Integrate with Microsoft Azure AD

Overview

Integrating Azure AD Single Sign On (SSO) is a quick and easy process. There are only three pieces of information we are going to copy and paste from one system to the other.

  • The Frame SAML2 Integration Name. This is a name you pick when you create the SAML authentication integration. The name should be something no one else has used across the platform. It should have only letters, numbers, and the dash symbol; no spaces or punctuation are allowed. It is also case-sensitive: you will need to enter this name exactly as it appears in later steps of this guide, since upper and lower case matter.

Note

The SAML2 integration name you choose will be displayed on the SSO login button used by anyone attempting to log in to the platform.

  • The Azure AD Federation Metadata Document URL. This is a URL where Azure AD keeps the SAML Metadata for your Azure tenant.
  • The Application ID from your Azure AD application.

Following the steps below, you can find these values and copy them from Azure AD to Frame and from Frame to Azure AD. This process should take less than fifteen minutes.

Configure Azure AD

To connect Frame to Azure AD for Single Sign On (SSO) we will need to register an Azure Application and collect three pieces of information about that Azure Application.

  1. First, go to your Azure portal. Search for “Active Directory” in the top search bar. Click on the “Azure Active Directory” service.
     [Image: azuread1.png]
  2. On the “Default Directory Overview” page, click “App registrations.”
     [Image: azuread2.png]
  3. Click “New registration.”
     [Image: azuread3.png]
  4. Enter the following information into the corresponding fields:

    [Image: azuread4.png]
    • Name: Enter the application name. We will call this application Xi Frame.

    • Supported Account Type: Select “Accounts in this organizational directory (Default).”

    • Redirect URI (Optional): Select “Web” from the drop down menu. Enter your Redirect URI in the following format:

      https://img.frame.nutanix.com/saml2/done/[SAML_INTEGRATION_NAME]/

      See the image above for our example. Please use your own SAML2 integration name for your own SAML2 integration.

  5. Click the “Register” button at the bottom of the section to proceed. This requires you to agree to Microsoft Platform Policies.

  6. Your app information will appear immediately. Copy the Application ID and save it. You will need this information later.
     [Image: azuread5.png]
  7. Next, click on the “Endpoints” button at the top of this section. Copy the “Federation metadata document” URL and save it. You will need this information later.
     [Image: azuread6.png]
  8. Click “Branding” listed under the “Manage” section in the menu on the left. Review the fields listed below. Leave any remaining fields at their default values.

    [Image: azuread6two.png]
    • Name: This should be set to the name you provided above in step 4.
    • Upload new logo: You can use this image if desired.
    • Home page URL: Enter your Xi Frame account URL here. See the example above.

    Click the “Save” icon at the top of this panel when you have finished editing the required fields.

  9. Select “Authentication” listed under the “Manage” section in the menu on the left. You will see the redirect URI you entered earlier. Under “Advanced settings” enter the Logout URL in the following format:

    https://img.frame.nutanix.com/saml2/slo/[SAML_INTEGRATION_NAME]/

    Warning

    The forward slash at the end of the URL is required for the integration to work correctly.

    [Image: azuread7.png]

    Click the “Save” icon at the top of this panel when you have finished editing the required fields.

  10. Click “Manifest” listed under the “Manage” section in the menu on the left.

      [Image: azuread8.png]
  11. Navigate to the "optionalClaims": null, attribute in the manifest. In place of null, add the following JSON:
{
    "idToken": [],
    "accessToken": [],
    "saml2Token": [
        {
            "name": "email",
            "source": null,
            "essential": true,
            "additionalProperties": []
        }
    ]
},

It should look like this:

[Image: manifest1.png]
  12. Next, scroll down until you find the "replyUrlsWithType": attribute in the manifest.

    [Image: manifest2.png]

    Under the object highlighted above, enter JSON in the following format:

{
    "url": "https://img.frame.nutanix.com/login?return_url=https://frame.nutanix.com/[customer_URL]/[organization_URL]/[account_URL]&account_type=[SAML_INTEGRATION_NAME]",
    "type": "Web"
}

When you have finished editing "replyUrlsWithType":, it should look like this:

[Image: manifest3.png]

Note

The manifest will not allow you to save if there are any JSON formatting issues.
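As an added example (not part of the Frame documentation and not an Azure tool), the helper below builds the redirect, logout and reply URLs from a SAML2 integration name and applies the step 11 and 12 manifest edits to a manifest JSON string, enforcing the name rules and the required trailing slash. The sample manifest and its appId are constructed placeholders.

```python
import json
import re

FRAME_IMG = "https://img.frame.nutanix.com"
NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")  # letters, digits and dash only (case-sensitive)
# The saml2Token claim the guide has you paste under "optionalClaims".
EMAIL_CLAIM = {"name": "email", "source": None, "essential": True, "additionalProperties": []}

def check_integration_name(name):
    """Reject names with spaces or punctuation other than '-'; the name is used verbatim in URLs."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid SAML2 integration name: {name!r}")
    return name

def redirect_uri(name):
    # Step 4 redirect URI; the trailing slash is part of the format.
    return f"{FRAME_IMG}/saml2/done/{check_integration_name(name)}/"

def logout_uri(name):
    # Step 9 logout URL; the trailing slash is required for single logout to work.
    return f"{FRAME_IMG}/saml2/slo/{check_integration_name(name)}/"

def login_reply_url(name, customer, org, account):
    # Step 12 replyUrlsWithType entry; account_type carries the integration name.
    return (f"{FRAME_IMG}/login?return_url=https://frame.nutanix.com/"
            f"{customer}/{org}/{account}&account_type={check_integration_name(name)}")

def patch_manifest(manifest_text, name, customer, org, account):
    """Apply steps 11 and 12 to a manifest JSON string; safe to run more than once."""
    manifest = json.loads(manifest_text)
    claims = manifest.get("optionalClaims") or {"idToken": [], "accessToken": [], "saml2Token": []}
    saml2 = claims.setdefault("saml2Token", [])
    if not any(c.get("name") == "email" for c in saml2):
        saml2.append(dict(EMAIL_CLAIM))
    manifest["optionalClaims"] = claims
    replies = manifest.setdefault("replyUrlsWithType", [])
    present = {r.get("url") for r in replies}
    for url in (redirect_uri(name), login_reply_url(name, customer, org, account)):
        if url not in present:
            replies.append({"url": url, "type": "Web"})
    return json.dumps(manifest, indent=4)

# Constructed sample: a freshly registered app before steps 11 and 12 (appId is a placeholder).
SAMPLE_MANIFEST = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000000",
    "optionalClaims": None,
    "replyUrlsWithType": [{"url": redirect_uri("docs-auth-azureAD"), "type": "Web"}],
})
```

Paste the returned text back into the portal's Manifest editor; the portal still rejects the save if the JSON is malformed, so the round-trip through json.dumps is the formatting check.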

Create the SAML2 Authentication Integration Provider in Frame

  1. Open up a new tab and navigate to your Frame account. A SAML2 authentication integration can be configured at any level (depending on administrative access) by navigating to the Admin page and clicking on the ellipsis listed next to the desired entity name. Select “Edit” from the menu that appears.
     [Image: authnav1.png]
  2. Navigate to the “Security” tab and enable the “SAML2” toggle under “Authentication.”
     [Image: authnav2.png]
  3. Once the setting is saved, the “SAML2 Providers” tab will appear. Navigate to this tab and then click “Add Provider.”
     [Image: image99.png]
  4. A new window will appear prompting you to enter some of the information you obtained earlier.

    [Image: addazureAD.png]
    • Application ID: Paste the Application ID from step 6.
    • Auth provider metadata: Check the “URL” option and paste the Federation Metadata Document URL you copied in step 7 into this field.
    • Name: Enter the SAML2 Integration name here. The name should have only letters, numbers, and the dash symbol; no spaces or punctuation are allowed. It is also case-sensitive. As mentioned above, we will use the SAML2 integration name docs-auth-azureAD for this example. Please do not use this name for your own integration.
    • Authentication token expiration: Set the desired expiration time for the authentication token. This can range from 5 minutes to 7 days.
    • Signed response: Leave this toggle disabled. If you wish to use Signed SAML2 Responses, please contact Frame Support or your Account Manager for further instructions.
    • Signed assertion: Enable this toggle.
  5. Click “Add.”

Configure SAML2 Permissions

Once the IdP is successfully configured, administrators will need to configure the authorization rules for the account from the “SAML2 Permissions” tab listed to the right of the current tab. Read more about user roles and permissions on our “User Permissions” section.

[Image: saml2permissions.png]

Using Azure AD as a SAML2 Authentication Integration

Your new SAML2 auth integration will appear as a button on your Xi Frame login page. The URL of your Xi Frame login page depends on the level at which the SAML2 integration was configured.

Customer level:

https://frame.nutanix.com/[customer_URL]/

Organizational level:

https://frame.nutanix.com/[customer_URL]/[organization_URL]/

Account level:

https://frame.nutanix.com/[customer_URL]/[organization_URL]/[account_URL]/
[Image: finalazureAD.png]