Question - SAML Configuration for Azure AD

If you are new to SAML but want to have single sign on working between Eramba and Azure AD, hopefully the below instructions will help you. There is an assumption that you have already installed and initialised Eramba.

  1. Log in to Azure AD (AAD) with a user that has the ability to create Enterprise Apps (This will typically be one of: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal).

  2. Create a new Security Group in Azure AD (e.g. GRP-Eramba-Users) so you can limit which AAD users can actually authenticate or log in to Eramba. Note, authorisation is still defined in Eramba not AAD so only one group of users is needed. (You may be able to create a dynamic group to minimise administration of adding/removing users in the future - e.g. using tags or other AAD user attribute)

2.1 If you created a static group (most likely), then Add users from AAD who you want to be able to access Eramba. (If you created a dynamic group, check the “members” of the group to verify if the right users have been dynamically added).

  3. In AAD, go to Enterprise Applications in the menu and create a new application. It will ask you to name the app and choose “what you are going to do with your app” - for this option, select “Integrate any other application you don’t find in the gallery (Non-gallery)”

3.1 Once the App has been created, within the new App, go to “Users and Groups” in the menu, then Add/Assign the new group you created in Step 2.

3.2 Next go into “Single sign-on” in the menu, then select the SAML button.

3.3 You will be presented with several numbered Sections. Take the following actions:

3.3.1 In Section 1 (Basic SAML Configuration), click Edit, then add/modify as follows (replacing with values relevant to your environment):

   **Identifier (Entity ID):** https://<FQDN of your instance of eramba>/samlConnectors/getMetadata

   **Reply URL (Assertion Consumer Service URL):** https://<FQDN of your instance of eramba>/login

   **Relay State:** https://<FQDN of your instance of eramba>/dashboard-new

   **Logout Url:** https://<FQDN of your instance of eramba>/users/logout

3.3.2  In Section 2 (User Attributes & Claims), click Edit, then follow below:

   **Under "Additional Claims"**, locate the claim that has a value of user.mail, and copy the corresponding claim name (e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) and paste to a separate doc/file/note for now.

3.3.3 In Section 3 (SAML Signing Certificate):

   Copy the value contained in the "App Federation Metadata URL" field to a doc/file/note. It should look something like this: https://login.microsoftonline.com/<random-string>/federationmetadata/2007-06/federationmetadata.xml?appid=<random-string>

   Click the Download link next to Certificate (Base64) and remember where you saved it.

3.3.4 In Section 4 (Set up <name of your Enterprise App>):

   Copy the value contained in the Login URL field to a doc/file/note.

  4. Now log in to Eramba with your admin account and go to System > Settings > SAML Connectors. Then under Actions click Add.

4.1 Add the following configuration:

 **Name:** Choose a name that describes the connector, e.g. Azure AD SSO

 **Identity Provider:** Paste in the value for App Federation Metadata URL you captured in 3.3.3

 **IDP x509 Certificate:** Using a Text Editor, open the certificate you downloaded in 3.3.3 and copy its contents and paste in this field.

 **Remote sign in URL:** Paste in the Login URL from 3.3.4

 **Email field:**  Paste in the Claim name you copied in step 3.3.2

 Leave everything else as default and click Save.

  5. In Eramba, go to System > Settings > Authentication. Under SAML Authentication there is a drop down field, choose the newly created SAML Connector (e.g. Azure AD SSO)

  6. Now you can create users that will use Azure AD to authenticate. In Eramba, go to System > Settings > Users, then click Add under the Actions menu. The key values of note when adding a new user are:

 **Email:** use the email address configured in Azure AD for the user you are adding - must match exactly

 **Login Name:** again use the exact email address that is configured in Azure AD for the user you are adding, as this is what Eramba will try and match against.

 **Local Account:** make sure this switch is disabled

 **Portal:** choose Main as I don’t believe the other portals are SSO enabled.

 **Groups:** add the user to whichever groups you see fit (as mentioned in Step 2, this is what decides what a user can do in Eramba after they have logged in)

 Click Save.

  7. Test the login!

If it doesn’t work, then it is highly likely one of the steps has not been followed above or there is a typo or mismatch in configuration. Go through each step, line by line and verify your configuration. The SAML and SSO configuration works just fine in Azure AD and Eramba e2.20.6.

Many thanks to Sam @ eramba who helped guide me in the right direction in order to debug my problems with setting this up.

Thanks,
Prav

good stuff!!!

Thanks a lot for the guide! I have just spent a good part of the day getting SAML to work with Azure AD and would like to add two details:

  • Had to set Authentication Context to Disable otherwise it wouldn’t work with our MFA setup.

  • If I pasted the certificate info including the “-----BEGIN/END CERTIFICATE-----” header/footer the login would fail with a “The user account is not enabled for this portal” message. After having spent some time looking through the code (and digging out the actual error message from the SAML library), I determined that the SAML response couldn’t be properly verified. Removing the header/footer in the certificate configuration fixed it.

Now I will just wait for a feature to enable just-in-time user creation for SAML (or Azure AD Oauth/Open ID Connect?) so that we can get rid of LDAP. Or SCIM provisioning perhaps? :slight_smile:

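As an added example (not code from this thread, from Eramba or from Microsoft), the Python below pulls the values step 4.1 asks for out of an Azure AD federation metadata document (the redirect-binding Login URL and the advertised signing certificate) and normalises a downloaded Certificate (Base64) file the way the previous reply describes: the `-----BEGIN/END CERTIFICATE-----` lines and all whitespace are stripped so that only the base64 body is pasted into the "IDP x509 Certificate" field, and the body is rejected if it does not decode to something DER-shaped. The metadata document, the tenant id and the certificate bytes are constructed placeholders; the certificate is only a base64 blob with an ASN.1 SEQUENCE header, not a real certificate.

```python
"""Pre-flight helper for an Eramba SAML connector fed from Azure AD metadata.

Added example, not Eramba or Microsoft code. The metadata document, the
certificate bytes and the tenant identifier below are constructed
placeholders so the script runs offline.
"""
import base64
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PEM_MARKERS = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")

# Constructed stand-in for a DER certificate: an ASN.1 SEQUENCE header plus
# filler. It is NOT a real certificate; only its shape is checked below.
FAKE_DER = b"\x30\x82\x01\x00" + b"\x00" * 256
FAKE_CERT_B64 = base64.b64encode(FAKE_DER).decode("ascii")
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id

# Constructed metadata in the shape of Azure AD's federationmetadata.xml.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def normalize_cert(text):
    """Strip PEM armour and whitespace; reject input that is not base64 DER."""
    body = re.sub(r"\s+", "", PEM_MARKERS.sub("", text))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes do not start with an ASN.1 SEQUENCE")
    return body


def parse_idp_metadata(xml_text):
    """Return entity ID, redirect-binding SSO URL and signing certs (bare base64)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = [
        normalize_cert(el.text or "")
        for el in idp.findall(
            "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
        )
    ]
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_REDIRECT:
            sso_url = svc.get("Location")  # this is the "Remote sign in URL"
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "signing_certs": certs}


def as_pem(body):
    """Wrap a bare base64 body in the armour a downloaded .cer file carries."""
    lines = "\n".join(textwrap.wrap(body, 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


def cert_matches_metadata(pem_text, metadata):
    """True if the downloaded certificate is one the IdP currently advertises."""
    return normalize_cert(pem_text) in metadata["signing_certs"]


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    downloaded = as_pem(FAKE_CERT_B64)  # constructed stand-in for the .cer file
    print("Remote sign in URL :", meta["sso_url"])
    print("Cert in metadata   :", cert_matches_metadata(downloaded, meta))
    print("IDP x509 value     :", normalize_cert(downloaded)[:40], "...")
```

Comparing the downloaded certificate against what the metadata URL currently advertises is the useful part: Azure AD metadata can list more than one signing key during a certificate rollover, and a connector whose pasted certificate is no longer advertised will fail signature verification in exactly the way the previous reply describes.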

New to Eramba here, just wanted to say thank-you for this. Worked perfectly!


When using Online Assessments with SAML, the Azure AD users will receive an error message regarding the reply URL.

AADSTS50011: The reply URL ‘https:///portal/vendor-assessments/login’ specified in the request does not match the reply URLs configured for the application ‘https:// /samlConnectors/getMetadata’. Make sure the reply URL sent in the request matches one added to your application in the Azure portal. Navigate to Error AADSTS50011 - The reply URL specified in the request does not match the reply URLs configured for the application <GUID>. - Azure | Microsoft Learn to learn more about how to fix this.

I resolved this by adding a second Reply URL in the Azure AD configuration (from step 3.3.1). The reply URL added: “https:///portal/vendor-assessments/login”

This solved the authentication issues for my Azure AD users.

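The reply URL check from the post above, as an added example (not Eramba's or Microsoft's code): given the Eramba base URL it derives the two ACS URLs this thread mentions (`/login` from step 3.3.1 and `/portal/vendor-assessments/login` from the Online Assessments error) and compares them with the Reply URLs registered on the Azure AD application, reporting entries that are missing outright and entries that differ only by case or a trailing slash. Exact string matching is an assumption made here as the conservative reading of AADSTS50011; the base URL and configured list are constructed.

```python
"""Check that the Reply URLs registered in Azure AD cover every ACS URL
Eramba can send. Added example, not Eramba or Microsoft code; the base URL
and the configured list are constructed."""
from urllib.parse import urlsplit

# ACS paths seen in this thread: the main login and the vendor-assessment portal.
ERAMBA_ACS_PATHS = ("/login", "/portal/vendor-assessments/login")


def eramba_acs_urls(base_url):
    """Expected Reply URLs for one Eramba instance, derived from its base URL."""
    base = base_url.rstrip("/")
    return [base + path for path in ERAMBA_ACS_PATHS]


def _loose_key(url):
    """Normalised form used only to spot near misses (case, trailing slash)."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower(), u.path.rstrip("/").lower(), u.query)


def check_reply_urls(base_url, configured):
    """Return (missing, near_misses).

    missing: ACS URLs with no entry in the configured list at all.
    near_misses: ACS URLs whose only configured counterpart differs by case
    or a trailing slash. Exact string matching is assumed (the conservative
    reading of AADSTS50011), so near misses still need fixing.
    """
    exact = set(configured)
    loose = {_loose_key(c) for c in configured}
    missing, near = [], []
    for acs in eramba_acs_urls(base_url):
        if acs in exact:
            continue
        (near if _loose_key(acs) in loose else missing).append(acs)
    return missing, near


if __name__ == "__main__":
    # Constructed example: only the main login was registered, as in the post above.
    configured = ["https://grc.example.com/login"]
    missing, near = check_reply_urls("https://grc.example.com", configured)
    for url in missing:
        print("MISSING reply URL:", url)
    for url in near:
        print("NEAR MISS (case/trailing slash):", url)
```

Run it before assigning users to the Enterprise App; a second portal or a later Eramba feature that introduces another ACS path only needs to be added to `ERAMBA_ACS_PATHS`.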

Thanks so much for these instructions - this saved me so much hassle! I still had some trouble setting it up, but mostly because I wasn’t reading the instructions properly :slight_smile:
