This document runs through the basic steps to configure an SSO integration in Panaseer with Microsoft Entra ID using SAML.
Please contact your CSM if you need support from our engineering teams.
Register an enterprise application
- Login to Microsoft Azure and search for Enterprise applications.
-
Click Enterprise applications.
-
Click New application.
-
Click Create your own application.
If Create your own application is grayed out, you may not have the correct permissions to create applications. Please see your administrator for more information. -
Click Single sign-on and select SAML.
-
An illustration of how to set up the SAML configuration is shown here.
Please substitute your environment identifier in place of c00 and use a Notification Email relevant to your organization.
For example:
https://c123.panaseer.com/saml/sp
https://c123.panaseer.com/psdl/auth/callback/SamlSSO
https://c123.panaseer.com/psdl/auth/sso-logout-callback
Please fill in the Sign On URL with https://c123.panaseer.com if you are using My-Apps in SSO - Make a note of the App Federation Metadata URL or download the Metadata XML file to pass to Panaseer.
A URL to the metadata file is the preferred format.
Configure Panaseer Groups and Azure Entra ID Application Roles
For full and up-to-date information, refer to Microsoft’s documentation.
- Login to Microsoft Azure and search for App registrations.
-
Click App registrations and then All Applications.
- Search for the enterprise you registered under Register an enterprise application.
-
Click App roles.
-
Create the same number of application roles as you have Groups in Panaseer.
Values are mapped 1-1 with group names in Panaseer when you create applications roles. These roles determine how a user is assigned to groups when they login with Entra ID. - Click Overview and then Managed application in local directory to go to the Enterprise application.
-
Click Users and Groups and then Add user/group.
-
Assign groups in Azure Entra ID to the roles you created previously.
We recommend assigning Entra Security Groups to roles to manage access. Any user that is a member of that group then inherits the role assignment when they login to Panaseer. -
Click Single sign-on, Attributes & Claims, Add new claim to propagate the app roles in the SAML claim with values.
• Name: groups
• Source attribute: user.assignedroles
Attributes & Claims
Add new claim
Propagate the user attribute user.assignedroles
SAML FAQ
| Question | Answer |
|---|---|
| What format is preferred for the identity providers SAML metadata file? |
Panaseer accepts either:
A URL is the preferred option. |
| Do we need Panaseer to send signed authentication requests? |
No. If this is a requirement, we will need to generate a Java keystore and generate a self-signed certificate that is then used to sign the requests. |
| Are we forced to re-authenticate with the identity provider when logging in to Panaseer? |
No. However, if this is enabled, users always have to re-login with your identity provider. Azure Entra ID is an example of an identity provider. |
| What version of SAML is supported? | SAML v2.0 protocol |
Comments
0 comments
Please sign in to leave a comment.