Documentation for Orion Platform

Configure Azure AD for single sign-on login to the Orion Web Console

This topic applies to all Orion Platform products.

When you configure Azure AD to communicate with your Orion Web Console, you work in Azure AD and the Orion Web Console at the same time, copying information from one system into the other.

  1. Prepare the identity provider URL and URI in the Orion Web Console
  2. Configure Azure AD to communicate with the Orion Platform
  3. Configure the identity provider in the Orion Web Console
  4. Define SAML users or SAML user groups in the Orion Web Console

Step 1: Prepare the identity provider in the Orion Web Console

  1. Log in to the Orion Web Console hosted on your main Orion Platform server using an administrator account.

  2. Click Settings > All Settings.

  3. In the User Accounts section, click SAML Configuration.

  4. Click Add Identity Provider.

  5. In the Enter Orion URL step, check that the external URLs are correct and adjust them if necessary.

    Orion Web Console External URL

    This is the URL of your Orion server or its DNS alias.

    Additional Web Console external URLs

    If you have additional web servers deployed, check the URL(s) of the servers hosting the Additional Web Console. The field should contain one of the following:

    • The address of the server hosting your Additional Web Console

      Example: https://solarwinds.my-company.com

    • The DNS alias of the server hosting the Additional Web Console

      Example: https://orion

    • No input

      Clear the suggested URL. When you try to log in to the Additional Web Console using SAML authentication, you'll be redirected to the primary Orion Web Console.

    These URLs are used to generate the URL and URI you copy into your identity provider settings.

  6. The Prepare IdP step provides Audience URI and SSO Service URL(s) to be copied and pasted into the configuration in Azure AD.

    Keep the browser open, and continue in Azure AD.

    If you have deployed additional web servers, the SSO Service URLs section includes more URLs - one for the primary Orion Web Console and one for each additional web server.

Step 2: Configure Azure AD to be able to communicate with the Orion Platform

  1. In the Azure portal (portal.azure.com), go to Enterprise Applications, search for SolarWinds Orion, and select it.

  2. Customize the app name and create the app. Then open Single sign-on and choose SAML.

  3. Go to SAML Settings.

  4. In Edit Basic SAML Configuration, paste the Audience URI and SSO Service URLs copied from the Orion Web Console.

    The Orion Web Console must be configured for HTTPS: the SAML assertion that proves the user's identity is posted to the Reply URL, so it must be an https address.

    • Identifier (Entity ID): enter the external URL or hostname of your SolarWinds instance, such as https://solarwinds.my-company.com. This is the Audience URI from the Prepare IdP step.

    • Reply URL (Assertion Consumer Service URL): enter the SAML login page of the above machine or URL, such as https://solarwinds.my-company.com/Orion/SamlLogin.aspx. This is the SSO Service URL from the Prepare IdP step.

      If you have Additional Web Servers deployed, paste all Additional Web Console URLs from the SAML configuration in Orion, each on a separate line. Set the Orion Web Console on the main polling engine as the default.

    • Leave everything else as is.

  5. In User Attributes & Claims, keep the default settings for all user attributes and add a group claim:

    1. Choose Security groups.
    2. If Azure AD is synchronized with your on-premises AD, change Source Attribute to sAMAccountName. Otherwise, leave it as Group ID. The attribute you choose here is the value you later enter as Group ID for SAML group accounts in the Orion Web Console.
    3. Customize the name of the group claim to OrionGroups.
    4. Save the group claim and click the X in the upper right corner twice to get back.

  6. Under SAML Signing Certificate, click the download link next to Certificate (Base64), and save it.

    Do not install the certificate on your computer if prompted.

    You will open the certificate file in a text editor and paste its contents into the Orion Web Console when setting up SAML login there. Orion uses this certificate to verify the signature on assertions from Azure AD.

  7. Keep the browser open. You will need the following details from the Set up <Name of the Enterprise App> section later in the Orion Web Console:

    • Login URL
    • Azure AD Identifier

Step 3: Complete the identity provider configuration in the Orion Web Console

  1. Switch back to the Orion Web Console. You have the Add Identity Provider wizard open on the Prepare IdP step. Click Next.

  2. In the Configure step, complete the following:

    1. Specify the Identity Provider Name, for example Azure AD.
    2. In SSO Target URL, paste the Login URL from Azure.
    3. In Issuer URI, paste the Azure AD Identifier from Azure.
    4. In the X.509 Signing Certificate field, paste the contents of the certificate file you downloaded from SAML Signing Certificate in the Azure portal. Include all text, from the BEGIN CERTIFICATE line through the END CERTIFICATE line.

  3. Save your configuration.

    The Orion Web Console uses this certificate to verify the signature on every assertion from Azure AD. When the Azure AD signing certificate is rotated or expires, download the new Certificate (Base64) and update this field, or SAML logins will fail.

Step 4: Define users for SAML login using Azure AD (both Azure portal and Orion Web Console)

  1. In the Azure portal (portal.azure.com), go to Enterprise Applications.

  2. Find and select the Orion enterprise application you created in the Azure portal.

  3. Go to Users and Groups and add users and groups in Azure AD. See Assign a user or group to an enterprise app in Azure Active Directory (© 2020 Microsoft, available at https://docs.microsoft.com/, obtained on June 30, 2020) for details.

  4. Log in to the Orion Web Console using an account with Administrator privileges.

  5. Click Settings > All Settings, and then click Manage Accounts in the User Accounts section.

  6. Click Add New Account.

  7. Define the SAML individual user or group.

    Create SAML individual user account

    1. Select SAML individual account.
    2. Provide Name ID. Use the Azure user principal name, such as example.user@my-company.com. This must exactly match the NameID that Azure AD sends in the assertion; by default that is the user principal name.
    3. Specify what the user can access and do, and then complete the wizard.

    Create SAML group account

    1. Select SAML group account.
    2. Provide Group ID. Use the Azure AD group's Object ID, or the sAMAccountName for a group synchronized from on-premises AD, matching the Source Attribute you chose for the OrionGroups claim in Azure AD.
    3. Specify what users in the group can access and do, and complete the wizard.

    Your users can now log in. You can also test the login from the SAML Configuration page in the Orion Web Console.
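The values copied between the two consoles in Steps 2 to 4 only work if they line up with what Azure AD puts in the assertion: the Issuer URI must equal the assertion's Issuer, the Identifier (Entity ID) comes back as the Audience, the Reply URL comes back as the Recipient, and the NameID and OrionGroups claim values must match the Name ID and Group ID you define on Orion accounts. The following Python script is an added example, not SolarWinds or Microsoft code, that walks those checks over a constructed, unsigned sample assertion; the hostname, tenant ID, user and group IDs are placeholders. It deliberately does not verify the XML signature, which Orion checks against the certificate from Step 3 before any of these fields can be trusted.

```python
# Added example, not SolarWinds or Microsoft code: the trust checks a SAML
# service provider such as the Orion Web Console applies to an Azure AD
# assertion, using the values configured in Steps 2 to 4. It does not verify
# the XML signature; a real SP checks that against the Step 3 certificate first.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed values as entered in Orion (Step 3) and Azure AD (Step 2);
# the hostname and tenant ID are placeholders.
SP_CONFIG = {
    "issuer_uri": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "audience_uri": "https://solarwinds.my-company.com",
    "reply_urls": {"https://solarwinds.my-company.com/Orion/SamlLogin.aspx"},
    "group_claim": "OrionGroups",
}
# Assumed Orion SAML accounts (Step 4): individuals by UPN, groups by Object ID.
ORION_ACCOUNTS = {
    "users": {"example.user@my-company.com"},
    "groups": {"11111111-2222-3333-4444-555555555555"},
}
# Constructed, unsigned sample response shaped like what Azure AD sends.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>example.user@my-company.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2020-06-30T12:05:00Z"
          Recipient="https://solarwinds.my-company.com/Orion/SamlLogin.aspx"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-06-30T11:55:00Z" NotOnOrAfter="2020-06-30T13:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://solarwinds.my-company.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="OrionGroups">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
        <saml:AttributeValue>99999999-8888-7777-6666-555555555555</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
NOW = datetime(2020, 6, 30, 12, 0, tzinfo=timezone.utc)  # inside the window above
# Constructed placeholder: base64 of a 5-byte DER SEQUENCE, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_pem_certificate(pem_text):
    """Sanity-check text destined for Orion's X.509 Signing Certificate field:
    BEGIN/END marker lines present and a body that decodes to DER (tag 0x30)."""
    lines = [l.strip() for l in pem_text.strip().splitlines() if l.strip()]
    if lines[:1] != ["-----BEGIN CERTIFICATE-----"] or lines[-1:] != ["-----END CERTIFICATE-----"]:
        raise ValueError("paste the whole file, including the BEGIN and END lines")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("certificate body is not DER-encoded")
    return der


def evaluate_assertion(xml_text, sp=SP_CONFIG, accounts=ORION_ACCOUNTS, now=None):
    """Check issuer, audience, recipient and validity window against the SP
    settings, then map NameID and the group claim onto Orion accounts."""
    now = now or datetime.now(timezone.utc)
    assertion = ET.fromstring(xml_text).find("saml:Assertion", SAML)
    cond = assertion.find("saml:Conditions", SAML)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML)
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML)
    groups = [v.text for v in assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='%s']/saml:AttributeValue"
        % sp["group_claim"], SAML)]
    r = {
        # Issuer URI pasted in Step 3 must equal the assertion's Issuer.
        "issuer_ok": assertion.findtext("saml:Issuer", default="", namespaces=SAML) == sp["issuer_uri"],
        # Identifier (Entity ID) from Step 2 comes back as the Audience.
        "audience_ok": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                          default="", namespaces=SAML) == sp["audience_uri"],
        # Reply URL from Step 2 comes back as Recipient; reject anything else.
        "recipient_ok": scd is not None and scd.get("Recipient") in sp["reply_urls"],
        "in_window": _iso(cond.get("NotBefore")) <= now < _iso(cond.get("NotOnOrAfter")),
        "name_id": name_id,
        "groups": groups,
        "matched_user": name_id in accounts["users"],
        "matched_groups": sorted(set(groups) & accounts["groups"]),
    }
    r["authorized"] = (
        all(r[k] for k in ("issuer_ok", "audience_ok", "recipient_ok", "in_window"))
        and (r["matched_user"] or bool(r["matched_groups"]))
    )
    return r
```

Call `check_pem_certificate(SAMPLE_PEM)` to see the paste check pass, and `evaluate_assertion(SAMPLE_RESPONSE, now=NOW)` for the happy path; the fixed clock keeps the sample's NotBefore/NotOnOrAfter window valid. Changing the NameID to a UPN with no individual account still authorizes through the matched OrionGroups value, which is how group-based access works; editing the Audience, the Recipient or the clock makes `authorized` False, mirroring why a wrong Identifier, Reply URL or time skew breaks the login even when the signature is fine.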

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment. You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.