Configuring Azure AD SSO integration with Venafi Cloud
If Azure AD is your SSO solution, this topic shows you how to integrate Azure with VaaS.
VaaS can be integrated with Azure AD to enable SSO for users who are managed by Azure AD (and any on-premises Active Directory forests that are synchronized with Azure AD). You do this by registering VaaS as an enterprise application in your Azure AD tenant.
To set up this integration, you'll first create an App registration for VaaS within Azure AD, and then configure VaaS with the issuer URL and client ID/secret it needs to interface with Azure AD.
Optionally, you can also configure Azure AD to include user group information in the OIDC tokens it issues to VaaS.
Azure AD does not support requesting custom scopes to alter the claims returned in OIDC tokens. So, when using Azure AD, be sure to leave the Scopes field on VaaS's SSO configuration page blank.
Because you'll be making changes in both the Azure AD portal and VaaS, you'll complete the configuration faster if you open both user interfaces side-by-side before proceeding.
To set up this integration, you'll need to:
- Configure Azure AD to work with VaaS
- Test the connection between VaaS and Azure AD
- (Optional) Add a groups claim
Step 1: Configuring Azure AD to work with VaaS
Log in to your Azure account as a directory administrator or another user with permissions to create application registrations in your Azure AD tenant.
Go to App registrations and click New registration.
Type a name for the application (e.g. VaaS), and then configure supported account types. For most deployments, accounts in this organizational directory only (single tenant) is the right choice, because it prevents users from other Azure AD tenants from signing in to VaaS.
In VaaS, copy the Redirect URL from the SSO configuration page (VaaS > Settings > VaaS Platform > Single Sign On > Configuration) and paste it into the Redirect URI in Azure. Azure AD requires an exact match between the registered value and the one VaaS sends at sign-in, so paste it unchanged rather than retyping it.
After the registration is complete, you're directed to the App registration page for the VaaS application you just created. The next step then is to create a client secret for VaaS to use to authenticate with Azure AD.
In Azure, go to Certificates & secrets, click New client secret, and then give your secret a description and specify its lifetime.
Be sure to give the secret a useful description, such as, Secret used by the VaaS application, which makes it easier to identify later on.
Client secrets have a lifetime. Track the expiry date, create a replacement before the secret lapses, and update VaaS with the new value; once the old secret expires, SSO sign-ins fail.
Copy the generated secret and then in VaaS, paste it into the Client Secret field on the SSO Configuration page.
The secret value is displayed only once, immediately after you create it. After you leave the App registration blade, it can't be retrieved again, so copy it to a secure password vault if you need to refer to it later on.
In Azure, go to the Overview section in the App registration blade.
Copy the Application (client) ID and then in VaaS, paste it into the Client ID field on the SSO Configuration page.
In Azure, from the Overview section of the App registration blade, click Endpoints.
This shows you the set of endpoints on which Azure AD provides OAuth/OIDC services.
Copy the portion of the URL from the OpenID Connect metadata document that precedes .well-known/openid-configuration, and in VaaS, paste it into the Issuer URL field on SSO Configuration page.
More about this step
Regardless of the SSO solution you're using, VaaS automatically adds the full path to the OpenID metadata URL (.well-known/openid-configuration). Since Azure AD publishes the full URL, you'll need to copy the portion of the URL from the OpenID Connect metadata document that precedes .well-known/openid-configuration.
For example, if the full URL were https://login.microsoftonline.com/XXXXX-XXXXX-XXXX-XXXXXXXXX/v2.0/.well-known/openid-configuration, then you'd need to copy https://login.microsoftonline.com/XXXXX-XXXXX-XXXX-XXXXXXXXX/v2.0 and paste it into the Issuer URL field on VaaS's SSO Configuration page.
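Because VaaS appends the well-known path itself, and because the OIDC token's iss claim must equal the value you paste, it's worth checking the candidate issuer before saving it. The script below is an added example (not Venafi's or Microsoft's code, and not part of the original page): it derives the issuer from the metadata URL copied from the Endpoints blade, and flags two common mistakes that both produce a document that looks valid: using the v1.0 endpoint (no /v2.0 segment), whose metadata advertises an issuer of https://sts.windows.net/<tenant>/, and using the multi-tenant common endpoint, whose advertised issuer contains a literal {tenantid} placeholder. The sample metadata document and tenant ID are constructed; `fetch_metadata` is the only part that needs network access.

```python
"""Check an Azure AD Issuer URL before pasting it into VaaS.

Added example (not Venafi's or Microsoft's code); standard library only.
Assumes Azure AD's documented v2.0 metadata layout and that VaaS appends
/.well-known/openid-configuration to whatever you paste.
"""
import json
import re
import sys
import urllib.request

WELL_KNOWN = "/.well-known/openid-configuration"

# Tenant-specific v2.0 issuer, as shown under Endpoints in the App registration.
V2_ISSUER_RE = re.compile(
    r"^https://login\.microsoftonline\.com/"
    r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}/v2\.0$"
)


def issuer_from_metadata_url(metadata_url: str) -> str:
    """Strip the .well-known suffix from the metadata URL copied from Azure."""
    if not metadata_url.endswith(WELL_KNOWN):
        raise ValueError("not an OpenID Connect metadata URL: " + metadata_url)
    return metadata_url[: -len(WELL_KNOWN)]


def check_issuer(pasted_issuer: str, metadata: dict) -> list:
    """Return the problems found; an empty list means the value is safe to paste."""
    problems = []
    if not V2_ISSUER_RE.match(pasted_issuer):
        problems.append(
            "not a tenant-specific v2.0 issuer "
            "(expected https://login.microsoftonline.com/<tenant GUID>/v2.0)"
        )
    advertised = metadata.get("issuer", "")
    if "{tenantid}" in advertised:
        # The multi-tenant 'common' endpoint advertises a placeholder issuer;
        # a relying party cannot pin tokens to your tenant with it.
        problems.append("metadata is from the 'common' endpoint; use your tenant's own endpoint")
    elif advertised != pasted_issuer:
        # The v1.0 document (no /v2.0 segment) is served from login.microsoftonline.com
        # but advertises https://sts.windows.net/<tenant>/, so the iss claim in
        # tokens would never equal the value you pasted.
        problems.append("metadata advertises issuer %r, not %r" % (advertised, pasted_issuer))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in metadata:
            problems.append("metadata is missing " + key)
    return problems


def fetch_metadata(issuer: str) -> dict:
    """Download the document VaaS will fetch for the pasted issuer (needs network)."""
    with urllib.request.urlopen(issuer + WELL_KNOWN, timeout=10) as resp:
        return json.load(resp)


# Constructed sample of what a tenant-specific v2.0 endpoint returns (abridged).
SAMPLE_TENANT = "12345678-abcd-4321-9876-0123456789ab"  # constructed, not a real tenant
SAMPLE_V2_METADATA = {
    "issuer": "https://login.microsoftonline.com/%s/v2.0" % SAMPLE_TENANT,
    "authorization_endpoint": "https://login.microsoftonline.com/%s/oauth2/v2.0/authorize" % SAMPLE_TENANT,
    "token_endpoint": "https://login.microsoftonline.com/%s/oauth2/v2.0/token" % SAMPLE_TENANT,
    "jwks_uri": "https://login.microsoftonline.com/%s/discovery/v2.0/keys" % SAMPLE_TENANT,
}

if __name__ == "__main__":
    # Usage: python check_issuer.py <OpenID Connect metadata URL copied from Azure>
    issuer = issuer_from_metadata_url(sys.argv[1])
    problems = check_issuer(issuer, fetch_metadata(issuer))
    print("\n".join(problems) if problems else "OK: paste %s into the Issuer URL field" % issuer)
```

Run it with the full metadata URL from the Endpoints blade; if it reports that the advertised issuer differs from the pasted one, you copied the v1.0 endpoint and should use the URL that contains /v2.0.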
You're now done configuring the VaaS application in Azure AD. The next step is to test your connection.
Step 2: Testing the connection between VaaS and Azure AD
From the VaaS SSO Configuration page, click Test connection.
When prompted, sign in to Azure AD with your enterprise credentials.
When the authentication succeeds, you're redirected back to the VaaS SSO Configuration page. From there, you can view the claims that were returned in the OIDC token issued by Azure AD.
Save your SSO configuration.
Your users can now sign in using their SSO credentials.
Step 3: Adding a Groups claim (Optional)
Adding a groups claim in Azure AD allows group membership information to be sent to VaaS. Including group membership in OIDC tokens lets you use the Teams feature in VaaS to automatically add users to Teams and assign them a role based on your organization's requirements.
In Azure AD, from the VaaS App registration blade, click Token configuration, and then click Add groups claim.
Select the group types to include in the claim.
In most cases, All groups is the correct choice. But if you have a large number of groups in Azure AD, you might want to send only those groups that have been assigned to the application specifically. This approach lets you specify the set of groups that are relevant for VaaS at the App registration level so that the set of groups returned in a user's group claims are limited to just those groups that are explicitly assigned to the application.
Select ID from the Customize token properties by type section, and then select one of the options to indicate the format of the group name to be returned.
For simple Azure AD deployments, sAMAccountName is sufficient. Note that the sAMAccountName formats apply only to groups synchronized from on-premises Active Directory; cloud-only groups are returned by their object ID instead, so if your Teams are based on cloud-only groups, choose the Group ID format and match on IDs.
In VaaS, from the SSO Configuration page, click Test Connection and verify that the returned claims now include a claim called groups that lists the Azure AD groups the user belongs to.
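When you inspect the claims after Test Connection, two outcomes are easy to misread: a token that carries no groups claim at all because the claim isn't configured, and a token from which Azure AD deliberately dropped the list because the user belongs to more than 200 groups (the JWT overage case), in which case Azure AD emits _claim_names/_claim_sources pointing at Microsoft Graph and VaaS receives no membership. The script below is an added example (not Venafi's or Microsoft's code, and not part of the original page): it decodes an ID token's payload without verifying the signature (for inspection only, never for trust), classifies the groups claim, and separates group names from object IDs so you can tell whether the name format you chose actually applied. The ID token, tenant ID and group values are constructed so the script runs offline.

```python
"""Inspect the claims Azure AD returned to VaaS during Test connection.

Added example (not Venafi's or Microsoft's code). The ID token below is
constructed locally so the script runs offline. decode_payload does not
verify the signature: use it to look at claims, never to trust them.
"""
import base64
import json
import re

# Azure AD object IDs (group IDs) are GUIDs; names never match this pattern.
OBJECT_ID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_payload(id_token: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def groups_status(claims: dict) -> tuple:
    """Classify what VaaS will see from this token.

    Returns ('present', [groups]), ('overage', [graph endpoint]) or ('absent', []).
    """
    if "groups" in claims:
        return "present", list(claims["groups"])
    source_name = claims.get("_claim_names", {}).get("groups")
    if source_name is not None:
        # Overage: the user is in more than 200 groups, so Azure AD dropped the
        # list and points at Microsoft Graph instead; VaaS gets no membership.
        source = claims.get("_claim_sources", {}).get(source_name, {})
        return "overage", [source.get("endpoint", "")]
    return "absent", []


def classify_group_values(groups) -> dict:
    """Split group values into names and object IDs.

    If you picked sAMAccountName in Azure AD but see GUIDs here, those groups
    are cloud-only: the name formats apply only to groups synchronized from
    on-premises AD.
    """
    result = {"names": [], "ids": []}
    for value in groups:
        result["ids" if OBJECT_ID_RE.match(value) else "names"].append(value)
    return result


def _demo_token(claims: dict) -> str:
    """Constructed, unsigned sample for offline use; a real token carries an RS256 signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + ".signature-omitted"


# Constructed sample: two synchronized groups by sAMAccountName and one cloud-only group by ID.
SAMPLE_ID_TOKEN = _demo_token({
    "iss": "https://login.microsoftonline.com/12345678-abcd-4321-9876-0123456789ab/v2.0",
    "sub": "constructed-subject-identifier",
    "preferred_username": "alice@example.com",
    "groups": ["VaaS-Admins", "PKI-Operators", "6f1a2b3c-4d5e-4f60-8a7b-9c0d1e2f3a4b"],
})

if __name__ == "__main__":
    claims = decode_payload(SAMPLE_ID_TOKEN)
    status, values = groups_status(claims)
    print("groups claim:", status)
    print(classify_group_values(values) if status == "present" else values)
```

To use it on a real token, replace SAMPLE_ID_TOKEN with the ID token value shown by your OIDC debugging tool and treat an "overage" result as a signal to switch to groups assigned to the application (or to trim the user's group memberships), since VaaS Teams cannot be populated from a token that omits the list.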