Setting Up SSO for ZPM with Azure IdP

:information_source: About SAML Single Sign-On in ZPM

Single Sign-On can be set up in ZPM against any Identity Provider (IdP) that supports SAML 2.0.

This guide covers the steps required to set up SAML SSO for ZPM against Azure AD.

For an exhaustive list of supported IdPs, visit SAML-based products and services.

Add Provisioning as an Enterprise Application in Azure

:warning: Wildcard Certificates are not supported for SSO.

  1. Connect to your Azure Portal.

  2. Search for Enterprise Applications and click the result.

  3. Click on + New Application.

  4. Click Create your own application, provide a name (for example, ZIRO SSO) and select the third option, Integrate any other application you don’t find in the gallery (Non-gallery).

:white_check_mark: The Enterprise Application is now added :heavy_check_mark:

Download ZPM SP Metadata

  1. Connect to your ZPM instance using the IP or the hostname.

  2. Navigate to the SAML Single Sign-On page available within the admin menu’s System Settings section.

  3. Click on the Export SP Metadata button and save the file. You will need it in the next section.

Configure the Enterprise Application for Single Sign-On

  1. Go back to the enterprise application you created in Azure in the first section and click on Single Sign-On in the left vertical menu.

  2. Click on the SAML Single Sign-On method.

  3. Click on Upload metadata file.

  4. Click on the folder icon and point to the ZPM SP Metadata to upload it.

  5. Once uploaded, a Basic SAML Configuration panel appears on the right-hand side, populated with values for your Identifier and Reply URL. Click Save.

  6. Once saved, click on the Download link next to Federation Metadata XML.

Upload IdP Metadata to ZPM & Enable SSO

  1. Go to your ZIRO tenant and access the SAML Single Sign-On page from the vertical Admin menu.

  2. Click Import IdP Metadata and point to the file you downloaded from Azure in the previous step.

  3. Click on the Enable Single Sign-On toggle.

:warning: If you have previously set up single sign-on and need to modify the existing SSO configuration, you must restart the smacs service to ensure that the latest IdP metadata is applied.

Restarting the smacs service requires root access and will require the assistance of ZIRO Support.

Command to run:
smacs-services restart sideA

Edit Attributes & Claims

  1. From the Enterprise Application you added in the previous steps, select Attributes & Claims from the left-hand vertical menu.

  2. Click on the ellipsis to modify the Unique User Identifier (Name ID).

  3. Change the default Name Identifier format and Source Attribute:

  4. Name Identifier format should be set to Email address.

  5. Source Attribute should be set to user.userprincipalname.

  6. Click Save.
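Before importing the Azure Federation Metadata XML into ZPM (the previous section) and after changing the Name ID claim (this section), it helps to sanity-check both files offline. The script below is an added example, not ZIRO/ZPM or Microsoft code; it uses only the Python standard library. It checks that a metadata file really is IdP metadata (IDPSSODescriptor, a base64 signing certificate, HTTPS SingleSignOnService endpoints) and that a SAML assertion carries an Email address NameID addressed to your SP. The two XML samples, the all-zero tenant ID, the hostname zpm.example.com and the certificate placeholder are constructed for illustration; it does not verify XML signatures, which remains the job of the SP itself.

```python
"""Offline sanity checks for SAML IdP metadata and the Name ID claim.

Added example (stdlib only), not ZPM or Azure code. Samples below are constructed.
"""
import base64
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata and assertions.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder standing in for the real base64 certificate blob.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

# Constructed IdP metadata in the shape of an Azure Federation Metadata XML (tenant ID is all zeros).
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{PLACEHOLDER_CERT}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed assertion as the IdP would issue it after the Name ID claim is set to Email address.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>https://zpm.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def check_idp_metadata(xml_text: str) -> list[str]:
    """Return the problems found in an IdP metadata file; an empty list means it looks importable.
    For files from untrusted sources parse with defusedxml instead of ElementTree."""
    problems: list[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata (SP metadata has SPSSODescriptor instead)")
        return problems
    # A KeyDescriptor without a use attribute may be used for signing as well.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS).strip()
             for k in signing]
    certs = [c for c in certs if c]
    if not certs:
        problems.append("no signing certificate (KeyDescriptor/X509Certificate) found")
    for cert in certs:
        try:
            base64.b64decode("".join(cert.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("X509Certificate is not valid base64")
    endpoints = idp.findall("md:SingleSignOnService", NS)
    if not {e.get("Binding") for e in endpoints} & {REDIRECT_BINDING, POST_BINDING}:
        problems.append("no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")
    for e in endpoints:
        loc = e.get("Location", "")
        if not loc.startswith("https://"):
            problems.append(f"SingleSignOnService {loc!r} is not https")
    formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
    if formats and EMAIL_NAMEID_FORMAT not in formats:
        problems.append("IdP does not advertise the Email address NameID format set in Attributes & Claims")
    return problems


def check_assertion_subject(xml_text: str, expected_audience: str) -> str:
    """Return the NameID value if the assertion has an Email address NameID and is
    addressed to our SP entityID; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    fmt = name_id.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    if fmt != EMAIL_NAMEID_FORMAT:
        raise ValueError(f"NameID format is {fmt}; set Name Identifier format to Email address")
    value = name_id.text.strip()
    if "@" not in value or any(ch.isspace() for ch in value):
        raise ValueError(f"NameID {value!r} does not look like a UPN or e-mail address")
    audiences = [a.text.strip() for a in
                 root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        raise ValueError(f"assertion audience {audiences} does not include our SP {expected_audience!r}")
    return value


if __name__ == "__main__":
    print("IdP metadata problems:", check_idp_metadata(SAMPLE_IDP_METADATA))
    print("NameID:", check_assertion_subject(SAMPLE_ASSERTION, "https://zpm.example.com/saml/metadata"))
```

To use it on real files, pass the contents of the downloaded Federation Metadata XML to check_idp_metadata and, when troubleshooting a failed login, a decoded SAML response assertion captured from the browser to check_assertion_subject with your SP entityID from the exported SP metadata. The IDPSSODescriptor check catches the common mistake of importing the ZPM SP metadata back into ZPM instead of the Azure file.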

Add Users/Groups Requiring Access to Provisioning to your Enterprise Application

  1. From the Enterprise Application you added in the previous steps, select Users and groups from the left-hand vertical menu.

  2. Click on + Add user/group.

  3. Click on None Selected.

  4. A search panel appears on the right-hand side. Use it to search for and select the individual users or groups who should be able to log into your Provisioning tenant via Single Sign-On, then click Select.

Test Single Sign-On from Azure

  1. Return to the Single Sign-On section of your newly added Enterprise Application and click Test at the bottom of the page.

  2. A panel with testing options appears on the right-hand side of the page. Select the Sign in as current user option and click Test sign in.

  3. You will be presented with the Provisioning home screen if you completed the previous steps correctly.

:white_check_mark: SSO Configuration Complete :heavy_check_mark:

Once logged in, you have started a Single Sign-On session, which gives you access to all other applications registered with your IdP without having to log in again.