Microsoft Entra ID SSO
Amazon Cognito integrates with Microsoft Entra ID to enable existing Entra ID users to sign on to Amorphic Data Cloud. This section explains how to register and set up your application with Microsoft Entra ID as an identity provider.
What is Single Sign-On?
Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites using just one set of credentials. SSO works based upon a trust relationship set up between an application, known as the service provider (such as Amorphic Data Cloud), and an identity provider (such as Microsoft Entra ID). This trust relationship is often based upon a certificate that is exchanged between the identity provider and the service provider. This certificate is used to sign the identity information sent from the identity provider to the service provider, so that the service provider knows it is coming from a trusted source.
Amorphic username convention
Due to the variety of systems Amorphic integrates with, Amorphic requires strict rules to be enforced for its usernames. Failure to follow the required rules may lead to Amorphic users not being able to log in as intended. The rules required by Amorphic are the conventional rules required for Entra ID integration by other systems as well, and follow best practices.
The requirements for usernames are as follows:
- The usernames must be unique for different users
- Usernames are integrated with access to datasets and resources, and as such cannot change
- Should not start with a number
- Should be only alphanumeric, no special characters are permitted
- Usernames can contain both lowercase and uppercase letters
- Should have a minimum of 3 characters and should not exceed 20 characters
It should be noted that any and all transformations used to convert the username in the SSO provider to the Amorphic username should produce a username compliant with the Amorphic username convention specified above. For example, if you have a username like John_Doe@email.com and the transformation results in JohnDoe or JohnDoe123, this is compliant with the rules. However, if the transformation results in John_Doe or 123John, it would violate the rules (since special characters or starting with a number are not allowed). If you have such IDs, it is recommended to create a new field with an Amorphic compliant username format and use that as the Amorphic username.
Pre-requisites for Microsoft Entra ID Identity Provider
Before we proceed with the Microsoft Entra ID IDP setup, we need the following prerequisites:
- Azure account - https://portal.azure.com/
- Amorphic Application Deployed with Identity Provider option enabled
Steps to register Amorphic app with Microsoft Entra ID
- Create a Non-Gallery Enterprise Application with SSO enabled under Microsoft Entra ID Service
- Get App Federation Metadata Url & Login URL
Create a Non-Gallery Enterprise Application under Microsoft Entra ID Service
Log in to the Azure portal (https://portal.azure.com/).
- Search for Microsoft Entra ID as shown in the image below and open it.
- Select Enterprise applications on the left menu panel of the portal and select New Application as shown in the image below:
- Click on Create your own application as shown in the image below:
- Enter a custom name for your application and finally click on Create. Make sure to select the Integrate any other application you don't find in the gallery (Non-gallery) option as shown below:
Basic SAML configuration
- On the newly created Enterprise application page, select the Single sign-on option on the left menu panel and select Set up Single Sign-On as shown below:
- Choose SAML as the single sign-on method.
- Edit the Basic SAML Configuration section and add the Identifier (Entity ID) and Reply URL:
  - Format of Identifier (Entity ID): urn:amazon:cognito:sp:<cognito-userpool-id>
  - Format of Reply URL: https://<cognito-domain>/saml2/idpresponse
The Cloudwick Support Team will provide both the cognito-userpool-id and cognito-domain values.
User Attributes and Claims
In the User attributes and claims section, three attributes are important:
- email: The email attribute maps to the userprincipalname, ensuring accurate user identification and facilitating seamless communication through verified email addresses during authentication.
- name: The name attribute is mapped to the displayname value, which allows users to be easily recognized within the Amorphic platform, fostering a better user experience.
- username: The username is mapped to the userprincipalname value from Azure, transformed to meet Amorphic's strict username conventions, ensuring uniqueness and compliance without special characters or leading numbers.
- Edit the attributes and claims section.
- Click on Add new claim, add the values as shown in the image, and save the changes.
Use a transformation to extract the mail prefix and the letters from the email attribute.
The following is an example for reference on how to do so. You should ensure that appropriate transformations are used so that the result conforms to the Amorphic username convention.
It is very important to note that the mappings, once created and once users have logged in, should not be modified later on, as that may introduce issues downstream.
- After the attributes are successfully updated, the attributes page shows all three newly added attributes as shown below:
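To dry-run the claim transformation described above against the Amorphic username convention before the mapping goes live, here is an added Python example that is not part of the Amorphic documentation or product. It approximates Entra ID's ExtractMailPrefix and ExtractAlpha as plain string operations (an assumption about their exact behaviour), derives a username for each UPN in a constructed list, and flags results that break the convention or that collide between two users.

```python
import re
from collections import defaultdict

# Amorphic username convention from this page: starts with a letter,
# alphanumeric only, 3 to 20 characters (ASCII letters and digits assumed).
AMORPHIC_USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{2,19}$")

def extract_mail_prefix(value: str) -> str:
    """Approximates Entra ID's ExtractMailPrefix(): the part before '@'."""
    return value.split("@", 1)[0]

def extract_alpha(value: str) -> str:
    """Approximates Entra ID's ExtractAlpha(): letters only, digits/symbols dropped."""
    return "".join(ch for ch in value if ch.isalpha())

def derive_username(upn: str) -> str:
    """Apply the two transformations in the order the page describes."""
    return extract_alpha(extract_mail_prefix(upn))

def is_valid_amorphic_username(name: str) -> bool:
    return AMORPHIC_USERNAME_RE.fullmatch(name) is not None

def check_directory(upns):
    """Dry-run the claim mapping over a list of UPNs before it goes live.
    Returns (mapping, invalid, collisions): upn -> username, UPNs whose
    result breaks the convention, and usernames shared by several UPNs."""
    mapping = {upn: derive_username(upn) for upn in upns}
    invalid = [u for u, n in mapping.items() if not is_valid_amorphic_username(n)]
    owners = defaultdict(list)
    for upn, name in mapping.items():
        owners[name].append(upn)
    collisions = {n: o for n, o in owners.items() if len(o) > 1}
    return mapping, invalid, collisions

# Constructed sample UPNs (not real accounts) covering the edge cases.
SAMPLE_UPNS = [
    "John_Doe@example.com",     # underscore dropped -> JohnDoe
    "jane.smith2@example.com",  # digits dropped -> janesmith
    "jane.smith7@example.com",  # collides with the previous one
    "123ops@example.com",       # leading digits dropped -> ops (valid)
    "42@example.com",           # nothing left after ExtractAlpha -> invalid
]

if __name__ == "__main__":
    mapping, invalid, collisions = check_directory(SAMPLE_UPNS)
    print(mapping, invalid, collisions, sep="\n")
```

Because mappings must not change after users have logged in, running this kind of check over a full directory export is the time to catch collisions and empty results, before the first sign-in.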
Get App Federation Metadata Url & Login URL
- Copy the App Federation Metadata Url and Login URL as shown below.
Update Amorphic with credentials
- In Amorphic CMP (customer management portal), select IDP provider as SAML and update the values:
  - IDP Server URL in CMP corresponds to the Login URL retrieved from Entra ID
  - IDP Metadata URL corresponds to the App Federation Metadata Url from Entra ID
Once the values are added, click on Update IDP Details.
This will take around 45-60 mins to get reflected in the login page.
Frequently asked questions (FAQ)
1. Why is attribute mapping required?
a. When integrating with Microsoft Entra ID and Cognito, Amorphic requires attributes such as username, name and email from Azure to successfully register the user.
2. To which value should the email be mapped?
a. In Azure, the email attribute needs to be mapped to the userprincipalname value.
3. To which value should the username be mapped?
a. In Azure, the username attribute needs to be mapped to the userprincipalname value along with a transformation to get a unique value. The transformations applied are ExtractMailPrefix and ExtractAlpha.
4. To which value should the name be mapped?
a. In Azure, the name attribute needs to be mapped to the displayname value.
5. What happens if any configuration changes at Identity Provider end?
a. When Identity Provider configuration such as the signing certificate changes, the Cloudwick support team must re-import the SAML metadata file in the AWS Cognito Console.