Azure AD uses the System for Cross-domain Identity Management (SCIM) and the Security Assertion Markup Language (SAML 2.0). SCIM uses REST APIs for communication between Azure AD and OpsRamp, and the SCIM schema handles end-to-end user management: creating, updating, and deleting user accounts.

Prerequisites

  • Register with OpsRamp to get OpsRamp login credentials.
  • Your custom URL (such as <yourwebsitename>.opsramp.com).

Azure AD configuration

Azure AD configuration provides the SSO setting details that are required to configure OpsRamp.

  1. Log in to Azure AD.

  2. From the Azure AD console, select Azure Active Directory.

  3. From Default Directory, select Enterprise applications > All applications > +New application.

  4. Click Create your own application > Create your own application, provide a name (for example, OpsRampSSO), select the appropriate option, and click Create.

    Non-Gallery Application

  5. Select Single sign-on > SAML as the method and enter the following settings in the Set up section:

    • Identifier: The custom branding URL in OpsRamp. In each case the URL is formed from the custom branding configured in OpsRamp for the client, or from the standard partner URL, with saml.do appended
      (for example, https://<OpsRamp Custom Brand URL>/saml.do).

    • Reply URL: https://<OpsRamp Custom Brand URL>/samlResponse.do (for example, https://azuread.opsramp.com/samlResponse.do)

    • User Identifier: user.userprincipalname

  6. Copy the following information required for OpsRamp configuration:

    • Login URL
    • Azure AD Identifier
    • Logout URL

  7. Click Download in the Certificate (Base64) field. The certificate is required for the OpsRamp configuration.

  8. On the SAML Signing Certificate screen, if the Status is Inactive, right-click the certificate name and select Make Certificate active from the certificate drop-down.

  9. Enter the following details and click Save:

    • Signing Option: Sign SAML Response and assertion
    • Signing Algorithm: SHA-256

  10. Click Provisioning in the left-hand navigation pane, click Get Started, and specify:

    • Provisioning Mode: Automatic
    Provisioning mode

    The Admin Credentials pane is displayed.

    • Admin Credentials: Enter the Tenant URL and Secret Token (these values are copied from the OpsRamp configuration steps).
    Admin Credentials

    Provisioning screen

    • Click Test Connection to validate the token settings. After the token settings are validated, click Save. The Mappings and Settings panes are populated automatically.

    • Mappings: Mappings define how user data flows between Azure Active Directory and OpsRamp. For more information on how to manage mappings, click here.

    • Settings: Notification Email: a valid email address that receives a notification when a failure occurs. Scope: set the scope of user data to synchronize. OpsRamp recommends selecting Sync only assigned users and groups.

  11. Set the Provisioning Status to On. This starts the synchronization of user data.

  12. Click Save to save the changes.

Users and Groups

The users and groups associated with the Azure AD Enterprise Application are synchronized with OpsRamp by the provisioning schedule.

Define Users and Groups and then add/assign these to the Enterprise Application.

In the example below, two groups have been defined and users assigned:

Groups are defined:

Users are assigned:

Note: The Group name can be used to assign the desired role in OpsRamp based on the Integration mapping.

The groups and users will be created in OpsRamp when provisioning occurs.

Provision a user

User provisioning is the identity management process that ensures user accounts are created, granted the appropriate rights and permissions, modified, and deleted so that users can access an organization's resources and applications.

To provision a user, follow the steps below:

After adding your application, on the Overview screen:

  1. Click Users and groups in the left-hand navigation pane. The Users and groups screen is displayed, showing the existing users and groups, if any.

  2. Click Add user/group. In Add Assignment screen, click None Selected under Users and groups. The Users and groups search window is displayed. Type the user name in the Search box and click Select. Note that only the first 50 search results are shown.

    Once you click Select, the Users and groups under Add Assignment shows the number of users selected.

  3. Click Assign. The user is assigned and displayed in the user/group list.

Provision a group

To provision a user group, follow the steps below:

After adding your application, on the Overview screen:

  1. Click Users and groups in the left-hand navigation pane. The Users and groups screen is displayed, showing the existing users and groups, if any.

  2. Click Add user/group. In Add Assignment screen, click None Selected under Users and groups. The Users and groups search window is displayed. Type the group name in the Search box and click Select. Note that only the first 50 search results are shown.

    Once you click Select, the Users and groups under Add Assignment shows the number of groups selected.

  3. Click Assign. The group is assigned and displayed in the user/group list.

Attribute Mapping

To map attributes for users and groups, click the Provision Azure Active Directory Groups or Provision Azure Active Directory Users link in the Mappings pane. The Attribute Mapping screen is displayed. You can edit, add, or delete an attribute mapping.

Edit:

To edit an attribute:

  1. Click on the attribute. The Edit Attribute popup is displayed. Select the Mapping type, Source attribute, Target attribute and other options as appropriate.

  2. Click Ok. The Attribute Mapping is saved.

Add:

To add an attribute:

  1. Click the Add New Mapping link. Select the options and click Ok. The attribute is saved and added to the list.

Delete:

To delete an attribute, click Delete, then click Save to save the changes. Click Discard to undo the delete operation.

By default, Azure AD includes mappings that OpsRamp does not support; these cause repeated updates in the SCIM synchronization. OpsRamp supports only the following mappings:

Azure Active Directory Attribute                           | customappsso Attribute                     | OpsRamp Attribute
---------------------------------------------------------- | ------------------------------------------ | -----------------
userPrincipalName                                          | userName                                   | Login Name
Switch([IsSoftDeleted], , "False", "True", "True", "False") | active                                     | active
jobTitle                                                   | title                                      | Designation
mail                                                       | emails[type eq "work"].value               | Primary Email
givenName                                                  | name.givenName                             | First Name
surname                                                    | name.familyName                            | Last Name
Join("", [givenName], [surName])                           | name.formatted                             | name.formatted
streetAddress                                              | addresses[type eq "work"].streetAddress    | Address
city                                                       | addresses[type eq "work"].locality         | City
state                                                      | addresses[type eq "work"].region           | State
postalCode                                                 | addresses[type eq "work"].postalCode       | ZipCode
country                                                    | addresses[type eq "work"].country          | Country
mobile                                                     | phoneNumbers[type eq "work"].value         | Mobile Number
telephoneNumber                                            | phoneNumbers[type eq "mobile"].value       | Phone
otherMails                                                 | emails[type eq "home"].value               | Alternate Email
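The mapping table above, applied in code as an added example (this is not OpsRamp's or Microsoft's code): a Python script takes a constructed Azure AD user object, evaluates the Switch and Join expressions from the first column, builds the SCIM 2.0 User resource that the customappsso column describes, and checks that the OpsRamp-required properties from the Map Attributes step (Primary Email, First Name, Last Name) are present before the payload would be sent. The sample user values and the key names of the Azure AD object are assumptions.

```python
"""Added example (not OpsRamp or Microsoft code): apply the Azure AD -> SCIM
mapping table to a constructed Azure AD user and check that the result carries
the OpsRamp-required properties."""
import json

# Constructed sample Azure AD user; attribute names follow the table's first column.
AZURE_USER = {
    "userPrincipalName": "jdoe@example.com",
    "IsSoftDeleted": False,
    "jobTitle": "SRE",
    "mail": "jdoe@example.com",
    "givenName": "Jane",
    "surname": "Doe",
    "streetAddress": "1 Main St",
    "city": "Austin",
    "state": "TX",
    "postalCode": "78701",
    "country": "US",
    "mobile": "+1-555-0100",
    "telephoneNumber": "+1-555-0101",
    "otherMails": ["jane@example.org"],
}


def active_from_soft_deleted(user):
    # Switch([IsSoftDeleted], , "False", "True", "True", "False"):
    # IsSoftDeleted False -> active "True"; IsSoftDeleted True -> active "False".
    return not bool(user.get("IsSoftDeleted"))


def formatted_name(user):
    # Join("", [givenName], [surName]): concatenation with an empty separator.
    return f"{user.get('givenName') or ''}{user.get('surname') or ''}"


def to_scim_user(user):
    """Build the SCIM 2.0 User resource described by the customappsso column."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user["userPrincipalName"],
        "active": active_from_soft_deleted(user),
        "title": user.get("jobTitle"),
        "name": {
            "givenName": user.get("givenName"),
            "familyName": user.get("surname"),
            "formatted": formatted_name(user),
        },
        "emails": [{"type": "work", "value": user.get("mail")}]
        + [{"type": "home", "value": m} for m in user.get("otherMails", [])],
        "addresses": [{
            "type": "work",
            "streetAddress": user.get("streetAddress"),
            "locality": user.get("city"),
            "region": user.get("state"),
            "postalCode": user.get("postalCode"),
            "country": user.get("country"),
        }],
        # The table maps Azure 'mobile' to type "work" and 'telephoneNumber' to
        # type "mobile"; the code reproduces the table exactly as printed.
        "phoneNumbers": [
            {"type": "work", "value": user.get("mobile")},
            {"type": "mobile", "value": user.get("telephoneNumber")},
        ],
    }


# Required OpsRamp properties from the Map Attributes step; Role is mapped
# separately in the OpsRamp configuration and is not part of this payload check.
REQUIRED = {
    "Primary Email": lambda s: next(
        (e["value"] for e in s["emails"] if e["type"] == "work"), None),
    "First Name": lambda s: s["name"]["givenName"],
    "Last Name": lambda s: s["name"]["familyName"],
}


def missing_required(scim):
    """Names of required OpsRamp properties the SCIM payload does not carry."""
    return [name for name, get in REQUIRED.items() if not get(scim)]


if __name__ == "__main__":
    scim = to_scim_user(AZURE_USER)
    print(json.dumps(scim, indent=2))
    print("missing:", missing_required(scim))
```

Running the script prints the SCIM payload and an empty `missing` list for the sample user; clearing `mail` on the input reports `Primary Email` as missing, which is the case the synchronization section describes as a failed user creation.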

OpsRamp configuration

OpsRamp configuration generates the URL and secret token that are required to complete configuration at Azure AD.
To configure SSO integration:

  1. From All Clients, select a client.

  2. Navigate to Setup > Account.

  3. Select the Integrations and Apps tab.

  4. The Installed Integrations page is displayed, listing all the installed applications. Note: If there are no installed applications, you are taken to the Available Integrations and Apps page instead.

  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page displays all the available applications along with the newly created application with the version.

  6. Search for Azure AD using the search option available. Alternatively, use the All Categories option to search.

  7. Click +Add on the Azure AD tile.

    SSO - Azure AD configuration page
  8. Enter the following information in the Configuration page:

    • Metadata XML: Upload the XML file. This file will have all the information related to Issuer URL, Redirection URL, Logout URL, and Certificate. After you upload the Metadata XML file, these fields are automatically populated.
      Alternatively, you can enter the information in the fields manually.
    • Issuer URL: Identity provider Issuer URL
    • Redirection URL: SAML EndPoints for HTTP
    • Logout URL: URL for logging out
    • Certificate: x.509 Certificate

  9. Provision Username as: There are two ways to provision a user. Select the appropriate option:

    • Identity Provider's Name Identifier: selected by default. The user created in the SSO portal is reflected in OpsRamp.

    • Identity Provider's Name Identifier with OpsRamp tenant-unique prefix: This option allows you to:

      • Create usernames with a unique 3-digit alphanumeric prefix that is generated automatically by the system.
      • Install the same identity provider across multiple OpsRamp tenants.
        Note: Once you enable this option and install the integration, you cannot revert the change.
        Example: There are three partners, P1, P2, and P3. Each partner's usernames are created with a unique 3-digit alphanumeric prefix, such as g0z.username1 for partner P1, p0w.username1 for partner P2, and t9q.username1 for partner P3.

  10. Click Next.

  11. In the Inbound page, under User Provision, select the following details and click Update User Provision:

    • Provision Type: SCIM. Select the SCIM provision type so that users and groups are synchronized when provisioning occurs. If you select the JIT provision type, the user is instead created just-in-time during login.
    • Default Role: The required user role.

  12. Copy the URL and Token information. These details are used when configuring Azure AD Provisioning settings.

    On clicking Update User Provision, the User Provision section will show the unique tenant prefix.

  13. Define the following Map Attributes:

    Note: The OpsRamp properties Primary Email, First Name, Last Name, and Role are required.

    1. Click +Add in the Map Attributes section.
    2. In the Add Map Attributes window, enter the following information:

    User:

    1. Select OpsRamp Entity as User and OpsRamp Property as Role.
       Role mapping is required for User and User Group.
    2. Azure AD Entity: Enter the value.
    3. Azure AD Property: Enter the value.
       Similarly, do the mapping for Primary Email, First Name, and Last Name.
       Under Property Values:
    4. Azure AD Property Value: Enter the value that comes from the Azure AD side (from the payload).
    5. Select the appropriate role corresponding to the Azure AD Property Value.
    6. Click Save. The mapping is saved and displayed.
       To add more property values, click +Property Value.
       Use the Filter option to filter the map attributes.

    Similarly, map attributes for other entities.

    User Group:

    1. Select OpsRamp Entity as User Group and OpsRamp Property as Role.
    2. Azure AD Entity: Enter the value.
    3. Azure AD Property: Enter the value.
       Similarly, do the mapping for Primary Email, First Name, and Last Name.
       Under Property Values:
    4. Azure AD Property Value: Enter the value that comes from the Azure AD side (from the payload).
    5. Select the appropriate role corresponding to the Azure AD Property Value.
    6. Click Save. The mapping is saved and displayed.
       To add more property values, click +Property Value.
    7. Click Add Map Attributes.

    • Click the three dots (menu icon) available at the end of each row to edit or delete a map attribute.

If the Role is not configured in the Map Attributes section, the Default Role provided in the User Provision section is used for SSO.

  14. Click Finish. The integration is installed.
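The role-mapping rule just described (a Map Attributes entry of OpsRamp Entity User and OpsRamp Property Role, with the Default Role as the fallback) as an added Python example; this is not OpsRamp's code and the group names, role names, and the choice of group display name as the Azure AD property are all assumptions. It dry-runs a batch of constructed payload excerpts and, because SCIM provisioning assigns a single role per user (see Limitations), reports any user whose property values resolve to more than one role instead of silently picking one.

```python
"""Added example (not OpsRamp code): resolve the OpsRamp role for a provisioned
user from Map Attributes entries (Azure AD Property Value -> OpsRamp role), with
the Default Role from the User Provision section as the fallback."""


class AmbiguousRole(ValueError):
    """More than one OpsRamp role matched; SCIM provisioning assigns a single role."""


# Constructed Map Attributes: OpsRamp Entity = User, OpsRamp Property = Role.
# The Azure AD property is assumed to be the group display name carried in the
# payload; the role names are placeholders, not OpsRamp's real role names.
ROLE_MAP = {
    "OpsRamp-Admins": "Administrator",
    "OpsRamp-Operators": "Operator",
    "OpsRamp-NOC": "Operator",      # two property values may map to the same role
}
DEFAULT_ROLE = "ReadOnly"           # assumed Default Role from User Provision


def resolve_role(payload_values, role_map=ROLE_MAP, default_role=DEFAULT_ROLE):
    """Return the single OpsRamp role for the property values in one payload."""
    roles = sorted({role_map[v] for v in payload_values if v in role_map})
    if not roles:
        return default_role          # no mapped value: Default Role applies
    if len(roles) > 1:
        raise AmbiguousRole(f"values {sorted(payload_values)} map to {roles}")
    return roles[0]


def audit_roles(users, role_map=ROLE_MAP, default_role=DEFAULT_ROLE):
    """Dry-run a batch. Returns ({userName: role}, [(userName, reason), ...])
    so that ambiguous mappings are fixed before provisioning is switched on."""
    resolved, problems = {}, []
    for u in users:
        try:
            resolved[u["userName"]] = resolve_role(u.get("groups", []),
                                                   role_map, default_role)
        except AmbiguousRole as exc:
            problems.append((u["userName"], str(exc)))
    return resolved, problems


# Constructed payload excerpts: userName plus the group names Azure AD sends.
SAMPLE_USERS = [
    {"userName": "admin@example.com", "groups": ["OpsRamp-Admins"]},
    {"userName": "noc@example.com", "groups": ["OpsRamp-NOC", "OpsRamp-Operators"]},
    {"userName": "viewer@example.com", "groups": ["Finance"]},
    {"userName": "both@example.com", "groups": ["OpsRamp-Admins", "OpsRamp-NOC"]},
]

if __name__ == "__main__":
    resolved, problems = audit_roles(SAMPLE_USERS)
    for name, role in resolved.items():
        print(f"{name}: {role}")
    for name, reason in problems:
        print(f"{name}: NEEDS ATTENTION ({reason})")
```

In the sample batch, `noc@example.com` resolves cleanly because both of its groups map to the same role, `viewer@example.com` falls back to the Default Role, and `both@example.com` is reported for review.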

Synchronize with Azure AD

To synchronize with Azure AD, select Current Status > Refresh on the Azure AD Provisioning screen. Refresh executes a REST API call from Azure AD.

  • If the REST-defined user attributes match the OpsRamp user attributes, the user information is updated in OpsRamp.
  • If the REST-defined user attributes do not match the OpsRamp user attributes, they are matched against the attributes defined in the OpsRamp Map Attributes step and then updated.
  • If the REST-defined user attributes do not match the defined Map Attributes, the API response fails, user synchronization fails, and the user is not created in OpsRamp. Azure AD displays the synchronization progress and its result.

Users/Groups updated in OpsRamp after successful synchronization:

Limitations

  • Azure AD supports changing the login name; however, OpsRamp does not support changing the login name once a user is provisioned. Updating a login name in Azure AD prevents that user from logging in to OpsRamp.
  • OpsRamp does not support multiple role assignments for a user for SCIM provisioning. However, multiple roles are supported per JIT provisioning in Azure AD integration.
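A check for the first limitation, added here as an example that is not OpsRamp's or Microsoft's code: given a snapshot of the login names OpsRamp was provisioned with and the current Azure AD user list, it reports every provisioned user whose userPrincipalName has since changed, so the affected accounts can be handled before those users find they cannot log in. The snapshot format, the use of the Azure AD object id as the stable key, and all sample values are assumptions; the page does not state whether a case-only change counts, so the comparison's case sensitivity is a parameter.

```python
"""Added example (not OpsRamp or Microsoft code): find provisioned users whose
Azure AD login name changed, since OpsRamp does not accept login name changes
for provisioned users and such users can no longer log in."""

# Constructed snapshot of the userName OpsRamp was provisioned with, keyed by
# the Azure AD object id (assumed here to be the stable key).
PROVISIONED = {
    "11111111-aaaa": "jdoe@example.com",
    "22222222-bbbb": "asmith@example.com",
    "33333333-cccc": "old.name@example.com",
}

# Constructed current Azure AD users, as they would be exported today.
AZURE_NOW = [
    {"id": "11111111-aaaa", "userPrincipalName": "jdoe@example.com"},
    {"id": "22222222-bbbb", "userPrincipalName": "ASmith@example.com"},   # case only
    {"id": "33333333-cccc", "userPrincipalName": "new.name@example.com"}, # renamed
    {"id": "44444444-dddd", "userPrincipalName": "newhire@example.com"},  # not provisioned yet
]


def login_name_drift(provisioned, azure_users, case_sensitive=True):
    """Return [(object id, provisioned userName, current UPN)] for provisioned
    users whose login name differs from the one OpsRamp holds. Users that were
    never provisioned are skipped; they are not affected by the limitation."""
    norm = (lambda s: s) if case_sensitive else str.casefold
    drift = []
    for u in azure_users:
        old = provisioned.get(u["id"])
        if old is None:
            continue
        if norm(old) != norm(u["userPrincipalName"]):
            drift.append((u["id"], old, u["userPrincipalName"]))
    return drift


def drift_report(provisioned, azure_users, case_sensitive=True):
    """Human-readable lines, one per affected user, for a ticket or audit log."""
    return [f"{oid}: provisioned as {old!r}, Azure AD now has {new!r}"
            for oid, old, new in login_name_drift(provisioned, azure_users,
                                                  case_sensitive)]


if __name__ == "__main__":
    for line in drift_report(PROVISIONED, AZURE_NOW):
        print(line)
```

With the strict default, the sample data flags both the renamed user and the case-only change; passing `case_sensitive=False` flags only the rename.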