Azure Active Directory

Overview

This document describes how to set up SAML federation between Nile, which uses Okta as the service provider (SP), and Azure Active Directory (Azure AD) as the identity provider (IdP). Integrating Azure AD with the Nile Access Service is an important step in establishing a secure, zero-trust campus network aligned with Nile's architectural principles. With the integration in place, your existing Azure AD infrastructure authenticates users and devices, so access controls and policies stay consistent across the network.

This guide walks through the steps needed to set up the Azure AD enterprise application, configure the Nile identity provider, and map Azure AD groups to Nile access groups.

Requirements

- Administrator rights to the Nile Customer Portal
- Administrator rights to Azure AD
- The same Nile Customer Portal administrator must also exist as a user in Azure AD

Azure AD Enterprise Application Setup

1. Sign in to the Microsoft Azure portal (https://portal.azure.com).
2. Click the portal menu icon in the top left and navigate, from the left pane, to the Enterprise applications page.
3. On the Enterprise applications page, click New application.
   Figure: Azure enterprise applications page
4. On the Browse Azure AD gallery page, click Create your own application, then click Create. The overview page of the new Nile application opens.
   Figure: Azure org overview page
5. On the Nile overview page, click Assign users and groups.
6. On the Users and groups page, click Add user/group, select the user(s) to assign to the application, and click Assign.
   Figure: Azure organization Users and groups page; Azure organization Add assignment page
7. Click Single sign-on in the left menu. Under Select a single sign-on method, click the SAML panel.
   Figure: Azure organization Select single sign-on method page
8. On the Set up Single Sign-On with SAML page, in the Basic SAML Configuration section, click Edit. Enter temporary values for Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL); Azure AD needs these before it will generate the signing certificate for download. Click Save in the top bar. The real values are entered after the Nile Customer Portal provider setup in the next section.
9. Back on the Set up Single Sign-On with SAML page, in the Attributes & Claims section, click Edit. Edit each claim one by one. Nile expects the attribute names exactly as listed here, with no schema namespace URI in front of them:
   - user.mail: click the claim line to open it, delete the namespace URI, change the name to mail, and click Save.
   - user.givenname: delete the namespace URI, rename givenname to firstName, and click Save.
   - user.userprincipalname: delete the namespace URI and click Save.
   - user.surname: delete the namespace URI, rename surname to lastName, and click Save.
   - Add a new claim for the mobile attribute: Name mobile, Source "Attribute", Source attribute user.mobilephone. Click Save.
   - Add a new claim for the displayName attribute: Name displayName, Source "Attribute", Source attribute user.displayname. Click Save.
   - Add a group claim for the memberOf attribute: select the All groups option, check Customize the name of the group claim, and click Save.
   Note: Azure AD caps the number of groups it places in a SAML token (150). A user who belongs to more groups than that receives a groups overage indicator instead of the group list, and the memberOf-based group rules configured later will not match for that user. In large directories, emitting only the groups assigned to the application avoids this.
10. Download the SAML Signing Certificate. It is uploaded to the Nile Customer Portal later, when Azure AD is added as a provider.
11. Make a note of the Azure AD Identifier and the Login URL; both are entered in the Nile Customer Portal provider setup. For illustration purposes only, the values in this example (the GUID is the tenant ID) are:
    Azure AD Identifier: https://sts.windows.net/f8b44d9b-778d-47da-9391-6249440b17a9/
    Login URL: https://login.microsoftonline.com/f8b44d9b-778d-47da-9391-6249440b17a9/saml2
12. To be done after completing the next section: once Azure AD has been added as an identity provider in the Nile Customer Portal, replace the temporary Identifier and Reply URL in the Basic SAML Configuration section of the Nile app with the actual values taken from the metadata XML file downloaded from the portal.

Nile Customer Portal Identity Provider Setup

1. Log in to the Nile Customer Portal (https://www.nile-global.cloud) as an administrator.
2. Go to Settings > Global Settings > Identity and click Add a new provider.
3. Fill in the fields in the New Provider window as follows:
   - Name: an appropriate string to name the provider
   - IdP Issuer URI: the Azure AD Identifier noted in the previous section
   - IdP SSO URL: the Azure AD Login URL noted in the previous section
   - Destination URL: the Azure AD Login URL noted in the previous section
   - Select Certificate: upload the SAML Signing Certificate downloaded previously
   This certificate is what the SP uses to verify the signature on assertions coming from Azure AD. Azure AD signing certificates carry an expiry date; when the certificate is renewed or rotated in Azure AD, upload the new one here, otherwise sign-ins fail signature verification.
4. Click Submit to save the changes and add the new Azure AD provider.
5. Click the Metadata button to download the metadata file. Open the downloaded file in a text editor and search for the entityID and Location strings. Save both values; they are used to complete the Azure AD enterprise application configuration. For illustration purposes only, the values used in this example are:
   entityID: https://www.okta.com/saml2/service-provider/spchehmcqiylhitxumru
   Location: https://login.u1.nile-global.cloud/sso/saml2/0oaah83qput5trtmy5d7
6. Go back to the Nile enterprise app created in Azure AD, open Basic SAML Configuration, and click Edit. Replace the temporary Entity ID and Reply URL with the entityID and Location values collected above, then click Save. This completes the Azure AD enterprise app (Nile) configuration; verify the values on the Single sign-on page.

It is assumed that the administrator credentials belong to a domain in Azure AD, and that this domain is already an allowed domain on the Nile Customer Portal.

Note: at this point the Azure AD provider configuration is complete, and SSO users gain internet access by signing in with their AD credentials.

Group Mapping

Group mapping maps a designated Azure AD admin group to a Nile Customer Portal administrator group. This requires a group rule, added on the Nile Customer Portal as shown in the following steps. The example maps an AD admin group, nileadmin, to the Nile Customer Portal Administrator group, and a nilemonitor group to the Nile Customer Portal Monitor Admin group.

1. Click the Group Rules tab.
2. Click Add group mapping, add the group name to the Friendly Name and External Name fields, and click Save.
3. Click Add group rule and add two rules that map members of the two AD groups (nileadmin and nilemonitor in this example) to the Nile Customer Portal Administrator and Monitor groups respectively, by evaluating the memberOf attribute value carried in the SAML assertion from Azure AD. For each rule:
   - Name: an appropriate rule name
   - Mapping value: the Azure AD group object ID (the GUID of the group, not its display name; the memberOf claim carries object IDs)
   - Assigned groups: select the appropriate Nile group from the drop-down list
   Click Save. After adding the two rules, both are listed in the Group Rules pane.
4. Activate the two rules by clicking the Inactive button on each to change its state to Active. Rules left Inactive are not evaluated.

PSK SSO SSID Setup

1. Log back in to the Nile Customer Portal and go to the Settings → Segments page to create the PSK SSO segment.
2. Click ⊕ to add a new segment and type a meaningful segment name (Demo PSK SSO in this example).
3. On the Service Area tab, select the DHCP server and scope.
4. On the Advanced tab, check URL Allow List and use the add control to enter the following DNS names one at a time. These are the Microsoft sign-in hosts a client must reach before it is authenticated; if the sign-in page fails to load, inspect the browser's redirect chain and add any host that is missing from the list.
   azure.microsoft.com
   amp.azure.net
   dev.azure.com
   amcdn.msftauth.net
   trafficmanager.net
   omegacdn.net
   azureedge.net
   aadcdn.msftauth.net
   msidentity.com
   aadcdn.msauth.net
5. Click Save to complete the addition of the new segment.
6. Go to the Settings → Wireless page to create the PSK SSO SSID:
   - Select the ‘…’.
   - Type the desired SSID name.
   - Select the ….
   - Check the ‘…’ option.
   - Enter the pre-shared key.
   - Select the previously created PSK SSO segment.
   - Click Save to complete the PSK SSO SSID creation.
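The two places where this integration most often goes wrong are the hand-copied entityID and Location values from the Nile metadata file, and claims that still carry their schema namespace URI or that never contain the expected group object IDs. The following Python script is an added example, not code from Nile or from this guide. It parses a constructed SP metadata file in the shape the portal's Metadata button returns, then inspects a constructed Azure AD SAML response the way the group rules do: it flags namespaced or missing claim names, detects the groups overage marker, and resolves memberOf object IDs to Nile groups through a rule table. All identifiers, URLs and group IDs in it are placeholders. It does not verify XML signatures; that is the SP's job, using the certificate uploaded in the provider setup.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed SP metadata in the shape the portal's Metadata button returns.
# Both identifiers are placeholders, not values from a real tenant.
SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.okta.com/saml2/service-provider/spEXAMPLE">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.example.nile-global.cloud/sso/saml2/0oaEXAMPLE"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed Azure AD SAML Response with the claims edited as the guide describes:
# names stripped of their schema namespace, plus a memberOf group claim carrying
# group object IDs. Signature elements are omitted; this example inspects claims
# only and performs no signature validation.
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://login.example.nile-global.cloud/sso/saml2/0oaEXAMPLE">
  <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mobile"><saml:AttributeValue>+1 555 0100</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000001</saml:AttributeValue>
        <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000099</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Group rules as configured in the portal: Mapping value is the Azure AD group
# object ID (made up here), Assigned group is the Nile portal group.
GROUP_RULES = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "Administrator",  # nileadmin
    "11111111-aaaa-4bbb-8ccc-000000000002": "Monitor Admin",  # nilemonitor
}

EXPECTED_CLAIMS = {"mail", "firstName", "lastName", "displayName", "mobile", "memberOf"}
# Attribute Azure AD emits instead of the group list when the user is in more
# groups than fit in the token.
GROUP_OVERAGE = "http://schemas.microsoft.com/claims/groups.link"


def sp_values(metadata_xml: str) -> dict:
    """Pull the two values Azure AD's Basic SAML Configuration needs from SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs = root.find(".//md:AssertionConsumerService", NS)
    return {"identifier": root.attrib["entityID"], "reply_url": acs.attrib["Location"]}


def claims(response_xml: str) -> dict:
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(response_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        out[attr.attrib["Name"]] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return out


def claim_problems(attrs: dict) -> list:
    """Names the group rules will not match: claims still carrying a namespace URI,
    expected claims that are absent, or the groups overage marker."""
    problems = [f"namespaced claim: {n}" for n in attrs
                if n.startswith("http") and n != GROUP_OVERAGE]
    problems += [f"missing claim: {n}" for n in sorted(EXPECTED_CLAIMS - set(attrs))]
    if GROUP_OVERAGE in attrs:
        problems.append("group overage: memberOf omitted, too many groups for the token")
    return problems


def nile_groups(attrs: dict, rules: dict) -> list:
    """Evaluate the group rules: each memberOf object ID with a rule yields its Nile group."""
    return sorted({rules[g] for g in attrs.get("memberOf", []) if g in rules})


if __name__ == "__main__":
    print(sp_values(SP_METADATA))
    attrs = claims(SAML_RESPONSE)
    print(claim_problems(attrs), nile_groups(attrs, GROUP_RULES))
```

Running it against the constructed response resolves the user to the Administrator group only, because the second object ID has no rule. Re-introducing a namespace on the mail claim, or swapping memberOf for the groups.link overage attribute, makes claim_problems report exactly the condition that would leave a real user without the mapped role, which is the check worth running when a freshly onboarded administrator signs in but lands with no privileges.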