
External Identity Provider Configuration - Azure IDP

Setting up Cymmetri Service Provider for External Identity Provider Configuration

This page shows how to configure the Cymmetri Service Provider to use Azure AD as an external identity provider.

Navigate to External IDP in Identity Provider.

Select Azure-IDP.

Configure Azure AD for Creating Identity provider configuration

Now Login to the Azure portal and select Azure Active Directory.

Navigate to Enterprise applications and select New Application.

Create your own application and enter the name of the application.

Set up Single Sign On after creating the application using SAML.

Click on Edit basic SAML configuration.

Add the Identifier (Entity ID) and the Assertion Consumer Service (ACS) URL taken from the XML file downloaded in step 3 (for Azure, the Sign on URL and the ACS URL are the same) and save the configuration.

Download the Certificate (Base64) from SAML Certificates.

Continue configuration of Identity Provider In Cymmetri Administration Console

Copy the Azure AD Identifier from the Set up section, navigate to Azure-IDP in Cymmetri, and paste it into the Entity ID field. Similarly, copy the Login URL and paste it into the Single Sign On Service URL field in Cymmetri.

Open the Base64 certificate downloaded in step 12, copy its contents, and paste them into the x509Certificate field in Cymmetri.

Select the created service provider in the Service Provider Id field dropdown and save the changes.
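The two copy-and-paste steps above (SP values into Azure's Basic SAML configuration, IdP values into Cymmetri) fail in small ways: a field left empty, an http Login URL, or the whole metadata XML pasted where the certificate belongs. The Python below is an added example and not Cymmetri's or Microsoft's code: it reads the Identifier and ACS URL out of an SP metadata file and sanity-checks the Azure AD Identifier, Login URL and Base64 certificate before they go into the Entity ID, Single Sign On Service URL and x509Certificate fields. The metadata XML, the SP entityID, the tenant values and the certificate bytes are constructed placeholders.

```python
"""Added example: extract SP values for Azure and sanity-check the IdP values for
Cymmetri. Not Cymmetri product code; all sample data below is constructed."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata in the shape of the XML file downloaded from Cymmetri.
# The ACS Location uses the path the page gives; the entityID is a placeholder.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://aktestidp.ux.cymmetri.in/spsamlsrvc/samlSP/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://aktestidp.ux.cymmetri.in/spsamlsrvc/samlSP/SingleSignOnService"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed stand-in for Azure's "Certificate (Base64)" download: a minimal DER
# SEQUENCE wrapped in PEM armour. It is not a real certificate, only enough to
# exercise the checks below.
SAMPLE_CERT_B64 = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"


def sp_values_for_azure(metadata_xml: str) -> dict:
    """Return the Identifier (Entity ID) and ACS URL for Azure's Basic SAML
    Configuration. For Azure the Sign on URL is the same as the ACS URL."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", MD)
    if not entity_id or acs is None or not acs.get("Location"):
        raise ValueError("SP metadata lacks entityID or an AssertionConsumerService Location")
    acs_url = acs.get("Location")
    return {"identifier": entity_id, "acs_url": acs_url, "sign_on_url": acs_url}


def certificate_body(cert_pem: str) -> str:
    """Strip PEM armour and whitespace, leaving the base64 body for the x509Certificate field."""
    return "".join(line.strip() for line in cert_pem.splitlines() if not line.startswith("-----"))


def validate_idp_values(azure_ad_identifier: str, login_url: str, cert_pem: str) -> list:
    """Return a list of problems with the values copied from Azure; empty means OK."""
    problems = []
    if not azure_ad_identifier:
        problems.append("Entity ID (Azure AD Identifier) is empty")
    if urlparse(login_url).scheme != "https":
        problems.append("Single Sign On Service URL (Login URL) must use https")
    try:
        der = base64.b64decode(certificate_body(cert_pem), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        der = b""
    # A DER-encoded X.509 certificate always starts with a SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        problems.append("x509Certificate is not base64 DER (paste the Base64 certificate, not the metadata XML)")
    return problems


if __name__ == "__main__":
    print(sp_values_for_azure(SAMPLE_SP_METADATA))
    print(validate_idp_values("https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
                              "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2",
                              SAMPLE_CERT_B64))
```

The certificate check only confirms the pasted text is base64-encoded DER; a real deployment should additionally verify that the assertion signature validates against it, which is what Cymmetri does with the x509Certificate field at login time.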

Assigning Users

Assign users to the application in the Azure Administration Console so that they can use Azure as an external identity provider.

Navigate to Enterprise applications and select the application you created in step 8.

Go to Users and Groups, and select Add user/group and add the user.

Configuring JIT provisioning in Cymmetri Administration Console

To enable JIT provisioning with Azure AD as the external identity provider, use the steps below.

Navigate to JIT in external identity provider and enable JIT Configuration.

The following fields are mandatory in Cymmetri: firstName, lastName, login, userType, displayName, and email.

For Azure JIT configuration, the following mapping needs to be done:

  1. First Name -

    1. Application Field - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

    2. Cymmetri Field - firstName

  2. Last Name -

    1. Application Field - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

    2. Cymmetri Field - lastName

  3. Login (Username) -

    1. Application Field - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

    2. Cymmetri Field - login

  4. User Type -

    1. Application Field - any string

    2. Cymmetri Field - userType

    3. Default Value - <will be one of Employee, Vendor, Consultant>

  5. Display Name -

    1. Application Field - http://schemas.microsoft.com/identity/claims/displayname

    2. Cymmetri Field - displayName

  6. Email Address -

    1. Application Field - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

    2. Cymmetri Field - email
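To make the mapping concrete, here is an added Python example (not Cymmetri product code) that applies the mapping above to the attributes of a SAML assertion: it pulls the Azure claims out of the AttributeStatement, fills each Cymmetri field from its claim or default, and reports any mandatory field that would be left empty, which is the case a JIT setup usually breaks on. The assertion, the user values and the tenant identifier are constructed; the choice of Employee as the default userType is an assumption, and the page notes it may be any of Employee, Vendor or Consultant.

```python
"""Added example: JIT attribute mapping from Azure AD SAML claims to Cymmetri
user fields. Not Cymmetri product code; the assertion below is constructed."""
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Cymmetri field -> (Azure claim name or None, default value), as listed on the page.
# userType has no fixed claim ("any string"), so it is filled from the default;
# Employee is an assumed choice among Employee, Vendor and Consultant.
JIT_MAPPING = {
    "firstName":   ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", None),
    "lastName":    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", None),
    "login":       ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", None),
    "userType":    (None, "Employee"),
    "displayName": ("http://schemas.microsoft.com/identity/claims/displayname", None),
    "email":       ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", None),
}
MANDATORY_FIELDS = ("firstName", "lastName", "login", "userType", "displayName", "email")

# Constructed assertion; the tenant identifier and user values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Asha</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Rao</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>asha.rao@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Asha Rao</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_claims(assertion_xml: str) -> dict:
    """Return {claim name: first value} from the assertion's AttributeStatement.

    Only call this on an assertion whose signature has already been verified
    against the x509Certificate configured for the IdP; unverified claims must
    never drive account creation."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML):
        value = attr.find("saml:AttributeValue", SAML)
        if value is not None and value.text:
            claims.setdefault(attr.get("Name"), value.text.strip())
    return claims


def jit_user_from_claims(claims: dict) -> dict:
    """Apply the mapping and report any mandatory Cymmetri field left empty."""
    user = {}
    for field, (claim_name, default) in JIT_MAPPING.items():
        value = claims.get(claim_name) if claim_name else None
        user[field] = value if value else default
    missing = [f for f in MANDATORY_FIELDS if not user.get(f)]
    return {"user": user, "missing": missing}


if __name__ == "__main__":
    print(jit_user_from_claims(extract_claims(SAMPLE_ASSERTION)))
```

Note that, following the mapping on this page, both login and email are filled from the same name claim, so the value Azure emits for that claim must be acceptable as both the Cymmetri username and the email address.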

In Azure Administration Console

Log in to Cymmetri using the Azure email address.

The user will be redirected to the Azure portal to enter the Azure credentials.

Once the Azure portal accepts the credentials, the user is redirected back to Cymmetri and logged in.

In the destination field, replace "<host-name>" in "https://<host-name>/spsamlsrvc/samlSP/SingleSignOnService" with the host name of the Cymmetri deployment (e.g., aktestidp.ux.cymmetri.in), so that the value becomes "https://aktestidp.ux.cymmetri.in/spsamlsrvc/samlSP/SingleSignOnService".

To make Azure IDP the identity provider for a specific set of users, an Authentication Rule needs to be configured; the Authentication Rules page describes the steps.
