To integrate Azure AD with ConcealBrowse and use Single Sign-On (SSO) in your organization, you will need to create an application in Azure AD, configure that application for SAML SSO, and upload the resulting metadata into the Conceal dashboard. This guide outlines all of these steps.
Before you begin
- SSO can be set up for only one domain, and only accounts in that domain can log in with it (for example, if you set it up with @example.com, only @example.com accounts are allowed via SSO; variations such as @examples.com are not).
- You must be logged into the Conceal dashboard with an account in the same domain you are configuring for SSO (for example, to set up SSO for example.org, an account such as firstname.lastname@example.org must be the one uploading the data; email@example.com would not work).
- You do not need to add users in the Conceal dashboard before this process. Once the configuration is complete and a user logs into either the extension or the dashboard via SSO, they are added to the dashboard automatically.
Setting up a new application in Azure
- Please follow Azure's documentation on setting up a new application: Create a new application in Azure
Configuring Application for SSO
- Open your web browser, go to the Conceal Dashboard at dashboard.conceal.io and log in if necessary.
- In the left hand menu, click the section labeled Settings.
- Click the dropdown arrow on the right next to SAML Single Sign On and choose the option labeled Azure AD.
- Note the Identifier and the Reply URL listed here; you will enter both in Azure in the steps below.
- Make sure the attributes and claims shown here match the Attributes & Claims section of your application in Azure.
- Once you have created the application in Azure AD, open a new tab, go to portal.azure.com and log in. Click View in the Manage Azure Active Directory tile.
- In the left hand menu, select Enterprise Applications. The All applications pane opens and displays a list of the applications in your Azure AD tenant.
- Locate the application you want to configure for SSO, either by typing its name in the search bar or by choosing it from the list, and select it.
- With the application open, under 2. Set up single sign on, click Get Started.
- In the next screen, choose the tile labeled SAML.
- In the Basic SAML Configuration box, click Edit in the top right.
- Here you enter the two values you noted from your Conceal Dashboard. Click the blue text Add Identifier, then copy the Identifier from your Conceal dashboard and paste it into the Identifier box.
- Next, click the blue text Add Reply URL, then copy the Reply URL from your Conceal dashboard and paste it into the Reply URL box.
- In the top left click Save.
- Review Attributes & Claims; the default settings are appropriate for most organizations. If your users' user.userprincipalname and user.mail values differ, change the source of the Unique User Identifier (Name ID) from user.userprincipalname to user.mail, so that the identifier sent to Conceal is the user's email address in your SSO domain.
- Example of differing attributes: user.userprincipalname is UniqueID@conceal.io and user.mail is email@example.com.
- Next, download the metadata file. Scroll down to section 3, SAML Certificates, find Federation Metadata XML and click Download next to it. This file contains the SAML metadata (your tenant's issuer, sign-in endpoints and signing certificate) that you will add to your Conceal Dashboard. You can keep the downloaded file or copy its contents, but store it somewhere safe, as you will need it to integrate with ConcealBrowse.
- In the application's Users and groups section, assign the users or groups who should sign in to ConcealBrowse. Users who are not assigned to the application will not be able to sign in through it.
- Then upload the SAML metadata document you downloaded into the Conceal dashboard, on the SAML Single Sign On > Azure AD panel under Settings. You can paste its contents into the text area or click the button labeled Upload SAML Data to upload the file.
- Once the SAML metadata is uploaded, click the button labeled Configure SSO Provider.
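Before uploading the Federation Metadata XML, it is worth confirming that it is identity-provider metadata for your own tenant and that it carries a signing certificate, since that file is what tells ConcealBrowse which issuer and which certificate to trust. The script below is an added example for this guide, not Conceal or Microsoft code; it uses only the Python standard library. The embedded metadata is a constructed, trimmed sample (the tenant ID and the certificate bytes are made up, and a real file is several kilobytes and carries an XML signature), and the Azure issuer prefix and sign-in host are assumed from the public Azure AD cloud.

```python
"""Pre-upload sanity check for an Azure AD Federation Metadata XML file.

Added example for this guide; not Conceal or Microsoft code. Standard library only.
"""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Assumed values for the public Azure AD cloud; sovereign clouds use other hosts.
AZURE_ISSUER_PREFIX = "https://sts.windows.net/"
AZURE_LOGIN_HOST = "login.microsoftonline.com"

TENANT = "11111111-2222-3333-4444-555555555555"  # constructed tenant ID
# Constructed sample: same shape as the portal's download, heavily trimmed.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBmzCCAQQ=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what the service-provider side consumes: issuer, SSO endpoints,
    signing-certificate thumbprints and the advertised NameID formats."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. "HTTP-POST"
        sso[binding] = svc.get("Location", "")
    thumbprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            # SHA-1 over the DER bytes is the thumbprint format the Azure portal displays,
            # so this value can be compared with the SAML Certificates section by eye.
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    return {
        "entity_id": root.get("entityID", ""),
        "sso": sso,
        "signing_thumbprints": thumbprints,
        "nameid_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
    }


def check_azure_metadata(info: dict, tenant_id: str) -> list:
    """Return a list of problems; an empty list means the file names your tenant's
    Azure issuer and endpoints and carries a signing certificate."""
    problems = []
    if info["entity_id"] != f"{AZURE_ISSUER_PREFIX}{tenant_id}/":
        problems.append(f"entityID {info['entity_id']!r} is not the Azure issuer for tenant {tenant_id}")
    if not info["sso"]:
        problems.append("no SingleSignOnService endpoints")
    for binding, location in info["sso"].items():
        url = urlparse(location)
        if url.scheme != "https" or url.hostname != AZURE_LOGIN_HOST or f"/{tenant_id}/" not in url.path:
            problems.append(f"{binding} endpoint {location!r} is not this tenant's {AZURE_LOGIN_HOST} URL")
    if not info["signing_thumbprints"]:
        problems.append("no signing certificate: SAML assertions could not be verified")
    return problems


if __name__ == "__main__":
    # Usage: python check_metadata.py [FederationMetadata.xml] [tenant-id]
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    tenant = sys.argv[2] if len(sys.argv) > 2 else TENANT
    info = parse_idp_metadata(xml_text)
    print("issuer:", info["entity_id"])
    print("signing thumbprints:", info["signing_thumbprints"])
    for problem in check_azure_metadata(info, tenant):
        print("PROBLEM:", problem)
```

Run it against the downloaded file with your tenant ID (visible in the Azure AD overview) as the second argument; any PROBLEM line means the file is not the one you expect, and the printed thumbprint should match the one shown under SAML Certificates in the portal.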
You should now have Azure AD integrated with ConcealBrowse!
Note: Even though SSO has been integrated, each employee still has to log into the extension once to be authenticated. After that first login they appear as a user in the dashboard.
Never hesitate to contact your Customer Success Manager with any questions or concerns. You may also open a support ticket at support.conceal.io by scrolling to the bottom and clicking Submit a request.