Configuring Azure Active Directory as an identity provider

To use Microsoft Azure Active Directory to manage the user IDs and passwords that access applications through Federated Single Sign-On with IBM® Security Verify, you must configure it as an identity provider in Verify.

Before you begin

You must have an Azure Active Directory account with administrative access, that is, a role that can create enterprise applications and configure their single sign-on settings (for example, Application Administrator or Global Administrator).

Procedure

  1. Log in to the Azure AD portal as an administrator.
  2. Click Azure Active Directory from the left navigation pane.
  3. Click Enterprise applications.
  4. Click New application from the Enterprise applications page.
  5. Click All > Non-gallery application.
  6. Type a name for the application and click Add.
    The application might take a few minutes to be created. After it is created, a management page is displayed.
  7. Click Properties and then select Yes for User assignments required.
    With this setting, Azure AD issues a SAML assertion for this application only to users and groups that are explicitly assigned to it. If it is left at No, any user in the tenant can sign in to Verify through this identity source.
  8. Click Save.
  9. Click Users and groups from the Manage navigation.
    Assign the users and groups that are entitled to this application.
    1. Click Users and groups > Add user > None Selected.
    2. Select the users and groups that you want to entitle.
    3. Click Assign.
    4. Click Save.
  10. Click Single sign-on.
    1. Select SAML-based Sign-on from the Single Sign-on Mode menu.
    2. Get the SAML EntityID and Assertion Consumer Service URL information from IBM Security Verify.
      1. Log in to IBM Security Verify.
      2. Click Configuration > Identity sources > Add identity source.
        The identity source creation task displays the Entity ID and the Assertion Consumer Service URL of Verify. Copy both values.
      3. Return to the Azure AD portal.
    3. Specify the following settings. Both values must match what Verify displays exactly, including the scheme and any trailing slash: Azure AD uses the Identifier as the Audience of the SAML assertion and posts the assertion only to a registered Reply URL.
      Identifier
      Specify the SAML EntityID of IBM Security Verify.
      Reply URL
      Specify the Assertion Consumer Service URL of IBM Security Verify.
    4. Select the attribute in the User Attributes section that is to be sent as the SAML subject from the User Identifier menu.
      For example, select user.userprincipalname. The value of this attribute becomes the NameID of the assertion, which is what Verify uses to identify the user, so choose an attribute that is unique and does not change for a user.
    5. Select the View and edit all other user attributes check box to view or edit the claims issued in the SAML token to the application.
    6. Select Create new certificate.
    7. Click Save > OK to create a new certificate.
    8. Select the Make new certificate active check box.
    9. Click Metadata XML in the DOWNLOAD column of the SAML Signing Certificate section to download the identity provider metadata that is to be imported on the service provider side (Verify).
      The metadata contains the signing certificate that Verify uses to validate assertions, so download it after the new certificate is active, and import it again whenever the certificate is rotated.
    10. Select the Show advanced certificate signing settings check box and specify the following settings.
      Signing Option
      Select the option that meets your requirements from the drop-down list: sign the SAML response, sign the SAML assertion, or sign both.
      Signing Algorithm
      Select SHA-256 or SHA-1 from the drop-down list. Use SHA-256 unless the service provider cannot validate it; SHA-1 is offered only for compatibility with older service providers.
    11. Optional: Modify the value for Notification Email.
    12. Click Save.
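After step 9 you hold the Azure AD federation metadata file. Before importing it into Verify it is worth confirming that it really is identity provider metadata, that the single sign-on endpoints use HTTPS, and that the signing certificate it carries is the one shown as active in the portal (the portal's Thumbprint is the SHA-1 hash of the DER-encoded certificate). The following Python script is added here as an example; it is not IBM Security Verify or Microsoft code. It parses the file with only the standard library. The embedded metadata document is constructed to mirror the shape of the Azure AD file, with a placeholder tenant ID and placeholder certificate bytes, so the script runs offline; to check a real download, pass its contents to `parse_idp_metadata` instead.

```python
"""Inspect SAML identity provider metadata (Azure AD "Metadata XML") before
importing it into a service provider.

Added example, not IBM Security Verify or Microsoft code. SAMPLE_METADATA,
TENANT and FAKE_CERT_DER are constructed placeholders, not real values.
"""
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET  # prefer defusedxml for files from untrusted sources
from typing import Dict, List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the Azure AD download; placeholder tenant and certificate.
TENANT = "00000000-0000-0000-0000-000000000000"
FAKE_CERT_DER = b"\x30\x82\x00\x10" + bytes(range(16))  # not a real certificate
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> Dict:
    """Extract entityID, SSO endpoints by binding, NameID formats and
    signing-certificate fingerprints from SAML 2.0 IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an EntityDescriptor: %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # An SPSSODescriptor here would mean you downloaded service provider metadata.
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    sso = {svc.get("Binding"): svc.get("Location") for svc in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without 'use' serves both purposes
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except binascii.Error as exc:
                raise ValueError("signing certificate is not valid base64") from exc
            certs.append({
                "sha1": hashlib.sha1(der).hexdigest().upper(),    # the portal's "Thumbprint"
                "sha256": hashlib.sha256(der).hexdigest().upper(),
            })
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": certs,
    }


def check_idp_metadata(meta: Dict, expected_thumbprint: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the metadata looks usable."""
    problems = []
    entity_id = meta["entity_id"] or ""
    if not entity_id.startswith("https://"):
        problems.append("entityID is not https: %r" % entity_id)
    for binding in (REDIRECT, POST):
        location = meta["sso"].get(binding)
        if location is None:
            problems.append("no SingleSignOnService for %s" % binding)
        elif not location.startswith("https://"):
            problems.append("SSO endpoint is not https: %s" % location)
    if not meta["signing_certs"]:
        problems.append("no signing certificate: assertions could not be verified")
    if expected_thumbprint is not None:
        want = expected_thumbprint.replace(" ", "").replace(":", "").upper()
        if want not in {c["sha1"] for c in meta["signing_certs"]}:
            problems.append("no signing certificate matches the portal thumbprint " + want)
    return problems


if __name__ == "__main__":
    result = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", result["entity_id"])
    print("SSO endpoints:", result["sso"])
    print("signing certs:", result["signing_certs"])
    print("problems:", check_idp_metadata(result) or "none")
```

Compare the printed SHA-1 value with the Thumbprint column of the SAML Signing Certificate section; a mismatch means the file was downloaded before the new certificate was made active, and Verify would reject assertions signed with the new key.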