Introduction

SSO integration is configured in both Azure Active Directory (Azure AD) and OpsRamp, and sets up redirects to the custom URL.

Azure AD uses System for Cross-domain Identity Management (SCIM) and Security Assertion Markup Language (SAML 2.0). SCIM uses REST APIs to communicate between Azure AD and OpsRamp. The SCIM schema is used to handle end-to-end user management such as creating, updating, and deleting user accounts.

Prerequisites

  • Register with OpsRamp to receive OpsRamp login credentials.
  • Your custom URL (such as <yourwebsitename>.opsramp.com).

Azure AD configuration

Azure AD configuration provides the SSO setting details that are required to configure OpsRamp.
To configure SSO integration:

  1. From the Azure AD console, select Azure Active Directory.
  2. From Default Directory, select Enterprise applications > All applications > +New application.
    Create New Application

  3. From Add an application > Non-Gallery Application > Add your own application, provide a name and click Add. For example, OpsRampSSO.
    Non-Gallery Application

  4. From Single sign-on > SAML, provide the following settings in the Set up section:
    • Identifier: Custom branding URL in OpsRamp. (For example, https://<custom brand name>.opsramp.net/saml.do)
    • Reply URL: https://<OpsRamp Custom Brand URL>/samlResponse.do (For example: https://azuread.opsramp.com/samlResponse.do)
    • User Identifier: user.userprincipalname
      OpsRamp Single sign-on SAML

  5. Copy the following information:
    Note: This information is required for OpsRamp configuration.
    • Login URL
    • Azure AD Identifier
    • Logout URL
  6. Click Download in the Certificate (Base64) field.
    Note: The certificate is required for OpsRamp configuration.
  7. From the SAML Signing Certificate screen, right-click the certificate name and select Make Certificate active from the certificate drop-down options.
  8. Provide the following details and Save:
    • Signing Option: Sign SAML Response and assertion
    • Signing Algorithm: SHA-256
  9. (Optional) Enable JIT user provisioning on the User Attributes & Claims tab.
  10. From Provisioning, specify the following:
    • Provisioning Mode: Automatic
    • Admin Credentials: Token URL and Secret Token (These settings are copied from the OpsRamp configuration steps.)
    • Notification Email: Valid email address to receive email notifications.
  11. Click Test Connection to validate the Token settings. After successful validation of Token settings, the Mappings section is automatically populated.
  12. From Provisioning > Settings, specify the following:
    • Provisioning Status: On. This is used to synchronize user data.
    • Scope: Set for synchronizing the user data.
      OpsRamp recommends the Sync only assigned users and groups option.
    • Clear current data and restart synchronization: Select this option. It is helpful when there is a data mismatch or data corruption.
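
A check for the settings from steps 4 and 8, run against a SAML response captured from a test login. This is an added example, not OpsRamp or Microsoft code; the Identifier and Reply URL values and the sample response are constructed, and the check is structural only (it does not verify the signatures).

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Constructed values standing in for the Identifier and Reply URL from step 4.
IDENTIFIER = "https://example.opsramp.com/saml.do"
REPLY_URL = "https://example.opsramp.com/samlResponse.do"

def check_saml_response(xml_text, identifier=IDENTIFIER, reply_url=REPLY_URL):
    """Return findings; an empty list means the structure matches the settings.
    Structural check only: it does not verify the signatures cryptographically."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    findings = []
    # "Sign SAML Response and assertion": each element has its own child Signature.
    for label, node in (("Response", root), ("Assertion", assertion)):
        method = node.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None:
            findings.append(f"{label} is not signed")
        elif method.get("Algorithm") != RSA_SHA256:
            findings.append(f"{label} signature is not RSA-SHA256")
    if root.get("Destination") != reply_url:
        findings.append("Destination does not match the Reply URL")
    audiences = [a.text for a in assertion.iterfind(".//saml:Audience", NS)]
    if identifier not in audiences:
        findings.append("Audience does not contain the Identifier")
    return findings

def sample_response(sign_response=True, alg=RSA_SHA256, destination=REPLY_URL):
    """Build a constructed, skeletal response (no real signature values)."""
    sig = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
           f'<ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo></ds:Signature>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'Destination="{destination}">{sig if sign_response else ""}'
            f'<saml:Assertion>{sig}<saml:Conditions><saml:AudienceRestriction>'
            f'<saml:Audience>{IDENTIFIER}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    print(check_saml_response(sample_response()))
    print(check_saml_response(sample_response(sign_response=False)))
```

A response signed only on the assertion, or signed with an algorithm other than RSA-SHA256, shows up as a finding before the certificate and URLs are entered in OpsRamp.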

OpsRamp configuration

OpsRamp configuration generates the URL and secret token that are required to complete configuration at Azure AD.
To configure SSO integration:

  1. From All Clients, select a client.
  2. Go to Setup > Integrations > Integrations.
  3. From Available Integrations, select SSO > Azure AD and click Install.
  4. Provide the following details in Install Azure_AD configuration and click Install:
    • Issuer URL: Identity provider Issuer URL
    • Redirection URL: SAML EndPoints for HTTP
    • Logout URL: Sign-out URL as required
    • Certificate: x.509 Certificate
      Note: The URL and certificate details are captured from the Azure AD configuration.
      The Configuration page of Azure AD Integration is displayed.
  5. In the User Provision step, select the following details and click Save:
    • Provision Type: SCIM.
    • Default Role: The required user role.
  6. Copy the URL and Token information.
    These details are used when configuring Azure AD Provisioning settings.
  7. Do the following to Map Attributes:
    • Define the OpsRamp Entity.
      Depending on the type of OpsRamp Entity, select USER or USERGROUP.
    • Define OpsRamp Property.
      Depending on the selected type of OpsRamp Entity, select the corresponding OpsRamp Property.
      Important! Define Primary Email, First Name, Last Name, and Role.

Result of integration: User synchronization

To start the user synchronization between Azure AD and OpsRamp, select Current Status > Refresh from the Azure AD Provisioning screen. Refresh executes a REST API call from Azure AD.

  • If the REST-defined user attributes match the OpsRamp user attributes, the user information is updated in OpsRamp.
  • If the REST-defined user attributes do not match the OpsRamp user attributes, they are matched using the attributes defined in the OpsRamp Map Attributes step and then updated.
  • If the REST-defined user attributes do not match the defined Map Attributes, the API response fails, user synchronization fails, and the user is not created in OpsRamp.
    Azure AD displays the progress and the result of the synchronization.
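
A pre-flight check for the synchronization cases above: it resolves a SCIM user resource through an attribute map and reports which of the four properties the Map Attributes step calls out are missing. This is an added example, not OpsRamp code; the mapping paths and the sample user are hypothetical and constructed, using attribute names from the SCIM core user schema (RFC 7643).

```python
import re

# Hypothetical mapping: SCIM attribute path (RFC 7643 names) -> OpsRamp Property.
ATTRIBUTE_MAP = {
    'emails[type eq "work"].value': "Primary Email",
    "name.givenName": "First Name",
    "name.familyName": "Last Name",
    'roles[primary eq "True"].value': "Role",
}
REQUIRED = ("Primary Email", "First Name", "Last Name", "Role")
_FILTER = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')

def resolve(user, path):
    """Resolve 'a.b' or 'a[k eq "v"].b' against a SCIM resource; None if absent."""
    m = _FILTER.match(path)
    if m:
        attr, key, want, sub = m.groups()
        for item in user.get(attr, []):
            if str(item.get(key)) == want:
                return item.get(sub)
        return None
    node = user
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def map_user(user, attribute_map=ATTRIBUTE_MAP):
    """Return (mapped properties, required properties that did not resolve)."""
    mapped = {}
    for path, prop in attribute_map.items():
        value = resolve(user, path)
        if value not in (None, ""):
            mapped[prop] = value
    missing = [p for p in REQUIRED if p not in mapped]
    return mapped, missing

SAMPLE_USER = {  # constructed sample, no roles attribute
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alice@example.com",
    "name": {"givenName": "Alice", "familyName": "Example"},
    "emails": [{"type": "work", "primary": True, "value": "alice@example.com"}],
}

if __name__ == "__main__":
    print(map_user(SAMPLE_USER))
```
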