Azure SAML Setup
Azure has its own SAML provider that is subtlety different to standard ADFS SAML and general SAML. The following guide is to help the deployment of an Azure SAML configuration as the authentication provider for Pyramid.
Note: this feature is available with Enterprise licensing only.
Important: if Same Site client security is set to Strict when using SAML authentication, this may cause a loop redirect between Pyramid and the SAML provider, as cookies are prevented from working across different web domains. This shouldn't be an issue if your SAML provider and Pyramid are within the same web domain.
Azure Setup
Step 1.
Start by configuring your Azure portal. From the Homepage of your Azure portal, login to your Azure site, then go to Enterprise applications – All applications.
Next, click New Application and select the Non-gallery application button. Name your application and click Add.
Select the single sign on tab and then select SAML.
Step 2.
Enter the following details on your Azure portal single sign-on page:
- Identifier (Entity ID): this can be any name you like, as long as it’s in the correct format for Azure (red arrow below)
- Reply URL (Assertion Consumer Service URL): the Pyramid web site address with /login/callback – i.e. https://saml.pyramidanalytics.com/login/callback (blue arrow)
- Sign on URL: the Pyramid web site address without any additions – https://saml.pyramidanalytics.com (green arrow)
- User Identifier: this should be user.userprincipalname (orange arrow)
Step 3.
Click the Configure button to open the Configure sign-on pop-out (below). Copy both the SAML Single Sign-On Service URL and the Sign-Out URL and paste in Notepad – you will need these later to configure SAML settings in Pyramid.
Step 4.
Save your Azure settings
Step 5.
An additional setting in IIs must be configured. Change your web.config file to the following:
<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <security> <requestFiltering> <requestLimits maxAllowedContentLength="2147483648" /> </requestFiltering> </security> <rewrite> <rules> <rule name="ReverseProxyInboundRule1" stopProcessing="true"> <match url="(.*)" /> <action type="Rewrite" url="http://localhost:8181/{R:1}" /> </rule> </rules> <outboundRules> <rule name="302" preCondition="302"> <match serverVariable="RESPONSE_Location" pattern="(.*)#redirect=(.*)" /> <action type="Rewrite" value="{R:2}" /> </rule> <preConditions> <preCondition name="302"> <add input="{RESPONSE_STATUS}" pattern="3[0-9][0-9]" /> </preCondition> </preConditions> </outboundRules> </rewrite> <defaultDocument> <files> <clear /> <add value="readme.html" /> </files> </defaultDocument> </system.webServer> </configuration>
Pyramid Setup
Step 6.
In the SAML Settings panel (blue highlight) in Pyramid, enter the following details as per the general SAML setup described here.
For Azure, the details are:
- Consumer URL: the sign on URL given in Step 2
- SAML Issuer: the Identifier (Entity ID) given in Step 2
- IDP URL: paste the SAML Single Sign-On Service URL copied in Step 3
- Logout URL: paste the Sign-Out URL copied in Step 3
Step 7.
Enter the credentials for the Initial User (green highlight above). The Initial User is usually the user who is responsible for the Pyramid configuration.
- User Name: the internal user name of the initial user. This is a bypass for the user when working outside of SAML.
- Password: the internal password for the user. Only required if manually logging in without the SAML framework.
- First Name: the first name of the initial user
- Last Name: the last name of the initial user
- Email: the email of the initial user
- Principal Name: the Azure UPN (username) of the initial user
Note: all new Pyramid users must have a principal name that matches the user’s user.userprincipalname in Azure AD.