Azure AD: Identity Provider initiated SSO

In an Identity Provider (IdP) initiated login, a user gains access to the IdP site (Azure AD) first and then clicks on the service provided by the remote Service Provider (Bright). After the user selects the required service, the IdP initiates the authentication process.

Configuration (Bright app)

Open the Bright app and do the following:

  1. Go to OrganizationOrganization settingsSingle sign-on (SSO) Authentication.

  2. Open the SSO providers list, select AD FS, and click Connect.

  3. Select a Default Role that will be assigned to users signing in via SSO.

  4. Select SAML protocol.

  5. Copy the Entity ID and Callback URL properties to Azure on this step.

  6. Provide Metadata URL that you copied from the Azure side on this step.

  7. Click Continue to finish the integration process.

Configuration (Azure)

  1. Create the enterprise application; see details on how to create it here.
  2. To configure SSO for your application, go to Enterprise ApplicationYour applicationSingle sign-onSAML

  1. Fill in the fields in Basic SAML Configuration section:
  • Entity ID - paste the Entity ID value you copied from Bright app on step 5
  • Reply URL - paste the Callback URL value you copied from Bright app on step 5
  • Sign on URL (Optional) - to use only service provider-initiated SSO (that means to use SAML sign-in only from Bright web UI, not from Microsoft My Apps), fill in this field with the value https://app.brightsec.com/sso, https://eu.brightsec.com/sso or https://your-cluster-name.brightsec.com/sso. If you leave this field blank, both IdP initiated and service provider initiated SSO will work.

Attributes and Claims (Azure)

  1. Open Attributes & ClaimsAdditional Claims and provide the following data to each Claim name in the list to make your application compatible with Bright:
Claim nameTypeValue
emailSAMLuser.mail
firstNameSAMLuser.givenname
lastNameSAMLuser.surname
nameSAMLuser.principalname

Here is an example of correctly provided data of one claim:

📘

The "Namespace" field must be blanked to successfully complete the integration

Final steps

  1. Open Azure AD, go to Enterprise ApplicationYour applicationSingle sign-onSAMLSAML Certificates, copy App Federation Metadata Url
  1. Open Bright OrganizationOrganization settingsSingle sign-on (SSO) Authentication, and paste the value you copied from Azure AD to Metadata URL field.
  2. Click Continue to complete the integration.

Integration usage

After the integration process finishes, all settings can be managed from the Organization tab:

👍

Note:

All changes made will not affect the operation of Service Provider initiated SSO. To learn more about it, see the article.

Also, now it's possible to log in to the Bright app from the list of applications in Azure. To do that, open the Apps dashboard and click the Bright App icon.