Example of SAML configuration with Microsoft Entra ID

This page describes the steps to enable SAML authentication in Cyberwatch using Microsoft Entra ID as the identity provider.

It presents a minimal configuration for the SAML service to function.

Prerequisites

The procedure assumes that you have the following:

• An Azure account with an active subscription
• Administrator access to Microsoft Entra ID and Cyberwatch

Creating the SAML application in Entra ID

1. Log in to the Azure portal: https://portal.azure.com
2. Navigate to Microsoft Entra ID > Enterprise applications
3. Click on “New application”, search for “Microsoft Entra SAML Toolkit”
4. Give it a name (e.g., SAML Toolkit), click on “Create”
5. Start the SSO configuration by clicking on “Get started” in “Set up single sign on”, select SAML

Configuration of the Service Provider and Identity Provider in Entra ID and Cyberwatch

In Entra ID, configure the Service Provider in “Basic SAML Configuration”:

• Identifier (Entity ID): ID of Cyberwatch
• Reply URL (ACS): URL of Cyberwatch’s ACS
• Sign on URL: URL to log in to Cyberwatch
• Logout URL (optional): Single Logout URL
• Save the configuration

In Cyberwatch, specify the general information, Service Provider, and Identity Provider:

1. Name ID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
2. Login button text: “Entra ID SAML Login”
3. SP Entity ID: ID of Cyberwatch
4. IDP metadata URL: copy “App Federation Metadata URL” from Entra ID
5. Apply to retrieve the IDP certificate
6. IDP Entity ID: copy “Microsoft Entra Identifier” from Entra ID
7. IDP SSO target URL: copy “Login URL” from Entra ID
8. Save. The Cyberwatch certificate will be generated.

Upload the certificate generated by Cyberwatch to the SAML Toolkit application in Entra ID:

• Microsoft Entra ID > Enterprise applications > click on the name of the SAML Toolkit app
• Single sign-on > SAML Certificates > Verification certificates > Edit
• Check “Require verification certificates” and upload the certificate

For more information on creating the application, please refer to the Entra documentation https://learn.microsoft.com/en-us/entra/identity/saas-apps/saml-toolkit-tutorial

Optional - Advanced Configuration

Show advanced configuration details

This requires having a paid Entra ID license to perform certain actions

To configure roles, groups, and other attributes in Cyberwatch:

1. Define roles in Entra ID > App registrations > name of the SAML Toolkit app > App roles > Create app role.
2. Define groups in Entra ID > Groups > New group.

Note: These groups must be created in Cyberwatch for the mapping to be functional.

Associate groups and roles:

• Entra ID > Enterprise applications > name of the SAML Toolkit app
• Users and groups > check the group > Edit assignment
• Select the role > Assign

Optional: Configuration of claims

Adding role and group claims

• Entra ID > Enterprise applications > name of the SAML Toolkit app > Single sign-on > Edit.

For the role claim:

• Click on Add new claim.
• In the Name field, enter role.
• In Namespace, enter http://schemas.microsoft.com/ws/2008/06/identity/claims.
• For Source Attribute, select user.assignedroles.
• Click on Save.

For the group claim:

• Click on Add a group claim.
• Select Groups assigned to the application.
• For Source Attribute, choose Cloud-only group display names.
• Click on Save.

For the description claim:

• Click on Add new claim.
• In Name, enter description.
• For Source Attribute, choose for example user.jobtitle.
• Click on Save.

Note: The email address claim should already be configured in the SAML Toolkit application. Make the necessary configurations in Cyberwatch at the identity provider level. The connection should be correctly established, retrieving the attributes configured in Cyberwatch.

For more information on creating roles and groups, please refer to the Entra documentation:

• Roles: https://learn.microsoft.com/en-us/entra/identity-platform/enterprise-app-role-management

• Groups: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims

Verifying the functionality

Open a private browsing window and access the Cyberwatch authentication page. An “Entra ID SAML Login” button should be displayed.

Click on it, the browser redirects to the Entra ID authentication page if the configurations are valid.

Authenticate with your credentials, the browser redirects you and authenticates you on Cyberwatch.

Verify the absence of an existing local/LDAP account in Cyberwatch using the same email address to avoid an error during login.

Troubleshooting

Don’t hesitate to contact Cyberwatch support for any technical assistance.