SSO with Azure

👍

Request an SSO setup

Follow this link to directly request an SSO setup for your workspace(s): https://leanix.zendesk.com/hc/en-us/requests/new?ticket_form_id=5897099761948

This page gives best practices for configuring Microsoft Azure for SSO with LeanIX.

📘

Attention

Please make sure to read the general SSO guide first. The general process is defined there; this page gives configuration details for Azure.

For information about how to add a non-gallery application, please refer to the official documentation: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications

LeanIX Domain and URLs

Example Settings

Please ensure that the settings are configured according to the example below:

Identifier (Entity ID): https://<customerDomain>.leanix.net/Shibboleth.sso
Reply URL: https://<customerDomain>.leanix.net/Shibboleth.sso/SAML2/POST

Mapping attributes

When using SAML login with Microsoft Azure, you need to pass a user's first name, last name, email and role; see Single sign-on (SSO) for details. These values are defined as SAML Token Attributes in the Relying Party Trust.

In order to properly configure the attribute mapping, custom claim rules need to be configured. The following example rules help to configure your Microsoft Azure federation with LeanIX.

👍

Important Information

The entries shown in the image below are the target values on the screen. It may show different values when you start the setup. For example, the first row in the token attributes table will be "givenname" and needs to be changed to "firstname".
For each SAML token attribute, the namespace element must be deleted.
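One way to check a decoded SAML assertion from a test login against the settings above, as an added example that is not LeanIX or Microsoft code: it flags attributes that still carry a namespace and compares Audience and Recipient with the Entity ID and Reply URL. The attribute names other than "firstname", the `acme` customer domain and the sample assertion are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# "firstname" is named on the page; the other three names are assumptions.
REQUIRED = ("firstname", "lastname", "email", "role")
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # Azure default prefix

# Constructed sample assertion (unsigned, trimmed); "acme" is a placeholder domain.
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://acme.leanix.net/Shibboleth.sso/SAML2/POST"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://acme.leanix.net/Shibboleth.sso</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="role"><saml:AttributeValue>VIEWER</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, customer_domain, required=REQUIRED):
    """Return mapping findings (empty = OK); does not verify signature or validity."""
    entity_id = f"https://{customer_domain}.leanix.net/Shibboleth.sso"
    reply_url = entity_id + "/SAML2/POST"
    root = ET.fromstring(xml_text)
    findings = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        findings.append(f"Audience {audiences} lacks Entity ID {entity_id}")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if reply_url not in recipients:
        findings.append(f"Recipient {recipients} lacks Reply URL {reply_url}")
    seen = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name", "")
        if "/" in name or ":" in name:  # URI-style name: namespace was not deleted
            findings.append(f"Attribute {name!r} still carries a namespace")
        seen[name] = [v.text for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    for want in required:
        if not seen.get(want):
            findings.append(f"Required attribute {want!r} is missing or empty")
    return findings

if __name__ == "__main__":
    for finding in check_assertion(SAMPLE, "acme"):
        print("FINDING:", finding)
```

Run it only on assertions captured from your own test logins and parse them as trusted input; replace `REQUIRED` with the attribute names given in the general SSO guide.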

Role Assignment

For customers who assign roles in Azure AD, it's necessary to create corresponding App Roles in your App Registrations.

These app roles can then be assigned to users and/or groups within the enterprise application.

Claim Conditions

Claim conditions are an option for assigning roles to Active Directory groups. When adding conditions, they will be met in order of appearance. In the example below, if a user belongs to the scoped groups "VIEWER" and "MEMBER", they will be assigned the VIEWER permission by order of operation.

📘

To learn more about how to configure the user.assignedroles values, please see https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest

📘

Information

For SMP roles, please see the SMP user role mapping section.