Configure Azure AD for single sign-on login to the SolarWinds Platform Web Console
This topic applies to all SolarWinds Platform products.
When configuring Azure AD to communicate with your SolarWinds Platform Web Console, you will be working with both Azure AD and SolarWinds Platform Web Console at the same time. You need to copy information from one system into the other.
Step 1: Prepare the identity provider in the SolarWinds Platform Web Console
- Log in to the SolarWinds Platform Web Console hosted on your main SolarWinds Platform server using an administrator account.
- Click Settings > All Settings.
- In the User Accounts section, click SAML Configuration.
- Click Add Identity Provider.
- In the Enter Orion URL step, check that the external URLs are correct and adjust them if necessary.
  SolarWinds Platform Web Console External URL: the URL of your SolarWinds Platform server or its DNS alias.
  Additional Web Console external URLs: if you have Additional Web Servers deployed, check the URL(s) for the servers hosting the additional web console. The field should contain one of the following:
  - The address of the server hosting your Additional Web Console, for example https://solarwinds.my-company.com
  - The DNS alias of the server hosting the Additional Web Console, for example https://orion
  - No input: clear the suggested URL. When you try to log in to the Additional Web Console using SAML authentication, you are redirected to the primary SolarWinds Platform Web Console.
  These URLs are used to generate the Audience URI and SSO Service URL(s) that you copy into your identity provider settings.
- The Prepare IdP step provides the Audience URI and SSO Service URL(s) to be copied and pasted into the configuration in Azure AD. Keep the browser open, and continue in Azure AD.
  If you have deployed additional web servers, the SSO Service URLs section includes more URLs: one for the primary SolarWinds Platform Web Console and one for each additional web server.
Step 2: Configure Azure AD to be able to communicate with the SolarWinds Platform
- Go to portal.azure.com > Enterprise Applications, search for SolarWinds Orion, and select it.
- Customize the app name, create the app, go to the single sign-on link, and choose SAML.
- Go to SAML Settings.
- In Edit Basic SAML Configuration, copy the Audience URI and SSO Service URLs from the SolarWinds Platform Web Console and paste them here. The SolarWinds Platform Web Console must be configured to support HTTPS.
  - Identifier (Entity ID): enter the external URL or hostname of your SolarWinds instance, such as https://solarwinds.my-company.com
  - Reply URL (Assertion Consumer Service URL): enter the SAML login page of the above machine or URL, such as https://solarwinds.my-company.com/Orion/SamlLogin.aspx
    If you have Additional Web Servers deployed, paste all Additional Web Console URLs from the SAML configuration in Orion, each URL on a separate line. Select the SolarWinds Platform Web Console on the main polling engine as the default one.
  - Leave everything else as is.
- In Assign users and groups, keep the default settings for all user attributes and add a group claim.
- Under SAML Signing Certificate, click the download link next to Certificate (Base64), and save it. Do not install the certificate on your computer if prompted. You will need to open the certificate in a text editor and copy its contents when setting up SAML login in the SolarWinds Platform Web Console.
- Keep the browser open. You will need the following details from the Set up <Name of the Enterprise App> section later in the SolarWinds Platform Web Console:
  - Login URL
  - Azure AD Identifier
Step 3: Complete the identity provider configuration in the SolarWinds Platform Web Console
- Switch back to the SolarWinds Platform Web Console. You have the Add Identity Provider wizard open on the Prepare IdP step. Click Next.
- In the Configure step, complete the following:
  - Specify the Identity Provider Name, for example 'Azure AD'.
  - In SSO Target URL, paste the Login URL from Azure.
  - In Issuer URI, paste the Azure AD Identifier from Azure.
  - In the X.509 Signing Certificate field, paste the contents of the certificate file you downloaded from SAML Signing Certificate in the Azure portal. Include all text, from the BEGIN CERTIFICATE line through the END CERTIFICATE line.
- Save your configuration.
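Before pasting the downloaded Base64 certificate into the X.509 Signing Certificate field, it is worth confirming that the file is intact: that the BEGIN/END CERTIFICATE lines are present, that the body decodes, and that the decoded bytes form a single DER SEQUENCE (the outer structure of every X.509 certificate). The following check is an added example, not part of this page or of the SolarWinds product; the certificate data in it is a constructed 5-byte placeholder, not a real Azure AD certificate, and the SHA-1 thumbprint it prints is meant for comparison against the Thumbprint shown in the Azure portal's SAML Signing Certificate section.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample, not a real Azure AD certificate: a 5-byte DER
# SEQUENCE (30 03 02 01 01) wrapped in PEM armour so the checks have input.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
# The same data as it often looks after a copy/paste through a text editor:
# CRLF line ends, stray spaces, no trailing newline. Must yield the same result.
SAMPLE_PEM_MANGLED = "-----BEGIN CERTIFICATE----- \r\n MAMCAQE= \r\n-----END CERTIFICATE-----"

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _der_sequence_length(der: bytes):
    """Return the total byte length a leading DER SEQUENCE header claims, or None."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def _fail(msg: str) -> dict:
    return {"ok": False, "error": msg, "sha1_thumbprint": "", "der_length": 0}


def check_signing_cert(pem_text: str) -> dict:
    """Validate the Base64 (PEM) signing certificate text before it is pasted into Orion."""
    m = _PEM_RE.search(pem_text)
    if not m:
        return _fail("BEGIN CERTIFICATE / END CERTIFICATE lines missing")
    body = re.sub(r"\s+", "", m.group(1))        # tolerate CRLF, indentation, spaces
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return _fail("certificate body is not valid Base64")
    if _der_sequence_length(der) != len(der):
        return _fail("decoded data is not a single DER SEQUENCE; not an X.509 certificate")
    return {"ok": True, "error": "",
            "sha1_thumbprint": hashlib.sha1(der).hexdigest().upper(),
            "der_length": len(der)}


if __name__ == "__main__":
    print(check_signing_cert(SAMPLE_PEM))
```

Run it against the file you downloaded (read the file and pass its text to check_signing_cert) and compare the printed thumbprint with the one the portal shows before pasting.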
Step 4: Define users for SAML login using Azure AD (both Azure portal and SolarWinds Platform Web Console)
- Go to portal.azure.com > Enterprise Applications.
- Find and select the Orion enterprise application you created in the Azure portal.
- Go to Users and Groups and add users and groups in Azure AD. See Assign a user or group to an enterprise app in Azure Active Directory (© 2020 Microsoft, available at https://docs.microsoft.com/, obtained on June 30, 2020) for details.
- Log in to the SolarWinds Platform Web Console using an account with Administrator privileges.
- Click Settings > All Settings, and then click Manage Accounts in the User Accounts section.
- Click Add New Account.
- Define the SAML individual user or group.
  Create SAML individual user account
  - Select SAML individual account.
  - Provide Name ID. Use the Azure user principal name, such as example.user@my-company.com.
  - Specify what the user can access and do, and then complete the wizard.
  Create SAML group account
  - Select SAML group account.
  - Provide Group ID. Use the Azure group's Object ID or, for a group synced from on-premises into Azure AD, the group's sAMAccountName.
  - Specify what users in the group can access and do, and complete the wizard.
  For SAML assertions, Azure AD limits the number of groups emitted in a token to 150. If a user is a member of more groups than that, the groups are omitted from the token. See Configure group claims for applications by using Azure Active Directory (© 2020 Microsoft, available at https://docs.microsoft.com/, obtained on August 16, 2022).
  Groups created directly in Azure AD are always identified by their group Object ID. Groups synced from on-premises to Azure AD are identified by group name, which requires an optional group claim to be configured as described in the next section.
Your users can now log in. You can also test the login in SolarWinds Platform SAML Configuration.
Configure an optional group claim for users/groups created on-premises and synced to Azure AD
- Log in to portal.azure.com and click Azure Active Directory.
- Click App registrations, search for your SolarWinds application, and select it.
- In the left-hand menu, select Token Configuration.
- In Optional Claims, click Add groups claim.
- Select the group type to add to the optional claim. For example, select Security groups.
- In Customize token properties by type, expand SAML and select sAMAccountName.
When you check the SAML response from Azure AD, you can see that the value of the group attribute contains group names instead of group IDs.
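When troubleshooting a failed group mapping, the quickest check is to look at the assertion Azure AD actually sent and compare its Issuer, Audience, NameID and group values with what was entered in Orion (Issuer URI = Azure AD Identifier, Audience = Identifier (Entity ID), Name ID = user principal name, Group ID = Object ID or sAMAccountName). The inspector below is an added example, not SolarWinds or Microsoft code: it parses a constructed SAML response (the tenant ID, user and groups in it are placeholders) and labels each group value as an Object ID or a name, which tells you which form the Group ID in the SAML group account must take. It reads claims only and does not verify the XML signature; that is done by the Web Console with the pasted certificate.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
_GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Azure AD Identifier (Issuer URI) uses this shape; the tenant GUID is a placeholder.
SAMPLE_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
# Constructed, unsigned, trimmed-down response: one Object ID group and one
# on-premises group emitted as sAMAccountName via the optional group claim.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>example.user@my-company.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://solarwinds.my-company.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
        <saml:AttributeValue>Orion-Admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def inspect_saml_response(xml_text: str, expected_issuer: str, expected_audience: str) -> dict:
    """Extract the fields Orion matches on and flag mismatches against the configured values."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return {"error": "no Assertion element in response"}
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip()
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    groups, claim_present = [], False
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != GROUPS_CLAIM:
            continue
        claim_present = True
        for value in attr.iterfind("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            # Object ID -> use it as Group ID; name -> sAMAccountName from the optional claim
            groups.append((text, "object-id" if _GUID_RE.match(text) else "name"))
    return {"issuer_ok": issuer == expected_issuer, "audience_ok": audience == expected_audience,
            "name_id": name_id, "groups": groups,
            # absent claim with many memberships is the 150-group omission described above
            "groups_claim_present": claim_present}


if __name__ == "__main__":
    print(inspect_saml_response(SAMPLE_RESPONSE, SAMPLE_ISSUER, "https://solarwinds.my-company.com"))
```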
Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment. You elect to use third-party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.