Create enterprise applications in Azure AD
You use Azure AD to create an enterprise application for each Admin Node in your system.
-
You have started configuring single sign-on for StorageGRID and you selected Azure as the SSO type.
-
Sandbox mode is selected on the Single sign-on page in Grid Manager. See Use sandbox mode.
-
You have the Enterprise application name for each Admin Node in your system. You can copy these values from the Admin Node details table on the StorageGRID Single Sign-on page.
You must create an enterprise application for each Admin Node in your StorageGRID system. Having an enterprise application for each Admin Node ensures that users can securely sign in to and out of any Admin Node. -
You have experience creating enterprise applications in Azure Active Directory.
-
You have an Azure account with an active subscription.
-
You have one of the following roles in the Azure account: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
Access Azure AD
-
Login to the Azure Portal.
-
Navigate to Azure Active Directory.
-
Select Enterprise applications.
Create enterprise applications and save StorageGRID SSO configuration
In order to save the SSO configuration for Azure in StorageGRID, you must use Azure to create an enterprise application for each Admin Node. You will copy the federation metadata URLs from Azure and paste them into the corresponding Federation metadata URL fields on the StorageGRID Single Sign-on page.
-
Repeat the following steps for each Admin Node.
-
In the Azure Enterprise applications pane, select New application.
-
Select Create your own application.
-
For the name, enter the Enterprise application name you copied from the Admin Node details table on the StorageGRID Single Sign-on page.
-
Leave the Integrate any other application you don't find in the gallery (Non-gallery) radio button selected.
-
Select Create.
-
Select the Get started link in the 2. Set up single sign on box, or select the Single sign-on link in the left margin.
-
Select the SAML box.
-
Copy the App Federation Metadata Url, which you can find under Step 3 SAML Signing Certificate.
-
Go to the StorageGRID Single Sign-on page, and paste the URL in the Federation metadata URL field that corresponds to the Enterprise application name you used.
-
-
After you have pasted a federation metadata URL for each Admin Node and made all other needed changes to the SSO configuration, select Save on the StorageGRID Single Sign-on page.
Download SAML metadata for every Admin Node
After the SSO configuration is saved, you can download a SAML metadata file for each Admin Node in your StorageGRID system.
Repeat these steps for each Admin Node:
-
Sign in to StorageGRID from the Admin Node.
-
Select CONFIGURATION > Access control > Single sign-on.
-
Select the button to download the SAML metadata for that Admin Node.
-
Save the file, which you will upload into Azure AD.
Upload SAML metadata to each enterprise application
After downloading a SAML metadata file for each StorageGRID Admin Node, perform the following steps in Azure AD:
-
Return to the Azure Portal.
-
Repeat these steps for each enterprise application:
You might need to refresh the Enterprise applications page to see applications you previously added in the list. -
Go to the Properties page for the enterprise application.
-
Set Assignment required to No (unless you want to separately configure assignments).
-
Go to the Single sign-on page.
-
Complete the SAML configuration.
-
Select the Upload metadata file button and select the SAML metadata file you downloaded for the corresponding Admin Node.
-
After the file loads, select Save and then select X to close the pane. You are returned to the Set up Single Sign-On with SAML page.
-
-
Follow the steps in Use sandbox mode to test each application.