
Azure Active Directory

Describes how to set up and configure an SSO integration for Azure Active Directory (AD).


Introduction

SSO integration is configured with both Azure AD and OpsRamp. The configuration sets up redirects to the custom URL.

Azure AD uses the System for Cross-domain Identity Management (SCIM) and Security Assertion Markup Language (SAML 2.0). SCIM uses REST APIs to communicate between Azure AD and OpsRamp. The SCIM schema is used to handle end-to-end user management such as creating, updating, and deleting user accounts.

Prerequisite

  • Register with OpsRamp to receive OpsRamp login credentials.
  • Your custom URL (such as <yourwebsitename>.opsramp.com).

Azure AD configuration

To configure SSO integration:

  1. From the Azure AD console, select Azure Active Directory.
  2. From Default Directory, select Enterprise applications > All applications > +New application.
    Create New Application

  3. From Add an application > Non-Gallery Application > Add your own application, provide a name (for example, OpsRampSSO) and click Add.
    Non-Gallery Application

  4. From Single sign-on > SAML, provide the following settings in the Set up section:
    • Identifier: the OpsRamp custom branding URL (for example, https://<custom brand name>.opsramp.net/saml.do)
    • Reply URL: https://<OpsRamp Custom Brand URL>/samlResponse.do (for example, https://azuread.opsramp.com/samlResponse.do)
    • User Identifier: user.userprincipalname
      OpsRamp Single sign-on SAML

  5. Copy the following information (required for the OpsRamp configuration):
    • Login URL
    • Azure AD Identifier
    • Logout URL
  6. Click Download in the Certificate (Base64) field (required for the OpsRamp configuration).
  7. From the SAML Signing Certificate screen, right-click on the certificate name and select Make Certificate active from the certificate drop-down options.
  8. Provide the following settings and Save:
    • Signing Option: Sign SAML Response and assertion
    • Signing Algorithm: SHA-256
  9. (Optional) Enable JIT user provisioning on the User Attributes & Claims tab.
  10. From Provisioning, specify the following:
    • Provisioning: Automatic
    • Admin Credentials: Token URL and Secret Token (These settings are copied from the OpsRamp configuration steps.)
    • Notification Email: Valid email address for receiving email notifications.
  11. Click Test Connection to validate the Token settings. After successful validation of Token settings, the Mappings section is automatically populated.
  12. From Provisioning > Settings, specify the following:
    • Provisioning Status: On. This enables synchronization of user data.
    • Scope: the set of users to synchronize. Sync only assigned users and groups is recommended.
    • Clear current data and restart synchronization: check this box. This option is helpful when the synchronized data is mismatched or corrupted.

OpsRamp configuration

To configure SSO integration:

  1. From All Clients, select a client.
  2. Go to Setup > Integrations > Integrations.
  3. From Available Integrations, select SSO > Azure AD and click Install.
  4. Provide the following settings, using the values copied from the Azure AD configuration:
    • Issuer URL: Identity provider Issuer URL
    • Redirection URL: SAML EndPoints for HTTP
    • Logout URL: Sign-out URL as required
    • Certificate: x.509 Certificate
  5. Click Install.
  6. In the User Provision step, provide the following settings and click Save:
    • Provision Type: SCIM.
    • Default Role: the required user role.
  7. Copy the URL and Token information. These settings are used when configuring Azure AD Provisioning settings.
  8. In the Map Attributes step:
    • Define the OpsRamp Entity. Depending on the type of OpsRamp Entity, select USER or USERGROUP.
    • Define OpsRamp Property. Depending on the selected type of OpsRamp Entity, select the corresponding OpsRamp Property.

User synchronization

To start the user synchronization between Azure AD and OpsRamp:

  • From the Azure AD Provisioning screen, select Current Status > Refresh. Refresh makes Azure AD issue a REST API call to OpsRamp.
    • If the REST-defined user attributes match the OpsRamp user attributes, the user information is updated in OpsRamp.
    • If the REST-defined user attributes do not match the OpsRamp user attributes directly, they are matched through the attributes defined in the OpsRamp Map Attributes step and then updated.
    • If the REST-defined user attributes do not match the defined Map Attributes, the API response fails, user synchronization fails, and the user is not created in OpsRamp.
  • Azure AD displays the progress and the result of the synchronization.
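The SCIM attribute matching described in this section and in the Introduction, modelled as an added Python example (this is illustrative code, not OpsRamp or Azure AD code): a constructed SCIM 2.0 User payload is resolved against a Map Attributes table, and the sync is rejected when any mapped attribute is missing. The OpsRamp property names in the table are assumptions.

```python
import re
# Constructed sample: a SCIM 2.0 User as Azure AD provisioning would POST it (values made up).
SAMPLE_SCIM_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "work", "value": "jane.doe@example.com", "primary": True}],
}

# Constructed table in the shape of the Map Attributes step:
# (OpsRamp Entity, SCIM attribute path, OpsRamp Property); the property names are assumed.
USER_MAPPINGS = [
    ("USER", "userName", "loginName"),
    ("USER", "name.givenName", "firstName"),
    ("USER", "name.familyName", "lastName"),
    ("USER", 'emails[type eq "work"].value', "email"),
]

_FILTER = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]$')  # e.g. emails[type eq "work"]

def resolve_scim_path(obj, path):
    """Walk a SCIM path such as name.givenName or emails[type eq "work"].value; None if absent."""
    for segment in path.split("."):
        if not isinstance(obj, dict):
            return None
        m = _FILTER.match(segment)
        if m:  # multi-valued attribute: pick the sub-object matching the filter
            attr, key, wanted = m.groups()
            obj = next((i for i in obj.get(attr, []) if isinstance(i, dict) and i.get(key) == wanted), None)
        else:
            obj = obj.get(segment)
    return obj

def map_scim_user(payload, mappings, entity="USER"):
    """Apply the Map Attributes table to one SCIM payload. Every mapped attribute must be
    present; otherwise the sync is rejected and no user is created, as described above."""
    if "urn:ietf:params:scim:schemas:core:2.0:User" not in payload.get("schemas", []):
        raise ValueError("not a SCIM core User payload")
    mapped, missing = {}, []
    for ent, scim_path, prop in mappings:
        if ent != entity:
            continue
        value = resolve_scim_path(payload, scim_path)
        if value is None:
            missing.append(scim_path)
        else:
            mapped[prop] = value
    if missing:
        raise ValueError(f"sync rejected, unmapped attributes: {missing}")
    return mapped
```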