Create enterprise applications in Entra ID

Contributors netapp-lhalbert netapp-pcarriga

You use Entra ID to create an enterprise application for each Admin Node in your system.

Before you begin
  • You have started configuring single sign-on for StorageGRID and you selected Entra ID as the SSO type.

  • You have entered sandbox mode in Grid Manager.

  • You have the Enterprise application name for each Admin Node in your system. You can copy these values from the Admin Node details table on the Configure SSO page.

    Note You must create an enterprise application for each Admin Node in your StorageGRID system. Having an enterprise application for each Admin Node ensures that users can securely sign in to and out of any Admin Node.

  • You have experience creating enterprise applications in Entra ID.

  • You have an Entra ID account with an active subscription.

  • You have one of the following roles in the Entra ID account: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

Access Entra ID

Steps
  1. Log in to the Azure Portal.

  2. Navigate to Entra ID.

  3. Select Enterprise applications.

Create enterprise applications and save StorageGRID SSO configuration

To save the SSO configuration for Entra ID in StorageGRID, you must use Entra ID to create an enterprise application for each Admin Node. You will copy the federation metadata URLs from Entra ID and paste them into the corresponding Federation metadata URL fields on the Configure SSO page.

Steps
  1. Repeat the following steps for each Admin Node.

    1. In the Entra ID Enterprise applications pane, select New application.

    2. Select Create your own application.

    3. For the name, enter the Enterprise application name you copied from the Admin Node details table on the Configure SSO page.

    4. Leave the Integrate any other application you don't find in the gallery (Non-gallery) radio button selected.

    5. Select Create.

    6. Select the Get started link in the 2. Set up single sign on box, or select the Single sign-on link in the left margin.

    7. Select the SAML box.

    8. Copy the App Federation Metadata Url, which you can find under Step 3 SAML Signing Certificate.

    9. Go to the Configure SSO page, and paste the URL in the Federation metadata URL field that corresponds to the Enterprise application name you used.

  2. After you have pasted a federation metadata URL for each Admin Node and made all other needed changes to the SSO configuration, select Save on the Configure SSO page.

Download SAML metadata for every Admin Node

After the SSO configuration is saved, you can download a SAML metadata file for each Admin Node in your StorageGRID system.

Steps
  1. Repeat these steps for each Admin Node.

    1. Sign in to StorageGRID from the Admin Node.

    2. Select Configuration > Access control > Single sign-on.

    3. Select the button to download the SAML metadata for that Admin Node.

    4. Save the file, which you will upload into Entra ID.

Upload SAML metadata to each enterprise application

After downloading a SAML metadata file for each StorageGRID Admin Node, perform the following steps in Entra ID:

Steps
  1. Return to the Azure Portal.

  2. Repeat these steps for each enterprise application:

    Note You might need to refresh the Enterprise applications page to see applications you previously added in the list.

    1. Go to the Properties page for the enterprise application.

    2. Set Assignment required to No (unless you intend to restrict which users can sign in by configuring user and group assignments separately).

    3. Go to the Single sign-on page.

    4. Complete the SAML configuration.

    5. Select the Upload metadata file button and select the SAML metadata file you downloaded for the corresponding Admin Node.

    6. After the file loads, select Save and then select X to close the pane. You are returned to the Set up Single Sign-On with SAML page.

  3. Test each application.