
Azure AD

Follow the steps documented below to integrate Rafay with AzureAD for Single Sign-On (SSO).

Important

Only users with "Organization Admin" privileges can configure SSO in the Rafay Console.


Step 1: Create IdP in Rafay

  • Log in to the Rafay Console as an Organization Admin.
  • Click on System and then Identity Providers
  • Click on "New Identity Provider"
  • Provide a name and select "Custom" from the "IdP Type" drop-down
  • Enter the "Domain" for which you would like to enable SSO
  • Optionally, toggle "Encryption" if you wish to send/receive encrypted SAML assertions
  • Provide a name for the "Group Attribute Name"
  • Click on Save & Continue

Create IdP

Important

Encrypting SAML assertions is optional because privacy is already provided at the transport layer using HTTPS. Encrypted assertions provide an additional layer of security on top, ensuring that only the SP (Rafay Org) can decrypt the SAML assertion.


Step 2: View SP Details

The Rafay IdP configuration wizard will display critical information that you need to copy/paste into your AzureAD Enterprise Application. Provide the following information to your AzureAD administrator.

  • Assertion Consumer Service (ACS) URL
  • SP Entity ID
  • Name ID Format

View SP Details


Step 3: Create Rafay App in AzureAD

  • Log in to your AzureAD as an Administrator
  • Select Enterprise applications and New application

Create App Integration


  • Select "Non-gallery application" to create a new application

Create App Integration


Step 4: General Settings

On the Add your own application page:

  • Enter a name such as "Rafay Systems SSO" for the application name
  • Click the "Add" button to add the application

General Settings


Step 5: Configure SAML

On the application configuration page:

  • Go to Single sign-on and select "SAML"

Configure SAML


  • Click Edit Basic SAML Configuration

Configure SAML


  • Copy/Paste the Entity ID from Step 2
  • Copy/Paste the Rafay ACS URL from Step 2 into the "Reply URL"
  • Copy/Paste the Rafay ACS URL from Step 2 into the "Sign on URL"
  • Then Save the configuration

Configure SAML


  • Click Edit User Attributes & Claims

Configure SAML


  • Click on the Name ID claim to edit the Claim

Configure SAML


  • Select "Email address" in the Name ID format dropdown
  • Select the "Source attribute" of the user that is in email format and whose domain matches the email domain configured in Rafay in Step 1
  • Save the settings

Configure SAML


Step 6: Assign Users and Groups to Rafay Application And Configure Group Claim

The "Group" configuration step is critical because it will ensure that AzureAD will send the groups the user belongs to as part of the SSO process. Rafay uses the group information to transparently map users to the correct group/role.

If you have users and groups synced from Active Directory to your AzureAD tenant, follow Step 6.1 below to configure the Group Claims.

Otherwise, follow Step 6.2 to use appRoles as the Group attribute sent to Rafay.


Step 6.1: Configure Group Claim for Users and Groups Synced from Active Directory

Assign Active Directory Users and Groups to the Rafay App:

  • Go to Enterprise application > Rafay_App > Users and groups > Add user

Assign Groups

  • Select the Users and/or Groups synced from Active Directory to allow access to Rafay App

Assign Groups

  • Assign the User Role for the selected groups

Assign Groups


Add Group Claims Using Active Directory Group Names:

  • Go to Enterprise application > Rafay_App > Single sign-on
  • Click Edit for "User Attributes & Claims"
  • Select "Add a group claim"
  • Select "sAMAccountName" as the "Source attribute" so that the Active Directory group names of the user's group memberships are sent in the group claim
  • Set the "Name" to the same "Group Attribute Name" configured in Rafay in Step 1
  • Save the settings

In the illustrative example below, we are using "RafayRoles" as the name of the group claim.

Configure SAML


Groups Configuration In Rafay Console

Groups with names identical to the Active Directory group names need to be created in Rafay. Ensure that these groups are mapped to the appropriate Projects with the correct privileges. In the example below, the Rafay Group "OrgAdmin" is configured as an "Organization Admin" with access to all Projects.

Assign Groups

It is important to emphasize that because of SSO via AzureAD, user lifecycle management can be completely offloaded to the IdP. In the example below, note that there are no users managed in the "OrgAdmin" group because they are all managed in the attached AzureAD tenant.

Users in Group


Step 6.2: Configure appRoles to Use in Place of the Group Claim for Users/Groups in the AzureAD Cloud Directory

Add appRoles to Rafay application from manifest:

Reference link: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

  • Go to AzureAD Portal > App registrations > Rafay_App > Manifest
  • Edit the manifest: locate the appRoles setting and add additional appRoles to the Rafay Application
  • Save the manifest

Assign Groups


An excerpt of the manifest with example appRoles to add to the Rafay App is shown below (the "id" of each appRole needs to be unique):

{
    "appId": "3474f74b-523e-4d5b-854d-f21697f8f8d9",
    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Organization Admin",
            "displayName": "OrgAdmin",
            "id": "404b32c2-b0ba-11ea-b3de-0242ac130004",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "OrgAdmin"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Demo Project Admin",
            "displayName": "DemoAdmin",
            "id": "f76c0fda-b0ba-11ea-b3de-0242ac130004",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "DemoAdmin"
        }
    ]
}

Groups Configuration In Rafay Console

Groups with names identical to the appRoles values need to be created in Rafay. Ensure that these groups are mapped to the appropriate Projects with the correct privileges. In the example below, the Rafay Group "OrgAdmin" is configured as an "Organization Admin" with access to all Projects.

Assign Groups


Assign AzureAD Cloud Directory Users and Groups to the Rafay App:

  • Go to Enterprise application > Rafay_App > Users and groups > Add user

Assign Groups

  • Select the Users and/or Groups from AzureAD Cloud Directory to allow access to Rafay App

Assign Groups

  • Select the appRoles for the selected users/groups from the drop-down list. The new appRoles added in the above steps should appear in the list

Assign Groups

Add A Custom Claim Using the Assigned appRoles for Users/Groups to Rafay:

  • Go to Enterprise application > Rafay_App > Single sign-on
  • Click Edit for "User Attributes & Claims"
  • Select "Add new claim"

Configure SAML

  • Set the "Name" to the same "Group Attribute Name" configured in Rafay in Step 1
  • Select "user.assignedroles" as the "Source attribute" so that the appRoles assigned in the above steps are sent to Rafay and used as group information
  • Save the settings

In the illustrative example below, we are using "RafayRoles" as the name of the claim.

Configure SAML
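Whichever source feeds the claim (Step 6.1 group names or Step 6.2 appRoles), Rafay receives the same shape of assertion: an email-format NameID whose domain must match the Step 1 "Domain", plus a group attribute (named "RafayRoles" in the examples) whose values must match groups created in the Rafay Console. The following is an added example, not Rafay or Microsoft code, that inspects a constructed assertion against those rules; signature and encryption handling is the SP's job and is not shown.

```python
"""Check a SAML assertion against the Rafay SP rules described in Steps 1, 5 and 6."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (not a real AzureAD response): one user, two group values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2020-06-17T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT-ID/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="RafayRoles">
      <saml:AttributeValue>OrgAdmin</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, sso_domain, group_attr, rafay_groups):
    """Return {"email", "groups", "error"}; "error" is None when the assertion is usable.

    sso_domain   - the "Domain" entered in Step 1
    group_attr   - the "Group Attribute Name" from Step 1 (claim "Name" in Step 6)
    rafay_groups - group names that exist in the Rafay Console (exact match assumed)
    """
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        return {"email": None, "groups": [], "error": "NameID missing or not in emailAddress format"}
    email = (name_id.text or "").strip()
    domain = email.rsplit("@", 1)[-1] if "@" in email else ""
    if domain.lower() != sso_domain.lower():
        return {"email": email, "groups": [], "error": f"{email!r} is outside SSO domain {sso_domain!r}"}
    claimed = [
        (v.text or "").strip()
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == group_attr
        for v in attr.findall("saml:AttributeValue", NS)
    ]
    # Only values that name an existing Rafay group take effect; the rest are dropped.
    matched = [g for g in claimed if g in rafay_groups]
    return {"email": email, "groups": matched, "error": None}
```

Running it with the constructed assertion, domain "example.com" and Rafay groups {"OrgAdmin", "DemoAdmin"} yields alice@example.com mapped to ["OrgAdmin"] only; "Finance" is dropped because no such Rafay group exists.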

Step 7: Specify IdP Metadata

  • Go back to AzureAD Portal > Enterprise application > Rafay_App > Single sign-on configuration page.
  • Copy the "App Federation Metadata Url" URL from the Rafay App > SAML Signing Certificate section

IdP Metadata

  • Navigate back to the Rafay Console's IdP configuration wizard
  • Paste the App Federation Metadata Url from AzureAD into the Identity Provider Metadata URL field
  • Complete IdP Registration

Create App Integration

  • Once this process is complete, you can view details about the IdP configuration on the Identity Provider page.
  • You can also edit and update the configuration if required.

Completed IdP