Configuring SSO with Azure
IBM® NS1 Connect® supports SAML 2.0 single sign-on (SSO) with Microsoft Azure Active Directory for logins initiated by either the identity provider (IdP) or the service provider (SP).
Before you begin
You must have the relevant permissions in your organization's Azure Active Directory account to set up the integration with NS1 Connect.
Step 1 - Locate your SSO ID in NS1 Connect
Refer to the instructions in Locating your SSO ID.
Step 2 - Add NS1 Connect to your enterprise applications
- Log in to the Azure portal, and navigate to Enterprise Applications.
- Click New Application.
- In the Enter a Name field, search for NS1.
- Click NS1 SSO For Azure from the search results.
- Optionally, you can rename the application. Review the information, and click Add. This adds NS1 Connect to your list of Azure SSO enterprise applications.
Step 3 - Add your SSO ID to the NS1 Connect application in Azure
- In the Azure portal, navigate to the page. From the sidebar menu, click Properties.
- Under Getting Started, click Set up single sign on.
- Under Select a single sign-on method, select SAML.
- Under Set up Single Sign-on with SAML, click the edit icon (pencil) next to option 1, Basic SAML Configuration.
- Under Identifier (Entity ID), enter the following: https://api.nsone.net/saml/metadata
- Enter the Reply URL using the following format: https://api.nsone.net/saml/sso/<sso_id>
where <sso_id> is the alphanumeric string provided to you by NS1 Connect.
Note: Do not enter a Sign on URL. Leave this field blank.
- Review the information, and click Save.
Keep the browser window open as you will return to it in the next step.
Step 4 - Configure user mappings
An account administrator must configure user mapping based on usernames or email addresses. First, you will need to identify the format of usernames in your account — either a basic text string (for example, jdoe33) or an email address (jdoe33@example.com). This is indicated in the leftmost column in the list of NS1 Connect account users.
- Navigate to NS1 Connect.
- Click the User Settings icon and select User & teams.
- Click the Users tab.
- In the User column, verify the username format.
- Return to the Azure portal. Continuing from Set up Single Sign-on with SAML, click the edit icon next to option 2, User Attributes & Claims.
- Under Unique User Identifier (Name ID):
  - If mapping users based on the email, select Email address as the name identifier, set the source to Attribute, and select user.mail as the source attribute. Click Save to confirm configuration changes.
  - If mapping users based on a basic username, set the source to Transformation. A new Manage Transformation pane appears on the right. Enter the following information:
    Transformation: ExtractMailPrefix()
    Parameter 1: user.userprincipalname
    Ensure the information is accurate, and click Add. Click Save to confirm configuration changes.
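An added example (not from the NS1 Connect or Azure documentation): a pre-flight check that computes the Name ID each assigned Azure user would send under the Step 4 mapping, then flags users with no matching NS1 Connect username and Azure users that resolve to the same Name ID. `extract_mail_prefix` is a local model of ExtractMailPrefix() (the text before the `@`), usernames are compared exactly, and the user records, the NS1 usernames and the `abc123` SSO ID are constructed sample values.

```python
"""Pre-flight check for the Name ID mapping chosen in Step 4 (added example)."""
from collections import defaultdict

REPLY_URL_PREFIX = "https://api.nsone.net/saml/sso/"  # Reply URL format from Step 3


def reply_url(sso_id):
    """Build the Reply URL; the page describes the SSO ID as an alphanumeric string."""
    if not (sso_id.isascii() and sso_id.isalnum()):
        raise ValueError("SSO ID must be an alphanumeric string")
    return REPLY_URL_PREFIX + sso_id


def extract_mail_prefix(value):
    """Local model of ExtractMailPrefix(): text before '@', or the input if no '@'."""
    return value.partition("@")[0]


def name_id(user, mode):
    """Name ID for one user: mode 'email' -> user.mail, 'username' -> UPN prefix."""
    if mode == "email":
        return user.get("mail") or ""
    return extract_mail_prefix(user["userPrincipalName"])


def check_mapping(azure_users, ns1_usernames, mode):
    """Return (unmatched UPNs, {Name ID: UPNs sharing it}) for the assigned users."""
    by_name_id = defaultdict(list)
    for user in azure_users:
        by_name_id[name_id(user, mode)].append(user["userPrincipalName"])
    unmatched = sorted(upn for nid, upns in by_name_id.items()
                       if nid not in ns1_usernames for upn in upns)
    collisions = {nid: sorted(upns) for nid, upns in by_name_id.items() if len(upns) > 1}
    return unmatched, collisions


# Constructed sample data: a second verified domain and a guest (#EXT#) account.
AZURE_USERS = [
    {"userPrincipalName": "jdoe33@example.com", "mail": "jdoe33@example.com"},
    {"userPrincipalName": "jdoe33@corp.example.net", "mail": "john.doe@corp.example.net"},
    {"userPrincipalName": "asmith_partner.example#EXT#@example.onmicrosoft.com", "mail": None},
]
NS1_USERNAMES = {"jdoe33", "asmith"}  # constructed NS1 Connect usernames

if __name__ == "__main__":
    print(reply_url("abc123"))  # "abc123" is a placeholder SSO ID
    unmatched, collisions = check_mapping(AZURE_USERS, NS1_USERNAMES, "username")
    print("no matching NS1 Connect user:", unmatched)
    print("Name ID shared by several Azure users:", collisions)
```

A shared Name ID means two Azure identities would assert the same NS1 Connect user, so resolve every collision before assigning those users in Step 6.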
Step 5 - Send the metadata URL to NS1 Connect
To enable SSO for all NS1 Connect users within your organization, you must provide the metadata URL to IBM support.
- Continuing from the Set up Single Sign-on with SAML page, navigate to option 3: SAML Signing Certificate. Copy the App Federation Metadata Url, and provide it to IBM support.
Step 6 - Adding users to the NS1 Connect application
- Under Manage, click Users and Groups from the sidebar menu.
- Click Add user.
- Back in the Add Assignment screen, you can see the number of users you’ve selected.
- Click Assign.
Users can log in using SSO from the NS1 Connect login page or from within the Azure portal.