Prerequisites For Microsoft Azure


Creating An Enterprise Application On The Organization’s Azure AD

Before adding Microsoft Azure as an IdP, we need to create an enterprise application on the organization’s Azure AD that will serve the SAML requests. To create this application, follow these steps:

  1. Log in to the Azure account with admin rights. Navigate to Azure Active Directory and select Enterprise applications in the left pane.

    Select enterprise applications

  2. Click New Application.

    Click New application

  3. Click Create your own application.

    Click create your own application

  4. Enter the following details in the Create your own application dialog.

    Create your own application dialog box

    • Enter the name of the application.
    • Select the Non-gallery option as shown in the image above.
    • Click Create.

    You will be redirected to the page of the newly created application.

  5. Click Assign users and groups. This option is used to assign the users/groups that will be allowed to authenticate and access the Seqrite ZTNA user portal.

    Assign users and groups

  6. Select the users and groups that will be allowed to access the Seqrite ZTNA user portal.

    Select users and groups

  7. Navigate to the Overview page of the created application. The administrator now has to configure SSO for this application.
    Under Getting started, click the Set up single sign on option.

    Set up single sign on

  8. On the Set up single sign on page, select SAML.

    Single sign on SAML

  9. Navigate to Single sign-on in the left pane to configure the Identifier (Entity ID) and the Reply URL of the organization’s ZTUA gateway in the Basic SAML Configuration section.
    Click Edit to add the parameters.

    Edit single sign on SAML

  10. The Entity ID and Reply URL are the parameters the administrator has to configure while adding Microsoft Azure as the IdP for the gateway.
    The same Entity ID and Reply URL must be used in the Basic SAML Configuration of the application.
    Consider an example where the ZTUA gateway base domain is “apps-awstest.qhtpl.com” and the Entity ID and Reply URL are configured on the gateway as shown below.
    The base domain can be configured according to your organization’s domain (for example: apps.company.com).

    • Entity ID: /qh/gw
      For example: https://apps-awstest.qhtpl.com/qh/gw
    • Reply URL: /api/v1/saml/acs/callback
      For example: https://apps-awstest.qhtpl.com/api/v1/saml/acs/callback
    • Logout URL: /#/portal/dashboard
      For example: https://apps-awstest.qhtpl.com/#/portal/dashboard

    Configure the parameters and click Save.

    Basic SAML configuration

    Basic SAML configuration attributes

  11. The application creation is now complete.

    Basic SAML configuration complete

Now you can copy the App Federation Metadata URL and use it while adding the IdP on the gateway.
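To make the two halves of step 10 concrete, here is an added example (not code from the Seqrite product or this guide): it derives the gateway-side (SP) URLs from a base domain using the paths listed above, and parses the kind of document served at the App Federation Metadata URL to pull out what the gateway must trust from the IdP side. The metadata sample is constructed; the tenant id and certificate text are placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def sp_endpoints(base_domain):
    """Gateway (SP) values from step 10; these must be entered verbatim in Azure's Basic SAML Configuration."""
    base = f"https://{base_domain}"
    return {"entity_id": f"{base}/qh/gw",
            "reply_url": f"{base}/api/v1/saml/acs/callback",
            "logout_url": f"{base}/#/portal/dashboard"}

def parse_idp_metadata(xml_text):
    """Pull the IdP entityID, SSO/SLO endpoints and signing certificates from federation metadata."""
    root = ET.fromstring(xml_text)  # fetched over HTTPS from Azure, so the document is trusted input
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means the key serves both purposes
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))  # drop the line breaks Azure inserts in the PEM body
    if not certs:
        raise ValueError("no signing certificate: assertion signatures could not be verified")
    if REDIRECT not in sso and POST not in sso:
        raise ValueError("no SingleSignOnService with a supported binding")
    return {"entity_id": root.get("entityID"), "sso_redirect": sso.get(REDIRECT),
            "sso_post": sso.get(POST), "slo_redirect": slo.get(REDIRECT), "signing_certs": certs}

# Constructed sample in the shape Azure AD serves at the App Federation Metadata URL;
# the tenant id and the certificate text are placeholders, not real values.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
      <X509Certificate>MIIC...PLACEHOLDER...</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Comparing `sp_endpoints(...)` against what was saved in Azure catches the most common SAML onboarding failure, a mismatched Entity ID or Reply URL.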

Creating An Application On Microsoft Azure With Microsoft Graph API

You need to sync Microsoft Azure AD users and their attributes for policy creation. For this, you need to register another application on Microsoft Azure that uses the Microsoft Graph API.

  1. Log on to the Azure account with admin rights. Navigate to the Default directory and click App registrations in the left pane. Click New registration.

    New registration

  2. Enter the application name and select the Accounts in this organizational directory only option. Click the Register button.

    Click register button

  3. On the Overview page, click Add a certificate or secret under Essentials.

    Add certificate or secret

    A new page is displayed.

  4. Click New client secret.

    New client secret

    In the right pane, enter the description and select the expiry period.

    Description and expiry period

  5. Navigate to Certificates & secrets. Copy the secret value and secret ID for future reference.

    Copy secret value and ID

  6. Navigate to App registrations in the left pane. Click the application name.

    Click application name

  7. Navigate to API permissions in the left pane and click Add a permission.
  8. In the right pane, click Microsoft Graph.

    Click MS graph

  9. Click Application permissions.

    Click application permissions

  10. Under User, select the User.Read.All permission.

    User.read.all

  11. Under Directory, select the Directory.Read.All permission.

    Directory.read.all

    After selecting these permissions, click Add permissions.

  12. On the API Permissions page, click Grant admin consent for Default Directory.

    Grant admin consent for Default Directory

  13. Navigate to the Overview section of your application and copy the Application (client) ID and Directory (tenant) ID for future reference.

    Navigate to Overview

  14. Click Endpoints and copy the OAuth 2.0 token endpoint (v2) for future reference.

    Click Endpoints

The Application (client) ID, client secret, and OAuth 2.0 token endpoint (v2) are required for adding the IdP during the onboarding process.
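The values collected above are what a client-credentials call to Microsoft Graph needs. The following added example (written for this page, not Seqrite's own sync code) builds that token request, checks that the two application permissions granted in steps 10 to 12 actually appear in the token's `roles` claim, and walks a paged `/users` listing. The token and the Graph pages are constructed stand-ins so the block runs offline; the fetch function is a hypothetical hook for whatever HTTP client you use.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
REQUIRED_ROLES = {"User.Read.All", "Directory.Read.All"}  # application permissions from steps 10-11

def token_request(token_endpoint, client_id, client_secret):
    """Build the client-credentials POST the gateway sends to the OAuth 2.0 token endpoint (v2)."""
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": GRAPH_SCOPE}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return token_endpoint, headers, urlencode(body)

def _b64url_json(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def unverified_claims(jwt):
    """Read the payload only; Graph is the token's audience and verifies the signature, not the caller."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def missing_app_roles(access_token):
    """Application permissions show up in the 'roles' claim; anything listed here lacks admin consent."""
    return sorted(REQUIRED_ROLES - set(unverified_claims(access_token).get("roles", [])))

def sync_users(fetch, url="https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName,mail&$top=999"):
    """Collect every user by following @odata.nextLink; fetch(url) returns one parsed JSON page."""
    users = []
    while url:
        page = fetch(url)
        users.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return users

# Constructed stand-ins: a token with a placeholder signature and two Graph result pages.
FAKE_TOKEN = ".".join([_b64url_json({"alg": "RS256", "typ": "JWT"}),
                       _b64url_json({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]}),
                       "placeholder-signature"])
FAKE_PAGES = {
    "https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName,mail&$top=999":
        {"value": [{"id": "u1", "userPrincipalName": "a@example.com"},
                   {"id": "u2", "userPrincipalName": "b@example.com"}],
         "@odata.nextLink": "https://graph.microsoft.com/v1.0/users?$skiptoken=page2"},
    "https://graph.microsoft.com/v1.0/users?$skiptoken=page2":
        {"value": [{"id": "u3", "userPrincipalName": "c@example.com"}]},
}
```

A non-empty result from `missing_app_roles` on a real token usually means step 12 (Grant admin consent) was skipped, which is the first thing to check when the user sync returns 403.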
