Configuring Azure AD SSO integration with Venafi as a Service
If Azure AD is your SSO solution, this topic shows you how to integrate Azure with Venafi as a Service.
Venafi as a Service can be integrated with Azure AD to enable SSO for users who are managed by Azure AD (and any on-premises Active Directory forests that are synchronized with Azure AD). You do this by registering Venafi as a Service as an enterprise application in your Azure AD tenant.
To set up this integration, you'll first create an App registration for Venafi as a Service within Azure AD.
As an option, you can also configure Azure AD to include user group information in OIDC tokens, and then configure Venafi as a Service with the URLs and client ID/secret needed to interface with Azure AD.
Azure AD does not support requesting custom scopes to alter the claims returned in OIDC tokens. So, when using Azure AD, be sure to leave the Scopes field on Venafi as a Service's SSO configuration page blank.
Because you'll be making changes in both the Azure AD portal and Venafi as a Service, you'll complete the configuration faster if you open both user interfaces side-by-side before proceeding.
To set up this integration, you'll need to:
- Configure Azure AD to work with Venafi as a Service
- Test the connection between Venafi as a Service and Azure AD
- (Optional) Add a Groups claim
Step 1: Configuring Azure AD to work with Venafi as a Service
Log in to your Azure account as a directory administrator or other user with permissions to create application registrations in your Azure AD tenant.
Go to App registrations and click New registration.
Type a name for the application (e.g. Venafi as a Service), and then configure supported account types.
In Venafi as a Service, copy the Redirect URL from the SSO configuration page (Venafi as a Service > Settings > Venafi as a Service Platform > Single Sign On > Configuration) and paste it into the Redirect URI in Azure.
After the registration is complete, you're directed to the App registration page for the Venafi as a Service application you just created. The next step then is to create a client secret for Venafi as a Service to use to authenticate with Azure AD.
In Azure, go to Certificates & secrets, click New client secret, and then give your secret a description and specify its lifetime.
Be sure to give the secret a useful description, such as Secret used by the Venafi as a Service application, which makes it easier to identify later on.
Also, if you decide to use expiring client secrets, be sure to renew them and update Venafi as a Service with the new secrets as soon as possible.
Copy the generated secret and then in Venafi as a Service, paste it into the Client Secret field on the SSO Configuration page.
After you leave the App registration blade, the client secret won't be visible again. Copy it to a secure password vault if you want to be able to retrieve it later on.
In Azure, go to the Overview section in the App registration blade.
Copy the Application (client) ID and then in Venafi as a Service, paste it into the Client ID field on the SSO Configuration page.
In Azure, from the Overview section of the App registration blade, click Endpoints.
This shows you the set of endpoints on which Azure AD provides OAuth/OIDC services.
Copy the portion of the URL from the OpenID Connect metadata document that precedes .well-known/openid-configuration, and in Venafi as a Service, paste it into the Issuer URL field on the SSO Configuration page.
More about this step
Regardless of the SSO solution you're using, Venafi as a Service automatically adds the full path to the OpenID metadata URL (.well-known/openid-configuration). Since Azure AD publishes the full URL, you'll need to copy the portion of the URL from the OpenID Connect metadata document that precedes .well-known/openid-configuration.
For example, if the full URL were https://login.microsoftonline.com/XXXXX-XXXXX-XXXX-XXXXXXXXX/v2.0/.well-known/openid-configuration, then you'd need to copy https://login.microsoftonline.com/XXXXX-XXXXX-XXXX-XXXXXXXXX/v2.0 and paste it into the Issuer URL field on Venafi as a Service's SSO Configuration page.
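The URL transformation described above, as an added example that is not part of the Venafi documentation: it derives the Issuer URL from the metadata document URL shown in Azure, rebuilds the metadata URL the way Venafi as a Service does, and checks the result against a constructed excerpt of the discovery document (the tenant ID is the page's placeholder, not a real tenant).

```python
import json

WELL_KNOWN = ".well-known/openid-configuration"

# Metadata URL as copied from Endpoints in the Azure App registration blade;
# the tenant ID is the page's placeholder, not a real tenant.
METADATA_URL = ("https://login.microsoftonline.com/"
                "XXXXX-XXXXX-XXXX-XXXXXXXXX/v2.0/" + WELL_KNOWN)

# Constructed excerpt of the discovery document that URL returns; only the
# fields used below are included.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://login.microsoftonline.com/XXXXX-XXXXX-XXXX-XXXXXXXXX/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/"
                              "XXXXX-XXXXX-XXXX-XXXXXXXXX/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/"
                      "XXXXX-XXXXX-XXXX-XXXXXXXXX/oauth2/v2.0/token",
})


def issuer_from_metadata_url(metadata_url: str) -> str:
    """Strip the well-known suffix: the result is what goes in Issuer URL."""
    if not metadata_url.endswith(WELL_KNOWN):
        raise ValueError("not an OpenID Connect metadata document URL")
    # Drop the suffix and the slash before it; Venafi re-adds both.
    return metadata_url[: -len(WELL_KNOWN)].rstrip("/")


def metadata_url_from_issuer(issuer_url: str) -> str:
    """The URL Venafi as a Service builds from the Issuer URL you pasted."""
    return issuer_url.rstrip("/") + "/" + WELL_KNOWN


def issuer_matches_discovery(issuer_url: str, discovery_doc_json: str) -> bool:
    """OIDC Discovery requires the document's 'issuer' to be identical to the
    URL it was fetched from minus the well-known path. A trailing slash or the
    v1.0 endpoint pasted by mistake fails this check, and a strict client will
    then reject every ID token because its 'iss' does not match."""
    doc = json.loads(discovery_doc_json)
    return doc.get("issuer") == issuer_url
```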
You're now done configuring the Venafi as a Service application in Azure AD. The next step is to test your connection.
Step 2: Testing the connection between Venafi as a Service and Azure AD
From the Venafi as a Service SSO Configuration page, click Test connection.
When prompted, enter your enterprise credentials in Azure AD.
When the authentication succeeds, you're redirected back to the Venafi as a Service SSO Configuration page. From there, you can view the claims that were returned in the OIDC token issued by Azure AD.
Save your SSO configuration.
Your users can now sign in using their SSO credentials.
Step 3: Adding a Groups claim (Optional)
Adding a groups claim in Azure AD allows group membership information to be sent to Venafi as a Service. Including group membership information in OIDC tokens allows you to leverage the Teams feature in Venafi as a Service to automatically add users to Teams and automatically assign a role to them based on your organization's requirements.
In Azure AD, from the Venafi as a Service App registration blade, click Token configuration, and then click Add groups claim.
Select the group types to include in the claim.
In most cases, All groups is the correct choice. But if you have a large number of groups in Azure AD, you might want to send only those groups that have been assigned to the application specifically. This approach lets you specify the set of groups that are relevant for Venafi as a Service at the App registration level, so that the set of groups returned in a user's groups claim is limited to just those groups that are explicitly assigned to the application.
Select ID from the Customize token properties by type section, and then select one of the options to indicate the format of the group name to be returned.
For simple Azure AD deployments, sAMAccountName is sufficient.
In Venafi as a Service, from the SSO Configuration page, under Scopes, click Test Connection to verify that you now have a new claim called groups that returns the user groups to which the user is assigned in Azure AD.
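Checking the returned claims for the groups claim, as an added example that is not part of the Venafi documentation: it decodes a constructed ID-token payload without verifying it (inspection only, like viewing claims on the Test connection page), confirms iss and aud match the values from Step 1, and flags Azure AD's group-overage marker, which is general Azure AD behaviour rather than something this page describes. The client ID, issuer tenant and token contents are placeholders.

```python
import base64
import json

# Placeholders, not real values: the Application (client) ID you pasted into
# Venafi and the Issuer URL from Step 1.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
ISSUER_URL = "https://login.microsoftonline.com/XXXXX-XXXXX-XXXX-XXXXXXXXX/v2.0"


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def make_unsigned_token(payload: dict) -> str:
    """Constructed JWT-shaped string with an empty signature (test data only)."""
    return _b64url({"alg": "none", "typ": "JWT"}) + "." + _b64url(payload) + "."


def decode_payload(token: str) -> dict:
    """Decode the payload segment. No signature check: this mirrors viewing
    claims on the Test connection page, it is not token validation."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)           # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def inspect_groups_claim(token: str) -> dict:
    claims = decode_payload(token)
    return {
        "issuer_ok": claims.get("iss") == ISSUER_URL,
        "audience_ok": claims.get("aud") == CLIENT_ID,
        "groups": claims.get("groups", []),
        # Azure AD omits 'groups' for users above its group-count limit and
        # emits an overage marker instead ('_claim_names'/'_claim_sources', or
        # 'hasgroups' in the implicit flow). General Azure AD behaviour, not
        # something this page states; Venafi would then see no groups at all.
        "groups_overage": ("groups" in claims.get("_claim_names", {})
                           or claims.get("hasgroups") is True),
    }


# Constructed sample tokens: one normal, one hitting the overage case.
NORMAL_TOKEN = make_unsigned_token({
    "iss": ISSUER_URL, "aud": CLIENT_ID, "sub": "user-1",
    "groups": ["PKI-Admins", "Cert-Requesters"],
})
OVERAGE_TOKEN = make_unsigned_token({
    "iss": ISSUER_URL, "aud": CLIENT_ID, "sub": "user-2",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example/placeholder"}},
})
```

If the Test connection result shows no groups claim but does show _claim_names, the user is over the overage limit and the "assigned groups only" option above is the usual fix.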