Use case
The following sections provide step-by-step instructions to set up SAML authentication for your Cloudi-Fi administrators using Cloudi-Fi and Azure.
Prerequisites
SAML for Administrators URLs
Navigate to the Cloudi-Fi Admin user interface (UI)
Go to "Configuration > Auth modes > SAML for Administrators"
Collect the necessary information
Linkback URL
https://admin.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-saml4admin/************
- ***** is your Cloudi-fi public key (Go to your Cloudi-fi Admin interface > Settings > Company Account)
Cloudi-Fi Entity ID
https://admin.cloudi-fi.net/
Sign On URL
https://admin.cloudi-fi.net/sso/************
***** is your Cloudi-fi public key (Go to your Cloudi-fi Admin interface > Settings > Company Account).
If "SAML for Administrators" is not available, please open a ticket with Cloudi-Fi Support (see "How to contact your Cloudi-Fi support?").
1. Create Azure AD SAML app
- Navigate to the "Enterprise applications" section
- Add a new application
- Click on "Create your own application"
- Set a specific name to the application (example: Cloudi-Fi Administrators SAML)
- Opt for the third option: "Integrate any other application you don't find in the gallery (Non-gallery)"
- After creating the application, navigate to "Single sign-on"
- Select "SAML" as the sign-on method
- Access "Basic SAML Configuration" to edit settings
Attribute | Details
Linkback URL | https://admin.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-saml4admin/************
Cloudi-Fi Entity ID | https://admin.cloudi-fi.net/
Sign on URL | https://admin.cloudi-fi.net/sso/************
- Go to section "(2) Attributes & Claims"
- Collect the claim URLs shown there (email address and profile; they are needed in step 2)
- For the certificate:
  - Go to "(3) SAML Certificates"
  - Download the "Certificate (Base64)"
- To collect the URLs:
  - Proceed to "(4) Set up Your Application"
  - Collect the necessary URLs:
    - Login URL
    - Microsoft Entra Identifier
    - Logout URL
2. Configure Single Sign-On
Before starting step 2, make sure you have all of the following information:
Attribute | Details
Linkback URL | https://admin.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-saml4admin/************
Cloudi-Fi Entity ID | https://admin.cloudi-fi.net/
Sign on URL | https://admin.cloudi-fi.net/sso/************
Login URL | https://login.microsoftonline.com/*********/saml2
Microsoft Entra Identifier | https://sts.windows.net/*********/
Logout URL | https://login.microsoftonline.com/***********/saml2
Certificate (Base64) | the file downloaded from "(3) SAML Certificates"
Email address claim | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Profile claim | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/profile
2.1. On the "Set up Single Sign-On with SAML" page
- Navigate to "Single sign-on" and then to "Basic SAML Configuration"
- For "Identifier (Entity ID)": Use the Cloudi-Fi Entity ID (refer to "SAML for Administrators" URLs)
- For "Reply URL (Assertion Consumer Service URL)": Enter the Linkback URL (refer to "SAML for Administrators" URLs)
- For "Sign on URL": Input the Cloudi-Fi Entity ID (refer to "SAML for Administrators" URLs)
2.2. On Cloudi-Fi side
- Navigate to the Cloudi-Fi Admin user interface (UI)
- Access "Configuration" > "Auth modes" > "SAML"
- Enter the required values into the respective fields:
  - IdP EntityId: Microsoft Entra Identifier (see 2. Configure Single Sign-On)
  - Binding Method: POST
  - IdP Endpoint: Login URL (see 2. Configure Single Sign-On)
  - Logout Binding Method (Optional): POST
  - Logout Endpoint: Logout URL (see 2. Configure Single Sign-On)
  - IdP Signing Certificate (x509 format): Paste the content of Certificate (Base64) (see 2. Configure Single Sign-On) without the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" markers
  - Email attribute name: emailaddress (see 2. Configure Single Sign-On)
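The certificate field is the step that most often goes wrong: the downloaded file is PEM (markers plus 64-character lines), while the field expects one bare Base64 line, and a partial copy-paste produces a certificate that looks fine but never validates a signature. As an added example (not Cloudi-Fi's or Microsoft's code), the following Python script strips the markers and whitespace, then checks that what remains decodes to a complete DER structure: every DER X.509 certificate starts with the SEQUENCE tag 0x30 and a length field that must match the decoded size. The sample bytes are a constructed ASN.1 placeholder, not a real certificate.

```python
"""Prepare an Azure "Certificate (Base64)" download for a bare-Base64 field.

Added example, not Cloudi-Fi's or Microsoft's code. The only input is the
PEM text; SAMPLE_DER below is a constructed ASN.1 placeholder, not a real
X.509 certificate.
"""
import base64
import binascii
import re

# PEM armour lines that the Cloudi-Fi field must not receive.
PEM_MARKER = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def _der_total_length(der: bytes) -> int:
    """Size announced by the outer DER SEQUENCE header (tag + length + content).

    Every DER-encoded X.509 certificate starts with the SEQUENCE tag 0x30,
    followed by a short-form (< 0x80) or long-form (0x8n + n bytes) length.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("data does not start with a DER SEQUENCE, so it is not an X.509 certificate")
    first = der[1]
    if first < 0x80:                      # short form: the byte is the content length
        return 2 + first
    num_bytes = first & 0x7F              # long form: how many length bytes follow
    if num_bytes == 0 or len(der) < 2 + num_bytes:
        raise ValueError("malformed DER length field")
    content_len = int.from_bytes(der[2:2 + num_bytes], "big")
    return 2 + num_bytes + content_len


def normalize_pem_certificate(pem_text: str) -> str:
    """Return the certificate body as one Base64 line without markers or whitespace.

    Raises ValueError when the body is not valid Base64, is not a DER
    SEQUENCE, or is shorter/longer than its own header announces (the
    usual symptom of a partial copy-paste).
    """
    body = PEM_MARKER.sub("", pem_text)
    body = re.sub(r"\s+", "", body)
    if not body:
        raise ValueError("no certificate data found")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc
    announced = _der_total_length(der)
    if announced != len(der):
        raise ValueError(
            f"certificate header announces {announced} bytes but {len(der)} were decoded; "
            "the paste is truncated or has trailing data"
        )
    return body


def is_complete_certificate(pem_text: str) -> bool:
    """Convenience wrapper: True when normalize_pem_certificate() accepts the input."""
    try:
        normalize_pem_certificate(pem_text)
        return True
    except ValueError:
        return False


# Constructed placeholder: SEQUENCE { INTEGER 5, NULL }, 7 bytes in total.
SAMPLE_DER = b"\x30\x05\x02\x01\x05\x05\x00"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()        # "MAUCAQUFAA=="
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + SAMPLE_B64[:6] + "\n" + SAMPLE_B64[6:] + "\n"       # wrapped like a real PEM file
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(normalize_pem_certificate(SAMPLE_PEM))          # MAUCAQUFAA==
    print(is_complete_certificate(SAMPLE_B64[:-4]))       # truncated paste -> False
```

Run it against the real download (`normalize_pem_certificate(open("cert.cer").read())`) and paste the returned line into the field; a ValueError before pasting is cheaper than an opaque sign-in failure afterwards.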
3. Enable administrator auto-provisioning (optional)
Enabling automatic administrator provisioning allows administrators to be assigned a Cloudi-Fi profile based on the Azure AD group to which they belong.
On the Azure AD side, once the groups are created and the members assigned, the next step is the SSO SAML configuration: creating and managing the "Attributes & Claims". In addition to the user's information (last name, first name and email address), a profile is assigned to the user by creating an additional claim. The configuration is done as follows:
- Click on "Add a new claim"
- Give it a name (profile, for instance)
- Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
- In the Claim conditions, create as many profiles as you need to allow on the Cloudi-Fi interface:
  - User type: Members or Any
  - Scoped Groups: select the groups allowed to access the Cloudi-Fi Admin Console
  - Source: Attribute
  - Value: the profile value (Lobby, ReadOnly, or Admin, for instance)
On the Cloudi-Fi side, configure or finalize the SAML configuration: go to Settings > Auth modes > SAML for Administrators, enable "Administrator auto-provisioning" and type the claim name corresponding to the profile in the "SAML Profile Attribute" field.
You can also assign a default profile that is applied when no profile is received in the SAML response (for instance: "Read Only").
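To make the claim configuration above concrete, here is an added example (not Cloudi-Fi's or Microsoft's code) of what the service-provider side does with the assertion Azure sends: it reads the `emailaddress` and `profile` attributes by their claim URIs, matches the short attribute names you type into the Cloudi-Fi fields against the last path segment of those URIs, and falls back to the default profile when the profile claim is missing. The sample assertion, the tenant placeholder, and the resolution policy (ignore values that are not a known profile, keep the least privileged one when several group conditions match) are constructed for this example and are not documented Cloudi-Fi behaviour.

```python
"""Resolve an administrator's email and profile from SAML assertion attributes.

Added example, not Cloudi-Fi's or Microsoft's code. The attribute names are
the Azure claim URIs used in the configuration above; the resolution policy
and the sample assertion are constructed for this example.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Profiles from the page's example, ordered from least to most privileged
# (the ordering itself is an assumption of this example).
PRIVILEGE_ORDER = ["Lobby", "ReadOnly", "Admin"]


def extract_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Map every <saml:Attribute Name="..."> to its list of values.

    In production the assertion's XML signature must be verified against the
    IdP signing certificate before any attribute here is trusted, and a
    hardened parser such as defusedxml should replace ElementTree.
    """
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        attrs[name] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return attrs


def find_attribute(attrs: dict[str, list[str]], wanted: str) -> list[str]:
    """Match on the full claim URI or on its last path segment ("emailaddress")."""
    for name, values in attrs.items():
        if name == wanted or name.rsplit("/", 1)[-1] == wanted:
            return values
    return []


def resolve_admin(attrs: dict[str, list[str]],
                  email_attribute: str = "emailaddress",
                  profile_attribute: str = "profile",
                  default_profile: str = "ReadOnly") -> dict[str, str]:
    """Return {"email": ..., "profile": ...} for the administrator described by attrs."""
    emails = find_attribute(attrs, email_attribute)
    if len(emails) != 1 or not emails[0]:
        raise ValueError("assertion must carry exactly one email address")
    # Values that are not a known profile are ignored rather than turned into a new one.
    profiles = [p for p in find_attribute(attrs, profile_attribute) if p in PRIVILEGE_ORDER]
    if profiles:
        profile = min(profiles, key=PRIVILEGE_ORDER.index)   # least privileged wins
    else:
        profile = default_profile                             # no profile claim received
    return {"email": emails[0], "profile": profile}


# Constructed sample assertion; the tenant id is a placeholder, not a real value.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIM_NS}/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIM_NS}/profile">
      <saml:AttributeValue>Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(resolve_admin(extract_attributes(SAMPLE_ASSERTION)))
```

When checking a failed auto-provisioning, compare the `Name` attribute in the captured assertion with the value typed into "SAML Profile Attribute": a claim created without the namespace shown above, or with a different spelling, will not match and the default profile is silently applied.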
Troubleshooting
Azure error message
An administrator accesses the application and is redirected to the Azure authentication page. They enter their email address and password and sign in, then are redirected to an Azure error page.
Replay the process while capturing the HTTP traffic (perform a web request capture in the web browser) and open a ticket with Cloudi-Fi support with the capture attached (see "How to contact your support?").
What's next?
Congratulations on enabling SAML authentication with Azure for your administrators.