Configure a SAML authentication

In this topic, you learn how to set up SAML authentication with Azure and how to configure it in your Cockpit.

Prerequisites

  • You have registered the DXP - Open Edition in the Azure portal. Find more information about how to register an app in the Microsoft documentation.

  • You know the Display Name and your client ID from the Azure Account.

  • In the Azure portal, you have added users and groups to the DXP - Open Edition.

  • You have downloaded the SAML certificate from the Azure Portal.

Procedure

Add a redirect URI

  1. In the Azure portal, go to Authentication.

  2. In Redirect URI, add URIs for a web and/or a public client. These URIs will be accepted as destinations when returning authentication responses (tokens) after authenticating users.


Add API Permissions

  1. In the Azure portal, go to API permissions.

  2. Click Add a permission to configure a permission.


Add a SAML authentication provider in Neptune DXP - Open Edition

  1. In the Cockpit, go to Settings, and click System Settings.

  2. Navigate to the Authentication tab and click Edit.

  3. Click Add, and select SAML.


    Result: The Authentication dialog opens.

  4. In the Authentication dialog, fill in or check the following fields:

    1. Enter a Name for the authentication.

    2. Check Active to activate this authentication method.

    3. Check Show on login page to display the authentication method on the login page.

    4. Enter a Description.

    5. Enter a Login URL in the following format:

      https://myapps.microsoft.com/signin/<Display Name>/<Application(Client) ID>

      Replace <Display Name> with your app display name and <Application (Client) ID> with your app client ID.

      NOTE: You find Display name and Application (client) ID in the Azure Portal.

    6. In Logout URL, enter the login URL, using the following format:

    7. In Redirect URL, enter the URLs that Neptune DXP - Open Edition accepts as destinations when returning authentication responses (tokens) after users have authenticated successfully; users are redirected to the apps listed here. For example, if users should land on a particular launchpad, add the link of that launchpad.

    8. Enter the Path to the external SAML login data.

      Do not enter the path when you use the login screen. In this case, the path must follow this format: http://planet9server/logon/saml/path

    9. In Issuer, enter the entity from the Azure Portal that has verified the certificate content: <Application(Client) ID>.

    10. Add the identifier format for single sign-on (SSO).

    11. In Binding, select HTTP redirect or HTTP Post.

    12. In Cert (IdP), enter the certificate from the Azure Portal.

      1. Optional: In Public Key (SP), enter the public key from the Azure Portal.

      2. Optional: In Private Key (SP), enter the private key from the Azure Portal.

    13. In Claims Assignment, click Add to add claims assignments.

    14. In Auto Assignment, assign roles and, if required, departments.

    15. Optional: In Custom Script, enter your own code to adjust the role assignment manually.

  5. Click OK to confirm.
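The Issuer, Redirect URL and Claims Assignment fields above are what the service provider checks an incoming SAML response against. The following added example (not Neptune DXP's own code) shows those checks and a group-to-role mapping on a constructed response; the client ID, URLs and group names are placeholders, and signature verification against the Cert (IdP) value is assumed to run before these checks.

```python
# Added example, not Neptune DXP's own code: checks a service provider applies to a
# SAML response using the Authentication dialog values, then a Claims Assignment-style mapping.
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed configuration; the client ID is a placeholder, not a real Azure value.
CONFIG = {"issuer": "00000000-0000-0000-0000-000000000000",
          "redirect_urls": {"https://dxp.example.com/launchpad/main"},
          "claims_assignment": {"dxp-admins": "Administrator", "dxp-users": "User"}}

# Constructed sample response, shortened: no Signature element, one assertion.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://dxp.example.com/launchpad/main">
  <saml:Issuer>00000000-0000-0000-0000-000000000000</saml:Issuer>
  <saml:Assertion>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>dxp-admins</saml:AttributeValue>
        <saml:AttributeValue>unknown-group</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, config, now_iso):
    # Returns a list of problems; an empty list means the response is acceptable.
    # Signature verification against Cert (IdP) is assumed to have run before this.
    root, problems = ET.fromstring(xml_text), []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != config["issuer"]:            # Issuer: Application (Client) ID
        problems.append(f"unexpected issuer {issuer!r}")
    dest = root.get("Destination")
    if dest not in config["redirect_urls"]:  # Redirect URL: allowed destinations only
        problems.append(f"destination {dest!r} is not an allowed redirect URL")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion has no Conditions or is outside its validity window")
    return problems

def roles_from_response(xml_text, config):
    # Map group claim values to roles; groups without an assignment grant nothing.
    values = ET.fromstring(xml_text).findall(".//saml:Attribute[@Name='groups']/saml:AttributeValue", NS)
    return sorted({config["claims_assignment"][v.text] for v in values if v.text in config["claims_assignment"]})
```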

Results

  • You have configured and activated a SAML authentication.