Set up SAML Authentication for Orchestrate Using Microsoft Entra ID
Notice
Microsoft Azure Active Directory (Azure AD) is renamed to Microsoft Entra ID.
In Orchestrate, you can enable single sign-on (SSO) using an Identity Provider (IdP) that supports Security Assertion Markup Language (SAML), such as Microsoft Entra ID.
Before you start:
You must have administrative privileges to create an external application using Microsoft Entra ID.
Your user group in Orchestrate must have View and Update Configuration permission to access the Configuration module in Orchestrate.
Steps
To set up SAML authentication for Orchestrate using Microsoft Entra ID, you must complete the steps in the following sections, in order.
Fetch Assertion URL and Entity ID from Orchestrate
The Assertion Consumer Service (ACS) URL is the endpoint on Orchestrate to which the identity provider (Microsoft Entra ID) sends its SAML response after authenticating the user. The Entity ID is a globally unique name for the service provider or the identity provider; Orchestrate's Entity ID is the audience that Microsoft Entra ID writes into each assertion, so it must be entered in Microsoft Entra ID exactly as Orchestrate shows it. You need both values while setting up the SAML 2.0 app in Microsoft Entra ID.
To fetch the assertion consumer URL and entity ID from Orchestrate, do the following:
Sign in to the Orchestrate platform.
Navigate to Admin Panel > Authentication > SAML 2.0.
Copy the following values.
Assertion Consumer URL
Entity ID
Configure SAML Application for Orchestrate on Microsoft Entra ID
Set up Microsoft Entra ID for SSO by creating an external application for Orchestrate and configuring SSO for it.
To configure the SAML application for Orchestrate, follow these steps:
Sign in to the Microsoft Entra ID admin center.
From the menu, select Microsoft Entra ID.
Select Enterprise Applications and click New Application > Create your own application.
In the What's the name of your app? field, enter Orchestrate and select Integrate any other application you don't find in the gallery (Non-gallery).
Click Create to create the application.
Under Manage, select Single Sign-on.
From Select a single sign-on method, select SAML.
Click Edit on Basic SAML Configuration. Enter the Entity ID copied from Orchestrate in Identifier (Entity ID), and the Assertion Consumer URL copied from Orchestrate in Reply URL (Assertion Consumer Service URL). The Index in the Reply URL field is optional.
The Sign on URL, Relay State, and Logout URL fields are optional. Save your changes.
Click Edit on Attributes and Claims. For more information on claims, see Claims.
In Required Claim, select Unique User Identifier (Name ID) and set its value to user.userprincipalname. This value is sent as the assertion's NameID, the identity under which the user signs in to Orchestrate.
Edit the existing additional claims and add claims for email, first name, and last name.
Microsoft Entra ID fills in a Namespace value for each additional claim by default, and then emits the claim under its namespace-qualified name rather than the bare name. Orchestrate expects the bare names below, so edit each additional claim and clear its Namespace field (the field is optional and may be left empty).
Enter the following values to add an email claim:
Name as email
Select Source as Attribute
Source Attribute as user.mail
Enter the following values to add a claim for the first name:
Name as first_name
Select Source as Attribute
Source Attribute as user.givenname
Enter the following values to add a claim for the last name:
Name as last_name
Select Source as Attribute
Source Attribute as user.surname
The following image illustrates the list of claims that must be added to Microsoft Entra ID.
Go to SAML Certificates. Download the Certificate (Base64) or Certificate (Raw) and the Federation Metadata XML, and copy the App Federation Metadata URL; you need these while configuring SSO in the Orchestrate platform. Note the certificate's expiration date shown in this section: when the signing certificate is renewed in Microsoft Entra ID, the new certificate must be uploaded to Orchestrate, otherwise sign-ins fail signature validation.
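The following script is an added example (not code from Orchestrate or Microsoft) that checks a SAML Response captured from a test sign-in, for instance with a browser SAML tracer, against the settings entered above: the Reply URL must equal the Assertion Consumer URL, the Identifier must come back as the assertion's Audience, the NameID must carry the user principal name, and the claims must arrive under the bare names email, first_name and last_name. It does not verify the XML signature, which is Orchestrate's job. The ENTITY_ID and ACS_URL values, the TENANT-ID placeholder and the two sample responses are all constructed for the example; the second response shows what a claim looks like when its Namespace field was not cleared.

```python
"""Sanity-check a SAML Response from Microsoft Entra ID against the Orchestrate settings.

Added example, not code from Orchestrate or Microsoft. It does not verify the XML
signature (Orchestrate does that); it checks that Entity ID, Assertion Consumer URL
and claim names line up with what was entered in Entra ID. Sample data is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholders standing in for the values copied from Admin Panel > Authentication > SAML 2.0.
ENTITY_ID = "https://orchestrate.example.com/saml/metadata"
ACS_URL = "https://orchestrate.example.com/saml/acs"

# Claim names Orchestrate expects, exactly as typed into the Name field in Entra ID.
REQUIRED_CLAIMS = ("email", "first_name", "last_name")
# Prefix Entra ID puts on a claim when its Namespace field is left at the default.
ENTRA_DEFAULT_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"


def check_response(xml_text, expected_entity_id, expected_acs_url):
    """Return a report dict; 'ok' is True only when every check passes."""
    root = ET.fromstring(xml_text)
    problems = []
    # Entra ID addresses the Response to the Reply URL it was given; it must be the ACS URL.
    if root.get("Destination") != expected_acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the Assertion Consumer URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (missing, or encrypted)")
        return {"ok": False, "name_id": "", "attributes": {}, "problems": problems}
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs_url:
        problems.append("SubjectConfirmationData Recipient is not the Assertion Consumer URL")
    # The Identifier (Entity ID) entered in Entra ID comes back as the Audience of the assertion.
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain Entity ID {expected_entity_id!r}")
    # NameID carries user.userprincipalname, the identity Orchestrate sees.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or ""
    if not name_id:
        problems.append("NameID is empty: set Unique User Identifier to user.userprincipalname")
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for claim in REQUIRED_CLAIMS:
        if claim not in attributes:
            problems.append(f"claim {claim!r} missing")
    namespaced = sorted(n for n in attributes if n.startswith(ENTRA_DEFAULT_NS))
    if namespaced:
        problems.append(f"namespace-qualified claim names present, clear the Namespace field in Entra ID: {namespaced}")
    return {"ok": not problems, "name_id": name_id, "attributes": attributes, "problems": problems}


def sample_response(attributes_xml):
    """Constructed, unsigned Response in the shape Entra ID posts to the ACS URL (placeholder tenant)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>https://sts.windows.net/TENANT-ID/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/TENANT-ID/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
{attributes_xml}
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attribute_xml(name, value):
    return f'      <saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'


# Claims as they should look once the Namespace field has been cleared on each of them.
GOOD_ATTRS = "\n".join([
    attribute_xml("email", "alice@example.com"),
    attribute_xml("first_name", "Alice"),
    attribute_xml("last_name", "Example"),
])
# The last_name claim with its Namespace left in place: Entra ID emits the qualified name instead.
BAD_ATTRS = "\n".join([
    attribute_xml("email", "alice@example.com"),
    attribute_xml("first_name", "Alice"),
    attribute_xml(ENTRA_DEFAULT_NS + "last_name", "Example"),
])

if __name__ == "__main__":
    for label, attrs in (("cleared namespace", GOOD_ATTRS), ("default namespace", BAD_ATTRS)):
        print(label, check_response(sample_response(attrs), ENTITY_ID, ACS_URL))
```

Run it against a real captured response by replacing the sample with the decoded SAMLResponse form field; a report that lists a namespace-qualified name is the symptom of a Namespace field that was left filled in on one of the additional claims.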
Assign Users to Orchestrate Application in Microsoft Entra ID
Ensure that you have created users in Microsoft Entra ID to set up SAML authentication. For more information on creating users in Microsoft Entra ID, see Add or Delete Users. You must assign the created users or user groups to the Orchestrate application present in Microsoft Entra ID.
To assign users to the Orchestrate application, do the following:
Sign in to the Microsoft Entra admin center as an administrator.
Go to Enterprise Applications > Orchestrate.
Under Manage, select Users and Groups.
Click Add User/Group, select the users or groups that should be able to sign in to Orchestrate, and assign them.
Create Users in Orchestrate
The users you assigned in Microsoft Entra ID must also exist in Orchestrate. See Create User to add users in Orchestrate. Create each user with the identity that Microsoft Entra ID sends as the NameID (the user principal name configured above) so that the SAML subject can be matched to an Orchestrate account.
Configure Microsoft Entra ID SSO in Orchestrate
Configure Microsoft Entra ID as the single sign-on identity provider in Orchestrate so that users can sign in to Orchestrate with their Microsoft Entra ID credentials.
To configure Microsoft Entra ID SSO in Orchestrate, do the following:
Sign in to the Orchestrate application.
Navigate to Admin Panel > Authentication.
Select SAML 2.0 and click Edit.
Go to the IdP (Identity Provider) section and, in Metadata XML, upload the Federation Metadata XML file downloaded from Microsoft Entra ID. The .xml file must be smaller than 40 MB.
In the SSO URL field, enter the App Federation Metadata URL copied from Microsoft Entra ID, and in the Certificate field upload the Certificate (Base64) or Certificate (Raw) file downloaded from Microsoft Entra ID.
The Encrypt and Sign Certificate fields are optional. Enable AuthnRequest so that Orchestrate sends SP-initiated authentication requests to Microsoft Entra ID when a user starts sign-in from Orchestrate.
Select Activate Authentication and click Save.
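Before uploading the Federation Metadata XML and the certificate file in the steps above, it is worth confirming that the two agree, since they are downloaded separately and can drift apart after a certificate renewal in Microsoft Entra ID. The following added example (not code from Orchestrate or Microsoft) reads IdP metadata in the Entra ID format, reports the entityID, the SingleSignOnService URL per binding and the signing certificates, and checks that a Certificate (Base64) file is one of those signing certificates. The metadata document, the TENANT-ID placeholder and the certificate bytes are constructed for the example; the byte strings are shaped like DER but are not real certificates.

```python
"""Inspect Entra ID Federation Metadata XML and check the Certificate (Base64) file against it.

Added example, not code from Orchestrate or Microsoft. The metadata below is a constructed
skeleton of the Entra ID format; the tenant and certificate bytes are placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def normalize_cert(text):
    """Strip PEM armor and whitespace so the same certificate compares equal whatever file it came from."""
    lines = [ln.strip() for ln in text.strip().splitlines() if not ln.strip().startswith("-----")]
    b64 = "".join(lines)
    der = base64.b64decode(b64, validate=True)   # binascii.Error on corrupt input
    if not der or der[0] != 0x30:                # an X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded data is not a DER-encoded certificate")
    return b64


def inspect_idp_metadata(xml_text):
    """Return the entityID, the SingleSignOnService URL per binding and the signing certificates."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    sso = {svc.get("Binding").rsplit(":", 1)[-1]: svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(normalize_cert(c.text))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def cert_file_matches_metadata(pem_text, metadata):
    """True when the certificate file is one of the signing certificates in the metadata."""
    return normalize_cert(pem_text) in metadata["signing_certs"]


def pem_file(b64):
    """Wrap base64 in PEM armor the way the Certificate (Base64) download does."""
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Placeholder byte strings shaped like a DER SEQUENCE; not real certificates.
CURRENT_CERT_B64 = base64.b64encode(b"\x30\x10" + b"\x00" * 16).decode()
ROTATED_CERT_B64 = base64.b64encode(b"\x30\x10" + b"\xff" * 16).decode()

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/TENANT-ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}">
        <X509Data><X509Certificate>{CURRENT_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    meta = inspect_idp_metadata(SAMPLE_METADATA)
    print(meta["entity_id"], meta["sso"])
    print("current cert matches:", cert_file_matches_metadata(pem_file(CURRENT_CERT_B64), meta))
    print("rotated cert matches:", cert_file_matches_metadata(pem_file(ROTATED_CERT_B64), meta))
```

With real files, pass the downloaded metadata to inspect_idp_metadata and the downloaded certificate to cert_file_matches_metadata. A mismatch after a renewal means the metadata lists the new signing key while the certificate file is the old one (or the reverse); download both again so that Orchestrate validates signatures with the key Microsoft Entra ID is actually using. Entra ID metadata may list more than one signing KeyDescriptor while a rotation is in progress, which is why the check accepts any of them.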