Documentation for SolarWinds Platform Self-Hosted

Configure Microsoft Entra ID (formerly Azure AD) for single sign-on to the SolarWinds Platform Web Console

This topic applies to all SolarWinds Platform products.

To configure single sign-on (SSO), you work in both Microsoft Entra ID (formerly Azure Active Directory - Azure AD) and SolarWinds Platform Web Console. During the process, you copy configuration values from one system into the other.

Step 1: Prepare the identity provider in the SolarWinds Platform Web Console

  1. Log in to the SolarWinds Platform Web Console hosted on your main SolarWinds Platform server using an administrator account.

  2. Click Settings > All Settings.

  3. In the User Accounts section, click SAML Configuration.

  4. Click Add Identity Provider.

  5. In the Enter Orion URL step, check that the external URLs are correct and adjust them if necessary.

    SolarWinds Platform Web Console External URL

    This is the URL of your SolarWinds Platform server or its DNS alias.

    Additional Web Console external URLs

    If you have Additional web servers deployed, check the URL(s) for the servers hosting the additional web console. The field should contain one of the following:

    • The address of the server hosting your Additional Web Console

      Example: https://solarwinds.my-company.com

    • The DNS alias of the server hosting the Additional Web Console

      Example: https://orion

    • No input

      Clear the suggested URL. When you try to log in to the Additional Web Console using SAML authentication, you'll be redirected to the primary SolarWinds Platform Web Console.

    These URLs are used to generate the URL and URI you copy into your identity provider settings.

  6. The Prepare IdP step provides Audience URI and SSO Service URL(s). You will copy and paste these values into Microsoft Entra ID in the next step.

    Keep the browser open and continue in Microsoft Entra ID.

    If you have deployed additional web servers, the SSO Service URLs section includes more URLs - one for the primary SolarWinds Platform Web Console and one for each additional web server.

Step 2: Configure Microsoft Entra ID to communicate with the SolarWinds Platform

  1. In the Azure portal, navigate to Enterprise applications.

  2. Click Create your own application, enter a name for the application, and select Integrate any other application you don't find in the gallery (Non-gallery).
  3. Select Single sign-on, and choose SAML as the sign-on method.

  4. Go to SAML Settings and select Edit under Basic SAML Configuration.

  5. Enter the following values from the SolarWinds Platform Web Console.

    The SolarWinds Platform Web Console must be configured to support HTTPS.

    • Identifier (Entity ID): Enter the external URL or hostname of your SolarWinds instance, such as https://solarwinds.my-company.com

    • Reply URL (Assertion Consumer Service URL): Enter the SAML login page of the above machine or URL, such as https://solarwinds.my-company.com/Orion/SamlLogin.aspx

      If you have additional web servers deployed, paste all additional web console URLs from SAML configuration in the SolarWinds Platform, each URL on a separate line. Select the SolarWinds Platform Web Console on the main polling engine as the default one.

    • Leave everything else as is.

  6. In Assign users and groups, keep the default settings and add a group claim:

    1. Choose Security groups.
    2. If Microsoft Entra ID is synchronized with your on-premises Active Directory, change Source attribute to sAMAccountName. Otherwise, leave it as Group ID.
    3. Set the group claim name to OrionGroups.
    4. Save the group claim and click the X in the upper right corner twice to get back.
  7. Under SAML Signing Certificate, click the download link next to Certificate (Base64), and save it.

    Do not install the certificate on your computer if prompted.

    Open the certificate in a text editor and copy its contents when you set up SAML login in the SolarWinds Platform Web Console.

  8. Keep the browser open. You need the following details from the Set up <Enterprise application name> section later in the SolarWinds Platform Web Console:

    • Login URL link
    • Microsoft Entra Identifier

Step 3: Complete the identity provider configuration in the SolarWinds Platform Web Console

  1. Return to the Add Identity Provider wizard in the SolarWinds Platform Web Console, and click Next.

  2. In the Configure step, complete the following:

    1. Specify the Identity Provider Name. For example, use 'Microsoft Entra ID'.
    2. In SSO Target URL, paste the Login URL from Microsoft Entra ID.
    3. In Issuer URI, paste the Microsoft Entra Identifier.
    4. In the X.509 Signing Certificate field, copy the contents of the certificate file you downloaded from SAML Signing Certificate in the Azure portal. Include all text, starting with BEGIN CERTIFICATE and ending with the END CERTIFICATE line.

  3. Save your configuration.

Step 4: Define users and groups for SAML login

Assign users and groups in Microsoft Entra ID

  1. In the Azure portal, navigate to Enterprise applications.

  2. Select the SolarWinds (Orion) enterprise application you created in the Azure portal.

  3. Open Users and Groups and assign the required users and groups. See Assign a user or group to an enterprise app for details.

Create SAML accounts in the SolarWinds Platform Web Console

  1. Log in to the SolarWinds Platform Web Console using an account with Administrator privileges.

  2. Click Settings > All Settings, and then click Manage Accounts in the User Accounts section.

  3. Click Add New Account.

  4. Define the SAML individual user or group.

Create SAML individual user account

  1. Select SAML individual account.
  2. Provide Name ID. Use the user principal name from Microsoft Entra ID, such as example.user@my-company.com.
  3. Specify what the user can access and do, and then complete the wizard.

Create SAML group account

  1. Select SAML group account.
  2. Provide Group ID.
    • Use the Microsoft Entra group Object ID, or
    • sAMAccountName for groups synchronized from on-premises Active Directory
  3. Specify what users in the group can access and do, and complete the wizard.

Your users can now log in. You can also test the login in SolarWinds Platform SAML Configuration.

Configure an optional group claim for on-premises synced groups

  1. In the Azure portal, navigate to Enterprise applications.

  2. Click Create your own application, enter a name for the application, and select Integrate any other application you don't find in the gallery (Non-gallery).
  3. In the left-hand menu, select Token configuration.

  4. In Optional claims, click Add groups claim.

  5. Select the group type to add to the optional claim. For example, select Security groups.

  6. Expand SAML and select sAMAccountName.

When you check the SAML response, the value of the group attribute contains group names instead of group IDs.
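One way to check the SAML response against the values entered in Steps 1 to 4, as an added example that is not SolarWinds or Microsoft code: it decodes a base64 SAMLResponse value (assumed to be copied from the browser's POST to the Reply URL), compares Issuer and Audience with the wizard fields, and reports whether OrionGroups carries group names or Object IDs. The function name, the sample response, the tenant ID and the group name are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def inspect_saml_response(b64_response, expected_audience, expected_issuer):
    """Compare a captured SAMLResponse value with the values entered in both wizards.
    Diagnostic only: the XML signature is NOT verified here."""
    xml_text = base64.b64decode(b64_response).decode("utf-8")
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in SAML response; refusing to parse")
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion element found")
    issuer = assertion.findtext("saml:Issuer", "", NS).strip()
    name_id = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    audiences = [a.text.strip() for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    # Assumption: the attribute Name equals the claim name set in Step 2 (OrionGroups).
    groups = [v.text.strip() for v in assertion.iterfind(
        "saml:AttributeStatement/saml:Attribute[@Name='OrionGroups']/saml:AttributeValue",
        NS) if v.text]
    guid_hits = sum(bool(GUID.match(g)) for g in groups)
    if not groups:
        group_format = "missing"      # group claim not configured or user has no groups
    elif guid_hits == len(groups):
        group_format = "object-id"    # SAML group account Group ID must be the Object ID
    elif guid_hits == 0:
        group_format = "name"         # Group ID must be the group name (sAMAccountName)
    else:
        group_format = "mixed"
    return {"issuer_ok": issuer == expected_issuer,
            "audience_ok": expected_audience in audiences,
            "name_id": name_id, "groups": groups, "group_format": group_format}

# Constructed sample response (not captured from a real tenant); tenant ID is a placeholder.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
<saml:Subject><saml:NameID>example.user@my-company.com</saml:NameID></saml:Subject>
<saml:Conditions><saml:AudienceRestriction>
<saml:Audience>https://solarwinds.my-company.com</saml:Audience>
</saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="OrionGroups">
<saml:AttributeValue>NetOps-Admins</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii")
```

Pass the Audience URI from the Prepare IdP step as expected_audience and the Microsoft Entra Identifier as expected_issuer; a group_format that does not match the Group ID used for the SAML group account explains a login that authenticates but gets no permissions.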
