The following document details the process to implement Single Sign-on within SafeConsole using Azure AD. In this document, we utilize the User’s “Department” field to correspond to the SafeConsole Role to which the user will be assigned. Your Azure AD setup could differ from this configuration.


This document also details the process to add groups of users if this is your preferred method to configure Single Sign-On to SafeConsole. This process begins at step

For more information about Active Directory User Objects and how to modify them see the link below:  

https://www.windows-active-directory.com/active-directory-user-objects-management.html


NOTE 1: Ensure that 'Custom Roles' are enabled within the SafeConsole 'Admin' section



NOTE 2: You can review the Knowledge Base (KB) Article using the link below to set up your Azure AD security groups for SafeConsole roles (ADMINISTRATOR, MANAGER, and SUPPORT). 


https://support.datalocker.com/support/solutions/articles/4000126687-sso-integration-with-safeconsole-5-3-


Configuring Azure AD

Creating a new application


1. Log in to the Azure AD portal and navigate to Enterprise Applications within Azure Active Directory.



2. Click on New Application.



3. Click on Create your own application.



4. Enter the name of your Application and click on Create.



Adding Users to the Application


5. Once the Application has been created, select Users & Groups from the left-hand side panel and click on Add User.



6. Click on the Users (None Selected) window to open the Users you can select. Add the Users you wish to access SafeConsole and click on Select.




7. Click on Assign.



8. The Users will appear.




Configuring Single Sign-on

9. Select Set-up single sign-on.




10. Select SAML.



11. In Step 1 of the SAML-based Sign-on, select Edit.



12. Enter the following information as detailed in the screenshot below:



13. In step 2 of the Claim-based Sign-on, select Edit.

14. Enter the name memberOf.

15. Enter the Source Attribute from the dropdown menu (in this case we will use user: Department but this may differ in your Azure AD environment).


NOTE: It is important that your ‘memberOf’ claim will correspond with a role that matches your SafeConsole Roles (ADMINISTRATOR, MANAGER, and SUPPORT are the default SafeConsole roles).


16. Click on Save.




17. Return to the SAML configuration Application.

18. In step 3 of the Claim-based Sign-on, download the Federation Metadata XML.



Configuring the SSO connector in SafeConsole


19. Log in to SafeConsole, navigate to the Single Sign-on section under Server Settings in the left-hand side panel, and enable Single Sign-on.



20. Select SAML2 as the SSO Provider.

21. Click the 'Upload a SAML Metadata file to import the settings automatically' button and browse to the Metadata file downloaded in step 17.

22. Important: Change the Entity ID to what you set in Step 11.



23. Test the SSO connection in Step 5 of the SAML-based Sign-on.




Configuring Azure Single Sign-On using Groups 


24. Access Microsoft Entra ID (formerly Azure Active Directory) and create a new group or groups.



25. Create your new group with the following and then click 'Create' (Note: You can specify any preferred Group Name)



26. Return to 'Enterprise Applications' and open the Application created in Steps 2, 3 and 4.



27. When the application 'Properties' screen appears, select Assign Users and Groups.



28. Click on 'Add User/Group'



29. Add the 'Assignment' by clicking on Users and Groups => None Selected, select the group or groups you created in Microsoft Entra ID, and click on 'Select'.



30. Once the new screen appears, click on 'Assign'



31. Next, return to the 'SAML-based Sign on with SAML' section and click on 'Edit' in the Attributes and Claims section



32. Click on 'Add a Group Claim'



33. Apply the following Settings to the Group Claim and click on 'Save'



34. Confirm that the claim name memberOf is now listed and the value equals 'users.groups'.



Adding Users to Groups


35. Return to the 'All Applications' page, click on the Application you created, and click on 'Assign Users and Groups'.



36. Open the Group by clicking on the Display Name



37. To add Users to the Group or Groups, click on 'View group members'.



38. Add the Users to the appropriate Group or Groups and click on 'Select'



39. Once completed, the Group Properties screen reappears. 



Configuring the SafeConsole Interface


40. Copy the Object ID of the Group in Azure; it will be used to name the 'Custom Role' described below.



41. A 'Custom Role' must be first created in SafeConsole that matches the Object ID of the Group


To enable 'Custom Roles' in SafeConsole, the Account Owner is required to log in to SafeConsole and navigate to the Admin section of SafeConsole. Enable 'Custom Roles' by placing a check mark in the appropriate box as per the following screenshot.



42. A new button will appear in the Admin section named 'Roles'



43. Click on the 'Roles' button and then click on 'Add New'



44. Set the permissions you want to apply to the Group and paste the Object ID from step 40 in the Role Name and click 'Save'
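As an added example (not SafeConsole's or Azure's code) of how the memberOf claim configured in steps 14-15 and 32-34 ends up selecting a role once the Custom Role in step 44 is named after the group Object ID: the snippet below parses a constructed SAML assertion, reads every memberOf value, and keeps only those that exactly match a default role or a Custom Role name. The exact-match rule, the claim name "memberOf" and all Object IDs are assumptions of this example, not values from the page.

```python
# Added example, not SafeConsole or Azure code. Assumes the SAML attribute is
# named exactly "memberOf" (steps 14-15 / 32-34) and that its value is either a
# Department string matching a default role or a group Object ID used verbatim
# as a Custom Role name (step 44). All Object IDs below are constructed.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_ROLES = ("ADMINISTRATOR", "MANAGER", "SUPPORT")
# Custom Roles created in SafeConsole, named with a group Object ID (step 44).
# Constructed placeholder value, not a real tenant's group.
CUSTOM_ROLES = ("00000000-1111-2222-3333-444444444444",)

# Constructed assertion fragment: the claim as it looks when sourced from
# user.groups and the user belongs to two groups, only one of them mapped.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>00000000-1111-2222-3333-444444444444</saml:AttributeValue>
      <saml:AttributeValue>99999999-8888-7777-6666-555555555555</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>ADMINISTRATOR</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def member_of_values(assertion_xml):
    """Return every value of the 'memberOf' attribute, in assertion order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != "memberOf":
            continue  # other attributes never drive the role, whatever they contain
        for val in attr.iterfind("saml:AttributeValue", SAML_NS):
            if val.text and val.text.strip():
                values.append(val.text.strip())
    return values


def resolve_roles(assertion_xml):
    """Roles the claim grants: exact, case-sensitive matches only (assumed)."""
    # A value matching neither a default role nor a Custom Role name is
    # ignored, so a group the administrator never mapped grants nothing.
    known = set(DEFAULT_ROLES) | set(CUSTOM_ROLES)
    return [v for v in member_of_values(assertion_xml) if v in known]
```

Running resolve_roles on SAMPLE_ASSERTION returns only the mapped Object ID; the second group and the department attribute with value ADMINISTRATOR grant nothing because they are not memberOf values that match a configured role name.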


45. Return to Azure and access Single Sign-On for your Application and download the 'Federation Metadata XML' file



46. Log in to SafeConsole as the 'Account Owner', enable Single Sign-On in the 'Server Settings', and upload the Federation Metadata XML file.



47. Ensure that the Entity ID matches the ID you set in Step 11.


48. Return to Single Sign-On, click on 'Edit' in the 'Basic SAML Configuration', copy the Logout URL and paste it into the SLO Endpoint in the Single Sign-On settings (see screenshot in Step 46).



49. Click on 'Save' to complete the process. A user that is a member of the configured Group can now use SSO to log in to SafeConsole. You can also test your SSO connection as performed in Step 23.


If you encounter problems, please contact Datalocker Support at support.datalocker.com.