Enabling SSO in DAI with Entra ID and SAML v2
This page describes the steps necessary to configure Single Sign-On (SSO) between DAI and Microsoft Entra ID (formerly "Azure AD") using the Security Assertion Markup Language (SAML) v2 protocol. It describes how Entra ID and DAI's embedded identity and access management provider (Keycloak) are configured to integrate with one another.
Intended Audience: This topic is intended for DAI Administrators considering an SSO integration.
For more information about the benefits of integrating SSO with DAI, see How Does Single Sign-On (SSO) Work with DAI?. For information about integrating with Entra ID using the OpenID Connect (OIDC) protocol instead of SAML v2, see Enabling SSO in DAI with Entra ID and OIDC.
This page provides specific instructions for configuring Keycloak and an example of how Entra ID might be configured. Every organization's identity management configuration is different and misconfiguration can have significant consequences, so your final design and roll-out plan must follow your own specifications. If your Entra ID configuration is incompatible with the example provided here, please contact our Customer Support to see how we can help.
Prerequisites
To integrate DAI with Entra ID, your environment must meet the following prerequisites for Entra ID, DAI, and Networking.
Entra ID
- Your organization must have a Microsoft Azure account that you can use to configure Microsoft Entra ID.

Users and Groups in Entra ID
- The users that need to access DAI must already exist in Entra ID.
- You can optionally create groups in Entra ID to represent the DAI Administrator, User, and Viewer roles. Alternatively, you can map users directly to Entra ID application roles when you create your application, as described in 3. Create Application Roles below.

DAI
- If you have an existing DAI installation with local users in Keycloak, you can still enable SSO. Keycloak can join and convert these local accounts into SSO-integrated user accounts on the users' first SSO login. Linking your accounts this way is beneficial because your users will not lose access to any of their models. If your local usernames do not align with the usernames in Entra ID, you can change them by configuring Keycloak to temporarily allow this. See Editing Usernames for SSO for instructions. If you are using Eggplant Cloud, please contact our Customer Support for assistance.
- You need at least one user account (preferably a DAI Administrator account) in Entra ID that you can use to verify your SSO integration. Successfully logging into DAI with this user verifies that your SSO integration succeeded.
- If your DAI installation is on-premises ("on-prem") rather than hosted in Eggplant Cloud, you also need to verify the following:
  - If you are configuring an existing system, back up your DAI system in the same way you would if you were upgrading DAI to a newer version. See Install or Upgrade Eggplant DAI on Windows for information about backing up DAI. This helps to ensure that users do not lose access to their data if something unexpected occurs during the integration.
  - DAI 7.1 or above must be installed. Enabling SSO is a separate process that can be performed after DAI is installed.
  - DAI must be set up to use Transport Layer Security (TLS). See Run an Advanced Install for information about setting up DAI to use TLS. Entra ID will not integrate with a DAI installation that uses plain HTTP.

Network
- End users' workstations must have access to the Entra ID login screens and SAML endpoints.
- Entra ID must be able to make HTTPS calls to Keycloak so that when users log out of one system, they are logged out of the other as well.
Setting up an Application Integration in Entra ID
The following steps summarize the process for setting up an application integration for DAI in Entra ID.
1. Create an Application in Entra ID
The following steps describe how to create an application in Entra ID. For more information about creating an application in Entra ID, see Quickstart: Register an app in the Microsoft identity platform - Microsoft identity platform.
- In Entra ID, select Enterprise Applications and then click Create your own application from the top menu.
- Fill in the information about your application (your DAI instance) as follows:

Field Name | Value |
---|---|
What is the name of your app? | An arbitrary name you want to assign to this Enterprise Application. These examples use the name Eggplant Test for the application (see the note below). |
What are you looking to do with your application? | Select the option Integrate any other application you don't find in the gallery (non-gallery). |

Note: If you have a complex setup with multiple DAI instances, you need to be able to distinguish the instances. For example, name one of your instances Eggplant Test (production) to distinguish it from the other instances.

- Click Create. A details page for this new application opens.
2. Expose the Application in Entra ID using SAML
Now configure your application in Entra ID to expose it using the SAML v2 protocol as follows:
- Select Single sign-on from the left navigation menu.
- Select Change single sign-on mode > SAML.
- Still in the Single sign-on section, select Basic SAML Configuration > Edit and provide the following information:

Field Name | Value |
---|---|
Identifier (Entity ID) | https://<dai_domain>/auth/realms/eggplant/<idp_alias> |
Reply URL (Assertion Consumer Service URL) | https://<dai_domain>/auth/realms/eggplant/broker/<idp_alias>/endpoint |
Sign on URL | not needed |
Relay State | not needed |
Logout URL | not needed |

where:
- <dai_domain> is the name of the domain where DAI (and Keycloak) are installed.
- <idp_alias> is the alias name assigned to the Entra ID identity provider configuration in DAI. You have not created this yet, so remember what you choose here and use the same value when you configure DAI later in this process. This example uses the alias named ad.

Because you only have one Reply URL, you do not need to worry about the Default checkbox.
Configure a SAML Certificate
By default, Entra ID creates a SHA-256 certificate to sign SAML assertions when it creates the Enterprise Application, so you should not have to make any changes here.
Configure Claims
Follow the steps below to configure identity claims:
- From the Single sign-on section, select Attributes & Claims and then select Edit.
- Select Add new claim and provide the following information:

Add new claim field | Value |
---|---|
Name | nameidentifier |
Namespace | http://schemas.xmlsoap.org/ws/2005/05/identity/claims |
Name identifier format | Unspecified |
Source | Attribute |
Source Attribute | user.userprincipalname (Use the Source Attribute drop-down to select the source attribute. If you type it, Entra ID treats it as a quoted string literal.) |
Claim Conditions | No need to amend |
Advanced SAML claims options > Expose claim in JWT tokens | unchecked |

- Click Save.
- Repeat the steps above to create more claims with the same Source and Namespace but with different Names and Source Attributes, as per the table below:

Name | Source Attribute |
---|---|
emailaddress | user.mail |
givenname | user.givenname |
name | user.userprincipalname |
surname | user.surname |
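Before testing the DAI login, it is worth confirming that Entra ID actually issues what the Entity ID and claims configuration above asks for. The following script is an added example, not code from the Eggplant DAI documentation or product: it parses a SAML response (captured from a test login and base64-decoded) and reports a missing NameID, an Audience that does not match the Entity ID built from <dai_domain> and <idp_alias>, and any missing or empty identity claims. The host dai.example.com, the alias ad, the user values and the tenant id in the embedded sample response are all constructed.

```python
# Added example (not part of the Eggplant DAI documentation or product): parse a
# SAML response from an Entra ID test login and check it against the settings
# described above. Hostname, alias, tenant id and user values are constructed.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Attribute claims added in Entra ID; nameidentifier travels in Subject/NameID instead
REQUIRED_ATTRIBUTES = ("emailaddress", "givenname", "name", "surname")


def expected_entity_id(dai_domain: str, idp_alias: str) -> str:
    """Identifier (Entity ID) as entered in Basic SAML Configuration."""
    return f"https://{dai_domain}/auth/realms/eggplant/{idp_alias}"


def expected_reply_url(dai_domain: str, idp_alias: str) -> str:
    """Reply URL (Assertion Consumer Service URL) of the Keycloak broker endpoint."""
    return f"https://{dai_domain}/auth/realms/eggplant/broker/{idp_alias}/endpoint"


def parse_saml_response(xml_text: str) -> dict:
    """Extract NameID, its format, the audience and the identity-claim attributes."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response contains no Assertion element")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    audience = assertion.find(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    parsed = {
        "nameidentifier": name_id.text if name_id is not None else None,
        "nameid_format": name_id.get("Format") if name_id is not None else None,
        "audience": audience.text if audience is not None else None,
        "attributes": {},
    }
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        # Entra ID emits Name as "<Namespace>/<claim name>"; keep the short claim name
        if name.startswith(CLAIM_NS):
            values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
            parsed["attributes"][name[len(CLAIM_NS):]] = values
    return parsed


def check_response(xml_text: str, dai_domain: str, idp_alias: str) -> list:
    """Return the problems to fix before trying a DAI login; an empty list means all good."""
    parsed = parse_saml_response(xml_text)
    problems = []
    if not parsed["nameidentifier"]:
        problems.append("nameidentifier claim (Subject/NameID) is missing")
    if parsed["audience"] != expected_entity_id(dai_domain, idp_alias):
        problems.append(f"audience {parsed['audience']!r} does not match the Entity ID")
    for claim in REQUIRED_ATTRIBUTES:
        if not parsed["attributes"].get(claim):
            problems.append(f"claim {claim} is missing or empty")
    return problems


# Constructed sample of an Entra ID response (signature omitted) for dai.example.com
# with the identity-provider alias "ad"; the tenant id is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="https://dai.example.com/auth/realms/eggplant/broker/ad/endpoint">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://dai.example.com/auth/realms/eggplant/ad</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for line in check_response(SAMPLE_RESPONSE, "dai.example.com", "ad") or ["OK"]:
        print(line)
```

Run it against the decoded SAMLResponse form field from a test login (replace SAMPLE_RESPONSE or call check_response with your own string, domain and alias). The script only inspects claims; validating the signature and the certificate remains Keycloak's job during the real login, and for responses taken from an untrusted source parse them with defusedxml rather than the standard library parser.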
3. Configure the App Registration
- Navigate back to the Entra ID landing page and select App registrations from the left navigation menu.
- Select All applications and search for the application you just created for DAI (for example, Eggplant Test).
- When you find your application, click it to bring up the details.
- Amend the manifest by selecting Manifest from the left navigation menu and ensuring the following attributes are added or updated in the JSON:

```json
"accessTokenAcceptedVersion": 2,
"tags": [
    "WindowsAzureActiveDirectoryIntegratedApp",
    "WindowsAzureActiveDirectoryCustomSingleSignOnApplication"
]
```