribute is used to identify the roles or groups the user belongs to in the IdP.

What is Role Mapping?

Role Mapping configures how roles or groups from the Identity Provider map to roles within the Privacera Portal:

  • If a match is found, the mapped Privacera role is assigned to the user.
  • If no match is found, the default role, ROLE_USER, is automatically assigned to the user.
Variable Name Description Example
Role Name Attribute Role name attributes for user. department
Role Mapping Role mapping for user. Identity Provider (IdP) Role: example_role → Example Role: ACCOUNT_ROLE

Reference image of Role Mapping form PrivaceraCloud: Role Mapping

Example:

  • Identity Provider (IdP) Role or Group: ad_group_admin
  • Mapped Privacera Role: ROLE_POLICY_ADMIN

In this example, if a user has the role ad_group_admin in Azure, they will automatically be assigned the ROLE_POLICY_ADMIN role in Privacera.

Important

Role mapping is applied only to users created after the mapping configuration is set up.

Properly configuring role mapping ensures that users are granted with the appropriate access levels in Privacera based on their roles or group memberships in the Identity Provider (IdP). This streamlines user management and provides seamless integration with your organization’s existing identity infrastructure.

After completing the configuration, test the setup by logging in to PrivaceraCloud using your Azure credentials. By doing so, you can verify that Single Sign-On (SSO) is functioning correctly.

Comments