Configure SSO with Azure

20 May 2024

This topic provides step-by-step instructions on creating an Azure Active Directory application.

Perform the following steps to create an Azure AD application for SSO:

  1. Log in to Azure portal.

  2. Under Azure services, click Azure Active Directory. If Azure Active Directory is not listed, click More Services and select Azure Active Directory.

  3. On the left, click Enterprise applications.

  4. Under All applications, click New Application.

  5. On the Browse Azure AD Gallery page, click Create your own application.

  6. In the What’s the name of your app? field, enter a display name for your application.

  7. Select Integrate any other application you don’t find in the gallery (Non-gallery) and click Create.

  8. On the <app> Overview page, under General Settings, on the Set up single sign on tile, click Get Started.

  9. Under Select a single sign-on method, click the SAML tile.

  10. Under Set up Single Sign-On with SAML, do the following:

    1. In the Basic SAML Configuration section, click the edit icon and do the following:

      1. Under Identifier (Entity ID), click Add identifier.

        For example,

        https://helios.cohesity.com/v2/mcm/idp/authenticate

      2. Under Reply URL (Assertion Consumer Service URL), click Add reply URL.

        For example,

        https://helios.cohesity.com/v2/mcm/idp/authenticate

      3. Click Save.

        If you have multiple Cohesity clusters and you want to use this Azure AD application for all of them, you can use the additional cluster FQDNs to enter multiple Identifiers and Reply URLs in this step.

    2. In the Attributes & Claims section, click the edit icon and do the following:

      1. Click Add new claim.

        The Manage claim page is displayed.

      2. Name: Enter a name for the attribute.

      3. Source: Select Attribute.

      4. Namespace: Optional. Enter a namespace URI.

      5. Source attribute: From the drop-down, select the source attribute.

      6. Click Save.

    3. If you plan to use group-based RBAC, you need to pass the “Groups” SAML attribute to Cohesity. Perform the following steps:

      1. Under User Attributes & Claims, click Add a group claim.

      2. For Which groups associated with the user should be returned in the claim?, select Groups assigned to the application.

        Groups must be directly assigned to the application. Azure does not include groups that are only subgroups of a group assigned to the application in the groups claim.

      3. From the Source attribute drop-down, select the source attribute.

      4. Under Advanced options:

        1. Select the Customize the name of the group claim check box.

        2. Name: Enter groups as the name.

        3. Namespace: Enter the namespace URI. This is optional.

        4. Click Save.

        To use source attributes like sAMAccountName to pass the user group name in the “Groups” SAML attribute, make sure that Azure AD groups are synchronized from an on-premises Active Directory using Azure AD Connect Sync 1.2.70.0 or above. For more information, see Azure AD Connect: Upgrade from a previous version to the latest.

        If you don’t have an on-prem Active Directory synced with Azure AD, in the Source attribute drop-down, select Group ID.

    4. Depending on the value of the Source attribute you selected, you need to create the corresponding users and groups. For example, if you use:

      1. sAMAccountName, you need to create SSO groups with the SSO Group value set to the AD group’s name.

      2. Group ID, you need to create SSO groups using Azure AD’s Group ID. To obtain the Azure AD’s Group ID:

        1. Click the application name.

        2. Under Manage, click Users and groups.

        3. Click Add user/group to assign a user or a group who should be able to access Cohesity DataProtect as a Service using this Azure AD application.

        4. From the list of users, click a user.

          Nested groups are not supported and will not be passed in the Groups SAML attribute.

Retrieve the SSO URL, Provider Issuer ID, and Certificate

You need to retrieve information from Azure AD (the IdP) to configure SSO on Cohesity DataProtect as a Service.

Perform the following steps to retrieve the SSO URL, Entity ID, and certificate from the Azure AD application:

  1. Log in to Azure portal.

  2. Under Azure services, click Azure Active Directory. If Azure Active Directory is not listed, click More Services and select Azure Active Directory.

  3. On the left, click Enterprise applications.

  4. Click the application name and under Manage, click Single sign-on.

  5. Under Set up Single Sign-On with SAML, in the SAML Signing Certificate section, click the edit icon.

  6. On the SAML Signing Certificate pane, click the ellipsis (...) icon and select PEM certificate download.

    Cohesity SSO accepts only certificates in *.pem format.

  7. Under Manage, click Single sign-on.

  8. Under Set up Single Sign-On with SAML, in the Set up <application name> section, do the following:

    1. Copy the Login URL and save it for later use. You will use this URL to enter the Cohesity Single-Sign-On URL when you Configure SSO to Cohesity.

    2. Copy the Azure AD Identifier URL and save it for later use. You will use this URL to enter the Cohesity Provider Issuer ID when you Configure SSO to Cohesity.

You need to add the SSO provider in Cohesity DataProtect as a Service. For more information, see Configure SSO.
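The values configured above (the Identifier/Entity ID and Reply URL from step 10, the groups claim, and the Azure AD Identifier copied from the Set up <application name> section) all reappear in the SAML Response that Azure AD posts to the Reply URL, and the service provider checks each of them before trusting the login. The following script is an added illustration of those checks, not Cohesity’s or Microsoft’s code: it parses a constructed sample response (placeholder tenant and group IDs) and compares the Destination, Issuer, Audience and validity window against the configured values, then extracts the groups claim for RBAC mapping. It deliberately stops short of XML-Signature verification, which the Python standard library does not provide; a real service provider must verify the signature with the downloaded PEM certificate before any of these fields are trusted.

```python
"""Check a SAML Response against the values configured in the Azure AD application.

Added example, not Cohesity's or Microsoft's code. The sample response below is
constructed; the tenant ID and group IDs in it are placeholders.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Identifier (Entity ID) and Reply URL entered in the Basic SAML Configuration,
# and the Azure AD Identifier copied from the "Set up <application name>" section.
ENTITY_ID = "https://helios.cohesity.com/v2/mcm/idp/authenticate"
REPLY_URL = "https://helios.cohesity.com/v2/mcm/idp/authenticate"
AZURE_AD_IDENTIFIER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant

# Constructed sample response: one assertion with a "groups" claim carrying two Group IDs.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-20T10:00:00Z"
    Destination="https://helios.cohesity.com/v2/mcm/idp/authenticate">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-20T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-20T09:55:00Z" NotOnOrAfter="2024-05-20T11:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://helios.cohesity.com/v2/mcm/idp/authenticate</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
        <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    """Parse a SAML UTC timestamp such as 2024-05-20T10:00:00Z (fractional seconds allowed)."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def validate_response(xml_text, now_utc, expected_issuer=AZURE_AD_IDENTIFIER,
                      expected_audience=ENTITY_ID, expected_destination=REPLY_URL,
                      group_claim_name="groups"):
    """Return {"ok", "problems", "name_id", "groups"} for one SAML Response.

    Signature verification with the downloaded PEM certificate is NOT performed here
    and must happen before any of these fields are trusted.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != expected_destination:
        problems.append("Destination does not match the Reply URL")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "problems": ["no Assertion element"], "name_id": None, "groups": []}

    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != expected_issuer:
        problems.append("Issuer does not match the Azure AD Identifier")

    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != expected_audience:
        problems.append("Audience does not match the Identifier (Entity ID)")

    now = _parse_time(now_utc)
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("no Conditions element")
    else:
        if conditions.get("NotBefore") and now < _parse_time(conditions.get("NotBefore")):
            problems.append("assertion not yet valid")
        if conditions.get("NotOnOrAfter") and now >= _parse_time(conditions.get("NotOnOrAfter")):
            problems.append("assertion expired")

    name_id = assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)

    # The groups claim: accept the bare name or a namespace-prefixed URI ending in it.
    groups = []
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name", "").rsplit("/", 1)[-1] == group_claim_name:
            groups = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]

    return {"ok": not problems, "problems": problems, "name_id": name_id, "groups": groups}


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, "2024-05-20T10:00:00Z"))
```

The group values returned are the Azure AD Group IDs because the sample uses Group ID as the source attribute; with sAMAccountName as the source attribute the same claim carries the on-premises group names instead, which is why the SSO groups created on the Cohesity side must use the value that matches the chosen source attribute. A mismatch on any of Destination, Issuer or Audience is the usual symptom of an Identifier, Reply URL or Provider Issuer ID that was copied incorrectly between the two portals.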