Azure Active Directory Integration
This document is designed to assist with the setup of SAML federation between Nile, leveraging Okta as a Service Provider (SP), and Azure Active Directory (AD) as the Identity Provider (IdP). Integrating Azure AD with the Nile Access Service is an important step in establishing a secure, zero-trust campus network aligned with Nile's architectural principles.
By configuring this integration, you can leverage your existing Azure AD infrastructure to authenticate users and devices, ensuring consistent access controls and policies across your network. This guide will walk you through the necessary steps to set up the Azure AD enterprise application, configure the Nile Identity Provider, and map Azure AD groups to Nile access groups.
- Administrator rights to the Nile Customer Portal.
- Administrator rights to Azure AD.
- The same Nile Customer Portal administrator must also exist as a user in Azure AD.
Sign in to the Microsoft Azure portal: https://portal.azure.com
- Click the portal menu icon in the top left, and select
- In the left pane, under
- On the Enterprise applications page, click “New application”
- On the “Browse Azure AD Gallery” page, click “Create your own application”.
- Click Create.
- On the Nile Overview page:
- Click “Assign users and groups”.
- On the Users and groups page: Click on “Add user/groups”.
- Select user(s) to assign to the application:
- Click Assign
- Next, click Single sign-on in the left menu.
- Under Select a single sign-on method, click the SAML panel, then click Edit.
- On the Set up Single Sign-On with SAML page, in the Basic SAML Configuration section, click "Edit".
- Enter temporary values for Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) to generate the certificate for download.
- Click on Save (top bar) to save the changes.
- Back on the Set up Single Sign-On with SAML page, in the Attributes & Claims section, click Edit.
- The Attributes & Claims page is presented
- Edit each claim one by one as follows:
- Click on the user.mail claim line to open it for editing and delete the namespace URI. Change the Name to “mail” and click Save.
- Similarly edit user.givenname by deleting the namespace URI and renaming givenname to firstName, and click save.
- Edit user.userprincipalname by deleting the namespace URI, and click Save.
- Edit user.surname by deleting the namespace URI and renaming surname to lastName, and click Save.
- Next, add a new claim for the mobile attribute:
- Name: "mobile"
- Source: "Attribute"
- Source Attribute: "user.mobilephone"
- Click Save
- Add a new claim for the displayName attribute:
- Name: "displayName"
- Source: "Attribute"
- Source Attribute: "user.displayname"
- Click Save
- Add a group claim for the memberOf attribute:
- Select the "All Groups" option.
- Check "Customize the name of this group claim" and set the name to "memberOf" (this is the attribute the Nile group rules evaluate later).
- Click Save
- Download the ‘SAML Signing Certificate’ (to be uploaded later to the Nile Customer Portal when adding Azure AD as a provider):
- Azure AD Identifier: https://sts.windows.net/f8b44d9b-778d-47da-9391-6249440b17a9/
- Login URL: https://login.microsoftonline.com/f8b44d9b-778d-47da-9391-6249440b17a9/saml2
- Make a note of the Azure AD Identifier and the Login URL (to be used in the Nile Customer Portal provider setup).
To be done after completing the next section:
Update the ‘Identifier’ and ‘Reply URL’ in the ‘Basic SAML Configuration’ section of the Nile app with the values from the metadata.xml file downloaded after completing the Nile Customer Portal provider setup in the next section.
Only after Azure AD has been added as an identity provider in the next section can the temporary Identifier and Reply URL values be replaced with the real ones.
Log in to the Nile Customer Portal (https://www.nile-global.cloud) as an administrator.
- Go to Settings -> Global Settings -> Identity
Click on ADD A NEW PROVIDER:
- Fill in the fields in the new provider window as follows:
- Name: An appropriate string to name the provider.
- IdP Issuer URI: Azure AD SAML app Identifier noted in step 15 of the previous section.
- IdP SSO URL: Azure AD SAML app Login URL noted in step 15 of the previous section.
- Destination URL: Azure AD SAML app Login URL noted in step 15 of the previous section.
- SELECT CERTIFICATE: Upload the ‘SAML Signing Certificate’ downloaded previously.
- Click the SUBMIT button to save the changes and add the new Azure AD provider.
Click the METADATA button to download the file.
Open the downloaded file with a text editor, and search for the ‘entityID’ and ‘Location’ strings.
NOTE: Save the entityID and Location values. They are used later to complete the Azure AD enterprise application configuration.
For illustration purposes only, the values used in this example are:
- entityID: https://www.okta.com/saml2/service-provider/spchehmcqiylhitxumru
- Location: https://login.u1.nile-global.cloud/sso/saml2/0oaah83qpuT5TRtMY5d7
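Rather than searching the metadata file by eye, the two values can be pulled out with a small script. This is an added example, not part of the guide or of Nile's tooling; the metadata document below is a constructed sample in the shape an Okta-backed SP exports, reusing the illustrative entityID and Location values from the guide.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace used by the SP metadata the portal exports.
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample in the shape of an Okta-backed SP metadata file; the
# entityID and Location values are the illustrative ones quoted in this guide.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.okta.com/saml2/service-provider/spchehmcqiylhitxumru">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.u1.nile-global.cloud/sso/saml2/0oaah83qpuT5TRtMY5d7"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_metadata_values(xml_text: str) -> dict:
    """Pull the Entity ID and Reply URL for Azure AD's Basic SAML Configuration
    out of the SP metadata instead of reading them off the file by eye."""
    root = ET.fromstring(xml_text)
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    entity_id = root.get("entityID")
    sp = root.find("md:SPSSODescriptor", MD_NS)
    acs = [] if sp is None else sp.findall("md:AssertionConsumerService", MD_NS)
    if not entity_id or not acs:
        raise ValueError("metadata lacks entityID or an AssertionConsumerService")
    # Take the default ACS endpoint; Azure AD posts the assertion to this URL.
    default = [a for a in acs if a.get("isDefault") == "true"] or acs
    reply_url = default[0].get("Location", "")
    if not reply_url.startswith("https://"):
        raise ValueError("Reply URL must be an HTTPS URL")
    return {
        "entity_id": entity_id,
        "reply_url": reply_url,
        # Whether the SP insists on signed assertions from the IdP.
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    print(sp_metadata_values(SAMPLE_METADATA))
```

Run it against the real downloaded metadata.xml by passing the file contents to sp_metadata_values; the entity_id goes into Identifier (Entity ID) and reply_url into Reply URL in Azure AD.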
Go back to the enterprise app (Nile) created on Azure AD, open the ‘Basic SAML Configuration’ section and click Edit.
Replace the temporary values of Entity ID and Reply URL with the values of entityID and Location collected previously.
Click the Save button to save the changes and thus complete the Azure AD enterprise app (Nile) configuration.
Verify your changes on the single sign-on page.
It is assumed that the administrator credentials belong to a domain in Azure AD, and that this domain is already an Allowed domain on the Nile Customer Portal. Note: with the Azure AD provider configuration complete, SSO users gain Internet access after signing in with their AD credentials.
The group mapping maps a designated Azure AD admin group to the Nile Customer Portal Administrator group. A group rule is needed and can be added on the Nile Customer Portal as illustrated in the following steps.
The example that follows maps an AD admin group “NileAdmin” to the Nile Customer Portal Administrator group, and a “NileMonitor” group to the Nile Customer Portal Monitor Admin group.
1. Click the Group Rules tab:
2. Click “Add Group Mapping”:
Add the group name to the “Friendly name” and “External name” fields and click Save.
Next, click ADD GROUP RULE:
Add two group rules to map AD users who are members of two AD groups (NileAdmin and NileMonitor in this example) to the Nile Customer Portal Administrator and Monitor Admin groups respectively, by evaluating the ‘memberOf’ attribute value carried in the SAML assertion from Azure AD:
- Name: An appropriate rule name
- Mapping Value: Azure AD Group object ID
- Assigned groups: Select the appropriate Nile group from the drop-down list
- Click Save.
After adding the two rules, this pane is displayed:
Activate the two rules by clicking the INACTIVE button to change the state to ACTIVE:
Log back in to the Nile Customer Portal.
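To see how the renamed claims from the Attributes & Claims section and the memberOf group rules above fit together, here is an added example (not Nile's or Azure AD's code) that reads a SAML assertion, flags claims that still carry Azure AD's default namespace URI or are missing, and evaluates the two group rules. The assertion and the group object IDs are constructed placeholders; real rules use your tenant's group object IDs.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names the guide has you set on the Azure AD app (namespace URI removed).
REQUIRED_CLAIMS = {"mail", "firstName", "lastName", "displayName", "mobile", "memberOf"}
# Hypothetical group rules: group object ID -> (AD group, Nile group); IDs are placeholders.
GROUP_RULES = {
    "11111111-1111-1111-1111-111111111111": ("NileAdmin", "Administrator"),
    "22222222-2222-2222-2222-222222222222": ("NileMonitor", "Monitor Admin"),
}
# Constructed assertion: the mobile claim still carries the default namespace URI.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobile">
      <saml:AttributeValue>+1 555 0100</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def claims_from_assertion(xml_text: str) -> dict:
    """Map each SAML attribute name to its list of values."""
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        claims[attr.get("Name")] = values
    return claims


def check_claims(claims: dict) -> list:
    """Report claims still carrying a namespace URI, then any expected claim missing."""
    problems = [f"namespace URI not removed: {n}" for n in claims if n.startswith("http://schemas.")]
    problems += [f"missing claim: {n}" for n in sorted(REQUIRED_CLAIMS - set(claims))]
    return problems


def nile_groups(claims: dict) -> list:
    """Evaluate the memberOf group rules; group IDs with no rule are ignored."""
    return [GROUP_RULES[g][1] for g in claims.get("memberOf", []) if g in GROUP_RULES]
```

A user who is in a group with no rule (the second memberOf value here) gets no Nile group from it, which is the intended least-privilege outcome.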
- Go to the Settings → Segments page to create the PSK SSO Segment:
- Click on the ⊕ to add a new segment
- Type a meaningful segment name (for example, Demo PSK SSO)
Go to the ‘Service area’ tab to select the DHCP server and scope:
Go to the ‘Advanced’ tab, check the ‘URL Allow List’ option and click to add the following DNS names one at a time:
- azure.microsoft.com
- amp.azure.net
- dev.azure.com
- *.amcdn.msftauth.net
- *.trafficmanager.net
- *.omegacdn.net
- *.azureedge.net
- *.aadcdn.msftauth.net
- *.msidentity.com
- *.dev.azure.com
- *.aadcdn.msauth.net
Click SAVE to complete the addition of the new segment. The allow list is what a client on this segment can reach before SSO completes, so keep it to the Microsoft sign-in endpoints above.
Go to the Settings → Wireless page to create the PSK SSO SSID:
- Select the ‘
- Type the desired SSID name
- Select the
- Check off the ‘
- Enter the Pre-shared key
- Select the previously created PSK-SSO segment
- Click the SAVE button to complete the PSK-SSO SSID creation.