How to use SAML authentication for your administrators with Cloudi-Fi and Azure to access the admin interface.

Configure Azure AD SSO

Add the Azure AD SAML Toolkit application

From Home, click on Enterprise applications

Add a new application and Search for Azure AD SAML Toolkit and create it after giving it an explicit name (Cloudi-Fi Administrators, for instance)

Configure Single Sign-On

Once you have the Azure AD SAML Toolkit application, click on it and go to Single Sign-On and On the Select a single sign-on method page, select SAML.

On Set up Single Sign-On with SAML Page

On the Basic SAML Configuration page, enter the values for the following fields :

Identifier (Entity ID) : https://admin.cloudi-fi.net/ ( From Cloudi-Fi = Marked A click on copy icon )
Reply URL (Assertion Consumer Service URL): Copy and paste the linkback URL or type https://admin.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-saml4admin// ( From Cloudi-Fi = Marked B click on copy icon )
Sign-on URL : https://admin.cloudi-fi.net/sso/ ( From Cloudi-Fi = Marked C click on copy icon )

The company hash is visible on your Cloudi-Fi account; go to Setting Company Account Cloudi-Fi Public Key

On Cloudi-Fi Side

Go to Settings Auth modes SAML For Administrators, enter the values for the following fields :

Entity Id: Azure AD Identifier (Marked 2)
Binding Method: Post or Redirect
Login Endpoint: Login URL (Marked 1)

Logout Binding Method (Optional) : Post or Redirect
IdP Signing Certificate (x509 format) : Download the raw Certificate and Past it here (without "Begin Certificate" and "End certificate" markers)

Email Attribute name: Claim name corresponding to the Mail value ( Marked 1 )

( Optional )

Enable Administrator auto-provisioning

Enabling automatic administrator provisioning allows administrators to be assigned a Cloudi-Fi profile based on the Azure AD group to which they belong.

( Optional )

On Azure AD Side, once the groups are created and the members allocated, the next step is the SSO SAML configuration with the creation and management of the "Attributes & Claims". In addition to the information on the user, i.e., the name, the first name, and the email address, we need to assign a profile to this user by creating an Additional claims.

The configuration is done as follows:

Click on Add a new claim
Give it a name (profile, for instance)
Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
In the Claim conditions, create as many profiles as you need to allow on the Cloudi-Fi interface
- User type: Members or Any
- Scoped Groups: Select the Groups allowed to have access to Cloudi-Fi Admin Console
- Source: Attribute
- Value: Profile value (Lobby, ReadOnly, or Admin, for instance)

On Cloudi-Fi Side, Configure or finalize the SAML configuration

Go to Settings Auth modes SAML for Administrators. Enable Administrator auto-provisioning and type the Claim name corresponding to the profile in the SAML Profile Attribute field.

You can also assign a Default profile if no profile is received in the SAML response.

Useful Links

https://docs.microsoft.com/en-gb/azure/active-directory/develop/active-directory-saml-claims-customization?WT.mc_id=Portal-Microsoft_AAD_IAM

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-saml

Troubleshooting

https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts50105-user-not-assigned-role