Configuring Microsoft Entra ID (formerly Azure Active Directory) Single Sign On (SSO)
Observe supports single sign-on with Microsoft Entra ID using the Security Assertion Markup Language (SAML 2.0). Use the following steps to configure SSO for Microsoft Entra ID.
Note
Use of stem names instead of Observe Customer IDs is possible, but you cannot configure Entra to support both at the same time.
Configuring Microsoft Entra ID
1. From the Microsoft Entra ID portal, navigate to the Enterprise applications page and click New Application.
2. Click Create your own application.
3. Select Integrate any other application you don’t find in the gallery, and enter Observe as the Input Name.
4. Click Set up single sign-on, and then click SAML.
5. Click Edit on the Basic SAML Configuration tile, and add the URL:
https://${OBSERVE_CUSTOMER_ID}.observeinc.com/auth/saml2/callback
to the following fields, replacing ${OBSERVE_CUSTOMER_ID} with your Observe tenant ID:
Identifier (Entity ID)
Reply URL (Assertion Consumer Service URL)
Sign on URL (Optional)
Figure 1 - Basic SAML Configuration
Claims Configuration - Default Attributes vs Custom Attributes
Default Attributes
If your users have email addresses assigned in Entra ID, you can use the default User Attributes & Claims.
Note
To check whether email addresses are assigned, click Users in the Entra ID portal and select a name. The Email field appears under the Contact Info section; check whether it contains a value.
Custom Attributes
If the email User property is not populated in Entra ID, the SAML login will fail. You need to either add the email addresses to the user properties, or update the emailaddress claim to use user.userprincipalname (UPN) instead of the default user.mail.
Note
If the UPN login names do not match the user’s email address, add the email address to the user’s Entra ID profile. Please contact your Observe Data Engineer for further assistance.
To update the attribute value for emailaddress, navigate to the Attributes & Claims area of your Observe Enterprise App:
Click the claim name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Change the Source attribute field from user.mail to user.userprincipalname.
Click Save and then exit from the configuration.
Group Membership Attributes
Observe supports sending group membership claims via SAML. In the Attributes & Claims area, select Add a group claim, select Customize the name of the group claim, and in the Name (required) field type groups (note that this is case sensitive).
Note
Observe has tested the All groups and Security groups options with both the Group ID and sAMAccountName settings. In all cases, Entra ID passes the GUID of the group, not the human-readable name.
Figure 2 - Entra ID Group Claim Configuration
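The three claim-related failure modes described above (an Audience that does not match the Entity ID from step 5, an emailaddress claim that is missing or empty because user.mail is blank, and a group claim whose Name is not exactly groups) can be checked offline against a captured assertion. The script below is an added example, not Observe or Microsoft code; the assertions it builds are constructed, unsigned and minimal, and the customer IDs, email address and group GUID in them are placeholders.

```python
"""Sanity-check the attributes in a SAML assertion from Entra ID before
relying on it for an Observe login.  Added example, not Observe's code."""
import re
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUPS_CLAIM = "groups"  # must match exactly; the claim name is case sensitive
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def callback_url(customer_id: str) -> str:
    """The URL used for Identifier (Entity ID), Reply URL and Sign on URL."""
    return f"https://{customer_id}.observeinc.com/auth/saml2/callback"


def attribute_values(root) -> dict:
    """Map each saml:Attribute Name to its list of AttributeValue strings."""
    result = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        result[attr.get("Name")] = values
    return result


def check_assertion(xml_text: str, customer_id: str) -> list:
    """Return a list of problems; an empty list means the assertion looks usable."""
    root = ET.fromstring(xml_text)
    problems = []
    expected = callback_url(customer_id)

    # The Audience must equal the Identifier (Entity ID) configured in Entra ID.
    aud = root.find(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != expected:
        problems.append(f"Audience is not {expected}")

    attrs = attribute_values(root)

    # emailaddress claim: missing or empty when user.mail is blank in Entra ID.
    emails = [e for e in attrs.get(EMAIL_CLAIM, []) if e]
    if not emails:
        problems.append("emailaddress claim missing or empty; populate the user's "
                        "email in Entra ID or map the claim to user.userprincipalname")
    elif "@" not in emails[0]:
        problems.append(f"emailaddress value {emails[0]!r} is not an email address")

    # groups claim: the Name must be exactly 'groups'.
    if GROUPS_CLAIM not in attrs:
        wrong_case = [n for n in attrs if n and n.lower() == GROUPS_CLAIM]
        if wrong_case:
            problems.append(f"group claim is named {wrong_case[0]!r}; "
                            f"Observe expects {GROUPS_CLAIM!r}")
        else:
            problems.append("no groups claim (group membership will not be sent)")
    else:
        # Entra ID sends group object IDs (GUIDs), not display names.
        bad = [g for g in attrs[GROUPS_CLAIM] if not GUID_RE.match(g)]
        if bad:
            problems.append(f"group values are not GUIDs: {bad}")
    return problems


def sample_assertion(customer_id, email, groups_name, groups) -> str:
    """Build a minimal, unsigned, constructed assertion for testing only."""
    attr_xml = ""
    if email is not None:
        attr_xml += (f'<saml:Attribute Name="{EMAIL_CLAIM}">'
                     f"<saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>")
    if groups_name is not None:
        vals = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
        attr_xml += f'<saml:Attribute Name="{groups_name}">{vals}</saml:Attribute>'
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{callback_url(customer_id)}">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{callback_url(customer_id)}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # Placeholder customer ID, email and group GUID (constructed values).
    good = sample_assertion("123456789012", "alice@example.com", "groups",
                            ["6f1c4f5e-0000-4000-8000-000000000001"])
    print("good assertion problems:", check_assertion(good, "123456789012"))
    broken = sample_assertion("123456789012", "", "Groups", ["Engineering"])
    for p in check_assertion(broken, "123456789012"):
        print("-", p)
```

Run it against a real assertion by decoding the SAMLResponse from a browser trace and passing the XML to check_assertion; the script only inspects attributes and does not validate the signature, so it is a configuration aid, not a substitute for the verification Observe performs.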
Additional Configuration Settings
6. You can add the Observe SSO logo on the Properties page by downloading it from here.
7. Download the Base64 version of the SAML Signing Certificate. This is located in the Single sign-on > SAML Certificates section of your Observe Enterprise App.
Figure 3 - Entra ID Certificate Download
8. Copy the Login URL from the Single sign-on page of Entra ID. It has the format https://login.microsoftonline.com/${GUID}/saml2, where ${GUID} is a GUID specific to your Entra ID subscription.
Figure 3 - Entra ID Login URL
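Before pasting the two values from steps 7 and 8 into Observe, it helps to confirm they have the shape this page describes: a Login URL on login.microsoftonline.com whose path is a tenant GUID followed by /saml2, and a Base64 certificate that decodes to one complete DER structure. The script below is an added example, not Observe's tooling; the sample PEM and Base64 strings are constructed placeholders (a DER SEQUENCE holding a single integer, not a real certificate), and treating a usable certificate as one that decodes to a single complete DER SEQUENCE is an assumption of the example.

```python
"""Pre-flight checks for the Login URL and Base64 signing certificate copied
out of Entra ID.  Added example, not Observe's code."""
import base64
import binascii
import re
from urllib.parse import urlparse

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def tenant_guid(url: str):
    """Return the tenant GUID from a Login URL of the documented shape, or None."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname != "login.microsoftonline.com":
        return None
    m = re.fullmatch(r"/([^/]+)/saml2", parts.path)
    if not m or not GUID_RE.match(m.group(1)):
        return None
    return m.group(1).lower()


def clean_base64(text: str) -> str:
    """Remove PEM armor lines and all whitespace, leaving one Base64 string."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def certificate_problem(text: str) -> str:
    """Return '' if the Base64 decodes to one complete DER SEQUENCE, else a reason."""
    body = clean_base64(text)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        return f"not valid Base64: {exc}"
    if len(der) < 2 or der[0] != 0x30:
        return "decoded data does not start with a DER SEQUENCE (0x30)"
    first = der[1]
    if first < 0x80:                      # short-form length (< 128 bytes)
        length, hdr = first, 2
    else:                                 # long-form: 0x8N, then N length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if hdr + length != len(der):
        return f"DER length {length} does not match the {len(der) - hdr} bytes decoded"
    return ""


# Constructed placeholders (not real certificates or a real tenant):
# DER SEQUENCE { INTEGER 1 } in PEM armor, the same structure with a
# long-form length, and a Login URL with a made-up GUID.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_LONG_B64 = base64.b64encode(bytes([0x30, 0x81, 0x80]) + bytes(128)).decode()
SAMPLE_LOGIN_URL = "https://login.microsoftonline.com/12345678-1234-1234-1234-123456789abc/saml2"

if __name__ == "__main__":
    print("tenant:", tenant_guid(SAMPLE_LOGIN_URL))
    print("common endpoint accepted?", tenant_guid("https://login.microsoftonline.com/common/saml2"))
    print("PEM sample:", certificate_problem(SAMPLE_PEM) or "ok")
    print("truncated sample:", certificate_problem("MAMCAQ==") or "ok")
```

A truncated copy-and-paste shows up as a DER length mismatch rather than a Base64 error, which is the case that is easy to miss by eye. clean_base64 strips the PEM armor only for the structural check; paste the certificate into the CERT field in whatever form Observe's settings page expects.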
Configuring Observe
Note
We’re working on some new capabilities for SSO that we’re excited to share with you all. In the meantime, work with your Observe account team to enable and configure your SAML integration, via the steps below.
9. Navigate to https://${OBSERVE_CUSTOMER_ID}.observeinc.com/settings/customer.
Figure 4 - Observe Settings
10. Scroll down to Add SAML, and paste the Login URL that you copied in Step 8 into the ENTRY POINT field of Observe’s SAML configuration.
11. Open the X.509 certificate from Step 7 in a text editor and paste the Base64 certificate into the CERT field.
12. Click Add SAML Provider.