Skip to main content
info
This documentation is for version v2.4 of the product.
For the latest version(v2.7) documentation click here
Version: v2.4 print this page

Azure AD SSO

Amazon Cognito integrates with Azure AD to enable existing AD users to sign-on to Amorphic Data Cloud. This section explains how to register and set up your application with Azure AD as an identity provider.

What is Single Sign-On?

Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials. SSO works based upon a trust relationship set up between an application, known as the service provider, like Amorphic Data Cloud and an identity provider, like Azure AD. This trust relationship is often based upon a certificate that is exchanged between the identity provider and the service provider. This certificate can be used to sign identity information that is being sent from the identity provider to the service provider so that the service provider knows it is coming from a trusted source.

Pre-requisites for Azure AD Identity Provider

Before we proceed with the Azure AD IDP setup, we need the following pre-requisites:

  1. Azure account - https://portal.azure.com/
  2. Amorphic Application Deployed with Identity Provider option enabled

Steps to register Amorphic app with Azure AD

  • Create a Non-Gallery Enterprise Application with SSO enabled under Azure Active Directory Service
  • Get App Federation Metadata Url & Login URL
  1. Login to Azure portal using this link.

  2. Search for Azure Active Directory Service as shown in below image and open it.

image

  1. Select Enterprise applications on the left menu panel of portal & Select New Application as shown in below image:

image

  1. Click on Create your own application as shown in below image:

image

  1. Enter a custom name for your application & finally click on Create. Make sure to select Integrate any other application you don't find in the gallery (Non-gallery) option as shown below:

image

Basic SAML configuration

  1. On the newly created Enterprise application page, select Single sign-on option on the left menu panel and select Set up Single Sign-On as shown below:

image

  1. choose SAML as the single sign-on method

image

  1. edit Basic SAML Configuration section and add Identifier Entity Id and Reply URL

image

  • Format of Identifier Entity Id: urn:amazon:cognito:sp:<cognito-userpool-id>
  • Format of Reply URL: https://<cognito-domain>/saml2/idpresponse

Cloudwick Support Team will provide both cognito-userpool-id and cognito-domain values.

User Attributes and Claims

In User attributes and claims section, 3 attributes are important

  • email
  • name
  • username
  1. edit attributes and claims section

image

  1. Click on Add new claim and add values as shown in the image and save them after changes

image

image

use Transformation to extract mail prefix and alphabets from email attribute.

image

  1. after successfully updated, the attribute page shows all three newly added attributes as shown below:

image

Get App Federation Metadata Url & Login URL

  1. Copy App Federation Metadata Url and Login URL as shown below

image

Update Amorphic with credentials

  1. In amorphic CMP (customer management portal), select IDP provider as SAML and update the values.
  • IDP Server URL in cmp corresponds to Login URL retrieved from AD
  • IDP Metadata URL corresponds to App Federation Metadata Url from AD

Once the values are added, click on Update IDP Details. This will take around 45-60 mins to get reflected in the login page.

image

Frequently asked questions (FAQ)

1. Why is attribute mapping required?

a. When integrating with azure AD and cognito, Amorphic requires attributes such as username, name and email from azure to successfully register user.

2. To which value should the email be mapped?

a. In azure email attribute need to be mapped to userprincipalname value.

3. To which value should the username be mapped?

a. In azure username attribute need to be mapped to userprincipalname value along with transformation to get a unique value. The transformations applied are ExtractMailPrefix and ExtractAlpha

4. To which value should the name be mapped?

a. In azure name attribute need to be mapped to displayname value.