Last Updated: August 09, 2024
Connect Entra ID
Here we provide an overview of how to connect Entra ID (Azure AD) to Vasion Automate Pro SAML SSO.
Requirements
To connect SAML 2.0 you need the following:
- Vasion Admin rights.
- Admin console access to the Entra ID (Azure AD) portal.
- Full rights to create apps in Entra ID (Azure AD).
- A user account with the SAML login type.
Create a New App
- Navigate to https://entra.microsoft.com
- On the side navigation expand the Applications section and select Enterprise applications.
- Select New Application.
- On the Browse Microsoft Entra Gallery page select Create your own application.
- In the Create your own application panel, enter a name for your application.
- Select the Integrate any other application option.
- Select Create at the bottom of the panel.
For more information about creating an app, see Microsoft's help section Add an Enterprise application.
Manage the App
Complete the following in the Manage section:
- Add at least one owner to the app.
- Assign at least one user to the account so you can test the connection.
Setup Single Sign On
To set up single sign-on, open a new browser tab or window and access the Connect SAML modal by following the first 3 steps in the Connect SAML section below. Leave this web page open to complete the setup and connection processes.
Connect SAML
- Select the Admin app.
- Expand the Integrations option on the side menu and select Authentication.
- Select Connect SSO.
- In the Connect SAML modal complete the following:
- Name — enter a name that identifies the SAML connection.
- Entity Name — enter the following:
urn:vasion:SAMLServiceProvider
Continue Entra ID Setup
On the Entra ID (Azure AD) app's Overview page do the following:
- In the Getting Started section select the Get Started link under 2. Setup single sign on.
- On the Single sign-on page select SAML.
- Select Edit in the Basic SAML Configuration section on the Set up Single Sign-On with SAML pane.
- In the Identifier (Entity ID) field enter the Entity Name field value.
- In the Reply URL (Assertion Consumer Service URL), paste the value found in the Assertion Consumer Service field on the Connect SAML modal.
- Scroll down to the SAML Certificates section and select the Download link for the Certificate (Raw) option. You will need to upload the certificate file when you configure the connection.
Keep the web page open. You'll need to copy and paste the URLs found in section 4 Setup <app name> when you get to step 4 in the Connect SAML instructions below.
Select the Download Link for the Federation Metadata XML option in the SAML Certificates section. This file provides all the information related to your app and you can use it for reference, if necessary, while configuring the SAML Connection in Vasion Automate Pro.
Complete the Configuration
- Complete the rest of the options on the Connect SAML modal.
- Certificate — select the Upload button and upload the X509 certificate.
- SSO URL — paste the URL from the Entra ID (Azure AD) app, Login URL field.
- SLO URL — paste the URL from the Entra ID (Azure AD) app, Logout URL field.
- SSO Binding — enter the following code into this field. You can confirm the binding information by opening the XML file you previously downloaded and checking the service binding, typically found near the end of the file.
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
- SLO Binding — enter the same code into this field.
- Clock Skew Minutes — if the times are different between the client and the server, increase the number accordingly, otherwise leave the default.
- Response Attribute Username — to obtain this value do the following:
- Return to the Entra ID (Azure AD) app web page and scroll up to the Attributes & Claims section, then select Edit.
- On the Attributes & Claims page, under the Additional claims section, copy the URL listed for the user.principalname value.
- Return to the Connect SAML modal and paste the URL.
- Sign Authentication Request — set the option to False.
- Want SAML Response Signed — set the option to True.
- Want Assertion Signed — set the option to False.
- Want Assertion Encrypted — set the option to False.
- Enable SAML Logging at Server — select this option to turn on logging for SAML events to help with troubleshooting at the server level or when reaching out to Product Support.
- Select Save.
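The SSO Binding step above says the binding can be confirmed in the downloaded Federation Metadata XML. The following is an added example, not part of the Vasion or Microsoft documentation, that reads the advertised SSO/SLO bindings and the signing certificate fingerprint from such a file. The embedded metadata is a constructed sample with placeholder URLs and certificate bytes, and it assumes the Certificate (Raw) download is DER-encoded, so its SHA-256 can be compared directly.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample standing in for the downloaded Federation Metadata XML.
# Entity ID, URLs and certificate bytes are placeholders, not real tenant values.
SAMPLE_CERT_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://idp.example.test/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
   <X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</X509Certificate>
  </X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="{HTTP_POST}" Location="https://idp.example.test/saml2"/>
  <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/saml2"/>
  <SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.test/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def _idp(xml_data):
    """Parse metadata (str or bytes) and return its IDPSSODescriptor element."""
    idp = ET.fromstring(xml_data).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    return idp

def advertised_endpoints(xml_data):
    """Return {service: {binding URN: location}} for the SSO and SLO services."""
    idp = _idp(xml_data)
    return {svc: {e.get("Binding"): e.get("Location")
                  for e in idp.findall(f"md:{svc}", NS)}
            for svc in ("SingleSignOnService", "SingleLogoutService")}

def signing_cert_sha256(xml_data):
    """SHA-256 of each signing cert; compare with the hash of the raw (assumed DER) file."""
    prints = []
    for kd in _idp(xml_data).findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                prints.append(hashlib.sha256(der).hexdigest())
    return prints

if __name__ == "__main__":
    print(advertised_endpoints(SAMPLE_METADATA), signing_cert_sha256(SAMPLE_METADATA))
```

To check your own download, pass the file's bytes to both functions, confirm `HTTP_POST` appears under the service you are configuring, and confirm the fingerprint matches the certificate you upload.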
Test the Connection
Before you test the connection make sure you have a user account created with the SAML login type. That account should have the same username as the user assigned to the new Entra ID app.
- Return to the SAML-based Sign-on web page.
- Scroll down to the bottom of the page and select Test.
- In the Test single sign-on panel select Test sign in.
- Enter or select the account username and complete the sign in process.
If the app is configured correctly you'll be signed in to Vasion Automate Pro. When you're ready, you can enable SAML SSO.
App Registration & Permissions
- Under the Security section select Permissions.
- On the Permissions panel, select the app registration link.
- On the API permissions page select Add a permission.
- Select Microsoft Graph.
- Select Delegated permissions.
- Scroll down to the User section and select User.Read.All.
- Select Add Permissions at the bottom of the panel.
- Select Grant admin consent for MSFT.
- Follow the prompts and select Accept in the Permissions Requested modal.
Enable SAML SSO
Once you're ready to enable SAML, access the Connect SAML modal and select Enable SAML Login.
Once SAML is enabled, the identity provider's sign-in flow is launched automatically. To bypass SAML login and access your instance using your admin credentials, append the following code to the end of your Vasion Automate Pro URL in the web browser.
login?vasionLogin=true
Edit the SAML Connection
You can make any updates to the connection at any time by doing the following:
- Select Edit SSO.
- Update the information in the appropriate fields.
- Select Save.