Universal Policy Administrator Documentation
< All Topics
Print

Configuring SAML Authentication with Microsoft ENTRA ID

  1. Install the UPA Gatekeeper and Gateway.
  2. Create and configure UPA as an enterprise application in your Microsoft Entra ID tenant:
    1. Sign in to the Microsoft Entra admin center:
      1. From the left navigation pane, select Enterprise apps > All applications.
      2. Select New application.
      3. On the Browse Microsoft Entra Gallery page, select Create Your Own Application.
      4. Enter a name for your application. For example, ‘UPA_SAML’.
      5. Select Integrate any other application you don’t find in the gallery (Non-gallery).
      6. Click Create.
    2. Assign Users and Groups:
      1. On your application’s Overview page, select Assign Users and Groups from the Identity menu or the Getting Started area.
      2. Select Add User/Group on the Users and Groups page.
      3. On the Users and Groups tab of the Add Assignment page, select one or more Users and Groups checkboxes.
      4. Click Select
      5. On the Select a role tab of the Add Assignment page, select a role
      6. Click Select
      7. Click Assign
      8. (Optional) On the Users and Groups page, select a User or Group.
        1. (Optional) Select Edit Assignment to assign a different role
        2. (Optional) Select Remove Assignment to delete assigned users and groups
    3. Set up single sign-on:
      1. Configure your application to use SAML authentication:
        1. Download the HAPI SAML metadata:
          1. In the Full Armor UPA Owner Portal (https://<gatekeeper>/portal/account), select SSO.
          2. Click Get SAML Metadata.
          3. Save to a file. For example, C:\UPA\Metadata\GetSAMLMetatadata.xml.
      2. Navigate to the Microsoft Entra admin center:
        1. From the left navigation pane, select Single sign-on.
        2. On the Single sign-on page, select SAML.
        3. On the SAML-based Sign-on page, select Upload metadata file and upload the HAPI SAML metadata saved in a previous step.
          1. On the Basic SAML Configuration tab, enter a domain name for UPA under Relay State (Optional), to use with Microsoft Entra ID users and groups. For example, ‘Entra’ or ‘MyDomain’.
          2. Enter the Sign on URL (Optional) (https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName>) where Provider Name is the name of the SAML provider for UPA, specified in the previous step.
          3. In the SAML Certificates area, select Download Federation Metadata XML.
          4. Save to a file. For example, C:\UPA\Metadata\SAMLFederationMetatadata.xml.
  3. Configure UPA to use SAML authentication:
    1. In the Full Armor UPA Owner Portal (https://<gatekeeper>/portal/account), select SSO.
    2. Click Add SAML Provider to launch the SAML Configuration Settings page and complete the following steps:
      1. Enter the Provider Name to match the value in Relay State in a previous step.
      2. Select the Set as Default Login Provider check box for the UPA web console to use this SAML provider as the default identity provider for logins
      3. (Optional) To login with a non-default SAML provider, go to https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName>.
      4. In the Provisioning Mode list, click AutomaticProvisioning
      5. Click Configure Provisioning to launch the Provisioning Settings page:
        • View the Provider Name
        • View the Provisioning Mode
        • Click Get SCIM Token
      6. Click Configure Claims Mapping to launch the Claims Mappings page:
        1. In the Match login claims to users using this property list, click UserName.
        2. Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name as the Unique ID.
        3. Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name as the UserName.
        4. Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name as the Display Name.
          • (Optional) Configure a different claim in your Microsoft Entra application’s SAML-based Sign-on > Attributes & Claims section.
        5. Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress as the Email Address.
        6. Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups as the Groups claim.
        7. You may leave Domain\Username blank.
        8. You may leave SID blank.
        9. You may leave IP Address blank.
        10. Click Save
      7. In the Name ID Format list, click EmailAddress
      8. In the Signature Algorithm list, click SHA_256
      9. Select the Always Sign Requests check box
      10. Enter the Logout Url to send the SAML logout response to the application
      11. Enter IDP Metadata
      12. Click Save Changes

Note: To assign UPA roles based on Groups, you must configure a Group Claim in your Microsoft Entra application, else to delegate UPA roles to individual users you might leave this field blank.

  1. Configure provisioning in the Microsoft Entra admin center:
    1. In the Microsoft Entra admin center
    2. From the left navigation pane, go to Enterprise apps
    3. Select your application created in the previous steps
    4. On your application’s Overview page, select Provisioning
    5. On your application’s Provisioning page, select Provisioning again
      1. In the Provisioning Mode list, click Automatic.
      2. In the Admin Credentials section:
        1. Enter the Tenant URL of the SCIM endpoint https://<gatekeeper>/api/scim>.
        2. Paste the Secret Token retrieved in a previous step
        3. Click Test Connection to verify.
      3. In the Settings section:
        1. Select to Send an email notification when a failure occurs Notification Email
        2. Select to Prevent accidental deletion Accidental deletion threshold
    6. Click Save
    7. Click Start Provisioning and allow time for the initial provisioning cycle to complete
    8. Check the provisioning status in the Microsoft Entra admin center
  2. Assign a UPA Global Administrator role:
    1. In the Full Armor UPA Owner Portal, select SSO when provisioning completes
    2. Select the List Users button for the SAML provider
      • Confirm that the users or groups were imported correctly
    3. Select the user to grant Global Administrator permissions
    4. Click Set User as Global Admin

For more information, see Enable SAML single sign-on for an enterprise application in Microsoft Entra ID

In This Article