
This article is intended for administrators wishing to configure Single Sign-on (SSO) for Edge Control using Microsoft Entra ID as the Identity Provider (IdPs).
Note: All images are clickable for enlarging, or can be opened in a new tab
Resolution/Information
It is important to ensure that the Attributes & Claims with Azure have been configured correctly otherwise the integration will fail.
Table of Contents
- Microsoft Entra Admin Center
- Assign users and groups
- Set up Single sign-on
- Basic SAML Configuration
- Attributes & Claims
- SAML Certificates
- Set up SSO in Edge Control
- Custom Roles
Create the integration with Edge Control
Microsoft Entra Admin Center
In the Microsoft Entra admin center select Enterprise apps and click on the + New application.
In the Browse Microsoft Entra Gallery select 'Create your own application.'
Fill in a unique name, here we're using 'Edge Control' and click Create.
Proceed to configure the application for Single Sign-on (SSO) by filling in the required fields.
1. Assign users and groups
Here the users and groups can be configured, in this example we will use users but the principals remain the same.
+ Add user/group
In this example Groups are not yet configured so Users are used.
Select the Users and click on Select (bottom left).
Then click on Assign (bottom left).
2. Set up Single sign-on
On the left menu click on Single sign-on and choose SAML
Now fill in the following sections using the required values.
Basic SAML Configuration
Click on Edit and fill in the following values, with the same workflow as the below OKTA integration:
Source: https://stormagic.com/doc/edge-control/Organization/saml-okta.htm
| Attribute | Value |
|---|---|
| Identifier (Entity ID) * | urn:amazon:cognito:sp:eu-west-1_o1jpolt0y |
| Reply URL * | https://auth.manage.stormagic.com/saml2/idpresponse |
| Sign on URL (Optional) | https://auth.manage.stormagic.com/saml2/idpresponse |
| Relay State (Optional) | |
| Logout Url (Optional) | https://auth.manage.stormagic.com/saml2/logout |
Then click on Save.
Attributes & Claims
This section needs to be correctly configured otherwise the Single Sign-on (SSO) integration will fail.
The standard config from Entra ID must be altered from the below:
Customized Attributes & Claims that work with Edge Control to the below:
This is done by clicking on Edit.
Change the Required Claim to the correct value and pressing Save.
Then delete all the Additional claims and recreate.
Ensure the names are the same as in the example above:
Customized Attributes & Claims that work with Edge Control
To Configure role mapping (optional) see the section below: Configure Role Mapping How this is setup needs to be determined by the Admin of the AD domain depending on whether using a hybrid model or just Entra ID.
SAML Certificates
Optional:
To allow Single Logout (SLO) request the prod-ec-edgecontrol-users.cer signing certificate, which is attached, at the bottom, to this KB or can be obtained from the StorMagic Support.
Note: Ensure "Verification certifications" is not selected, otherwise an error will be displayed
And upload the prod-ec-edgecontrol-users.cer
Select Allow requests signed with RSA-SHA1 and click on save.
Download the Federation Metadata XML
Configure Single Sign-On (SSO) in Edge Control
Log in with the administrator account
Click on the Profile top Right Corner
Select the Organization Configuration and this is where SSO can be configured.
Enter the domain or domains and click Enter on the Keyboard
Fill in the Default Role when role mapping is not set.
Upload the .XML file downloaded from Entra ID
Either choose Force Single Sign-ON (SSO) or leave unchecked (whilst verifying functionality it is advised to leave unchecked).
Select SAVE CHANGES.
Log out and then test SSO.
By Selecting SINGLE SIGN ON (SSO)
Select the account to be used and either log in or authenticate depending on how this has been set up.
This is using Multifactor Authentication (MFA), as such we need to use the authenticator app.
Agree to the terms.
Read only Dashboard (default is READ only).
Note: This current configuration will only map the user as the default role that has been set up with Edge Control. To map the users to the roles custom attributes have to be created.
Configure Role Mapping
Note: Roles are optional and this has been tested in the below way and how this is setup in the organisation falls out of scope of this document.
In order for the roles to MAP properly the following properties must be used and the name of the "claim" must be roles.
If using a Hybrid Domain Architecture there are two ways of setting this up:
- Modifying schemas and pushing this to Entra ID (note once the schema has been updated this is permanent),
- Using Extensions - this is the method we choose to use for testing.
| Display Name | Value |
| ADMIN | ADMIN |
| MODIFY | MODIFY |
| VIEW | VIEW |
In this example we used Microsoft Graph commands and API application to set up the Entra Extensions required to map the Roles.
## This is an example of how to map the ADMIN role for a user in Edge Control using Microsoft Graph API.
# Obtain access_token for Microsoft Graph API using client credentials flow.
# Replace [tenancy_id_here], [client_id_here], and [client_secret_here] with your actual values.
# This example uses cURL to make the HTTP requests.
# Ensure you have the necessary permissions to create extension properties and update user attributes.
curl --request POST \
--url https://login.microsoftonline.com/[tenancy_id_here]/oauth2/v2.0/token \
--header 'content-type: application/x-www-form-urlencoded' \
--data client_id=[client_id_here]] \
--data scope=https://graph.microsoft.com/.default \
--data 'client_secret=[client_secret_here]' \
--data grant_type=client_credentials
# Create Extension Property for User Role
# Replace [tenanacy_id_here] with your actual tenancy ID and [auth_token_here] with the access token obtained from the previous step.
# The extension property will be used to store the user role for Edge Control.
# Replace [user_id_here] with the actual user ID you want to update.
curl --request POST \
--url https://graph.microsoft.com/v1.0/applications/[tenanacy_id_here]/extensionProperties \
--header 'authorization: Bearer [auth_token_here]' \
--header 'content-type: application/json' \
--data '{
"name": "EdgeControllRole",
"dataType": "String",
"targetObjects": [
"User"
]
}'
# Above will return extension desription for example: "extension_23n44j32h4j23g4jg2jgj4j2h2d4fsa2g4l2y4_EdgeControllRole"
# Setup extension value for user
# Update User Role for Edge Control
# Replace [user_id_here] with the actual user ID and [auth_token_here] with the access token.
curl --request PATCH \
--url https://graph.microsoft.com/v1.0/users/[user_id_here] \
--header 'authorization: Bearer [auth_token_here]' \
--header 'content-type: application/json' \
--data '{
"extension_description": "ADMIN"
}The final step is to then take the description returned when running the above and set up a Custom Claim:
Example: "extension_23n44j32h4j23g4jg2jgj4j2h2d4fsa2g4l2y4_EdgeControllRole"
As below:
| Claim name | Type | Value |
| role | SAML | This will be base on the output (as above). |
As before Edit the Attributes & Claims
+ Add new claim
- Name = roles
- Source = Directory schema extension
- Tick the API access Extension and click on Select.
Then choose the available extension - this should match the value from the command ran above in Microsoft Graph API
Then save the Claim
IMPORTANT: This "extension_description": "ADMIN" maps the user to the ADMIN Role in Edge Control. If the "extension_description": "MODIFY" will map the user to the MODIFY role in Edge Control. The default role is VIEW - note this is a choice and the default role can be ADMIN and role mapping does not have to be used.
See Also
https://stormagic.com/doc/edge-control/Organization/manage-org-saml.htm
https://support.stormagic.com/hc/en-gb/sections/9474717925149-Edge-Control-Supporting-SvSAN-SvHCI
Comments
0 comments
Article is closed for comments.