Implementing SAML SSO on Azure IdP - An Example
This section provides a step-by-step sample scenario for implementing SAML SSO on the ESA with the Azure IdP.
Prerequisites
An ESA is up and running.
Ensure that the IP address of the ESA resolves to a reachable FQDN. For example, resolve the IP address of the ESA to esa.protegrity.com.
On the Azure IdP, perform the following steps to retrieve the entity ID and metadata.
- Log in to the Azure Portal.
- Navigate to Azure Active Directory.
- Select the tenant for your organization.
- Add the enterprise application in the Azure IdP. Note the value of Application ID for your enterprise application; it is used as the Entity ID on the ESA. For more information about creating an enterprise application, refer to https://docs.microsoft.com/.
- Select Single sign-on > SAML.
- Edit the Basic SAML Configuration and enter the Reply URL (Assertion Consumer Service URL). The format for this text box is https://<FQDN of the appliance>/Management/Login/SSO/SAML/ACS. For example, the value of the Reply URL (Assertion Consumer Service URL) is https://esa.protegrity.com/Management/Login/SSO/SAML/ACS
- Under the SAML Signing Certificate section, copy the Metadata URL or download the Metadata XML file.
The users who will log in with SAML SSO exist in the Azure IdP tenant.
Steps
Log in to the ESA as an administrative user. Add all the users for whom you want to enable SAML SSO, and assign them roles that include the SSO Login permission.
For example, import the user Sam from the User Management screen on the ESA Web UI and assign Sam a Security Administrator role with the SSO Login permission.
Ensure that the user Sam also exists in Azure AD.
Navigate to Settings > Users > Single Sign-On > SAML Single Sign-On. In the Service Provider (SP) settings section, enter esa.protegrity.com in the FQDN text box and the Application ID noted in the prerequisites in the Entity ID text box. Click Save.
If the metadata URL is available, then under the IdP Settings section, select Metadata URL from the Metadata Settings drop-down list. Enter the URL of the metadata.
If the metadata file is downloaded, then under the IdP Settings section, select Metadata File from the Metadata Settings drop-down list. Upload the metadata file.
From the Unique Name Identifier (Name ID) drop-down, select one of the following two options as the unique identifier used to match the authenticated IdP user to a local ESA user.
- Firstname.Lastname: The local user must be created manually with a first name and a last name that match the IdP user.
- UserPrincipalName: The local user can be created manually or imported from Azure AD, if the user exists in Azure AD.
Click Save.
Select the Enable option to enable SAML SSO.
If you want to allow access to User Management screen, enable the Access User Management screen option.
Log out from the ESA.
Open another session on the Web browser and enter the FQDN of ESA. For example, esa.protegrity.com.
Ensure that the user session on the IdP is active; if the session is idle or inactive, a screen to enter the IdP credentials appears.
Click Sign in with SAML SSO.
The browser is redirected to the Azure portal for authentication.
If the Azure user is not logged in, the login dialog appears. Provide the Azure user's credentials to log in.
If multi-factor authentication is enabled, complete the required authentication in the Authenticator application to proceed.
After a successful login, the browser is automatically redirected to the ESA Dashboard.
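The procedure above hinges on a few values agreeing on both sides: the Reply URL registered in Azure must equal the ACS URL the ESA derives from its FQDN, the Entity ID on the ESA must equal the identifier Azure puts in the assertion's AudienceRestriction, and the signing certificate in the IdP metadata is what lets the appliance reject forged assertions. The following script is an added example, not Protegrity or Microsoft code, that parses a constructed stand-in for the Azure federation metadata, pins the signing certificate fingerprint, checks the SP settings from the walkthrough, and validates the claim fields of a constructed SAML response against them. The tenant GUID, Application ID, certificate bytes, response fields and the "now" timestamp are placeholders; the appliance itself performs XML signature verification, which this example does not replace.

```python
"""Sanity checks for the SP/IdP settings used in the ESA + Azure IdP walkthrough.

Added example, not Protegrity or Microsoft code. The metadata document, tenant
GUID, Application ID, certificate bytes and response fields are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml for metadata fetched from an untrusted source
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

ESA_FQDN = "esa.protegrity.com"                         # FQDN from the walkthrough
SP_ENTITY_ID = "11111111-2222-3333-4444-555555555555"  # placeholder Application ID
TENANT = "00000000-0000-0000-0000-000000000000"        # placeholder tenant GUID
FAKE_CERT_DER = b"placeholder DER bytes, not a real certificate"
FAKE_CERT_SHA256 = hashlib.sha256(FAKE_CERT_DER).hexdigest()

# Constructed stand-in for the Azure "Federation Metadata XML" (same element layout).
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def acs_url(fqdn):
    """Reply URL / ACS URL format from the walkthrough."""
    return f"https://{fqdn}/Management/Login/SSO/SAML/ACS"


def parse_idp_metadata(xml_text):
    """Extract entityID, redirect SSO endpoint, NameID formats and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # a KeyDescriptor without 'use' may sign
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())  # pin this, not the URL
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT:
            sso_url = svc.get("Location")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url,
            "signing_cert_sha256": fingerprints,
            "nameid_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)]}


def check_settings(fqdn, sp_entity_id, idp):
    """Return a list of configuration problems (empty list means the settings are consistent)."""
    problems = []
    if not fqdn or "/" in fqdn or ":" in fqdn:
        problems.append("FQDN must be a bare host name (no scheme, path or port)")
    if not sp_entity_id:
        problems.append("SP Entity ID is empty")
    if not (idp["sso_url"] or "").startswith("https://"):
        problems.append("IdP SSO endpoint is missing or not https")
    if not idp["signing_cert_sha256"]:
        problems.append("IdP metadata carries no signing certificate; assertions cannot be verified")
    return problems


def validate_response_fields(resp, fqdn, sp_entity_id, idp, now=None):
    """Claim checks to apply after the XML signature has been verified against the pinned cert."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if resp.get("issuer") != idp["entity_id"]:
        problems.append("Issuer does not match the IdP entityID from metadata")
    if resp.get("destination") != acs_url(fqdn):
        problems.append("Destination is not this appliance's ACS URL")
    if resp.get("audience") != sp_entity_id:
        problems.append("AudienceRestriction is not our SP Entity ID (assertion minted for another app)")
    expiry = resp.get("not_on_or_after")
    if expiry is None or expiry <= now:
        problems.append("assertion expired or has no NotOnOrAfter")
    if not resp.get("name_id"):
        problems.append("missing NameID; nothing to map to a local ESA user")
    return problems


CHECK_TIME = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed "now" for a repeatable demo
GOOD_RESPONSE = {  # constructed fields of a well-formed response for this SP
    "issuer": f"https://sts.windows.net/{TENANT}/", "destination": acs_url(ESA_FQDN),
    "audience": SP_ENTITY_ID, "name_id": "sam@protegrity.com",
    "not_on_or_after": datetime(2030, 1, 1, 0, 5, tzinfo=timezone.utc)}
# Same tenant, but minted for a different application and already expired.
BAD_RESPONSE = dict(GOOD_RESPONSE, audience="some-other-app",
                    not_on_or_after=datetime(2029, 12, 31, tzinfo=timezone.utc))

if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entityID:", meta["entity_id"])
    print("signing cert sha256:", meta["signing_cert_sha256"])
    print("settings problems:", check_settings(ESA_FQDN, SP_ENTITY_ID, meta))
    print("good response:", validate_response_fields(GOOD_RESPONSE, ESA_FQDN, SP_ENTITY_ID, meta, CHECK_TIME))
    print("bad response:", validate_response_fields(BAD_RESPONSE, ESA_FQDN, SP_ENTITY_ID, meta, CHECK_TIME))
```

Pinning the certificate fingerprint rather than trusting whatever the metadata URL returns is what keeps an attacker who can influence the metadata fetch from substituting their own signing key; re-run the parse when Azure rolls the certificate and compare the new fingerprint out of band before accepting it.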