Example of Configuring Microsoft Azure to Connect to Software AG Cloud as the SAML Identity Provider

This article describes how Azure Active Directory can be configured as a SAML-based external identity provider that authenticates Software AG Cloud users. Software AG Cloud supports only Service Provider Initiated SSO.

  1. Log on to Azure as a user with Administrator privileges.
  2. If your Azure account does not include users or groups, add them.
  3. Add a Web Security Service as an application and configure it. This example uses the Software AG Cloud gallery application.
    a. Go to the Azure Active Directory page and click Enterprise Applications.
    b. Go to New application, search for the Software AG Cloud application and add it to your profile.
    c. Click the Software AG Cloud application and navigate to the Set up single sign-on link.
    d. In the Basic SAML Configuration section, complete the fields as shown below. For the Reply URL and Sign on URL values, go to Software AG Cloud, open the Configuration tab, copy the Software AG Cloud redirect URI, and paste it into both fields.
    e. The user attributes in the User Attributes & Claims section are configured by default. Each default attribute name carries a namespace, so the attribute must be mapped in Software AG Cloud using its full name, namespace included.
    f. Add an attribute named roles and set it to user.assignedroles.
    g. If you want to import the Azure SAML settings into Software AG Cloud instead of entering them manually, go to the SAML Signing Certificate section in Azure Active Directory and either copy the App Federation Metadata URI or save the federation metadata to a file. Then import the metadata using this URL or file in Software AG Cloud.
    h. To make users available for authentication, go to the Azure Software AG Cloud application, click Users and Groups, select the users to include in the Add user/group screen and click the Assign button.
    You can grant access to all users in a group by assigning a role with the desired access permissions to the group.
    You can also create and assign custom roles to this application from the App roles UI. Navigate to App Registrations, select the Software AG Cloud application and create new app roles.
    Repeat step 3h to assign the new custom role to users.
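Steps 3e and 3f are where mappings usually go wrong: Azure sends the default claims under their full namespaced names while the custom roles claim is sent under the bare name "roles". The following added example (not Software AG or Microsoft code) parses a constructed SAML assertion in the shape Azure emits and reports which mapped attribute names the assertion does not actually carry, which is a quick way to check a mapping before debugging a failed login.

```python
"""Inspect attribute names and values in a SAML assertion.

Constructed sample assertion shaped like Azure AD output (default
namespaced claims plus a custom 'roles' claim); not captured from a
real tenant and not Software AG code.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, trimmed to the AttributeStatement; signature omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>CloudAdmin</saml:AttributeValue>
      <saml:AttributeValue>Developer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {full attribute Name: [values]} from the AttributeStatement.

    The key is the complete Name, namespace included: that exact string is
    what the mapping on the service-provider side has to match.
    """
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values
    return attrs


def check_mapping(attrs: dict[str, list[str]], mapped_names: list[str]) -> list[str]:
    """Return the mapped names the assertion does NOT carry (sorted)."""
    return sorted(set(mapped_names) - set(attrs))


if __name__ == "__main__":
    found = extract_attributes(SAMPLE_ASSERTION)
    for name, values in found.items():
        print(name, "->", values)
    # Mapping the bare local name 'emailaddress' fails silently; Azure sends the full namespaced name.
    print("missing:", check_mapping(found, ["emailaddress", "roles"]))
```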

Some important specifics missing:

  • There is no ‘Configuration tab’ in SAG Cloud; the required URI can be found by clicking Edit on the Single Sign-on tab under SAG Cloud Administration.
  • ‘myaccount’ in all the example URLs/URIs shown is to be replaced with the SAG Cloud environment name in use.
  • ‘AzureIDP’ is also to be replaced with the ‘Identity provider unique identifier’ specified in SAG Cloud when creating the Identity Provider (find this in the same place as the URI in the next bullet).
  • ‘softwareag.cloud’ is also to be replaced with the FQDN of your SAG Cloud tenant, such as ‘idm-us-west2.softwareag.cloud’.
  • While the roles attribute is added here, it would be useful to include the link to instructions on mapping those roles in the last configuration screen for the Identity Provider in SAG Cloud.