Configure Single Sign-On for Azure AD
To integrate Securden Login with Azure AD, you need to carry out the following steps:
- Log in to your Microsoft Azure portal.
- Click App Registrations in the left pane under Manage.
- Click the + New Registration button on the top bar.
- The registration page loads. Provide the following information:
    - Name: Enter Securden PAM, or a name of your choice.
    - Supported account types: choose Accounts in this organizational directory only - Single tenant.
    - Redirect URI: enter Securden's Redirect URI.
- Click the Register button to complete the addition of Securden PAM.
- The newly registered Securden PAM application opens. Click Authentication under Manage in the left pane. On the Authentication page, under Advanced Settings, enable Allow Public Client Flows by clicking the Yes button.
- Click API Permissions under Manage in the left pane. On the API Permissions page, click the + Add a Permission button.
- A Request API Permissions window pops up. Choose Azure AD Directory Graph under Supported Legacy APIs.
- Click Delegated Permissions and search for "read" in the Select Permissions search bar to populate the relevant permissions. Select Directory.Read.All and User.Read, then click Add Permissions.
- Now click the Grant Admin Consent button under Grant Consent.
- In the pop-up that opens, click Yes to grant consent for the requested permissions.
- Once Securden PAM is registered with the relevant permissions in Azure AD, you can navigate to the Securden PAM interface to start importing users.
Troubleshooting Tips
Issue: "User not present" error while configuring Azure AD SSO integration.
Solution:
During authentication, Securden validates the value returned by the identity provider against the login name stored in Securden. When you import users from Azure AD, Securden expects the username in the form DomainName\loginname, so a bare login name or an email address returned by the identity provider will not match.
To make the returned value match, change the custom rule for the Securden login name on the SSO configuration page under "Admin>>SAML SSO>>Edit":
stringAppend('DOMAINNAME\', loginname)
Example:
stringAppend('SECURDENDEV\', loginname)
If the identity provider returns an email address, the login name has to be extracted from it before the domain is prepended:
stringAppend('DOMAINNAME\', substringBefore(loginname, '@'))
To extract only the username from the email address:
substringBefore(loginname, '@')
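The following is an added example, not Securden's own rule engine: a small evaluator for the two rule functions shown above (stringAppend and substringBefore) over a loginname variable, so you can check offline what a custom rule produces for a given identity-provider value and whether it equals the DomainName\loginname form stored at import. The grammar (single-quoted literals without escapes, nested calls, a loginname variable) is an assumption based only on the rules on this page.

```python
"""Evaluator for the login-name rule functions shown in the troubleshooting tip.

This is an added illustration, not Securden's rule engine. It assumes a tiny
grammar: quoted literals with no escape sequences (so 'DOMAINNAME\\' is a
literal ending in a backslash), nested function calls, and one variable,
loginname, holding the value returned by the identity provider.
"""
import re

# One token per match: a quoted literal, an identifier, or punctuation.
_TOKEN = re.compile(r"\s*(?:('[^']*')|([A-Za-z_]\w*)|([(),]))")

FUNCS = {
    "stringAppend": lambda a, b: a + b,
    # Assumed behaviour when the separator is absent: return the whole value.
    "substringBefore": lambda s, sep: s.split(sep, 1)[0],
}


def _tokenize(rule):
    pos, tokens = 0, []
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {rule[pos:]!r}")
        tokens.append(m.group(1) or m.group(2) or m.group(3))
        pos = m.end()
    return tokens


def _parse(tokens, i, env):
    tok = tokens[i]
    if tok.startswith("'"):                              # quoted literal
        return tok[1:-1], i + 1
    if i + 1 < len(tokens) and tokens[i + 1] == "(":     # function call
        if tok not in FUNCS:
            raise ValueError(f"unknown function {tok}")
        args, i = [], i + 2
        while tokens[i] != ")":
            val, i = _parse(tokens, i, env)
            args.append(val)
            if tokens[i] == ",":
                i += 1
        return FUNCS[tok](*args), i + 1
    if tok in env:                                       # variable, e.g. loginname
        return env[tok], i + 1
    raise ValueError(f"unknown identifier {tok}")


def evaluate_rule(rule, loginname):
    """Apply a custom rule to the value returned by the identity provider."""
    tokens = _tokenize(rule.strip())
    value, i = _parse(tokens, 0, {"loginname": loginname})
    if i != len(tokens):
        raise ValueError("trailing input in rule")
    return value


def matches_imported_user(rule, idp_value, imported_login):
    """True when the rule output equals the DomainName\\loginname stored at import."""
    return evaluate_rule(rule, idp_value) == imported_login
```

A False result from matches_imported_user reproduces the "User not present" condition: the rule output does not equal the stored DomainName\loginname, so the rule (not the user record) needs adjusting.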