Single Sign-On for Tanzu 1.15

Configuring Microsoft Entra ID as a SAML Identity Provider

Last Updated October 29, 2024

This topic tells you how to set up Microsoft Entra ID as your identity provider by configuring SAML integration in both Single Sign‑On for VMware Tanzu Application Service and Microsoft Entra ID.

Overview

To set up Microsoft Entra ID as your identity provider through SAML integration, complete the following sections in order:

  1. Set up SAML in Single Sign‑On
  2. Set up SAML in Microsoft Entra ID
  3. Set up Claims Mapping

Set up SAML in Single Sign‑On

To set up SAML in Single Sign‑On, follow the steps in Configure SAML Settings.

Set up SAML in Microsoft Entra ID

To set up SAML in Microsoft Entra ID:

  1. Log in to Microsoft Entra ID as a Global Admin at https://portal.azure.com/.

  2. Navigate to Microsoft Entra ID tab > Enterprise application.

    [Screenshot: the Overview section in Microsoft Entra ID, with red boxes around the Azure Active Directory (Microsoft Entra ID) tab and the Enterprise application link.]

  3. Select Non-gallery application. Provide a name and click Add.

    [Screenshot: the Add an application section, which lets you choose between an app you are developing, an on-premises app, or a non-gallery app.]

  4. Navigate to Microsoft Entra ID > Enterprise applications.

    [Screenshot: available tabs and categories, with a red box around the Enterprise applications category.]

  5. Click your app and then click the Single sign-on tab.

  6. Select SAML-based Sign-on from the drop-down menu and click Upload metadata file to upload the metadata file you downloaded earlier in Set up SAML in Single Sign‑On.

    [Screenshot: the Single sign-on category, with the Single Sign-on Mode drop-down menu set to SAML-based Sign-on, and Identifier and Reply URL fields containing example URLs.]

  7. Record the App Federation Metadata Url. You need this for setting up the SSO identity provider configurations. For more information, see Setting up SAML.

  8. Provide a Notification Email and click Save.

    [Screenshot: the SAML Signing Certificate section, where you manage the certificate Microsoft Entra ID uses to sign SAML tokens.]

  9. Navigate to the Users and groups tab and then click Add User.

    [Screenshot: the new_test - Users and groups section of Microsoft Entra ID, where you manage and add groups, users, owners, and so on.]

  10. Select users or group names from the drop-down menu. For example, you can add a group that includes all users that should be able to log in to the Single Sign‑On plan.

    [Screenshot: the Users and groups tab of the Add Assignment section of Microsoft Entra ID, where you select users or groups.]

Set up Claims Mapping

To set up claims mapping:

  1. Navigate to Microsoft Entra ID (previously Azure Active Directory) > App registration. Click your app.

    [Screenshot: the Default Directory - App registrations section of Microsoft Entra ID, where you view app registrations or add new ones.]

  2. To enable user attribute mappings:

    1. Select the View and edit all other user attributes checkbox under the User Attributes header.
    2. Modify the attributes.

    For more information, see the Microsoft documentation.

    [Screenshot: the User Attributes section, where you view, edit, and add user attributes.]

  3. To pass group membership claims to the app:

    1. Click Manifest.
    2. Locate groupMembershipClaims and set the value to one of the following:
      • SecurityGroup. Groups claim contains identifiers of all security groups of which the user is a member.
      • All. Groups claim contains the identifiers of all security groups and distribution lists of which the user is a member.
    3. Save the change.

    For more information, see the Microsoft documentation.

  4. Navigate to Azure Active Directory > Groups.

  5. For each group that the Single Sign‑On plan uses, record the Object ID. Azure AD passes the Object ID of these groups to the Single Sign‑On plan. For more information, see Configure Group Permissions.

    [Screenshot: the Admin group, showing Type, Membership type, Source, and Object ID, with a red box around the partially redacted Object ID.]
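The following is an added example, not code from the Single Sign‑On for Tanzu documentation or product. It shows what the groups claim looks like in a SAML assertion once groupMembershipClaims is set, why the recorded Object IDs matter, and what happens when the claim is absent. The assertion, the GUIDs, and the RECORDED_GROUPS mapping are constructed placeholders; the claim name is the one Microsoft Entra ID uses for group identifiers in SAML tokens. The code only parses attributes; in a real relying party the response's XML signature is verified against the IdP signing certificate (from the App Federation Metadata Url) before any attribute is trusted.

```python
"""Extract Entra ID group Object IDs from a SAML assertion and match them
against the Object IDs recorded from the Groups blade.

Added example, not part of the Single Sign-On for Tanzu docs or product.
The assertion below is constructed; signature verification is out of scope
here and must happen before these attributes are relied on.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute name under which Entra ID emits group identifiers in SAML tokens
# when groupMembershipClaims is set in the app manifest.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion; tenant ID, user and group GUIDs are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-10-29T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed mapping from Object IDs recorded in step 5 to the permission
# they are meant to grant in the Single Sign-On plan.
RECORDED_GROUPS = {
    "11111111-1111-1111-1111-111111111111": "admin",
    "33333333-3333-3333-3333-333333333333": "auditor",
}


def parse_assertion(xml_text):
    """Return (issuer, name_id, {attribute_name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return issuer, name_id, attrs


def group_object_ids(attrs):
    """Group Object IDs carried by the assertion. Empty when the claim is
    absent, which is what you get if groupMembershipClaims was never set."""
    return set(attrs.get(GROUPS_CLAIM, []))


def effective_permissions(attrs, recorded=RECORDED_GROUPS):
    """Permissions granted by intersecting the token's groups with the
    recorded Object IDs. Groups the plan never recorded grant nothing."""
    return sorted(recorded[g] for g in group_object_ids(attrs) if g in recorded)


if __name__ == "__main__":
    issuer, name_id, attrs = parse_assertion(SAMPLE_ASSERTION)
    print("issuer:", issuer)
    print("user:", name_id)
    print("groups in token:", sorted(group_object_ids(attrs)))
    print("effective permissions:", effective_permissions(attrs))
    # Token without a groups claim: no permissions can be derived from groups.
    print("no groups claim ->", effective_permissions({}))
```

Note that the token's second group is ignored because its Object ID was never recorded, and an assertion without the groups attribute yields no group-based permissions at all, which is the symptom to look for when the manifest change from step 3 has not been saved.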