Azure AD Single Sign-on

This topic describes how to configure Azure Active Directory (AD) to provide SSO authentication to the Illumio PCE.

TIP:

Because you'll configure settings in both the Illumio PCE Web Console and in Azure AD, have both applications open in adjacent browser tabs.

Prerequisites

To perform this configuration, you need the following:

  • An Azure AD subscription. If you don't have a subscription, you can get a free account.

  • An Illumio single sign-on (SSO) enabled subscription.

STEP 1: Obtain URLs from the Illumio PCE Web Console

In this step you'll copy and preserve URLs from the Illumio PCE for use in STEP 2: Configure SSO settings in Azure AD.

  1. Log in to the PCE as a Global Organization Owner.
  2. Go to Access Management > Authentication.
  3. On the SAML tile, click Configure.
  4. Copy and preserve the following URLs needed to complete the Azure configuration in a later step:

    TIP:

    Make sure to replace the x's in the URLs below with the actual values from your implementation.

    • Issuer: https://PCE.xxxx:8443/login
    • NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • Assertion Source URL: https://PCE.xxxx:8443/login/acs/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    • Logout URL: https://pce.xxxx:8443/login/logout/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

STEP 2: Configure SSO settings in Azure AD

NOTE:

Only an Azure Application Administrator can configure Azure AD.

  1. In a different browser tab, log in to Azure AD as an Application Administrator.
  2. Go to Enterprise applications > All applications.
  3. Search for the Illumio SSO app and then click the app.
  4. In the center of the page under Getting Started, click Get started on the Set up single sign on tile.
  5. If prompted to select a single sign-on method, click SAML.
  6. Configure Basic SAML:
    1. On the Set up Single Sign-On with SAML page, on the Basic SAML Configuration tile, click Edit.
    2. On the Basic SAML Configuration panel that opens, populate the following fields with the values you copied and preserved in STEP 1: Obtain URLs from the Illumio PCE Web Console:
      • In the Identifier (Entity ID) field, paste the Issuer URL you copied from the Illumio PCE.
      • In the Reply URL (Assertion Consumer Service URL) field, click Add reply URL and then paste the Assertion Source URL you copied from the Illumio PCE. Note: Your Reply URL must have a subdomain such as www, wd2, wd3, wd3-impl, wd5, wd5-impl. For example, http://www.myIllumio.com will work but http://myIllumio.com won't.
    3. Click Save and close the Basic SAML Configuration panel.
  7. Click Edit on the Attributes & Claims tile.
  8. Under Required claim, update the Claim name:
    1. Click the three dots.
    2. On the Manage claim page, click in the Source attribute field and select user.mail from the dropdown.
    3. Click Save.

  9. Back on the Attributes & Claims page, delete all of the existing claims in the Additional claims section by clicking the three dots for each one and then clicking Delete.
  10. Click Add new claim and add three new claims:

    Given Name

    • Name: Enter Given Name
    • Source attribute: Enter user.givenname

    Surname

    • Name: Enter Surname
    • Source attribute: Enter user.surname

    User.MemberOf

    • Name: Enter User.MemberOf
    • Source attribute: Enter user.assignedroles

STEP 3: Obtain SAML certificate and URLs from Azure AD

In this step you'll download a certificate and copy two URLs that you'll later paste into the Illumio PCE SAML setup in STEP 4: Configure SAML SSO settings in the Illumio PCE.

  1. On the SAML Certificates tile, click Download for the Certificate (Base64) certificate and save the certificate to your computer.
  2. On the Set up Illumio SSO tile, copy and preserve the following URLs that you'll later paste into the Illumio PCE SAML setup in STEP 4: Configure SAML SSO settings in the Illumio PCE.
    • Login URL. You'll paste this in the Remote Login URL field in the PCE Web Console.
    • Logout URL. You'll paste this in the Logout Landing URL field in the PCE Web Console.

STEP 4: Configure SAML SSO settings in the Illumio PCE

In this procedure you'll paste the following information that you copied and preserved from Azure in STEP 3: Obtain SAML certificate and URLs from Azure AD:

  • Certificate (Base64)

  • Azure Login URL

  • Logout URL

  1. In the Illumio PCE Web Console, go to Access Management > Authentication.
  2. On the SAML tile, click Configure.
  3. Click Edit.
  4. In the Information from Identity Destination section, enter the following information that you obtained from Azure AD:
    • SAML Identity Destination Certificate: Open the certificate that you downloaded in STEP 3: Obtain SAML certificate and URLs from Azure AD, and then copy and paste the contents.

    • Remote Login URL: Paste the Login URL you copied from Azure AD.
    • Logout Landing URL: Paste the Logout URL you copied from Azure AD.
  5. In the Information for Identity Destination section:
    1. Choose an authentication method:
      • Unspecified uses the IdP default authentication mechanism.

      • Password Protected Transport requires the user to log in with a password in a protected session.

    2. If you want to require users to re-enter login credentials to access Illumio (even if the session is still valid), select Force Re-authentication. This allows users to log in to the PCE using login credentials different from their default computer login credentials.
  6. Click Save.

STEP 5: Create App Roles in Azure AD

In this step you'll create app roles in Azure AD that you'll map to roles in the Illumio PCE Web Console in STEP 7: Add External Groups and assign roles in the PCE Web Console.

For reference in this step, here's a list of the Global Roles available in the PCE Web Console:

  • Global Organization Owner

  • Global Administrator

  • Global Viewer

  • Global Policy Object Provisioner

  1. In Azure AD, go to Users and Groups and then click application registration.

  2. Create the roles you want by clicking + Create app role and entering the required information for each role:
    • Display name: For example, enter one of the Global Roles that appear in the PCE Web Console.
    • Value: This must match the name you'll enter in the Add External Groups dialog box in STEP 7: Add External Groups and assign roles in the PCE Web Console.
    • Description: The description will appear as help text in the app assignment and consent experiences.
  3. Click Apply for each role that you create.
  4. Delete the default app role msiam_access.

    Note: You first need to disable the default app role before you can delete it.

    1. Click msiam_access to open the Edit app role panel.
    2. Deselect Do you want to enable the app role?
    3. Click Apply. The side panel closes.
    4. Click msiam_access again to open the Edit app role panel again.
    5. Click Delete.

When you're done creating roles in Azure AD, the App roles section should look similar to this:

STEP 6: Assign users and groups to app roles in Azure AD

In this step, you'll assign users and groups to the app roles you created in STEP 5: Create App Roles in Azure AD.

  1. In Azure AD, go to Users and groups.

  2. Select the Illumio SSO app.

  3. Click Remove to remove the current app assignments.

  4. Click Yes to confirm removal.

  5. Click Add user/group.

  6. On the Add Assignment page, assign desired role(s) to users or groups:

    1. Under User and groups, click None Selected.

    2. In the Users and groups panel that opens, search for your desired user/group, click to select it, and then click Select at the bottom of the panel.

    3. Back on the Add Assignment page, under Select a role*, click None Selected.

    4. In the Select a role panel that opens, find and click the role you want to assign, and then click Select at the bottom of the panel.

    5. Back on the Add Assignment page, click Assign at the bottom of the page.

    6. Repeat these sub-steps for each user and/or group to which you want to assign app roles.

STEP 7: Add External Groups and assign roles in the PCE Web Console

In this step, you'll add external groups in the PCE Web Console and assign them the relevant global or scoped roles in Illumio RBAC.

TIP:

Alternatively, you can add individual users by going to the External Users tab and following the onscreen prompts.

  1. On the PCE Web Console, go to Access Management > External Groups.
  2. Click Add.
  3. In the Add External Group dialog box:
  4. Repeat for additional groups.

  5. Click to open a group you created in the above step.
  6. Click Add Role > Add Global Role or Add Scoped Role.
  7. In the Access Wizard, select the appropriate Role and then click Grant Access.
  8. Repeat for additional groups.
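When the SSO test in a later step fails, the usual causes are a mismatch between the URLs configured in Azure AD and the values copied in STEP 1, a claim that was not renamed as described in STEP 2, or an app role Value (STEP 5) that does not match an External Group name (STEP 7). The following Python script is an added example, not part of the Illumio or Microsoft documentation: it parses a decoded SAML response, compares the Destination, Audience, NameID Format and claim names against the expected PCE settings, and reports which User.MemberOf values will match an External Group. The PCE hostname, the GUID in the ACS URL, the External Group names and the sample response are all constructed placeholders to be replaced with your own values; a real response would be taken from the base64 SAMLResponse form field posted to the ACS URL.

```python
"""Check a SAML response against the PCE / Azure AD settings configured above.

Added example (not Illumio or Microsoft code). All values below are
constructed placeholders; substitute the URLs copied in STEP 1 and the
External Group names added in STEP 7.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values from STEP 1 (constructed placeholders, not a real PCE).
EXPECTED = {
    "issuer": "https://PCE.example:8443/login",
    "acs_url": "https://PCE.example:8443/login/acs/00000000-0000-0000-0000-000000000000",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    # Claim names created in STEP 2.
    "claims": {"Given Name", "Surname", "User.MemberOf"},
}

# External Group names added in STEP 7. Each must equal an app role Value
# from STEP 5, because the PCE matches them as plain strings.
EXTERNAL_GROUPS = {"Global Administrator", "Global Viewer"}

# Constructed sample response, already base64-decoded, with one role that
# has a matching External Group and one that does not.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://PCE.example:8443/login/acs/00000000-0000-0000-0000-000000000000">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://PCE.example:8443/login</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Given Name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.MemberOf">
        <saml:AttributeValue>Global Administrator</saml:AttributeValue>
        <saml:AttributeValue>Ruleset Manager</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_saml_response(form_value):
    """Decode the base64 SAMLResponse form field posted to the ACS URL."""
    return base64.b64decode(form_value).decode("utf-8")


def parse_response(xml_text):
    """Pull the fields that the PCE configuration depends on out of the XML."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "destination": root.get("Destination"),
        "nameid": nameid.text if nameid is not None else None,
        "nameid_format": nameid.get("Format") if nameid is not None else None,
        "audience": audience.text if audience is not None else None,
        "attributes": attrs,
    }


def check_response(parsed, expected=EXPECTED, groups=EXTERNAL_GROUPS):
    """Return (problems, roles matching an External Group, roles matching none)."""
    problems = []
    if parsed["destination"] != expected["acs_url"]:
        problems.append("Destination does not match the Assertion Source (ACS) URL")
    if parsed["audience"] != expected["issuer"]:
        problems.append("Audience does not match the PCE Issuer / Entity ID")
    if parsed["nameid_format"] != expected["nameid_format"]:
        problems.append("NameID Format is not emailAddress")
    for name in sorted(expected["claims"] - set(parsed["attributes"])):
        problems.append(f"claim {name!r} missing from the assertion")
    roles = set(parsed["attributes"].get("User.MemberOf", []))
    return problems, sorted(roles & groups), sorted(roles - groups)


if __name__ == "__main__":
    problems, mapped, unmapped = check_response(parse_response(SAMPLE_RESPONSE))
    print("problems:", problems or "none")
    print("roles that match an External Group:", mapped)
    print("roles with no External Group (grant nothing in the PCE):", unmapped)
```

A role value that appears under "no External Group" is the symptom of a Value/External Group mismatch between STEP 5 and STEP 7: the user signs in but receives no PCE role. The script only checks configuration consistency; signature validation and replay protection are performed by the PCE itself and are deliberately not reimplemented here.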

STEP 8: Turn on SAML authentication in the PCE Web Console

  1. In the PCE Web Console, go to Access Management > Authentication.
  2. On the SAML tile, click Configure.
  3. On the SAML page, click Turn On and then click Confirm.

STEP 9: Test SSO

Perform this procedure to test the SSO authentication you configured in the previous steps.

  1. In Azure AD, go to Single sign-on.

  2. Click Test this application.

  3. In the panel that opens, select a way to sign in and then click Test sign in.

  4. If the test is successful, the PCE will log you in to the Welcome to Illumio screen.