Appendix

Appendix I - MS Entra configuration

Steps to follow within Apptio Domain Management:

  1. Navigate to Domain Management, ensure your authentication domain is selected at the top, and select Export SAML Metadata.

Steps to follow within Microsoft Entra Portal:

  1. Go to the Azure portal and select Enterprise Applications.
  2. Select New Application, then Create your own application.
  3. Enter a name for your app, which is displayed to end users, for example "Apptio".
  4. Choose Integrate any other application you don't find in the gallery (Non-gallery) from What are you looking to do with your application? Do not use a gallery application.
  5. After the application is successfully added, you will be redirected to its Overview page.
  6. Assign the required users and/or groups that should have access to this application. If you prefer that all users can access the application, navigate to Properties in the left-hand panel and toggle Assignment Required to No, then Save.
    • Note that authorization is not automatically granted to users unless auto-provision for users is enabled from Apptio Domain Management or the users are actively assigned a role within Apptio Access Administration.
  7. Navigate to Single sign-on from the left-hand pane.
  8. Select SAML from single sign-on method.
  9. Select Upload metadata file and upload the SAML metadata file downloaded from Frontdoor Domain Management (step 1).
  10. The Basic SAML Configuration module is displayed after the SAML file is uploaded successfully. Select Save.
  11. After the initial single sign-on configuration is saved successfully, select Edit next to the Attributes & Claims section.
  12. Select Add new claim from the Attributes & Claims page.
    • Enter displayname as name.
    • Select user.displayname as source attribute and then Save. This new claim will be the user's full name.
  13. After saving, return to the SAML-based Sign-on page for this enterprise application.
  14. From the SAML Certificates section, download the Federation Metadata XML file and save a copy of this file to upload later to Apptio Domain Management.

    Return to Apptio Domain Management to complete Configuring SSO Connections.

  15. If your SAML attribute name follows a URL format, such as http://schemas.microsoft.com/identity/claims/displayname, specify the value after the final /, which is 'displayname' in this example.

Note:

Here, Domain Management maps the incoming IdP attribute name http://schemas.microsoft.com/ws/2008/06/identity/claims/role to groupids, as shown in the table below (groupIds is also acceptable).

| Equivalent attribute name to input in Domain Management connection | Microsoft Entra SAML assertion attribute name |
|---|---|
| displayname | http://schemas.microsoft.com/identity/claims/displayname |
| emailaddress | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
| groupIds | http://schemas.microsoft.com/ws/2008/06/identity/claims/role |
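
To confirm that an assertion issued by Entra carries the attributes listed above, the following added example (not Apptio or Microsoft code) parses a constructed SAML AttributeStatement, derives the name to enter in the Domain Management connection for each claim, and reports expected attributes that are missing or empty. The function names, the sample assertion and its values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# From the table on this page: the role claim is entered as groupIds.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
EXPECTED = ("displayname", "emailaddress", "groupIds")

# Constructed sample: a trimmed AttributeStatement with made-up values.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Example User</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>finance-readers</saml:AttributeValue>
      <saml:AttributeValue>finance-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def connection_name(claim_name):
    """Name to enter in the Domain Management connection for one claim."""
    if claim_name == ROLE_CLAIM:
        return "groupIds"
    # URL-format names: keep only the part after the final "/".
    return claim_name.rstrip("/").rsplit("/", 1)[-1]

def map_assertion(xml_text):
    """Return {connection name: [values]} for every attribute in the assertion."""
    root = ET.fromstring(xml_text)
    mapped = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        mapped.setdefault(connection_name(attr.get("Name", "")), []).extend(values)
    return mapped

def missing_attributes(mapped, expected=EXPECTED):
    """Expected attributes that are absent or carry no non-empty value."""
    return [n for n in expected if not any(v.strip() for v in mapped.get(n, []))]

if __name__ == "__main__":
    result = map_assertion(SAMPLE_ASSERTION)
    print(result)
    print("missing:", missing_attributes(result) or "none")
```

This only inspects attribute names and values in a captured assertion for troubleshooting; it does not validate the assertion's signature.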