Azure Active Directory Integration

Overview

This document is designed to assist with the setup of SAML federation between Nile, leveraging Okta as a Service Provider (SP), and Azure Active Directory (AD) as the Identity Provider (IdP). Integrating Azure AD with the Nile Access Service is an important step in establishing a secure, zero-trust campus network aligned with Nile's architectural principles.

By configuring this integration, you can leverage your existing Azure AD infrastructure to authenticate users and devices, ensuring consistent access controls and policies across your network. This guide will walk you through the necessary steps to set up the Azure AD enterprise application, configure the Nile Identity Provider, and map Azure AD groups to Nile access groups.

Requirements

  • Administrator rights to Nile Customer Portal.
  • Administrator rights to Azure AD.
  • The same Nile Customer Portal administrator needs to be a user in Azure AD

Azure AD Enterprise Application Setup

Sign in to the Microsoft Azure portal: https://portal.azure.com

  • Click the portal menu icon in the top left, and select
  • In the left pane, under
  • On the Enterprise applications page, click “New application”
Browse Azure AD Gallery

  • On the “Browse Azure AD Gallery” page, click “Create your own application”.
Azure Enterprise Applications page

  • Click Create.

  • On the Nile Overview page:
Azure Org Overview Page

  • Click “Assign users and groups”.
    • On the Users and groups page, click “Add user/groups”.
Azure Organization Users and Groups Page

Azure Organization Add Assignment Page

  • Select the user(s) to assign to the application.
  • Click Assign.
  • Next, click Single sign-on in the left menu.
Azure Organization Select Single Sign On method Page

  • In Select a single sign-on method, click the SAML panel and click Edit.
  • On the Set up Single Sign-On with SAML page, in the Basic SAML Configuration section, click "Edit".
  • Enter temporary values for Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) so that the signing certificate can be generated and downloaded.
  • Click Save (top bar) to save the changes.

Azure Organization Set up Single Sign On Page

  • Back on the Set up Single Sign-On with SAML page, in the Attributes & Claims section, click Edit.
    • The Attributes & Claims page is presented.

  • Edit each claim one by one as follows:
    • Click on the user.mail claim line to open it for editing and delete the namespace URI. Change the Name to “mail” and click Save.
  • Similarly, edit user.givenname by deleting the namespace URI and renaming givenname to firstName, and click Save.
  • Edit user.userprincipalname by deleting the namespace URI, and click Save.

  • Edit user.surname by deleting the namespace URI and renaming surname to lastName, and click Save.
  • Next, add a new claim for the mobile attribute:
    • Name: "mobile"
    • Source: "Attribute"
    • Source Attribute: "user.mobilephone"
    • Click Save
  • Add a new claim for the displayName attribute:
    • Name: "displayName"
    • Source: "Attribute"
    • Source Attribute: "user.displayname"
    • Click Save

  • Add a group claim for the memberOf attribute:
    • Select "All Groups" option.
    • Check "Customize the name of this group claim"
    • Click Save
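A quick way to confirm that the claim edits above took effect is to look at the attribute names in an assertion the app actually issues (for example one decoded from a browser SAML trace). The script below is an added example, not Nile or Microsoft tooling: it parses the AttributeStatement, lists every claim Name with its values, flags any Name that still carries a namespace URI, and reports which of the expected claims (mail, firstName, lastName, displayName, mobile, memberOf) are absent. The embedded assertion is constructed for the example, with placeholder tenant and group IDs, and deliberately leaves the group claim under Azure AD's default namespaced name to show what the check reports when the "Customize the name of this group claim" step was skipped.

```python
"""Inspect the claim names in a SAML assertion issued by the Azure AD Nile app.

Added example; not Nile or Microsoft tooling. It assumes the claim set
configured above (mail, firstName, lastName, displayName, mobile and the
memberOf group claim) and that each claim Name had its namespace URI removed.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names the Attributes & Claims steps above are meant to produce.
EXPECTED_CLAIMS = {"mail", "firstName", "lastName", "displayName", "mobile", "memberOf"}

# Constructed sample assertion (not a real capture; the tenant ID and the
# group object ID are placeholders). The group claim keeps Azure AD's
# default namespaced name so the check has something to flag.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mobile"><saml:AttributeValue>+1 555 0100</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>00000000-0000-0000-0000-00000000aaaa</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attribute_map(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {claim Name: [values]} from the assertion's AttributeStatement.

    Works on a bare Assertion or on a whole Response, since the search is
    over all descendants.
    """
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name", "")] = values
    return attrs


def check_claims(assertion_xml: str) -> Dict[str, List[str]]:
    """Report claim Names that still carry a namespace URI and expected
    claims that are absent, so the offending claim can be edited in Azure."""
    attrs = attribute_map(assertion_xml)
    namespaced = sorted(name for name in attrs if "://" in name)
    missing = sorted(EXPECTED_CLAIMS - set(attrs))
    return {"namespaced": namespaced, "missing": missing}


if __name__ == "__main__":
    # Pass the path of a decoded assertion to check; the constructed sample
    # is used when no path is given.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_ASSERTION
    for name, values in attribute_map(xml_text).items():
        print(f"{name}: {values}")
    report = check_claims(xml_text)
    print("claims still namespaced:", report["namespaced"] or "none")
    print("expected claims missing:", report["missing"] or "none")
```

Run it against a decoded assertion from your own tenant; an empty "namespaced" list and an empty "missing" list mean the claim names match what the Nile provider expects. Only the assertion's attribute names are inspected here; signature validation is the job of the SP and is not reimplemented.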
  • Download the ‘SAML Signing Certificate’ (to be uploaded later to the Nile Customer Portal when adding Azure AD as a provider):
  • Azure AD Identifier:
    • https://sts.windows.net/f8b44d9b-778d-47da-9391-6249440b17a9/
  • Login URL:
    • https://login.microsoftonline.com/f8b44d9b-778d-47da-9391-6249440b17a9/saml2

  • Make a note of the Azure AD Identifier and the Login URL (to be used in the Nile Customer Portal provider setup).

To be done after completing the next section:

Update the ‘Identifier’ and ‘Reply URL’ in the ‘Basic SAML Configuration’ section of the Nile app with the values from the metadata.xml file downloaded after completing the Nile Customer Portal provider setup in the next section.

After Azure AD is made an identity provider in the next section, the actual values for Identifier and Reply URL can be updated.

Nile Customer Portal Identity Provider Setup

Login to the Nile Customer Portal (https://www.nile-global.cloud) as an administrator.

  • Go to Settings -> Global Settings -> Identity

Click on ADD A NEW PROVIDER:

  • Fill in the fields of the new provider window as follows:
    • Name: An appropriate string to name the provider.
    • IdP Issuer URI: Azure AD SAML app Identifier noted in step 15 of the previous section.
    • IdP SSO URL: Azure AD SAML app Login URL noted in step 15 of the previous section.
    • Destination URL: Azure AD SAML app Login URL noted in step 15 of the previous section.
    • SELECT CERTIFICATE: Upload the ‘SAML Signing Certificate’ downloaded previously.
    • Click the SUBMIT button to save the changes and add the new Azure AD provider.

Click the METADATA button to download the file.


Open the downloaded file with a text editor, and search for the ‘entityID’ and ‘Location’ strings.

NOTE: Save the entityID and Location values. They are used later to complete the Azure AD enterprise application configuration.

For illustration purposes only, the values used in this example:

  • entityID: https://www.okta.com/saml2/service-provider/spchehmcqiylhitxumru
  • Location: https://login.u1.nile-global.cloud/sso/saml2/0oaah83qpuT5TRtMY5d7
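Searching the metadata file by hand works, but the two values can also be pulled out programmatically, which avoids copying the wrong string when the file contains more than one endpoint. The script below is an added example, not Nile's tooling: it reads the entityID from the EntityDescriptor and the Location of the default AssertionConsumerService (the value Azure calls the Reply URL), and lists anything that would make the pairing unusable (no entityID, no ACS endpoint, or a non-https Location). The embedded metadata is a constructed stand-in with placeholder identifiers, not the file downloaded from the portal.

```python
"""Extract the SP entityID and Reply URL from a Nile metadata.xml file.

Added example, not Nile's tooling. It assumes the standard SAML 2.0 metadata
layout (an EntityDescriptor with one SPSSODescriptor); the sample below is
constructed with placeholder identifiers.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed stand-in for the downloaded metadata.xml (placeholder IDs).
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.okta.com/saml2/service-provider/SP-ID-PLACEHOLDER">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.u1.nile-global.cloud/sso/saml2/APP-ID-PLACEHOLDER"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_values(metadata_xml: str) -> Dict[str, object]:
    """Return the entityID, the Reply URL (default ACS Location), every ACS
    endpoint found, and a list of problems that would block the Azure setup."""
    root = ET.fromstring(metadata_xml)
    entity_id: Optional[str] = root.get("entityID")
    endpoints = root.findall(".//md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    acs: List[Dict[str, object]] = [
        {"binding": e.get("Binding", ""), "location": e.get("Location", ""),
         "default": e.get("isDefault") == "true"}
        for e in endpoints
    ]
    # Azure's Reply URL is the ACS Location; prefer the endpoint marked default.
    reply_url: Optional[str] = None
    for entry in acs:
        if entry["default"]:
            reply_url = str(entry["location"])
            break
    if reply_url is None and acs:
        reply_url = str(acs[0]["location"])

    problems: List[str] = []
    if not entity_id:
        problems.append("no entityID on EntityDescriptor")
    if not acs:
        problems.append("no AssertionConsumerService endpoint")
    for entry in acs:
        if not str(entry["location"]).startswith("https://"):
            problems.append(f"ACS Location is not https: {entry['location']}")
    return {"entityID": entity_id, "replyURL": reply_url, "acs": acs, "problems": problems}


if __name__ == "__main__":
    # Usage: python sp_values.py metadata.xml (the sample is used without a path).
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_METADATA
    result = sp_values(text)
    print("Identifier (Entity ID):", result["entityID"])
    print("Reply URL (ACS):       ", result["replyURL"])
    for problem in result["problems"]:
        print("PROBLEM:", problem)
```

The two printed values are exactly what replaces the temporary Identifier and Reply URL in the Nile app's Basic SAML Configuration; if a problem line is printed, re-download the metadata rather than pasting the values.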

Go back to the enterprise app (Nile) created on Azure AD, go to the ‘Basic SAML Configuration’ section and click Edit.


Replace the temporary values of Entity ID and Reply URL with the values of entityID and Location collected previously.


Click the Save button to save the changes and thus complete the Azure AD enterprise app (Nile) configuration.


Verify your changes on the single sign on page.

It is assumed that the administrator credentials belong to a domain in Azure AD, and that this domain is already an Allowed domain on the Nile Customer Portal. Note: with the Azure AD provider configuration complete, SSO users can gain Internet access after signing in with their AD credentials.

Group Mapping

The group mapping is used to map a designated Azure AD admin group to the Nile Customer Portal Administrator group. A Group rule is needed and can be added on the Nile Customer Portal as illustrated in the following steps.

The example that follows maps an AD admin group “NileAdmin” to the Nile Customer Portal Administrator group, and a “NileMonitor” group to the Nile Customer Portal Monitor Admin group.

1. Click the Group Rules tab:


2. Click “Add Group Mapping”:


Add the group name to the “Friendly name” and “External name” fields and click Save.

Next, click the ADD GROUP RULE:


Add two group rules that map AD users who are members of two AD groups (NileAdmin and NileMonitor in this example) to the Nile Customer Portal Administrator and Monitor groups respectively, by evaluating the ‘memberOf’ attribute value carried in the SAML assertion from Azure AD:

  • Name: An appropriate rule name
  • Mapping Value: Azure AD Group object ID
  • Assigned groups: Select the appropriate Nile group from the drop-down list
  • Click Save.
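The rule fields above are easier to reason about when the evaluation is spelled out. The script below is an added example, not Nile's rule engine: it models the two rules as records with a Mapping Value (the group object ID), an assigned Nile group and an active flag, and computes which Nile groups a user receives from the memberOf values in their assertion. It assumes a rule matches when its Mapping Value equals one of the memberOf values, compared case-insensitively, and that rules still in the INACTIVE state are skipped; the object IDs are placeholders, not real group IDs.

```python
"""Evaluate group rules of the kind configured above against memberOf values.

Added example, not Nile's rule engine. Assumptions: a rule matches when its
Mapping Value equals a memberOf value (case-insensitive), inactive rules are
skipped, and the group object IDs below are placeholders.
"""
from typing import Dict, List

# Constructed rules mirroring the two rules added above.
GROUP_RULES: List[Dict[str, object]] = [
    {"name": "NileAdmin to Administrator",
     "mapping_value": "00000000-0000-0000-0000-00000000aaaa",   # NileAdmin object ID (placeholder)
     "assigned_group": "Administrator",
     "active": True},
    {"name": "NileMonitor to Monitor Admin",
     "mapping_value": "00000000-0000-0000-0000-00000000bbbb",   # NileMonitor object ID (placeholder)
     "assigned_group": "Monitor Admin",
     "active": True},
]


def assigned_groups(member_of: List[str],
                    rules: List[Dict[str, object]] = GROUP_RULES) -> List[str]:
    """Return the Nile groups granted by the active rules whose Mapping Value
    appears among the memberOf values; rule order is kept, duplicates dropped."""
    present = {value.strip().lower() for value in member_of}
    granted: List[str] = []
    for rule in rules:
        if not rule["active"]:
            continue   # an INACTIVE rule never grants anything
        if str(rule["mapping_value"]).lower() in present:
            group = str(rule["assigned_group"])
            if group not in granted:
                granted.append(group)
    return granted


if __name__ == "__main__":
    # The group claim carries object IDs, so a display name such as
    # "NileAdmin" on its own matches no rule.
    print(assigned_groups(["00000000-0000-0000-0000-00000000aaaa"]))   # ['Administrator']
    print(assigned_groups(["NileAdmin"]))                               # []
```

Two points the model makes visible: the mapping key is the group object ID, so renaming the group in Azure AD does not break the rule but pasting the display name as the Mapping Value does; and a rule left INACTIVE after saving grants nothing, which is why the activation step follows.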

After adding the two rules, this pane is displayed:


Activate the two rules by clicking on the INACTIVE button to change the state to ACTIVE:


PSK-SSO SSID Setup

Log back in to the Nile Customer Portal.

  • Go to the Settings → Segments page to create the PSK SSO Segment:
    • Click on the ⊕ to add a new segment
    • Type a meaningful segment name (Demo PSK SSO in this example)

Go to the ‘Service area’ tab to select the DHCP server and scope:


Go to the ‘Advanced’ tab and check off the ‘URL Allow List’ and click on to add the following DNS names one at a time:

  • azure.microsoft.com
  • amp.azure.net
  • dev.azure.com
  • *.amcdn.msftauth.net
  • *.trafficmanager.net
  • *.omegacdn.net
  • *.azureedge.net
  • *.aadcdn.msftauth.net
  • *.msidentity.com
  • *.dev.azure.com
  • *.aadcdn.msauth.net

Click SAVE to complete the addition of the new segment.


Go to the Settings → Wireless page to create the PSK SSO SSID:

  • Select the ‘
  • Type the desired SSID name
  • Select the
  • Check off the ‘
  • Enter the Pre-shared key
  • Select the previously created PSK-SSO segment
  • Click the SAVE button to complete the PSK-SSO SSID creation.