Example: SAML Based Authentication with Microsoft Entra ID
  • 04 Dec 2023


The following example describes how to enable SAML-based authentication in Axonius with Microsoft Entra ID (formerly Azure AD).

Note:
Before starting the configuration, decide on the IDP value (the Unique name of IDP) you want to use. You will need to append it to the URLs in Entra ID.

Do the following in Axonius:

  1. Download the metadata file provided by Axonius at: https://<axonius_hostname>/api/login/saml/metadata/
    Remember where you save this file; you will need it later.

Do the following in Microsoft Entra ID:

  1. Log in to the Entra ID portal, go to Azure Active Directory, and click Enterprise Applications.

  2. Click All applications.

  3. On the top toolbar, click New application to create an application for Axonius.

The Cloud application gallery is displayed.

  1. Click Create your own application.

  2. Enter a name for your application, select the option Integrate with any other application you don't find in the gallery (Non-gallery), and click Create.

  3. After your application is created, go to Users and groups to configure the access policy.

  4. Click Add user.

  5. Search for and select the users and groups who will be authorized to use Axonius. Each user or group selected appears in the Selected list to the right. After you finish, click Select at the bottom of the pane and then Assign.

  6. Under Manage, click Single sign-on and then SAML.

  7. Click Upload metadata file and then the folder icon to the right. Select the metadata file you downloaded from Axonius in the first step above and click Add.

The URLs are populated into the Identifier, Reply URL, and Logout URL fields.

  1. Optionally, show the advanced URL settings and set the Sign on URL if you want to configure identity-provider-initiated SSO. If you enable this, the Axonius app is listed in the applications portal for all authorized users.
    The Sign on URL is always: https://<axonius_hostname>/api/login/saml

  1. In Attributes and Claims, verify that givenname, surname, and name are listed. If not, click Edit to add them so that Axonius can obtain the ID, given name, and surname of each user who signs in.

  2. Click Save.

  3. Copy the App Federation Metadata Url in SAML Signing Certificate.

    Note:

    If you need the PEM-encoded signing certificate:
    1. In Entra ID, go to SAML Certificates and click Edit.
    2. From the three-dot menu, select PEM certificate download.

Do the following in Axonius:
See SAML-Based Login Settings for a description of these fields.

  1. Log in to Axonius as an administrator, then go to Settings -> Access Management -> LDAP & SAML, and toggle on Allow SAML-based logins.
  2. Enter Entra ID in Name of the identity provider.
  3. In Unique name of IDP, enter a unique name for this SAML configuration. See Unique Name of IDP below.
  4. Paste the metadata URL into Metadata URL.
  5. Under User Assignment Settings:
    • In Default role for new SAML user only, select a default role. This role is assigned when no assignment rule matches.
    • In Default Data Scope for new SAML user only, select the Data Scope to assign to new users. This Data Scope is assigned when no assignment rule matches.
    • In Evaluate user assignment on, select to which users the role assignment setting will apply.
      • New users - The selected role is assigned to new users logging in with SAML for the first time.
      • New and existing users - The selected role is assigned to all users when they log in with SAML.
  6. Click Save.

Do the following in Microsoft Entra ID:

  1. In Entra ID, under Manage, click Single sign-on.
  2. In Basic SAML Configuration, click Edit.
  3. In Identifier (Entity ID), append ?idp=XX to the end of the URL, where XX is the IDP value.
  4. In Reply URL, insert the IDP value into the URL just before acs. For example, configurl/XX/acs.
  5. Click Save.

The user should now be able to log in to Axonius with AzureAD.

Verify the configuration works both ways - Axonius to AzureAD and AzureAD to Axonius

  1. Log in to Axonius using AzureAD and log out just to confirm it works.
  2. In AzureAD, under Manage, click Properties.
  3. Copy the User access URL and paste it into a new browser tab to confirm it takes you to Axonius.

Unique Name of IDP

When configuring a SAML connection within Axonius you may be asked to provide a "Unique name of IDP" value. This is an arbitrary value used to keep each IDP distinct in environments that use more than one SAML configuration. If a "Unique name of IDP" value is provided, it must also be appended, with a leading ?idp=, to the URL in the Azure SSO application configuration under the "Identifier (Entity ID)" field.
In the example screenshots, an IDP value of "12345678" has been configured.
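The two URL edits above (append ?idp=XX to the Identifier, insert XX just before acs in the Reply URL) are easy to get subtly wrong by hand. The following script is an added example, not Axonius or Microsoft code: it reads the Axonius SP metadata, derives the exact values to enter in Entra ID for a given IDP value, and checks a configured pair against them. The host name and the full paths in the embedded metadata are constructed for the example; only the /acs suffix and the ?idp= convention come from the article.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of the SP metadata Axonius serves; host and paths are assumptions.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://axonius.example.internal/api/login/saml/metadata/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://axonius.example.internal/api/login/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return (entityID, ACS Location) from SP metadata; the ACS is Entra's Reply URL."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    if acs is None:
        raise ValueError("metadata has no AssertionConsumerService")
    return root.attrib["entityID"], acs.attrib["Location"]


def entra_values(entity_id, acs_url, idp):
    """Derive the Identifier and Reply URL to enter in Entra ID for one IDP value."""
    # Restrict the IDP value to characters that cannot change the URL's structure (assumption).
    if not re.fullmatch(r"[A-Za-z0-9_-]+", idp):
        raise ValueError("IDP value must be URL-safe: letters, digits, '-' or '_'")
    if "?" in entity_id or not acs_url.endswith("/acs"):
        raise ValueError("unexpected SP metadata URL shape")
    return {
        "identifier": f"{entity_id}?idp={idp}",            # append ?idp=XX
        "reply_url": f"{acs_url[:-len('acs')]}{idp}/acs",  # insert XX just before acs
    }


def check_entra_config(configured, entity_id, acs_url, idp):
    """Compare the values configured in Entra ID with the derived ones; return problems."""
    expected = entra_values(entity_id, acs_url, idp)
    problems = [f"{k}: expected {v!r}, found {configured.get(k)!r}"
                for k, v in expected.items() if configured.get(k) != v]
    # Signed assertions are POSTed to the Reply URL, so it must be an HTTPS URL.
    if not str(configured.get("reply_url", "")).startswith("https://"):
        problems.append("reply_url must use https")
    return problems
```

Run check_entra_config with the Identifier and Reply URL copied from Basic SAML Configuration; an empty list means both URLs carry the IDP value in the right place.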
