Azure AD (SAML 2.0)

Integration with Azure AD enables Single Sign-On (SSO) for Xshield users managed through Azure AD using the Security Assertion Markup Language (SAML) 2.0 authentication standard.

Prerequisites to activate the integration

  • An Azure user role with permissions to add Enterprise applications to Azure AD.
  • A dedicated user group for Xshield users who require SSO access.
  • Admin user role in Xshield to activate the integration.

Procedure

At a high level, the SAML integration between Azure and Xshield is done in 3 phases:

  1. Activate SAML 2.0 in Xshield
  2. Create a new non-gallery app in Azure AD by configuring the SAML metadata and claims
  3. Complete the setup by adding the configuration data from Azure application to Xshield

Follow the step-by-step guide below to complete the integration:

Enabling SAML 2.0 in Xshield

  1. Log into the Xshield tenant, navigate to Settings > Integrations > Identity Provider > SAML 2.0 and click on Activate
  2. By default, the configuration type is set to Pick from Metadata
  3. Click on Download Metadata; this file will be used to configure the Azure application in the next steps

Configuring Azure

  1. Log in to the Azure portal and navigate to Enterprise applications
  2. Select the New application option in the Enterprise applications section of the Azure portal
  3. Use the Create your own application option to create an application for Xshield SSO
  4. Type in a suitable name for the application, preferably ColorTokens XShield
  5. Make sure the Non-gallery option is selected
  6. Click on Create
  7. Once the application has been created, select the Single sign-on menu option
  8. Select SAML
  9. Upload the metadata file you saved earlier from the Xshield SAML 2.0 configuration page
  10. If you encounter an error instead of a success message, get in touch with Azure customer support

note

The Sign on URL field also needs to be filled in. Its value is the same as the Reply URL (Assertion Consumer Service URL) with "assertion" replaced by "login": copy the Reply URL into the Sign on URL field and edit the last word.

  11. Confirm that the Sign on URL field is filled in correctly
  12. Save the configuration
  13. This completes the basic SAML configuration
  14. Skip the test for now
  15. Copy the App Federation Metadata URL and the Logout URL; both are needed later
  16. Next, customize the attributes and claims: click on Edit in the Attributes & Claims section
  17. Add a new claim
  18. Enter the Name identifier format as Email address and the Source attribute as user.userprincipalname
  19. Save the claim and confirm that the new claim has been added


Activate Azure AD SSO in Xshield

  1. Navigate back to the SAML 2.0 integrations page in Xshield where we left off
  2. Ensure Pick from Metadata is selected
  3. Add the configuration data copied from the Azure app you created earlier (step 15 in Configuring Azure):
     • Fill in the App Federation Metadata URL in the Metadata URL text box
     • Fill in the Logout URL in the Logout URL text box
  4. Click Save to complete the integration.

note

A log entry will be generated under Monitoring > Logs to confirm that the integration is activated
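As an added example, not part of this guide and not Xshield's or Azure's own tooling: a Python check that derives the Sign on URL from a Reply URL by the rule in the note above, and pulls the entity ID, SSO and logout endpoints, signing certificate and advertised NameID formats out of the IdP metadata before the values are saved in Xshield. The metadata document is a constructed, trimmed sample in the shape Azure AD publishes; the tenant id, certificate and the Reply URL used in the usage are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD, DS = "urn:oasis:names:tc:SAML:2.0:metadata", "http://www.w3.org/2000/09/xmldsig#"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id, not a real one

# Constructed, trimmed document in the shape of Azure AD's App Federation Metadata.
AZURE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <NameIDFormat>{EMAIL_NAMEID}</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def sign_on_url_from_reply_url(reply_url: str) -> str:
    # The guide's rule: Reply URL (ACS URL) with its last path segment "assertion" -> "login".
    parts = urlsplit(reply_url)
    segments = parts.path.rstrip("/").split("/")
    if segments[-1] != "assertion":  # refuse to guess for any other shape
        raise ValueError("Reply URL does not end in /assertion: " + reply_url)
    segments[-1] = "login"
    return urlunsplit(parts._replace(path="/".join(segments)))

def parse_idp_metadata(xml_text: str) -> dict:
    # Values Xshield consumes: entity ID, SSO/logout endpoints, signing certs, NameID formats.
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    certs = [c.text.strip() for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
             if kd.get("use", "signing") == "signing"  # a missing 'use' means both uses
             for c in kd.iter(f"{{{DS}}}X509Certificate")]
    return {"entity_id": root.get("entityID"),
            "sso_url": idp.find(f"{{{MD}}}SingleSignOnService").get("Location"),
            "logout_url": idp.find(f"{{{MD}}}SingleLogoutService").get("Location"),
            "signing_certs": certs,
            "nameid_formats": [n.text for n in idp.findall(f"{{{MD}}}NameIDFormat")]}

def check_idp_metadata(info: dict) -> list:
    # Sanity checks before saving the integration; an empty list means nothing to fix.
    problems = []
    if not info["signing_certs"]:
        problems.append("no signing certificate: Xshield could not verify assertions")
    if EMAIL_NAMEID not in info["nameid_formats"]:
        problems.append("IdP does not advertise the emailAddress NameID format configured above")
    return problems
```

Run `check_idp_metadata(parse_idp_metadata(AZURE_METADATA))` against the real metadata fetched from the App Federation Metadata URL; any string it returns is something to fix in Azure before clicking Save.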