Azure AD + SAML
This page provides instructions on installing the Azure Active Directory (AD) security assertion markup language (SAML). For questions or concerns regarding these instructions or other Azure-configuration-related issues, reach out to us through the Customer Support Portal.
Value Names (DivvyCloud vs. InsightCloudSec)
Some examples, screen captures, and components use our former product name (DivvyCloud vs. InsightCloudSec). Updates to the naming of these components will be communicated when changes are made, but note that the name difference does not affect functionality within the product.
Before getting started with this installation, you must have the following:
- A functioning InsightCloudSec platform (20.4.4 or later)
- Appropriate InsightCloudSec permissions (Domain Admin or Org Admin)
- Administrative credentials to your Azure Portal and an active Azure AD subscription
Before Getting Started
The completion of this setup requires a lot of back and forth between your Azure Console and InsightCloudSec, each step where this changes is clearly specified.
We recommend that you plan on enough time (approximately 15-20 minutes) to complete the process before you start so you don't lose the work and have to start over.
Steps to Complete
Refer to the steps below to complete the Azure AD SAML installation process.
Login to your Microsoft Azure portal and navigate to Azure Active Directory > Enterprise applications.
Next, click New application, then click Create your own application and name it InsightCloudSec/DivvyCloud. Ensure the Integrate any other application you don't find in the gallery (Non-gallery) option is selected, and click Create.
Navigate to the new application pane (Azure Active Directory > Enterprise applications > InsightCloudSec/DivvyCloud).
On the left-side column under Manage, select Single sign-on.
Next, select the SAML box.
The Set up Single Sign-On with SAML page will appear.
In a different browser tab navigate to your InsightCloudSec instance, then click Administration > Identity Management > Authentication Servers.
Click Add Server and the Create Authentication Server window will appear. Provide a server nickname and select SAML from the drop-down menu.
Selecting SAML will expand this dialog box, which contains the required URL for this configuration.
Copy the Assertion Consumer Service URL and the Metadata Identifier URL.
Return to the Azure console and click Edit (pencil icon) next to section 1 (Basic SAML Configuration).
- Insert the Metadata Identifier URL for your InsightCloudSec/DivvyCloud instance in the Entity ID box and then insert the Assertion Consumer Service URL (from the previous step) into the Reply URL (Assertion Consumer Service URL) box.
- Make sure the MetaData Identifier URL has a trailing slash when pasted into Azure (ex:
Edit section 2 as necessary (User Attributes & Claims).
In section 4 (Set up InsightCloudSec/DivvyCloud), copy the Azure AD Identifier:
In your InsightCloudSec instance, paste the Azure AD Identifier into the field provided.
In the Azure console, copy the Login URL:
In your InsightCloudSec instance, paste the Login URL into the field provided.
In the Azure console, download the Certificate (Base64) from Azure and open it in a text editor.Copy the entire certificate.
In your InsightCloudSec instance, paste the certificate into the field provided.
Paste the following URN value into the field provided:
Ensure the dontSendSubject checkbox in the attributes list is selected.
Ensure the Don't Send RequestedAuthnContext and Send Custom RequestedAuthnContext checkboxes remain unchecked.
Requested Authentication Context Issues
If you are experiencing errors while logging in and not sending any Requested Authentication Context, please contact support.
- Navigate to the bottom of the dialog and click Submit.
- Return to the Azure console and select the Test button.
- Ensure the current user has a role in this application and then press the Sign in as current user button. (Verify that the token is generated and returned.)
- You should now be logged into InsightCloudSec with your account activated.