Azure AD: Identity Provider initiated SSO

In an Identity Provider (IdP) initiated login, the user signs in to the IdP (Azure AD) first and then selects the application offered by the Service Provider (Bright), for example from the Microsoft My Apps portal. Once the user selects the application, the IdP builds the SAML response and sends the user to Bright; no authentication request originates from Bright. Compare this with SP-initiated login, where the user starts at the Bright sign-in page and is redirected to Azure AD.

Configuration (Bright app)

Open the Bright app and do the following:

  1. Log in to the Bright app.

  2. In the left pane, select the Settings option.

  3. In the ORGANIZATION SETTINGS section, open the Single sign on (SSO) Authentication dropdown list, select AD FS, and then click Connect.

  4. In the AD FS Authentication form, fill in the fields with the values you obtain from Azure AD (see Configuration (Azure) below), and then click Continue.

  5. Select the SAML protocol and fill in the Default Role field; the Metadata URL field is filled in at step 7.

  6. Copy the Entity ID and Callback URL values shown on this step; you will paste them into the Basic SAML Configuration section in Azure.

  7. In the Metadata URL field, paste the App Federation Metadata Url that you copied from Azure.

  8. Click Continue to finish the integration process.

Configuration (Azure)

  1. Create the enterprise application; see details on how to create it here.
  2. To configure SSO for your application, go to Enterprise Application > Your application > Single sign-on > SAML.
  3. Fill in the fields in the Basic SAML Configuration section:
    1. Entity ID - paste the Entity ID value you copied from the Bright app at step 6.

    2. Reply URL - paste the Callback URL value you copied from the Bright app at step 6.

    3. Sign on URL (Optional) - fill in this field only if you want SP-initiated login exclusively (that is, SAML sign-in only from the Bright web UI and not from Microsoft My Apps); use https://app.brightsec.com/sso, https://eu.brightsec.com/sso or https://your-cluster-name.brightsec.com/sso, matching your cluster. Leave this field empty if you want both IdP-initiated and SP-initiated login to work.

Attributes and Claims (Azure)

Open Attributes & Claims > Additional Claims and add a claim for each row below, so that the assertion Bright receives carries exactly these attribute names (Value is the Source attribute in Azure):

Claim name   Type   Value
email        SAML   user.mail
firstName    SAML   user.givenname
lastName     SAML   user.surname
name         SAML   user.userprincipalname

Here is an example of a correctly configured claim:

📘

The "Namespace" field must be left blank to complete the integration successfully. With a namespace set, Azure emits the claim under the full URI (namespace plus claim name) and Bright does not find the short names listed above.
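The following script is an added example, not code from Bright or Microsoft. It shows what the claims configuration above produces on the wire: it parses a SAML response the way Bright's callback would see it, reports whether the response is IdP-initiated (unsolicited, no InResponseTo attribute, which is the flow this page configures), and checks that the four attribute names Bright expects are present. The embedded response is a constructed, unsigned sample shaped like an Azure AD response; the tenant id and user values are placeholders, the "name" claim was deliberately left with Azure's default namespace to show what the Namespace note is guarding against, and the function names are mine. ElementTree is used for inspection only; a real response must be signature-checked before any attribute is trusted.

```python
"""Inspect a SAML response the way Bright's callback would see it (added example)."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim names Bright expects, exactly as entered in Azure's Additional claims
# list with an empty Namespace field.
REQUIRED_CLAIMS = ("email", "firstName", "lastName", "name")

# Constructed sample (tenant id and user values are placeholders). The "name"
# claim carries Azure's default namespace on purpose: that is the
# misconfiguration the Namespace note above warns about.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_saml_response(form_value: str) -> str:
    """Decode the base64 SAMLResponse form field into XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def is_idp_initiated(response_xml: str) -> bool:
    """IdP-initiated responses are unsolicited: <Response> has no InResponseTo.

    This is the flow the Sign on URL setting controls. An SP that accepts
    unsolicited responses must not try to match them to a stored request id.
    """
    root = ET.fromstring(response_xml)
    return root.get("InResponseTo") is None


def extract_attributes(response_xml: str) -> dict:
    """Map each Attribute Name in the assertion to its list of values."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)
        ]
    return attrs


def check_claims(attrs: dict):
    """Return (missing, namespaced): the expected claims Bright would not find.

    'namespaced' maps an expected short name to the URI-style name Azure
    emitted because the Namespace field was not left blank.
    """
    missing, namespaced = [], {}
    for claim in REQUIRED_CLAIMS:
        if attrs.get(claim):
            continue
        hits = [n for n in attrs if "/" in n and n.rsplit("/", 1)[-1] == claim]
        if hits:
            namespaced[claim] = hits[0]
        else:
            missing.append(claim)
    return missing, namespaced


if __name__ == "__main__":
    # Round-trip through base64 as a real SAMLResponse form field would arrive.
    encoded = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
    xml_text = decode_saml_response(encoded)
    print("IdP-initiated:", is_idp_initiated(xml_text))
    missing, namespaced = check_claims(extract_attributes(xml_text))
    print("missing claims:", missing)
    print("namespaced claims (blank the Namespace field):", namespaced)
```

Running the script against the sample reports no missing claims but flags "name" as emitted under the full URI, which is exactly the case where Bright sees firstName and lastName but not name.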

Final steps

  1. Open Azure AD, go to Enterprise Application > Your application > Single sign-on > SAML > SAML Certificates, and copy the App Federation Metadata Url.
  2. Go back to the SSO settings in Bright and paste the value you copied from Azure AD into the Metadata URL field.
  3. Click Continue to complete the integration.
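Before pasting the App Federation Metadata Url into Bright, it is worth looking at what that URL serves: the IdP entity ID, the signing certificate Bright will use to verify assertions, and the single sign-on endpoints. The script below is an added example, not code from Bright or Microsoft. The embedded document is a constructed sample shaped like Azure AD federation metadata; the tenant id and certificate body are placeholders, and the function names are mine. Run it with the real metadata URL as an argument to check the live document instead of the sample.

```python
"""Inspect Azure AD federation metadata before handing its URL to Bright (added example)."""
import sys
import urllib.request
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: tenant id and certificate body are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull out the three things an SP needs from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and
    # encryption, so treat it as a signing key too.
    certs = [
        (c.text or "").strip()
        for kd in idp.iterfind(f"{{{MD}}}KeyDescriptor")
        if kd.get("use") in (None, "signing")
        for c in kd.iter(f"{{{DS}}}X509Certificate")
    ]
    endpoints = {
        s.get("Binding"): s.get("Location")
        for s in idp.iterfind(f"{{{MD}}}SingleSignOnService")
    }
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": endpoints}


def metadata_problems(info: dict) -> list:
    """Return human-readable findings; an empty list means the metadata is usable."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["signing_certs"]:
        problems.append("no signing certificate: the SP could not verify assertions")
    if POST_BINDING not in info["sso"]:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    for binding, location in info["sso"].items():
        if not (location or "").startswith("https://"):
            problems.append(f"{binding} endpoint is not https: {location}")
    return problems


def check_metadata(xml_text: str) -> list:
    return metadata_problems(parse_idp_metadata(xml_text))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        url = sys.argv[1]
        if not url.startswith("https://"):
            sys.exit("refusing to fetch IdP metadata over plain http")
        with urllib.request.urlopen(url) as resp:
            text = resp.read().decode("utf-8")
    else:
        text = SAMPLE_METADATA
    info = parse_idp_metadata(text)
    print("entityID:", info["entity_id"])
    print("signing certificates:", len(info["signing_certs"]))
    print("SSO endpoints:", info["sso"])
    print("problems:", check_metadata(text) or "none")
```

The entity ID you see here is what appears as the Issuer of every assertion Azure AD sends; if it does not contain your own tenant id, the metadata URL points at the wrong directory. More than one signing certificate usually means a certificate rollover is in progress, which is the reason Bright consumes the metadata URL rather than a pasted certificate.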

Integration usage

After the integration process finishes, all settings can be managed from the Settings page, in the ORGANIZATION SETTINGS section.

It is also possible to log in to the Bright app from the list of applications in Azure (Microsoft My Apps), which is the IdP-initiated flow described at the top of this page. To do that, open the Apps dashboard and click the Bright app icon. This works only if the Sign on URL field in Basic SAML Configuration was left empty.