The Gridsz portal uses Single Sign-On to authenticate users: user accounts and their roles are maintained within Gridsz, but we rely on an identity provider, for example Microsoft Entra (Azure AD), to log users in.
As an alternative to the organisation’s IT department registering the Gridsz applications within their own tenant, Gridsz can add users as guests to the Gridsz tenant. The following instructions are for companies setting up Azure to allow Single Sign-On.
Perform the following steps to set up Azure AD SSO:
1. Open Azure Portal
Log in to the Microsoft Azure Portal – if you do not have access, forward these instructions to the person/department with the correct authorization.
2. Create Application
Under Azure Services:
- Select Azure Active Directory. If Azure Active Directory is not listed, click More Services and select Azure Active Directory.
- On the left, click Enterprise applications
- Under All applications, click New Application.

- On the Browse Azure AD Gallery page, click Create your own application.

- In the What’s the name of your app field, enter a display name for your application.
- Select Integrate any other application you don’t find in the gallery (non-gallery) and click Create.

3. Set up single sign-on
On the Overview page, under General Settings, on the Set up single sign on tile, click Get Started.

With SAML Configuration we need to input two values:
- Identifier (Entity ID): The unique ID that identifies your application to Azure Active Directory. This value must be unique across all applications in your Azure Active Directory tenant.
- Reply URL (Assertion Consumer Service URL):
| Environment | Reply URL |
|---|---|
| Acceptance | https://gridsz-ac-uat.firebaseapp.com/__/auth/handler |
| Production | https://mose-265711.firebaseapp.com/__/auth/handler |
Other options can be left empty for now.
Update Attributes & Claims.
| Attributes | Value |
|---|---|
| emailaddress | user.mail |
| givenname | user.givenname |
| name | user.userprincipalname |
| surname | user.surname |
| companyname | user.companyname |
| Unique User Identifier | user.userprincipalname |
| Group | user.groups |

Note: The namespace on Attributes must be empty.
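To confirm the Reply URL and claim settings after a test sign-in, the following added example (not Gridsz's own tooling) takes a Base64-decoded SAML response and reports claim names that still carry a namespace, missing claims, and an unexpected Destination. The function names and the sample response are constructed for illustration; the script checks configuration only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Reply URLs and claim names taken from the tables above.
REPLY_URLS = {
    "https://gridsz-ac-uat.firebaseapp.com/__/auth/handler",
    "https://mose-265711.firebaseapp.com/__/auth/handler",
}
REQUIRED = {"emailaddress", "givenname", "name", "surname", "companyname"}


def check_response(xml_text, expect_groups=False):
    """Return a list of configuration problems in a decoded SAML response.

    Intended for a response captured from your own test sign-in only.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") not in REPLY_URLS:
        problems.append(f"unexpected Destination: {root.get('Destination')}")
    # "Unique User Identifier" is sent as the NameID, not as an Attribute.
    if root.find(".//saml:Subject/saml:NameID", NS) is None:
        problems.append("missing NameID (Unique User Identifier)")
    names = {a.get("Name", "") for a in root.iterfind(".//saml:Attribute", NS)}
    for n in sorted(names):
        if "/" in n:  # a namespaced claim arrives as <namespace>/<name>
            problems.append(f"namespace not empty: {n}")
    wanted = REQUIRED | ({"Group"} if expect_groups else set())
    problems += [f"missing attribute: {n}" for n in sorted(wanted - names)]
    return problems


def sample_response(attr_names, destination):
    """Build a constructed, unsigned SAML response to exercise the check."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>x'
        "</saml:AttributeValue></saml:Attribute>" for n in attr_names)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" Destination="{destination}">'
            "<saml:Assertion><saml:Subject><saml:NameID>alice@example.com"
            "</saml:NameID></saml:Subject><saml:AttributeStatement>"
            f"{attrs}</saml:AttributeStatement></saml:Assertion></samlp:Response>")


if __name__ == "__main__":
    ok = sample_response(sorted(REQUIRED), sorted(REPLY_URLS)[0])
    print(check_response(ok, expect_groups=True))
```

An empty list means the response matches the settings above; pass `expect_groups=True` once the group claim from step 4 is configured.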
4. User Groups
If you plan to use user groups-based RBAC, you need to pass the “Groups” SAML attribute to Cohesity. Perform the following steps:
- Under User Attributes & Claims, click Add a group claim.
- For Which groups associated with the user should be returned in the claim?, select Groups assigned to the application.
- From the Source attribute drop-down, select the source attribute.

To add users and/or groups that need access to the application, click Users And Groups and then +Add user/group.

5. Retrieve the SSO URL, Provider Issuer ID, and Certificate
You need to retrieve Azure AD information to configure SSO.
Perform the following steps to retrieve the SSO URL, Entity ID, and certificate from the Azure AD application:
- Under Set up Single Sign-On with SAML, in the SAML Signing Certificate section, click the edit icon.
- On the SAML Signing Certificate, click Download for the Base64 certificate.

Please provide us with the following details:
- Identifier (Entity ID)
- Certificate (Base64)
- Login URL
- Microsoft Entra Identifier