Azure SAML Setup

Azure has its own SAML provider that is subtly different from standard ADFS SAML and generic SAML. The following guide helps you deploy an Azure SAML configuration as the authentication provider for Pyramid.

Note: This feature is available with Enterprise licensing only.

Important: If the Same Site client security setting is set to Strict when using SAML authentication, this may cause a redirect loop between Pyramid and the SAML provider, because cookies are prevented from being sent across different web domains. This shouldn't be an issue if your SAML provider and Pyramid are in the same web domain.

Azure Setup

Step 1.

Start by configuring your Azure portal. Log in to your Azure site, then from the Home page of your Azure portal go to Enterprise applications > All applications.

Next, click New Application and select the Non-gallery application button. Name your application and click Add.

Select the Single Sign-on tab and then select SAML.

Step 2.

Enter the following details on your Azure portal single sign-on page:

  • Identifier (Entity ID): this can be any name you like, as long as it's in the correct format for Azure (red arrow below)
  • Reply URL (Assertion Consumer Service URL): the Pyramid web site address followed by /login/callback (blue arrow)
  • Sign on URL: the Pyramid web site address without any additions (green arrow)
  • User Identifier: this should be user.userprincipalname (orange arrow)

Step 3.

Click the Configure button to open the Configure sign-on pop-out (below). Copy both the SAML Single Sign-On Service URL and the Sign-Out URL and paste them into Notepad; you will need them later to configure the SAML settings in Pyramid.

Step 4.

Save your Azure settings.

Step 5.

An additional setting in IIS must be configured. By default, the web.config file is found at the following path on all Pyramid web servers running IIS:

"C:\program files\pyramid\repository\iis\web.config"

Change your web.config file to the following. The update must be made on all Pyramid web servers running IIS:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Allow request bodies of up to 2 GB -->
        <requestLimits maxAllowedContentLength="2147483648" />
      </requestFiltering>
    </security>
    <rewrite>
      <rules>
        <!-- Forward every inbound request to the service listening on localhost:8181 -->
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:8181/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- On redirect responses, replace a Location header of the form
             "...#redirect=<url>" with just "<url>" -->
        <rule name="302" preCondition="302">
          <match serverVariable="RESPONSE_Location" pattern="(.*)#redirect=(.*)" />
          <action type="Rewrite" value="{R:2}" />
        </rule>
        <preConditions>
          <!-- Apply the outbound rule only to responses with a 3xx status -->
          <preCondition name="302">
            <add input="{RESPONSE_STATUS}" pattern="3[0-9][0-9]" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
    <defaultDocument>
      <files>
        <clear />
        <add value="readme.html" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>
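The following Python script is an added example and is not part of the Pyramid guide or product. It parses a copy of the web.config above, checks that the reverse-proxy rule, the outbound Location rule and its 3xx precondition are present with the values the guide specifies, and simulates what the outbound rule does to a Location header so you can see the effect before rolling the file out to every IIS server. IIS URL Rewrite behaviour is approximated with Python's re module (the two regex engines agree on these simple patterns, and IIS matches case-insensitively by default); the sample Location values and the function names are constructed for the example.

```python
"""Added example (not part of the Pyramid guide): sanity-check an IIS web.config
against the Azure SAML settings and simulate the outbound Location rewrite.

Assumptions not taken from the guide: IIS URL Rewrite behaviour is approximated
with Python's re module, and the sample Location header values are constructed.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample input: a copy of the web.config shown in Step 5.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="2147483648" />
      </requestFiltering>
    </security>
    <rewrite>
      <rules>
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:8181/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="302" preCondition="302">
          <match serverVariable="RESPONSE_Location" pattern="(.*)#redirect=(.*)" />
          <action type="Rewrite" value="{R:2}" />
        </rule>
        <preConditions>
          <preCondition name="302">
            <add input="{RESPONSE_STATUS}" pattern="3[0-9][0-9]" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
"""

REWRITE = "./system.webServer/rewrite"


def check_web_config(xml_text: str) -> list:
    """Return a list of problems; an empty list means the config matches the guide."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    problems = []

    # Inbound rule: every request must be proxied to the service on localhost:8181.
    inbound = root.find(REWRITE + "/rules/rule[@name='ReverseProxyInboundRule1']")
    action = None if inbound is None else inbound.find("action")
    if action is None or action.get("url") != "http://localhost:8181/{R:1}":
        problems.append("inbound rule does not proxy to http://localhost:8181/{R:1}")

    # Outbound rule: rewrite RESPONSE_Location using the '#redirect=' pattern.
    outbound = root.find(REWRITE + "/outboundRules/rule[@name='302']")
    if outbound is None:
        problems.append("outbound Location rewrite rule missing")
        return problems
    match = outbound.find("match")
    if (match is None or match.get("serverVariable") != "RESPONSE_Location"
            or match.get("pattern") != "(.*)#redirect=(.*)"):
        problems.append("outbound rule does not match RESPONSE_Location with (.*)#redirect=(.*)")

    # The rule must be limited to 3xx responses by the precondition it names.
    pre_name = outbound.get("preCondition")
    pre = root.find(REWRITE + f"/outboundRules/preConditions/preCondition[@name='{pre_name}']")
    cond = None if pre is None else pre.find("add")
    if cond is None or cond.get("input") != "{RESPONSE_STATUS}" or cond.get("pattern") != "3[0-9][0-9]":
        problems.append("preCondition does not restrict the rewrite to 3xx responses")
    return problems


# IIS matches patterns case-insensitively by default, so mirror that here.
LOCATION_PATTERN = re.compile(r"(.*)#redirect=(.*)", re.IGNORECASE)
STATUS_PATTERN = re.compile(r"3[0-9][0-9]")


def rewrite_location(status: int, location: str) -> str:
    """Simulate the outbound rule: on a 3xx response whose Location header
    contains '#redirect=', the header is replaced by the part after it ({R:2});
    any other response leaves the header untouched."""
    if STATUS_PATTERN.search(str(status)) is None:
        return location
    m = LOCATION_PATTERN.match(location)
    return location if m is None else m.group(2)


if __name__ == "__main__":
    # Check a real file if a path is given, otherwise the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_WEB_CONFIG
    found = check_web_config(text)
    print("web.config OK" if not found else "\n".join("PROBLEM: " + p for p in found))
    # Constructed header value showing what the outbound rule sends to the browser.
    loc = "https://pyramid.example.com/#redirect=https://idp.example.com/saml2/sso"
    print("302 Location becomes:", rewrite_location(302, loc))
```

Run it as `python check_webconfig.py "C:\program files\pyramid\repository\iis\web.config"` on each IIS server (the script name is the example's own); a non-empty problem list means the file differs from the guide in one of the settings that matter for the SAML flow. The simulation also makes the precondition visible: a 200 response carrying the same Location value passes through unchanged, which is why the 3xx check belongs in the rule.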

Pyramid Setup

Step 6.

Open Pyramid and go to the Admin console. From the main menu, click Security > Authentication. From the Provider drop-down, select SAML.

In the SAML Settings panel (blue highlight) in Pyramid, enter the following details as per the general SAML setup described here.

For Azure, the details are:

  • Consumer URL: the sign on URL given in Step 2
  • SAML Issuer: the Identifier (Entity ID) given in Step 2
  • IDP URL: paste the SAML Single Sign-On Service URL copied in Step 3
  • Logout URL: paste the Sign-Out URL copied in Step 3

Step 7.

Enter the credentials for the Initial User (green highlight above). The Initial User is typically the user responsible for the Pyramid configuration.

  • User Name: the internal user name of the initial user. This lets the user log in to Pyramid without going through SAML.
  • First Name: the first name of the initial user
  • Last Name: the last name of the initial user
  • Email: the email of the initial user
  • Principal Name: the Azure UPN (username) of the initial user
  • Password: the internal password for the user. Only required if manually logging in without the SAML framework.

Note: every new Pyramid user must have a principal name that matches the user's user.userprincipalname in Azure AD.