Configure SSO With Microsoft Entra ID
To configure SSO with SecurityScorecard as the Service Provider (SP) and Microsoft Entra ID as the Identity Provider (IdP), follow these steps:
Create a New Application in Microsoft Entra ID:
- Access the Microsoft Entra admin center.
- Navigate to Enterprise Applications.
- To create a new non-gallery application, click Create your own application in the Microsoft Entra App Gallery.
- Under All Applications you will see the newly created application.
Set Up User Attributes & Claims:
- Map the appropriate user attributes between SecurityScorecard and Microsoft Entra ID.
Open the New Custom Application and Configure Basic SAML Settings:
- Click the hyperlink of the new custom application to open its Overview page, then click Set up single sign-on > SAML.
- In the Basic SAML Configuration section, enter the Entity ID and Assertion Consumer Service (ACS) URL provided by SecurityScorecard:
  Metadata URL: https://platform-api.securityscorecard.io/v1/saml/metadata/service-provider
  Assertion Consumer Service URL (called Single sign on URL in Okta): https://platform-api.securityscorecard.io/v1/saml/responses (HTTP-POST)
  Entity ID (called Audience URI (SP Entity ID) in Okta): https://platform-api.securityscorecard.io/saml2/service-provider
Download and Upload Federation Metadata:
- Once the Basic SAML Configuration is complete, download the Federation Metadata XML file from Microsoft Entra ID.
- Upload this file in SecurityScorecard's SSO settings (Configure > Browse Files) and continue as indicated in the guide.
Or Configure SecurityScorecard's SSO Manually:
- Enter the ACS URL and Entity ID from Microsoft Entra ID in SecurityScorecard's SAML settings. Review SecurityScorecard's own guide for specific instructions.
Test SSO:
- Verify the configuration by testing SSO with a test user.
SCIM configuration
- In your SCIM tool (Microsoft Entra ID), go to Enterprise applications > open the custom application you created > in the app's left sidebar, go to Manage > Provisioning > Get started > Connect your application.
- Enter the SecurityScorecard tenant URL https://platform-api.securityscorecard.io/scim/v2/ and the API token created in the SecurityScorecard platform.
- Test the Settings.
- Once the test is successful, search for "App registrations" either in the left-side panel or in the global search at the top, then select the "Security Scorecard" application from the list:
- Under "Manage", click "App roles" to create the custom roles:
- Create the following roles under App roles using the "+ Create app role" button (Name / Value):
  CUSTOMER_ADMIN / CUSTOMER_ADMIN
  VRM / VRM
  USER / USER
  GUEST / GUEST
- To assign users the correct roles, browse to Enterprise Applications --> select the SSC app --> Users and groups --> check the user(s) you want to assign a role to --> Edit Assignment --> click the link under "Select a Role" --> click Select --> click Assign.
- To create the custom attribute sscRoles, browse to Enterprise Applications --> SecurityScorecard --> Provisioning --> Get Started --> Add Scoping Filters --> Provision Microsoft Entra ID Users --> check "Show advanced options" --> "Edit attribute list for customappsso".
- Create a new attribute named sscRoles and check "required":
- Click on "Save".
- Once saved, in the screen that opens click "Add New Mapping", populate it with the following values and click "OK":
  Mapping Type: Expression
  Expression: SingleAppRoleAssignment([appRoleAssignments])
  Target attribute: sscRoles
- Click "Save" at the top of the next screen.
- You will need to remove all attributes except for the following:
- Note that the SSC side expects to see the first and last name, but on the Azure side the first/last name of users is not compulsory, so you must add the first/last name to users in Azure to ensure the SSC side provisions the user. To update a user, click "All Users" under the Identity menu --> select a user --> Edit Properties --> populate the First/Last Name fields:
- Once done, go back to the Provisioning menu of the app --> Provision on demand --> select the user you want to provision --> click "Provision" at the bottom:
- Once the user has been provisioned, the following message will be displayed:
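Added example (not part of SecurityScorecard's or Microsoft's tooling): a pre-flight check over a SCIM 2.0 User resource that applies the requirements this section states, that first and last name be present and that sscRoles carry exactly one of the four app-role values. It assumes the custom attribute arrives as a top-level "sscRoles" key; the sample payloads are constructed.

```python
import json

# Roles the article has you create under "App roles"; the Value column is what
# SingleAppRoleAssignment([appRoleAssignments]) writes into sscRoles.
ALLOWED_ROLES = {"CUSTOMER_ADMIN", "VRM", "USER", "GUEST"}
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def check_scim_user(payload: dict) -> list:
    """Return a list of problems with a SCIM 2.0 User resource; empty means it passes."""
    problems = []
    if USER_SCHEMA not in payload.get("schemas", []):
        problems.append("missing core User schema URN")
    if not payload.get("userName"):
        problems.append("userName is empty")
    name = payload.get("name") or {}
    # SecurityScorecard expects first and last name even though Entra does not require them.
    for field in ("givenName", "familyName"):
        if not name.get(field):
            problems.append(f"name.{field} is empty")
    # Assumption: the custom attribute is sent as a top-level key named sscRoles.
    role = payload.get("sscRoles")
    if role is None:
        problems.append("sscRoles missing (attribute is marked required)")
    elif isinstance(role, list):
        problems.append("sscRoles has several values; SingleAppRoleAssignment yields exactly one")
    elif role not in ALLOWED_ROLES:
        problems.append(f"sscRoles value {role!r} is not one of {sorted(ALLOWED_ROLES)}")
    return problems


# Constructed sample payloads, not captured from a real tenant.
GOOD_USER = {
    "schemas": [USER_SCHEMA],
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "active": True,
    "sscRoles": "USER",
}
BAD_USER = {
    "schemas": [USER_SCHEMA],
    "userName": "j.roe@example.com",
    "name": {"givenName": "", "familyName": "Roe"},  # first name left blank in Entra
    "active": True,
    "sscRoles": "ADMIN",  # not one of the app roles created above
}

if __name__ == "__main__":
    for label, user in (("good", GOOD_USER), ("bad", BAD_USER)):
        print(label, json.dumps(check_scim_user(user), indent=2))
```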