Microsoft Entra ID
Overview

This document covers the setup of SAML (Security Assertion Markup Language) federation between Nile (Okta) as a Service Provider (SP) and Azure Entra ID as an Identity Provider (IdP).

Requirements

- Administrator rights to the Nile portal
- Administrator rights to Entra ID
- The same Nile portal administrator must also exist as a user in Entra ID

Configuration

Entra ID groups

The purpose of this section is to create or identify the Entra ID groups that will be assigned to the Nile SAML enterprise app. Two group categories are created or reviewed:

a. Groups to be newly created whose members are granted administrator privileges (read/write or read-only) to the Nile portal.
b. Group(s) of existing employees who can use the Nile SSO feature.

Nile Admin and Nile Monitor group creation

- Sign in to the Microsoft Entra portal: https://entra.microsoft.com
- Navigate to the Groups page and click New group.
- Fill in the group name (e.g. Nile Admin) and group description, select the desired members of this group, then click Create.
- Repeat the group creation to create a second group (e.g. Nile Monitor); both groups are then listed as illustrated.
- An existing group (Nile SSO) with 4 members, representing the employees who can sign in to the Nile SSO SSID, is shown for illustration.

Entra ID enterprise app configuration

Nile app creation

- In the Microsoft Entra admin center (or Entra ID accessed through the Azure portal), navigate to the Enterprise applications page.
- Click New application.
- On the Browse Microsoft Entra Gallery page, click the Create your own application link.
- Enter the name "Nile".
- Select the radio button "Integrate any other application…".
- Click Create.

Assign users and groups

- On the Nile overview page, click the Assign users and groups link.
- On the Users and groups page, click + Add user/group.
- On the Add Assignment page, click the None Selected hyperlink to choose the users and/or groups to assign to the app.
- Click the Groups tab and enter "nile" in the search field to display the groups whose names contain the string "nile".
- Check the groups Nile Admin and Nile Monitor, as well as any user groups that will sign in to the Nile SSO SSID (in this document, Nile SSO is one example of such a group), then click Select to confirm the selection.
- Click Assign to complete the addition of the groups to the Nile app.

Note: individual users can also be assigned to the Nile SAML app by selecting the Users tab in the illustration above.

Set up single sign-on

- Click Single sign-on in the left menu.
- Click the SAML panel.
- On the Set up Single Sign-On with SAML page, in the Basic SAML Configuration section, click Edit.
- Enter temporary values for Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) so that the signing certificate can be generated for download.
- Click Save (top bar, left) to save the changes.

Note: after Entra ID is added as an identity provider in the next section, the actual values for Identifier and Reply URL are filled in.

- Back on the Set up Single Sign-On with SAML page, in the Attributes & Claims section, click Edit. The Attributes & Claims page is presented.
- Edit each claim one by one as follows:
  - Click the user.mail claim line to open it for editing, delete the contents of Namespace, change the Name to "mail", then click Save (top, left).
  - Similarly, edit user.givenname: delete the contents of Namespace, change the Name from "givenname" to "firstname", then click Save.
  - Edit user.userprincipalname by deleting the contents of Namespace, then click Save.
  - Edit user.surname by deleting the contents of Namespace and changing the Name from "surname" to "lastname", then click Save.
  - Click the + Add new claim link and add a new claim for the mobile attribute as shown, then click Save.
  - Click the + Add new claim link and add a new claim for the displayname attribute, then click Save.
  - Click the + Add a group claim link and add a group claim for the memberOf attribute as illustrated, then click Save.

SAML certificate

- Back on the Set up Single Sign-On with SAML page, in the SAML Certificates section, download the SAML Signing Certificate (it is uploaded later to the Nile portal when adding Entra ID as a provider).

Microsoft Entra Identifier and Login URL

- Make a note of the Microsoft Entra Identifier and the Login URL (both are used in the Nile portal provider setup).
- To be done after completing the next section: update the Identifier and Reply URL in the Basic SAML Configuration section of the Nile app with the values from the metadata XML file downloaded after completing the Nile portal provider configuration.

Nile portal identity provider configuration

- Log in to the Nile portal (https://www.nile-global.cloud) as an administrator.

Note: it is assumed that the administrator credentials belong to a domain in Microsoft Entra ID; this domain would already be an allowed domain on the Nile portal.

- Navigate to Global Settings → Identity.
- Click the Add a new provider link.
- Fill in the fields in the New Provider window as follows:
  - IdP Issuer URI: the Microsoft Entra Identifier noted in the previous section
  - IdP SSO URL: the Login URL noted in the previous section
  - Destination URL: the Login URL noted in the previous section
  - Select certificate: upload the text content of the downloaded SAML Base64 certificate
- Click Submit to save the changes and add the new Microsoft Entra ID provider.
- Click the Metadata button to download the file.
- Open the downloaded file with a text editor and search for the entityID and Location strings.

Note: save the entityID and Location values; they are used later to complete the Entra ID enterprise app configuration. For illustration purposes only, the values used in this example are:

  entityID: https://www.okta.com/saml2/service-provider/spchehmcqiylhitxumru
  Location: https://login.u1.nile-global.cloud/sso/saml2/0oaah83qput5trtmy5d7

- Go back to the enterprise app (Nile) created on Microsoft Entra ID and click Edit on the Basic SAML Configuration section.
- Replace the temporary values of Entity ID and Reply URL with the entityID and Location values collected earlier.
- Click Save to save the changes and complete the Azure Entra ID enterprise app (Nile) configuration.
- Verify your changes.

Notes:

1. The Entra ID provider configuration is now complete: SSO users gain internet access after signing in with their Entra ID credentials.
2. Entra ID user profiles must contain all previously mapped attributes, including email address and mobile phone, in order to connect successfully to the Nile SSO SSID.

Group mapping

Group mapping maps a designated Entra ID group to a Nile portal administrator group. A group rule is needed and is added on the Nile portal in the following steps. The example maps an AD admin group "Nile Admin" to the Nile portal Administrator group, and a "Nile Monitor" group to the Nile portal Monitor admin group.

- Click the Group Rules tab.
- Click the Add group mapping button.
- Add "memberOf" as both the Friendly name and the External name, of type Array. Press Save.
- Click the Add group rule link.
- Add the first of two group rules. The two rules map the desired Nile portal admin users (members of the two Entra ID groups Nile Admin and Nile Monitor in this example) to the Nile portal Administrator and Monitor groups respectively, by evaluating the memberOf attribute value received in the SAML assertion from Entra ID:
  - Name: an appropriate rule name
  - Mapping value: the Entra ID group object ID
  - Assigned groups: select "Administrator" from the drop-down list
  - Click Save.
- Add the second group rule (Nile Monitor in this example) to map that group to the Nile portal Monitor group:
  - Name: an appropriate rule name
  - Mapping value: the Entra ID group object ID
  - Assigned groups: select "Monitor" from the drop-down list
  - Click Save.
- After adding the two rules, the rules pane is displayed. Activate the two rules by clicking the Inactive button to change the state to Active.

PSK SSO SSID configuration

- Log back in to the Nile portal.
- Go to the Network Setup > Segments tab page to create the PSK SSO segment.
- Click the + sign to add a new segment.
- Type a meaningful segment name (Demo PSK SSO).
- Click the Service Area tab to select the DHCP server and scope.
- Go to the Advanced tab, check URL Allow List, and click + to add the following DNS names one at a time:
  - azure.microsoft.com
  - amp.azure.net
  - dev.azure.com
  - amcdn.msftauth.net
  - trafficmanager.net
  - omegacdn.net
  - azureedge.net
  - aadcdn.msftauth.net
  - msidentity.com
  - aadcdn.msauth.net
  - t.msedge.net
- When finished, the page looks as shown. Click Save to complete the addition of the new segment.
- Go to the Network Setup > Wireless page to create the PSK SSO SSID.
- Click the + sign to add an SSID and enter the following:
  - Type: Personal (radio button)
  - Name: the desired SSID name
  - Security: select WPA2 from the pull-down list
  - Enable SSO: check the checkbox
  - Passkey: enter the pre-shared key
  - Segments: select the previously created PSK SSO segment from the pull-down list
- Click Save to complete the PSK SSO SSID creation.
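The Nile portal identity provider section above has you open the downloaded SP metadata in a text editor and search for the entityID and Location strings by hand. The following is an added example (not Nile or Okta code) that extracts the same two values programmatically and checks them before they are pasted into Basic SAML Configuration: it confirms the file really is SP metadata, picks the HTTP-POST AssertionConsumerService (the binding Entra ID uses for the Reply URL), and rejects anything that is not an https URL. The metadata document and its identifiers are constructed placeholders, not values from a real tenant.

```python
"""Extract entityID and the ACS Location from SAML SP metadata.

Added example for the Nile/Entra ID SAML setup; not Nile or Okta code.
The sample metadata below is constructed and its identifiers are placeholders.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata in the shape the Nile portal's Metadata button
# returns (an Okta-style SP entityID and an ACS endpoint). Placeholder values only.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.okta.com/saml2/service-provider/spEXAMPLEID">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.example.invalid/sso/saml2/0oaEXAMPLEID"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_endpoints(metadata_xml: str) -> dict:
    """Return {'entityID': ..., 'Location': ...} from SP metadata text.

    Raises ValueError when the document is not an SP EntityDescriptor, has no
    HTTP-POST AssertionConsumerService, or either value is not an https URL.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None or not entity_id:
        raise ValueError("no SPSSODescriptor/entityID: this is not SP metadata")

    # Only HTTP-POST endpoints are valid Reply URLs for Entra ID; prefer the default one.
    acs = [a for a in sp.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    acs.sort(key=lambda a: a.get("isDefault") != "true")
    location = acs[0].get("Location")

    # Both values are pasted into Entra ID; refuse anything that is not https.
    for name, value in (("entityID", entity_id), ("Location", location)):
        if not value or not value.startswith("https://"):
            raise ValueError(f"{name} must be an https URL, got {value!r}")
    return {"entityID": entity_id, "Location": location}


if __name__ == "__main__":
    for key, value in extract_sp_endpoints(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the real downloaded file by reading the file into a string and passing it to extract_sp_endpoints; the returned entityID goes into Identifier (Entity ID) and Location into Reply URL.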
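The Attributes & Claims section above renames the Entra ID claims (mail, firstname, lastname, mobile, displayname, memberOf), note 2 states that user profiles must carry all of those attributes, and the Group mapping section maps memberOf group object IDs to the Nile portal Administrator and Monitor groups through rules that stay inactive until activated. The following added example (not Nile code) evaluates a SAML assertion the way those sections describe: it parses the AttributeStatement, reports which mapped claims are missing, and applies active group rules to the memberOf array. The assertion, the group object IDs and the rule names are constructed placeholders.

```python
"""Check mapped claims and apply group rules to a SAML assertion.

Added example for the Nile/Entra ID SAML setup; not Nile code. The assertion,
group object IDs and rule names below are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names as they appear after the Attributes & Claims edits in the Nile app.
REQUIRED_CLAIMS = ("mail", "firstname", "lastname", "userprincipalname",
                   "mobile", "displayname")

# Constructed group object IDs; the real ones come from the Entra ID group pages.
NILE_ADMIN_GROUP_ID = "11111111-2222-3333-4444-555555555555"
NILE_MONITOR_GROUP_ID = "66666666-7777-8888-9999-aaaaaaaaaaaa"
NILE_SSO_GROUP_ID = "bbbbbbbb-cccc-dddd-eeee-ffffffffffff"


@dataclass(frozen=True)
class GroupRule:
    """One Nile portal group rule: mapping value is an Entra ID group object ID."""
    name: str
    mapping_value: str
    assigned_group: str          # "Administrator" or "Monitor"
    active: bool = False         # rules are created Inactive and must be activated


# Constructed rules mirroring the two described in the Group mapping section.
RULES = [
    GroupRule("Entra Nile Admin", NILE_ADMIN_GROUP_ID, "Administrator", active=True),
    GroupRule("Entra Nile Monitor", NILE_MONITOR_GROUP_ID, "Monitor", active=True),
]

# Constructed assertion: a user in the Nile Admin and Nile SSO groups, all claims set.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="userprincipalname"><saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mobile"><saml:AttributeValue>+1 555 0100</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayname"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>{NILE_ADMIN_GROUP_ID}</saml:AttributeValue>
      <saml:AttributeValue>{NILE_SSO_GROUP_ID}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_attributes(assertion_xml: str) -> dict:
    """Map each Attribute Name to its list of values (memberOf is multi-valued)."""
    root = ET.fromstring(assertion_xml)
    attrs: dict = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs


def missing_claims(attrs: dict) -> list:
    """Mapped claims (note 2 above) that are absent or empty in the assertion."""
    return [claim for claim in REQUIRED_CLAIMS if not attrs.get(claim)]


def assigned_portal_groups(attrs: dict, rules) -> set:
    """Apply active rules: a rule matches when its mapping value is in memberOf."""
    member_of = set(attrs.get("memberOf", []))
    return {rule.assigned_group for rule in rules
            if rule.active and rule.mapping_value in member_of}


if __name__ == "__main__":
    attributes = parse_attributes(SAMPLE_ASSERTION)
    print("missing claims:", missing_claims(attributes))
    print("portal groups:", assigned_portal_groups(attributes, RULES))
```

The Nile SSO group ID is deliberately not covered by any rule, so a member of only that group gets SSO network access but no portal group; a rule left in the Inactive state contributes nothing, which is the failure mode behind the activation step above.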