
Entra ID

Follow the steps documented below to integrate your Rafay Org with Microsoft Entra ID (formerly Azure AD) for Single Sign On (SSO) of users to the Rafay Platform.

Important

Only users with "Organization Admin" privileges can configure IdP Integrations


Step 1: Create IdP

  1. Log in to the Web Console as an Organization Admin.
  2. Click on System and Identity Providers.
  3. Click on New Identity Provider.
  4. Provide a name and select "Custom" from the IdP Type drop-down.
  5. Enter the "Domain" for which you would like to enable SSO.

Important

Within an org, the domain of an IdP cannot be used for another IdP. A domain that already exists in one org can be used in multiple orgs (for one IdP in each org).

  1. Enter an email for the Admin Email.
  2. Optionally, toggle Encrypted SAML Assertion if you wish to send/receive encrypted SAML assertions.
  3. Provide a name for the Group Attribute Name; for this exercise we are using "RafayRoles" and will use this value later.
  4. Optionally, toggle Include Authentication Context if you wish to send/receive auth context information in assertion.
  5. Click on Update & Continue.

Create IdP

Important

Encrypting SAML assertions is optional because privacy is already provided at the transport layer using HTTPS. Encrypted assertions provide an additional layer of security on top, ensuring that only the SP (Org) can decrypt the SAML assertion.


Step 2: View SP Details

The IdP configuration wizard will display critical information that you need to copy/paste into your Entra ID Enterprise Application. Provide the following information to your Entra ID administrator.

  • Assertion Consumer Service (ACS) URL
  • SP Entity ID
  • Name ID Format

View SP Details


Step 3: Create the Rafay Application in Entra

  1. Log in to your Entra admin center as an Administrator.
  2. Browse to Identity > Applications > Enterprise applications and then select New application.
  3. Select Create your own application.

Create App Integration


  1. Select Non-gallery application and select Create to create a new application.

Create App Integration


Step 4: Configure SAML

In the application configuration page

  1. Go to Single sign-on and select SAML.

Configure SAML


  1. Click Edit for Basic SAML Configuration.

Configure SAML


  1. Copy/Paste the Entity ID from Step 2 into the Identifier.
  2. Copy/Paste the ACS URL from Step 2 into the Reply URL.
  3. Click Save to save the configuration.

Configure SAML


  6. Click Edit User Attributes & Claims.

Configure SAML


  1. Click on Add new claim.
  2. Enter the Group Attribute Name we entered in Step 1 as the Name.
  3. Select "user.assignedroles" for the Source attribute.
  4. Click on Save to save the settings.

Configure SAML


Step 5: Assign Users an App Role

The controller will manage permissions for a given role or group name. The "Group" configuration step is critical because it ensures that Entra ID sends the groups or roles the user belongs to as part of the SSO process. The controller uses the group information to transparently map users to the correct group/role.

If you are utilizing App Roles and a roles claim, follow Step 5.1.

Otherwise, follow Step 5.2 to use a group claim as the Group Attribute sent to the controller.


Step 5.1: Configure an App Role

Create App Role

  1. Log in to your Entra admin center as an Administrator.
  2. Browse to Identity > Applications > App registrations and then select All applications.
  3. Select the Rafay application.
  4. Select App roles and then + Create app role.
  5. Enter a Display name such as "rafay-org-admins".
  6. Select "Users/Groups" as the Allowed member types.
  7. Set the Value to "rafay-org-admins".
  8. Enter a Description.
  9. Enable the app role.
  10. Select Apply.

Configure App Role

Assign the Application an Owner

  1. In your app registration, under Manage, select Owners, and Add owners.
  2. In the new window, find and select the owner(s) that you want to assign to the application. Selected owners appear in the right panel. Once done, confirm with Select and the app owner(s) appear in the owner's list.

Assign App Role to the Application

  1. Browse to Identity > Applications > App registrations and then select All applications.
  2. Select All applications to view a list of all your applications. If your application doesn't appear in the list, use the filters at the top of the All applications list to restrict the list, or scroll down the list to locate your application.
  3. Select the application to which you want to assign an app role.
  4. Select API permissions > Add a permission.
  5. Select the My APIs tab, and then select the "Rafay" app.
  6. Under Permission, select the roles you want to assign.
  7. Select the Add permissions button to complete adding the roles.

App Role Permission

Grant admin consent

  1. In the app registration's API permissions pane, select Grant admin consent for Rafay.
  2. Select Yes when prompted to grant consent for the requested permissions.

The Status column should reflect that consent has been Granted for Rafay.

Assign User to App Role

  1. Browse to Identity > Applications > Enterprise applications.
  2. Select All applications to view a list of all your applications. If your application doesn't appear in the list, use the filters at the top of the All applications list to restrict the list, or scroll down the list to locate your application.
  3. Select the application in which you want to assign users or security group to roles.
  4. Under Manage, select Users and groups.
  5. Select Add user to open the Add Assignment pane.
  6. Select the Users and groups selector from the Add Assignment pane. A list of users and security groups is displayed. You can search for a certain user or group and select multiple users and groups that appear in the list. Select the Select button to proceed.
  7. Select Select a role in the Add assignment pane. All the roles that you defined for the application are displayed.
  8. Choose a role and select the Select button.
  9. Select the Assign button to finish the assignment of users and groups to the app.
  10. Browse to the Applications page for the User we just added.

Confirm that the users and groups you added appear in the Users and groups list.

App User Role


Step 5.2: Configure Group Claim for Users and Groups Synced from Active Directory

Assign Active Directory Users and Groups to the App:

  1. Go to Enterprise applications > Rafay > Users and groups and select Add user/group.

Assign Groups

  1. Select the Users and/or Groups synced from Active Directory to allow access to the Web Console.

Assign Groups

  1. Assign the User Role for the selected groups.

Assign Groups


Add Group Claims Using Active Directory Group Names:

  1. Go to Enterprise applications > Rafay > Single sign-on.
  2. Click Edit for User Attributes & Claims.
  3. Select Add a group claim.
  4. Select "sAMAccountName" as the Source attribute so that the Active Directory group names of the user's memberships are sent in the group claim.
  5. Set the Name to the same group attribute name that was configured in Step 1.
  6. Save the settings.

Configure SAML


Groups Configuration In Web Console

Groups with the same names as the Active Directory group names need to be created in your Org. Ensure that these groups are mapped to the appropriate Projects with the correct privileges. In the example below, the Group "OrgAdmin" is configured as an "Organization Admin" with access to all Projects.

Assign Groups

It is important to emphasize that because of SSO via Entra ID, user lifecycle management can be completely offloaded to the IdP. In the example below, note that there are no users managed in the "OrgAdmin" group because they are all managed in the attached Entra tenant.

Users in Group
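To make concrete what Step 5 and the Groups Configuration section require of the group claim, here is an added example; it is not Rafay's code and not an Entra ID artefact. It takes a constructed SAML assertion carrying the "RafayRoles" attribute from Step 1, pulls the attribute values out by the configured name, and looks them up against the org's groups. The assertion contents, the `ORG_GROUPS` mapping and the exact, case-sensitive name comparison are assumptions for illustration; signature validation, which a real SP performs before trusting any attribute, is deliberately left out.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (illustrative only, not a real Entra ID response).
# The Attribute Name equals the Group Attribute Name chosen in Step 1.
SAMPLE_ASSERTION = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="RafayRoles">
      <saml2:AttributeValue>OrgAdmin</saml2:AttributeValue>
      <saml2:AttributeValue>DevTeam</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Groups that exist in the org (see "Groups Configuration In Web Console").
# Constructed mapping from group name to the org-level role it carries.
ORG_GROUPS = {"OrgAdmin": "Organization Admin"}


def extract_groups(assertion_xml: str, group_attribute_name: str) -> list[str]:
    """Return every value of the attribute whose Name equals the configured name.

    The comparison is exact: a claim named "groups" is ignored when the org
    expects "RafayRoles", which is why the claim Name in Entra must match the
    Group Attribute Name entered in Step 1.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") != group_attribute_name:
            continue
        for val in attr.iterfind("saml2:AttributeValue", NS):
            if val.text and val.text.strip():
                values.append(val.text.strip())
    return values


def resolve_roles(claimed_groups, org_groups=ORG_GROUPS):
    """Map claimed group names to org roles; unknown names are reported, never granted."""
    matched = {g: org_groups[g] for g in claimed_groups if g in org_groups}
    unknown = [g for g in claimed_groups if g not in org_groups]
    return matched, unknown


def login_decision(assertion_xml: str, group_attribute_name: str) -> dict:
    """Fail closed: a user with no matching group receives no role at all."""
    matched, unknown = resolve_roles(extract_groups(assertion_xml, group_attribute_name))
    return {
        "roles": sorted(set(matched.values())),
        "unmatched_groups": unknown,
        "allowed": bool(matched),
    }


if __name__ == "__main__":
    print(login_decision(SAMPLE_ASSERTION, "RafayRoles"))
    # A mismatched claim name yields no groups, so the user is not admitted
    print(login_decision(SAMPLE_ASSERTION, "groups"))
```

Running the block shows the two failure modes the guide warns about: a claim whose Name differs from the Step 1 value produces an empty group list and no access, and a claimed group that has no identically named group in the org ("DevTeam" here) is surfaced as unmatched rather than silently mapped.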


Step 6: Specify IdP Metadata

  1. In the Entra Admin Center browse to the Enterprise applications > Rafay > Single sign-on configuration page.
  2. Copy the "App Federation Metadata Url" URL from the App > SAML Certificates section.

IdP Metadata

  1. Navigate back to the Web Console's IdP configuration wizard.
  2. Paste the App Federation Metadata Url from Entra to the Identity Provider Metadata URL.
  3. Complete IdP Registration.

Create App Integration
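The federation metadata URL pasted in Step 6 is what the SP uses to learn the IdP's entityID, sign-in endpoints and signing certificate. As an added example (not Rafay's code and not produced by Entra), the block below parses a constructed metadata document, extracts those three items, and runs the sanity checks worth doing before completing the registration. The tenant id, endpoints and certificate text are placeholders; `fetch_metadata` is a hypothetical helper that refuses non-https URLs and is not exercised offline.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of the shape of an IdP federation metadata document.
# Tenant id, endpoints and certificate are placeholders, not real values.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIB-PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fetch_metadata(url: str, timeout: float = 10.0) -> str:
    """Hypothetical helper: download the metadata document over https only,
    so the signing certificate cannot be swapped on the wire."""
    if urllib.parse.urlparse(url).scheme != "https":
        raise ValueError("metadata URL must use https")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what an SP needs from IdP metadata: entityID, SSO endpoints, signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.iterfind("md:SingleSignOnService", NS)}

    signing_certs = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if cert.text and cert.text.strip():
                signing_certs.append(cert.text.strip())

    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": signing_certs}


def check_idp_metadata(info: dict) -> list[str]:
    """Sanity checks to run before pasting the metadata URL into the IdP wizard."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["signing_certs"]:
        problems.append("no signing certificate: the SP could not verify assertions")
    if HTTP_POST not in info["sso"] and HTTP_REDIRECT not in info["sso"]:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    for binding, location in info["sso"].items():
        if not location or urllib.parse.urlparse(location).scheme != "https":
            problems.append("SSO endpoint for %s is not https: %r" % (binding, location))
    return problems


if __name__ == "__main__":
    # Offline run against the constructed sample; use fetch_metadata(url) for a live tenant
    info = parse_idp_metadata(SAMPLE_METADATA)
    print(info["entity_id"], sorted(info["sso"]), len(info["signing_certs"]))
    print("problems:", check_idp_metadata(info))
```

Because the SP trusts whatever signing certificate the metadata carries, the check for a present signing key and https-only endpoints matters more than the parsing itself: metadata with no usable signing certificate would leave the controller unable to verify the assertions it receives.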

  • Once this process is complete, you can view details about the IdP configuration on the Identity Provider page.
  • You can also edit and update the configuration if required.

Completed IdP