Configure Azure AD as an IdP for Accops HySecure

Purpose of the Document

This document provides step-by-step instructions on configuring Azure Active Directory (Azure AD) as an Identity Provider (IdP) for Accops HySecure.

There are two steps in this configuration:

  1. Azure AD configuration

  2. Configuring Authentication server in HySecure

Note

The configuration details provided are for demonstration purposes only and may not reflect real-world configurations.

Prerequisites

Before you begin, make sure the following prerequisites are met.

  1. Azure AD user account: Ensure your account holds one of the following roles.

    • Global Administrator
    • Cloud Application Administrator
    • Application Administrator
    • Owner of the service principal
  2. Accops HySecure Gateway: Make sure you have the following details ready.

    • The public DNS name of the Accops HySecure Gateway
    • Valid SSL certificate installed on the gateway
  3. Management console access: You should have access to the Accops HySecure Gateway management console using a Security Officer Account.

Configure the Azure Active Directory Application

To configure the application in Azure AD, follow the steps below:

  1. Access the Azure Portal

    1. Log in to Azure Portal.
    2. Navigate to Azure Active Directory > Enterprise applications.

  2. Create a new application

    1. Select New Application.
    2. Select Create your own application and name it.

  3. Configure Single Sign-On (SSO)

    1. Navigate to Manage > Single sign-on.
    2. Choose SAML to open the SSO configuration page.

  4. Configure Basic SAML

    1. Select Edit and enter the Basic SAML Configuration details, as shown in the table below.

    Field Example
    Identifier (Entity ID) https://hysecure.accops.xyz
    Reply URL (Assertion Consumer Service URL) https://hysecure.accops.xyz/saml-idp/AzureAD
    Sign on URL https://hysecure.accops.xyz/saml-login/AzureAD
    Relay State (Optional) https://hysecure.accops.xyz
    Logout URL (Optional) https://hysecure.accops.xyz/saml-slo/AzureAD

    Once entered, save the details. The configuration verification screen will appear. Verify the details before proceeding.

  5. Download the SAML Certificates

    1. Download the Certificate (Raw) and the Federation Metadata XML from the SAML Certificates section. Save these files for later use.
    2. Record the values of the Login URL, Microsoft Entra Identifier, and Logout URL.

  6. Assign User/Group

    1. Assign users or groups that require SSO login access.

  7. Copy Application Details

    1. Navigate to Microsoft Entra ID > App registrations, open the registration that was created together with the application, and copy the following details from its Overview page:

      • Application (client) ID
      • Object ID
      • Directory (tenant) ID

  8. Create Application Secrets

    1. Under Certificates & secrets, create a Client Secret for the application and give it an expiry.

  9. Copy the secret Value

    1. Copy the secret Value as soon as it is created: the portal shows it only once, and only the Secret ID remains visible afterwards. Store it securely.

  10. Configure Application Token Claims and Set Up Group Claims

    1. Navigate to Token Configuration. Select Add groups claim.
    2. In the Add groups claim section, select Security groups.

  11. Assign API Permissions with Microsoft Graph

    1. Select API permissions > Add a permission.
    2. Select Request API permissions > Microsoft Graph.

  12. Assign the necessary API permissions for the application.

    1. Select Delegated permissions and Application permissions, as shown below.

    2. Application permissions: Allow the application to access resources directly without a signed-in user.

      Application Permissions Description
      Group.Read.All Read all groups.
      GroupMember.Read.All Read group memberships.
      User.Read.All Read all users' basic profiles.

      Note

      When an on-premises Active Directory is synchronized with Azure AD using Azure AD Connect or Entra Cloud Sync, the application requires OnPremisesSynchronization.Read.All permission. This permission allows the application to read the on-premises directory synchronization settings without granting the ability to modify them.

    3. Delegated Permissions: Allow the application to access resources on behalf of a signed-in user.

      Delegated Permissions Description
      email Access the user's email address.
      profile Access the user's basic profile information.
  13. Grant admin consent confirmation

    1. Once the permissions are added, select Grant admin consent for [Your Organization] to grant admin consent for the permissions. It authorizes the application to access the specified resources on behalf of all users in the organization.
    2. Confirm the consent in the confirmation dialog box.

      The permissions Status will change to Granted for [Your Organization].

This completes the Azure configuration.
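The portal steps above, scripted end to end with the Microsoft Graph PowerShell SDK. This is an added example, not code from the Accops documentation or from Microsoft; it assumes the sample gateway name hysecure.accops.xyz, the IdP name AzureAD, an application display name of Accops HySecure and a security group named HySecure-Users that should be allowed to sign in (all four are assumptions). Graph permission IDs are looked up by name at run time rather than hard-coded.

```powershell
# Added example: automates the Azure AD side of this guide with the Microsoft Graph
# PowerShell SDK. Gateway name, IdP name, app name and group name are assumptions.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns

$GatewayFqdn = 'hysecure.accops.xyz'   # public DNS name of the HySecure gateway (assumed)
$IdpName     = 'AzureAD'               # must equal the Identity Provider Name set in HySecure
$AppName     = 'Accops HySecure'       # assumed display name
$GroupName   = 'HySecure-Users'        # assumed security group allowed to sign in

# Admin consent below needs at least Cloud Application Administrator (see Prerequisites).
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All', 'Directory.Read.All', 'Group.Read.All'

# Resolve Microsoft Graph's app roles and scopes by name so no permission GUIDs are hard-coded.
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$appRoleIds = 'Group.Read.All', 'GroupMember.Read.All', 'User.Read.All' |
    ForEach-Object { ($graphSp.AppRoles | Where-Object Value -eq $_).Id }
$scopeIds   = 'email', 'profile' |
    ForEach-Object { ($graphSp.Oauth2PermissionScopes | Where-Object Value -eq $_).Id }

$access  = @()
$access += $appRoleIds | ForEach-Object { @{ Id = $_; Type = 'Role'  } }   # Application permissions
$access += $scopeIds   | ForEach-Object { @{ Id = $_; Type = 'Scope' } }   # Delegated permissions
$resourceAccess = @(@{ ResourceAppId = $graphSp.AppId; ResourceAccess = $access })

# Steps 2, 4 and 10: app registration with the Basic SAML Configuration URLs and a
# security-group claim. The IdP name is the path suffix of every SP URL, as HySecure requires.
# Caveat: a tenant app-management policy may require the Entity ID host to be a verified domain.
$app = New-MgApplication -DisplayName $AppName `
    -IdentifierUris @("https://$GatewayFqdn") `
    -Web @{ RedirectUris = @("https://$GatewayFqdn/saml-idp/$IdpName")
            LogoutUrl    = "https://$GatewayFqdn/saml-slo/$IdpName" } `
    -GroupMembershipClaims 'SecurityGroup' `
    -RequiredResourceAccess $resourceAccess

# Steps 3 and 5: enterprise application (service principal) in SAML mode with its own
# token-signing certificate; this is the certificate you later import into HySecure.
$sp = New-MgServicePrincipal -AppId $app.AppId
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -PreferredSingleSignOnMode 'saml' `
    -LoginUrl "https://$GatewayFqdn/saml-login/$IdpName"
Add-MgServicePrincipalTokenSigningCertificate -ServicePrincipalId $sp.Id `
    -DisplayName "CN=$GatewayFqdn" -EndDateTime (Get-Date).AddYears(2) | Out-Null

# Step 6: only members of the assumed group may sign in. The all-zero role id is Graph's
# "default access" role for an app that declares no app roles of its own.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -PrincipalId $group.Id `
    -ResourceId $sp.Id -AppRoleId '00000000-0000-0000-0000-000000000000' | Out-Null

# Steps 8 and 9: client secret. SecretText is returned exactly once; keep it in a secret store.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id `
    -PasswordCredential @{ DisplayName = 'HySecure'; EndDateTime = (Get-Date).AddMonths(6) }

# Step 13: "Grant admin consent" is an app-role assignment per application permission plus
# one tenant-wide OAuth2 grant for the delegated scopes.
foreach ($roleId in $appRoleIds) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $roleId | Out-Null
}
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
    -ResourceId $graphSp.Id -Scope 'email profile' | Out-Null

# Steps 5 and 7: everything HySecure needs, including the per-application metadata URL.
$tenantId = (Get-MgContext).TenantId
[pscustomobject]@{
    'Application (client) ID'    = $app.AppId
    'Object ID'                  = $app.Id
    'Directory (tenant) ID'      = $tenantId
    'Login URL'                  = "https://login.microsoftonline.com/$tenantId/saml2"
    'Microsoft Entra Identifier' = "https://sts.windows.net/$tenantId/"
    'Federation Metadata XML'    = "https://login.microsoftonline.com/$tenantId/federationmetadata/2007-06/federationmetadata.xml?appid=$($app.AppId)"
    'Client secret'              = $secret.SecretText
} | Format-List
```

Two points worth checking after the script runs. First, with GroupMembershipClaims set to SecurityGroup the groups claim in the SAML assertion carries group object IDs, not display names; if HySecure policies are to be matched on group names, change the claim under Token configuration (Customize token properties by type) or map on object IDs. Second, open the enterprise application's Single sign-on page once in the portal and confirm the Basic SAML Configuration table matches the values in step 4 before testing from HySecure.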

Configure the Authentication Server in HySecure

  1. Access the HySecure Management Console

    1. Login to the HySecure Management Console.
    2. Navigate to Settings > Authentication Servers and create an Authentication Server for the SAML Identity Provider (IdP).
    3. Enter the details as shown below.

    General Settings:

    Field Sample value Description
    Upload IdP Metadata Accops-HySecure.xml Federation Metadata XML downloaded from the Azure AD single sign-on application.
    Identity Provider Name AzureAD Name of the IdP.
    Identity Provider Protocol SAML 2.0 SAML version.

    Note

    The Identity Provider Name is used as the path suffix of the Reply URL (Assertion Consumer Service URL), Sign on URL, and Logout URL (Optional) entered in the IdP's Basic SAML Configuration, so it must match that suffix exactly (AzureAD in the examples above).

    SAML Protocol Settings:

    Field Sample value Description
    IdP Issuer URI https://sts.windows.net/56f6bxxx-04xx-41xx-83xx-43xxxxxxxxxx/ Microsoft Entra Identifier recorded from the Azure AD application (the trailing slash is part of the value)
    IdP Single Sign-On URL https://login.microsoftonline.com/56f6bxxx-04xx-41xx-83xx-43xxxxxxxxxx/saml2 Login URL recorded from the Azure AD application
    IdP Signature Certificate - Certificate (Raw) downloaded from the SAML Certificates section; the same certificate is embedded in the Federation Metadata XML
    Request Binding HTTP-POST -
    Request Signature - -
    Response Signature Verification Assertion -
    Response Signature Algorithm SHA-1 SHA-1 or SHA-256. Must match the Signing Algorithm set under SAML Certificates in the Azure AD application, which defaults to SHA-256; SHA-1 is deprecated and should only be selected if the application was explicitly configured for it.

    Service Provider Settings

    Field Sample value Description
    SP Issuer URI https://hysecure.accops.xyz Accops HySecure Gateway Address
    Assertion Consumer Service URL https://hysecure.accops.xyz/saml-idp/AzureAD -
    SP Initiated URL https://hysecure.accops.xyz/saml-login/AzureAD -
    Name ID Format Unspecified -

    User Attribute Mapping:

    User Attribute Name Directory Attribute
    LoginID NameID
    EmailID email
    PhoneNo mobile
    GroupsName group

    Verify Connectivity:

    1. Click Test Connection in the HySecure Management Console to verify the Azure AD and Accops HySecure connectivity.
    2. Ensure the test is completed successfully, confirming that the SAML integration is functional.
  2. Configure Authentication Domain

    1. Navigate to Settings > Authentication Domain in the HySecure Management Console.
    2. Select Add. Under the Server at Priority 1 field, select the respective Authentication Server (AzureAD).

  3. Configure HySecure Domain

    1. Navigate to Settings > HySecure Domain in the HySecure Management Console.
    2. Select Add. Under the Select Authentication Domain field, select the respective Authentication Domain (AzureAD).

  4. Application and ACL Policy Configuration

    1. Navigate to Policies > ACL in the HySecure Management Console.
    2. Create an application and assign it to the application group.
    3. Create an ACL policy and configure it with the SAML Authentication Server and the respective application group.

    Field Sample value Description
    Select HySecure Domain AzureAD The HySecure domain that uses Azure AD for authentication.
    Select Authentication Domain AzureAD The authentication domain configured for Azure AD, used to verify user credentials.
    Selected Group - A specific group of users within HySecure with access to the resources, mapped to Azure AD security groups.
    Select User Group - The HySecure user group used to manage and assign collective permissions corresponding to Azure AD user groups.
    Select Application Group - Group of applications within HySecure assigned collective access permissions, facilitating efficient management.
  5. Configure Sites

    1. Configure the sites in the HySecure gateway that will be accessible using SAML authentication.

This completes the HySecure configuration.
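The SAML Protocol Settings and Service Provider Settings tables above are filled in by hand from the Federation Metadata XML and the gateway name. The following added example (not code from Accops or Microsoft) derives those values from the metadata file instead and checks the two things that most often break this integration: an IdP Issuer URI and Single Sign-On URL that belong to different tenants (wrong metadata file), and a signing certificate close to expiry (Azure AD rotates it, and HySecure must then be updated). The function assumes the downloaded file is passed in as an [xml] object; the metadata it runs against here is constructed inline with a throw-away self-signed certificate, and the tenant ID in it is a freshly generated GUID, not a real tenant. PowerShell 7 is assumed.

```powershell
# Added example (not Accops' or Microsoft's code): derive the HySecure SAML Protocol
# Settings from the Federation Metadata XML downloaded in Azure step 5 and sanity-check them.
# Requires PowerShell 7; .NET CertificateRequest is used only to build the sample metadata.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-HySecureSamlSettings {
    param(
        [Parameter(Mandatory)][xml]$Metadata,        # parsed Federation Metadata XML
        [Parameter(Mandatory)][string]$GatewayFqdn,  # public DNS name of the gateway
        [Parameter(Mandatory)][string]$IdpName,      # Identity Provider Name in HySecure
        [int]$WarnDaysBeforeExpiry = 60
    )
    $issuer = $Metadata.EntityDescriptor.entityID
    $idp    = $Metadata.EntityDescriptor.IDPSSODescriptor
    # HySecure's Request Binding is HTTP-POST, so take the POST endpoint, not the Redirect one.
    $sso = $idp.SingleSignOnService | Where-Object Binding -like '*HTTP-POST' | Select-Object -First 1
    $slo = $idp.SingleLogoutService | Select-Object -First 1
    $signingKey = $idp.KeyDescriptor | Where-Object use -eq 'signing' | Select-Object -First 1
    $certB64 = $signingKey.KeyInfo.X509Data.X509Certificate -replace '\s', ''
    $cert = [X509Certificate2]::new([Convert]::FromBase64String($certB64))

    $warnings = @()
    $tenantId = $null
    if ($issuer -match '^https://sts\.windows\.net/([0-9a-fA-F-]{36})/$') {
        $tenantId = $Matches[1]
    } else {
        $warnings += "Unexpected IdP Issuer URI '$issuer' (expected https://sts.windows.net/<tenant-id>/)"
    }
    if (-not $sso) {
        $warnings += 'Metadata has no HTTP-POST SingleSignOnService endpoint'
    } elseif ($tenantId -and $sso.Location -notlike "https://login.microsoftonline.com/$tenantId/*") {
        $warnings += "SSO URL '$($sso.Location)' is not in tenant $tenantId (wrong metadata file?)"
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $WarnDaysBeforeExpiry) {
        $warnings += "IdP signing certificate expires in $daysLeft days ($($cert.NotAfter)); re-import the metadata before then"
    }

    # Field names match the HySecure tables; the SP URLs use the IdP name as their suffix.
    [pscustomobject]@{
        'IdP Issuer URI'                 = $issuer
        'IdP Single Sign-On URL'         = $sso.Location
        'IdP Single Logout URL'          = $slo.Location
        'IdP Signature Certificate'      = "thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"
        'SP Issuer URI'                  = "https://$GatewayFqdn"
        'Assertion Consumer Service URL' = "https://$GatewayFqdn/saml-idp/$IdpName"
        'SP Initiated URL'               = "https://$GatewayFqdn/saml-login/$IdpName"
        'Logout URL'                     = "https://$GatewayFqdn/saml-slo/$IdpName"
        'Warnings'                       = $warnings
    }
}

# --- Constructed sample: the shape of Azure AD's metadata, with a throw-away self-signed
# certificate standing in for the real "Microsoft Azure Federated SSO Certificate" and a
# random GUID standing in for the tenant ID. The 30-day validity is deliberate so the
# expiry warning fires. ---
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=Microsoft Azure Federated SSO Certificate', $rsa,
                                  [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$fake = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(30))
$tid  = [guid]::NewGuid()
$sampleMetadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/$tid/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>$([Convert]::ToBase64String($fake.RawData))</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/$tid/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/$tid/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/$tid/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

Get-HySecureSamlSettings -Metadata ([xml]$sampleMetadata) -GatewayFqdn 'hysecure.accops.xyz' -IdpName 'AzureAD' |
    Format-List
# Against the real download: -Metadata ([xml](Get-Content -Raw .\Accops-HySecure.xml))
```

Compare the printed Assertion Consumer Service URL and SP Initiated URL with the Reply URL and Sign on URL in the Azure AD Basic SAML Configuration before clicking Test Connection; a mismatch in the IdP-name suffix is the usual cause of an assertion being rejected. The metadata does not state which hash the IdP signs responses with, so the Response Signature Algorithm still has to be read from the application's SAML Certificates page.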

Users should now be able to use SAML authentication to access the web resources according to the configuration.