This section provides a step-by-step sample scenario for implementing SAML SSO on the ESA with Azure Active Directory (Azure AD) as the IdP.
Prerequisites
An ESA is up and running.
Ensure that the IP address of the ESA resolves to a reachable FQDN. For example, resolve the IP address of the ESA to esa.protegrity.com. The same FQDN is used in the Reply URL that the IdP sends the browser back to, so it must also resolve from the browsers of the users who sign in.
On the Azure IdP, perform the following steps to retrieve the entity ID and metadata.
Log in to the Azure Portal and navigate to Azure Active Directory. Select the tenant for your organization and add an enterprise application for the ESA in the Azure IdP. Note the value of Application Id for your enterprise application; it is required later on the ESA.
For more information about creating an enterprise application, refer to https://docs.microsoft.com/.
Select Single sign-on > SAML. Edit the Basic SAML configuration and enter the Reply URL (Assertion Consumer Service URL). The format for this text box is https://<FQDN of the appliance>/Management/Login/SSO/SAML/ACS.
For example, the value in the Reply URL (Assertion Consumer Service URL) is https://esa.protegrity.com/Management/Login/SSO/SAML/ACS. The scheme, FQDN and path must match exactly, or the IdP posts the assertion to a URL the ESA does not serve.
Under the SAML Signing Certificate section, copy the Metadata URL or download the Metadata XML file. The metadata contains the IdP entity ID, the sign-on endpoint and the certificate that the IdP uses to sign assertions; the ESA needs the certificate to verify the assertions it receives.
The users who will sign in with SAML SSO exist in the Azure IdP tenant.
Log in to the ESA as an administrative user. Add each user for whom you want to enable SAML SSO and assign them a role that includes the SSO Login permission.
For example, add the user Sam from the User Management screen on the ESA Web UI and assign Sam a Security Administrator role with the SSO Login permission.
Ensure that the user Sam is also present in Azure AD. The user name on the ESA must correspond to the account that Azure AD authenticates; otherwise the assertion cannot be matched to an ESA user.
Navigate to Settings > Users > Single Sign-On > SAML Single Sign-On. In the Service Provider (SP) settings section, enter esa.protegrity.com in the FQDN text box and the Application Id noted from the Azure enterprise application in the Entity ID text box. Click Save.
In the Identity Provider (IdP) Settings section, enter the Metadata URL in the Metadata Settings text box. Alternatively, if you downloaded the Metadata XML file, upload it instead. Click Save.
Select the Enable option to enable SAML SSO.
If you want users who sign in through SAML SSO to reach the User Management screen, enable the Access User Management screen option.
Log out from ESA.
Open a new Web browser session and log in to the Azure portal as Sam with the IdP credentials.
Open another tab in the same browser session and enter the FQDN of the ESA, for example, esa.protegrity.com. The tab must share the IdP session cookies; a separate browser profile or private window does not.
Ensure that the user session on the IdP is still active. If the session has expired, the IdP prompts for the IdP credentials instead.
Click Sign in with SAML SSO. The browser is redirected to the IdP and back to the ESA, and you land on the ESA Dashboard without entering credentials on the ESA.
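The following is an added example; it is not part of the Protegrity documentation or of the ESA or Azure code. It parses an IdP metadata document of the kind retrieved in the SAML Signing Certificate step, extracts the three values the ESA as SP depends on (the IdP entity ID, the HTTP-Redirect sign-on endpoint and the signing certificate), rejects metadata with no signing certificate or a non-HTTPS endpoint, and checks a Reply URL against the format the procedure requires. The embedded metadata is a constructed sample in the element layout Azure AD uses; the tenant GUID, entity ID and certificate body are placeholders, and the function and variable names are assumptions of this example.

```python
# Added example (not Protegrity or Microsoft code): inspect Azure AD IdP metadata
# before uploading it to the ESA, and sanity-check the Reply URL entered in Azure.
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ACS_PATH = "/Management/Login/SSO/SAML/ACS"  # the ESA's ACS path given in the procedure

# Constructed sample in the layout Azure AD federation metadata uses. The tenant GUID,
# entity ID and certificate body are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


@dataclass
class IdpInfo:
    entity_id: str
    sso_redirect_url: str
    signing_cert_der: bytes
    signing_cert_sha256: str  # compare with the thumbprint shown in the Azure portal


def parse_idp_metadata(xml_text: str) -> IdpInfo:
    """Extract what the SP (the ESA) needs: the IdP entity ID, the HTTP-Redirect SSO
    endpoint and the certificate used to verify assertion signatures."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # A KeyDescriptor with use="signing" (or no use attribute, which means any use)
    # carries the certificate that assertion signatures are checked against.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            cert_b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
            if cert_b64:
                break
    if not cert_b64:
        raise ValueError("no signing certificate: the SP could not verify assertions")
    cert_der = base64.b64decode("".join(cert_b64.split()))
    sso = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT_BINDING:
            sso = svc.get("Location")
    if not sso:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    if urlparse(sso).scheme != "https":
        raise ValueError(f"SSO endpoint is not https: {sso}")
    return IdpInfo(entity_id, sso, cert_der, hashlib.sha256(cert_der).hexdigest())


def expected_acs_url(fqdn: str) -> str:
    """Reply URL (Assertion Consumer Service URL) for an ESA reachable at fqdn."""
    return f"https://{fqdn}{ACS_PATH}"


def check_reply_url(configured: str, fqdn: str) -> List[str]:
    """Problems with a Reply URL typed into Azure; an empty list means it matches."""
    u = urlparse(configured)
    problems = []
    if u.scheme != "https":
        problems.append("scheme must be https")
    if u.hostname != fqdn.lower():
        problems.append(f"host {u.hostname!r} does not match the ESA FQDN {fqdn!r}")
    if u.path != ACS_PATH:
        problems.append(f"path {u.path!r} is not {ACS_PATH}")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entity ID:      ", info.entity_id)
    print("SSO redirect URL:   ", info.sso_redirect_url)
    print("Signing cert SHA256:", info.signing_cert_sha256)
    print("Reply URL problems: ", check_reply_url(expected_acs_url("esa.protegrity.com"), "esa.protegrity.com"))
```

Run it against the metadata you actually downloaded by passing the file contents to parse_idp_metadata in place of SAMPLE_METADATA. The SHA-256 fingerprint lets you confirm that the certificate the ESA will trust is the one shown in the Azure portal, which matters most when the metadata was fetched by URL rather than downloaded and inspected by hand.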