-
-
Notifications
You must be signed in to change notification settings - Fork 658
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: azure sso guide #3431
docs: azure sso guide #3431
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work on this! 🙌🏼 The content's all there, but I've got some structural suggestions that I think we should look at. I've added suggestions for most everything so that you can see what I mean. Feel free to push back on any of the suggestions and we'll have a dialog about it!
And before we merge: You'll need to also add the guide to the sidebar by editing website/sidebars.js
. Find the section that has the other SSO how-tos and add this one in too. Remember to organize them such that the order is alphabetical based on their title.
### Step 2: Navigate to SSO configuration {#step-2} | ||
|
||
In order to configure SSO with SAML with your Unleash enterprise you should navigate to the Single-Sign-On configuration section and choose the "SAML 2.0" tab. | ||
|
||
![sso-config](/img/sso-configure-saml.png) | ||
|
||
### Step 3: Create an Enterprise Application within Azure AD {#step-3} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This first section isn't used at all until the next next section, so we can remove it.
### Step 2: Navigate to SSO configuration {#step-2} | |
In order to configure SSO with SAML with your Unleash enterprise you should navigate to the Single-Sign-On configuration section and choose the "SAML 2.0" tab. | |
![sso-config](/img/sso-configure-saml.png) | |
### Step 3: Create an Enterprise Application within Azure AD {#step-3} | |
### Step 1: Create an Enterprise Application within Azure AD {#step-1} |
**d) Section 2: Attributes & Claims** | ||
|
||
Unleash requires an email to be sent from the SSO provider so make sure to set the "Unique User Identifier" to the "user.mail" source attribute. | ||
|
||
In addition you may provide the following attributes: | ||
|
||
- firstName | ||
- lastName | ||
|
||
_(These will be used to enrich the user data in Unleash, but are not required)._ | ||
|
||
![Azure: SAML Unique Identifier](/img/sso-azure-saml-unique-id-email-id.png) | ||
![Azure: SAML Attributes](/img/sso-azure-saml-attributes-claim.png) | ||
|
||
> Please make sure to replace URLs with the public URL for your Unleash instance. This will require correct region prefix and the instance name. | ||
> | ||
> The correct format is: https://**[region]**.app.unleash-hosted.com/**[instanceName]**/auth/saml/callback |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why does Unleash require an email? The wording here is a little confusing, I think. I don't quite understand what's going on.
Where does the firstname and lastname go? I don't see them in the screenshot? Or is that the givenname and surname claims that are shown in the second screenshot?
**d) Section 2: Attributes & Claims** | |
Unleash requires an email to be sent from the SSO provider so make sure to set the "Unique User Identifier" to the "user.mail" source attribute. | |
In addition you may provide the following attributes: | |
- firstName | |
- lastName | |
_(These will be used to enrich the user data in Unleash, but are not required)._ | |
![Azure: SAML Unique Identifier](/img/sso-azure-saml-unique-id-email-id.png) | |
![Azure: SAML Attributes](/img/sso-azure-saml-attributes-claim.png) | |
> Please make sure to replace URLs with the public URL for your Unleash instance. This will require correct region prefix and the instance name. | |
> | |
> The correct format is: https://**[region]**.app.unleash-hosted.com/**[instanceName]**/auth/saml/callback | |
##### Section 2: **Attributes & Claims** | |
1. Set the "name identifier format" to "Email address". | |
2. Select "attribute" as the source. | |
3. Enter "user.mail" in the source attribute field. | |
Optionally, you can also provide a first name and a last name. If provided, these will be used to enrich the data in Unleash. | |
![Azure: The manage claim form with email configuration filled out](/img/sso-azure-saml-unique-id-email-id.png) | |
![Azure: The list of claims used by the SAML setup, including the optional claims for given name and surname](/img/sso-azure-saml-attributes-claim.png) |
**e) Get the Azure AD Setup Details** | ||
|
||
Make note of the following details necessary for the Unleash SAML configuration. | ||
|
||
Unleash will need: | ||
- Azure AD Identifier | ||
- Login URL | ||
- X.509 Certificate (in the Federation Metadata XML) | ||
|
||
![Azure: Azure Details for Unleash](/img/sso-azure-saml-azure-details.png) | ||
![Azure: Azure X509 for Unleash](/img/sso-azure-saml-x509cert.png) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
**e) Get the Azure AD Setup Details** | |
Make note of the following details necessary for the Unleash SAML configuration. | |
Unleash will need: | |
- Azure AD Identifier | |
- Login URL | |
- X.509 Certificate (in the Federation Metadata XML) | |
![Azure: Azure Details for Unleash](/img/sso-azure-saml-azure-details.png) | |
![Azure: Azure X509 for Unleash](/img/sso-azure-saml-x509cert.png) | |
##### Sections 3 and 4: Azure AD setup details {#azure-details} | |
You will need some details from section 3 and 4 of the SAML setup form to configure the integration within Unleash. These details are: | |
- Azure AD Identifier (from section 4) | |
- Login URL (from section 4) | |
- X.509 Certificate (in the Federation Metadata XML from section 3) | |
<Figure caption="Section 3 contains a download link for the Federation Metadata XML file. Section 4 lists the Azure AD identifier and the login URL" img="/img/sso-azure-saml-azure-details.png"/> | |
<Figure caption="Within the Federation Metadata XML file, find the `X509Certificate` tag. You'll need the content within that tag." img="/img/sso-azure-saml-x509cert.png"/> |
### Step 4: Configure SAML 2.0 provider in Unleash {#step-4} | ||
|
||
Go back to Unleash Admin Dashboard and navigate to `Admin Menu -> Single-Sign-On -> SAML`. Fill in the values captured in the _"Get the Azure AD Setup Details"_ step. | ||
This is how the Azure details map to Unleash | ||
- Azure AD Identifier > Entity ID (should be formatted as https://sts.windows.net/**{GUID}**) | ||
- Login URL > Single Sign-On URL (should be formatted as https://login.microsoftonline.com/**{GUID}**/saml2) | ||
- Azure Federation Metadata XML (copy the X509Certificate) > X.509 Certificate | ||
|
||
You may also choose to “Auto-create users”. This will make Unleash automatically create new users on the fly the first time they sign-in to Unleash with the given SSO provider (JIT). If you decide to automatically create users in Unleash you must also provide a list of valid email domains separated by commas. You must also decide which global Unleash role they will be assigned (Editor role will be the default). | ||
|
||
![Unleash: SAML 2.0](/img/sso-azure-saml-unleash-config.png) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wait, is this step 2 or 3 now?
Also, the section on auto-creating users is great, but it does not belong here. Instead, we should check to see if this is already covered in the user group SSO configuration doc (website/docs/reference/rbac.md
) and link there. Or wait, that's for user groups. Single users might be different?
### Step 4: Configure SAML 2.0 provider in Unleash {#step-4} | |
Go back to Unleash Admin Dashboard and navigate to `Admin Menu -> Single-Sign-On -> SAML`. Fill in the values captured in the _"Get the Azure AD Setup Details"_ step. | |
This is how the Azure details map to Unleash | |
- Azure AD Identifier > Entity ID (should be formatted as https://sts.windows.net/**{GUID}**) | |
- Login URL > Single Sign-On URL (should be formatted as https://login.microsoftonline.com/**{GUID}**/saml2) | |
- Azure Federation Metadata XML (copy the X509Certificate) > X.509 Certificate | |
You may also choose to “Auto-create users”. This will make Unleash automatically create new users on the fly the first time they sign-in to Unleash with the given SSO provider (JIT). If you decide to automatically create users in Unleash you must also provide a list of valid email domains separated by commas. You must also decide which global Unleash role they will be assigned (Editor role will be the default). | |
![Unleash: SAML 2.0](/img/sso-azure-saml-unleash-config.png) | |
### Step 3: Configure a SAML 2.0 provider in Unleash {#step-3} | |
In Unleash, navigate to the SAML 2.0 tab on the single sign-on page. | |
<Figure caption="The single sign-on page is accessible from the single sign-on link in the admin menu (in the navigation bar)." img="/img/sso-configure-saml.png"/> | |
Use the values from the [previous section](#azure-details) to fill out the form: | |
1. In the entity ID field, add the **Azure AD identifier**. It should look a little like this `https://sts.windows.net/<identifier>. | |
2. In the single sign-on URL field, add the **login URL**. It should look something like `https://login.microsoftonline.com/<identifier>/saml2` | |
3. In the X.509 certificate field, add the content of the `X509Certificate` tag from the **federation metadata XML**. | |
![Unleash: The SAML 2.0 setup form populated with data from Azure.](/img/sso-azure-saml-unleash-config.png) |
### Step 5: Validate {#step-5} | ||
|
||
You have now successfully configured Unleash to use SAML 2.0 together with Azure AD as an IdP. Please note that you also must assign users to the application defined in Azure AD to actually be able to log-in to Unleash. | ||
|
||
Try signing out of Unleash. If everything is configured correctly you should be presented with the option to sign in with SAML 2.0. | ||
|
||
Additionally, Azure gives the option to test logging in with a user at the bottom of the Azure AD SAML setup page. | ||
|
||
![Azure: Test User](/img/sso-azure-saml-test-user.png) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This isn't really a step, so let's remove that bit of the heading.
Also, the thing about assigning users in Azure seems like a pretty major point. Maybe that should be it's own step?
### Step 5: Validate {#step-5} | |
You have now successfully configured Unleash to use SAML 2.0 together with Azure AD as an IdP. Please note that you also must assign users to the application defined in Azure AD to actually be able to log-in to Unleash. | |
Try signing out of Unleash. If everything is configured correctly you should be presented with the option to sign in with SAML 2.0. | |
Additionally, Azure gives the option to test logging in with a user at the bottom of the Azure AD SAML setup page. | |
![Azure: Test User](/img/sso-azure-saml-test-user.png) | |
### Step 4: Add users {#step-4} | |
You must **assign users to the application you defined in Azure AD** for them to be able to log in. | |
[... maybe add some steps here?] | |
### Validation | |
If everything is set up correctly, you should now be able to sign in with the SAML 2.0 option. You can verify that this works by logging out of Unleash: the login screen should give you the option to sign in with SAML 2.0. | |
You can also test the integration in Azure by using the "test single sign on" step in the SAML setup wizard. | |
<Figure caption="The SAML setup wizard contains a step that lets you test your SAML 2.0 integration. You can use this to verify that everything is configured correctly within Azure." img="/img/sso-azure-saml-test-user.png"/> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@thomasheartman I've made lots of updates to this, let me know what you think!
Co-authored-by: Thomas Heartman <thomas@getunleash.ai>
Co-authored-by: Thomas Heartman <thomas@getunleash.ai>
Co-authored-by: Thomas Heartman <thomas@getunleash.ai>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good! I've added some inline comments, but nothing major 🏆
> Please make sure to replace URLs with the public URL for your Unleash instance. This will require correct region prefix and the instance name. | ||
> | ||
> The correct format is: https://**[region]**.app.unleash-hosted.com/**[instanceName]**/auth/saml/callback |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should probably be an admonition instead, I think. And what URLs are we asking them to replace?
> Please make sure to replace URLs with the public URL for your Unleash instance. This will require correct region prefix and the instance name. | |
> | |
> The correct format is: https://**[region]**.app.unleash-hosted.com/**[instanceName]**/auth/saml/callback | |
:::info URLs and formats | |
Make sure to replace URLs with the public URL for your Unleash instance. This will require correct region prefix and the instance name. | |
The correct format is: https://**[region]**.app.unleash-hosted.com/**[instanceName]**/auth/saml/callback | |
::: |
![Azure: Section 3 contains a download link for the Federation Metadata XML file. Section 4 lists the Azure AD identifier and the login URL](/img/sso-azure-saml-azure-details.png) | ||
![Azure: Within the Federation Metadata XML file, find the `X509Certificate` tag. You'll need the content within that tag.](/img/sso-azure-saml-x509cert.png) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These both feel like they should be figures instead of images. I think the alt text would be a useful caption for anyone. what do you think?
|
||
You can also test the integration in Azure by using the "test single sign on" step in the SAML setup wizard. | ||
|
||
![Azure: The SAML setup wizard contains a step that lets you test your SAML 2.0 integration. You can use this to verify that everything is configured correctly within Azure.](/img/sso-azure-saml-test-user.png) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Turn this into a figure too?
Co-authored-by: Thomas Heartman <thomas@getunleash.ai>
Co-authored-by: Thomas Heartman <thomas@getunleash.ai>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great; amazing work! 💯 Thanks for sticking with it 🙌🏼
About the changes
Added Azure SSO SAML 2.0 instructions based off of testing/user feedback.
Not on GH, internally yes
Important files
website>docs>how-to>how-to-add-sso-azure-saml.md
website>docs>static>img (added images for docs)