Azure AD SAML Integration

Azure AD SAML integration for the Edge Delta web application.

Overview

You can set up an Azure AD SAML integration with Edge Delta using the Azure AD SAML Toolkit enterprise application, which federates with Azure AD over SAML. Once configured, your users can access Edge Delta through single sign-on.

Edge Delta supports both identity provider (IDP) initiated and service provider (SP) initiated login workflows. In the IDP-initiated workflow the user starts from the IDP's application dashboard (for example, the Microsoft My Apps portal); in the SP-initiated workflow the user starts from the Edge Delta login page and is redirected to the IDP.

Create an Azure AD SAML integration

Step 1: Add the Azure AD SAML Toolkit

  1. Access the Azure portal, then on the left-side navigation, select Azure Active Directory.
  2. Navigate to Enterprise Applications, and then select All Applications.
  3. To add new application, select New application.
  4. In the Add from the gallery section, type Azure AD SAML Toolkit in the search box.
  5. Select Azure AD SAML Toolkit, and then add the app. You may need to wait a few seconds for the app to be added to your tenant.

Step 2: Configure the Azure AD SAML Toolkit

  1. In the Azure portal, on the Azure AD SAML Toolkit application integration page, locate the Manage section, and then select single sign-on.
  2. On the Select a single sign-on method page, select SAML.
  3. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration.
  4. Enter the following values in the corresponding fields:

As an alternative to entering the values manually, you can download the Edge Delta service provider (SP) metadata and upload it with Upload metadata file on the Set up single sign-on with SAML page. The SP metadata is available at https://api.edgedelta.com/saml/metadata.

  5. In the SAML Certificates section, next to Federation Metadata XML, click Download and save the file. Also copy the App Federation Metadata Url shown in the same section; you will paste it into Edge Delta as the IDP Metadata URL in Step 4.

Step 3: Assign Users for SAML

Before a user can use single sign-on, you must assign the user (or a group containing the user) to the Azure AD SAML Toolkit application.

  1. In the Azure portal, select Enterprise Applications, and then select All applications.
  2. In the applications list, select Azure AD SAML Toolkit.
  3. In the app’s overview page, locate the Manage section, and then select Users and groups.
  4. Select Add user/group, and then in the Add Assignment pane, select Users and groups, choose the users or groups who should be able to log in, and select Assign.

Step 4: Configure the Edge Delta App

  1. Log on to the Edge Delta App with an administrator account.
  2. Click Admin - My Organization.
  3. In the SAML Settings section, click Edit.
  4. If you are using the SP-initiated login workflow, enter the email domain (for example, example.com) of the users who are authorized to log in via SAML. Edge Delta uses this domain to decide which users to send from its login page to your IDP.
  5. Select Metadata URL, and then paste the App Federation Metadata Url you copied from Azure in Step 2.
  6. For Metadata URL Verification, select Enabled.
  7. Optionally, select Enforcement - Require Authentication Via SAML To Access This Organization. This disables username and password login to Edge Delta for normal users; they must log in through the IDP. Edge Delta admin account holders can still log in with their username and password on the Edge Delta login page, so those admin accounts remain a password-based path into the organization and should be kept to a minimum.
  8. Optionally, select JIT Provisioning - Enable JIT User Provisioning And Dynamic Group Membership For This Organization. Enter a Group Attribute Mapping Field and a Default Group. The field name is groups by default but it is configurable; it must match the Name of the SAML attribute the IDP sends. Note that Azure AD does not send group claims unless you add a group claim under User Attributes & Claims for the application, and the default claim name it uses is the URI http://schemas.microsoft.com/ws/2008/06/identity/claims/groups, so either customize the claim name to groups in Azure AD or enter that URI here.
  9. Click Save.

Just in Time (JIT) provisioning reads the group attribute named by the Group Attribute Mapping Field from the IDP's assertion and assigns the user to each existing Edge Delta permissions group whose name matches one of the asserted values.

<saml:Attribute
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
   Name="groups">
   <saml:AttributeValue
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string">custom_admin</saml:AttributeValue>
   <saml:AttributeValue
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string">custom_super_admin</saml:AttributeValue>
</saml:Attribute>

In this example of an IDP's SAML group assertion, the groups values are custom_admin and custom_super_admin. The user is added to an Edge Delta group called custom_admin if one exists, and likewise to custom_super_admin if it exists. When the user belongs to more than one group, their effective permissions are the union of those groups' permissions, that is, the most permissive combination.

If no group attribute is present in the assertion, or if none of the asserted values matches an existing Edge Delta group, the user is added to the Default Group instead. Group membership is dynamic: when the user logs out, they are removed from the Edge Delta groups that JIT assigned.
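The following is an added example (not Edge Delta's code) that models the JIT rule described above: read the configured group attribute from an assertion, join every asserted group that exists in Edge Delta, fall back to the default group when nothing matches, and compute effective permissions as the union of the joined groups. The assertion fragment is constructed from the snippet above with one extra, non-existent group added; the group names, their permission sets and the default group are assumptions for the example. A real service provider must verify the assertion's XML signature before trusting any attribute in it, which this example does not do.

```python
"""Resolve Edge Delta group membership from a SAML group attribute.

Added example, not Edge Delta's code. Models the JIT rule: every asserted
group that matches an existing Edge Delta group is joined; if none match (or
the attribute is absent) the user gets the default group; effective
permissions are the union of the joined groups. The attribute name is
configurable ("groups" by default).
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (the <Assertion> wrapper is assumed; no_such_group
# is added to exercise the "asserted group does not exist" case). A real SP
# must verify the assertion signature before reading attributes from it.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
        Name="groups">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">custom_admin
      </saml:AttributeValue>
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">custom_super_admin</saml:AttributeValue>
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">no_such_group</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical Edge Delta permission groups (names and permissions are
# assumptions for the example, not Edge Delta's real role model).
EDGE_DELTA_GROUPS = {
    "viewer": {"read"},
    "custom_admin": {"read", "write"},
    "custom_super_admin": {"read", "write", "manage_users"},
}
DEFAULT_GROUP = "viewer"


def asserted_groups(assertion_xml: str, attribute_name: str = "groups") -> list[str]:
    """Return the values of the configured group attribute, in assertion order.

    Values are whitespace-trimmed so that a value wrapped across lines in the
    XML (as in the first AttributeValue above) still matches a group name.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            text = (val.text or "").strip()
            if text:
                values.append(text)
    return values


def resolve_membership(assertion_xml: str, attribute_name: str = "groups",
                       groups: dict = EDGE_DELTA_GROUPS, default: str = DEFAULT_GROUP):
    """Apply the JIT rule; return (joined_groups, effective_permissions)."""
    matched = [g for g in asserted_groups(assertion_xml, attribute_name) if g in groups]
    joined = matched if matched else [default]   # fall back to the default group
    permissions = set().union(*(groups[g] for g in joined))  # most permissive
    return joined, permissions


if __name__ == "__main__":
    print(resolve_membership(ASSERTION))
    # With a mismatched attribute name nothing is found, so the default applies.
    print(resolve_membership(ASSERTION, attribute_name="memberOf"))
```

Running the block shows that no_such_group is silently ignored while the two known groups are joined, and that a Group Attribute Mapping Field that does not match the attribute Name the IDP actually sends drops every user into the default group, which is the symptom to look for when JIT appears not to work.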