
Privacera Documentation

Set up portal SSO for Privacera Platform with AAD using SAML

Privacera supports SAML, allowing you to authenticate users using single-sign on (SSO).

Using the Azure Active Directory (AAD) SAML Toolkit, you can set up single sign-on (SSO) in Privacera Manager for Active Directory users. After setting up SSO, an SSO sign-in button displays on the Privacera portal login page.

Prerequisites

To configure SSO with Azure Active Directory, you must first configure and enable SSL for the Privacera Portal: the Reply URL that Azure AD posts the SAML response to must be an https URL. See Enable CA Signed Certificates or Enable self-signed certificates on Privacera Platform.

Configure SAML in Azure AD

To configure SAML in the Azure AD application:

  1. Log in to Azure portal.

  2. On the left navigation pane, select the Azure Active Directory service.

  3. Navigate to Enterprise Applications and then select All Applications.

  4. To add a new application, select New application.

    Note

    If you have an existing Azure AD SAML Toolkit application, select it, and then go to step 8 to continue with the rest of the configuration.

  5. In the Add from the gallery section, type Azure AD SAML Toolkit in the search box.

  6. Select Azure AD SAML Toolkit from the results panel and then add the app.

  7. On the Azure AD SAML Toolkit application integration page, in the Manage section, select Single sign-on.

  8. On the Select a single sign-on method page, select SAML.

  9. Click the pen icon for Basic SAML Configuration to edit the settings.

  10. On the Basic SAML Configuration page, enter the values for the following fields, and then click Save. The Entity ID can be any name, but it must be unique within your Azure AD tenant, and you must use the same value for SAML_ENTITY_ID when you configure Privacera Manager.

    • Entity ID = privacera-portal

    • Reply URL = https://${APP_HOSTNAME}:6868/saml/SSO

    • Sign-on URL = https://${APP_HOSTNAME}:6868/login.html

  11. In the SAML Signing Certificate section, find Federation Metadata XML and select Download. Save the file on the instance where Privacera is installed.

  12. On the Set up Azure AD SAML Toolkit section, copy the Azure AD Identifier URL.

  13. In the Manage section, select Users and groups.

  14. In the Users and groups dialog, select the users or groups who should be allowed to log in with SSO, then click Select. While user assignment is required for the application, only the users and groups assigned here can sign in through it.

Set up portal SSO using SAML

  1. SSH to the instance where Privacera is installed.

  2. Run the following command:

    cd ~/privacera/privacera-manager/
    cp config/sample-vars/vars.portal.saml.aad.yml config/custom-vars/
  3. Edit the vars.portal.saml.aad.yml file.

    vi config/custom-vars/vars.portal.saml.aad.yml
  4. Set SAML_ENTITY_ID to the Entity ID you configured in Azure AD (step 10 of Configure SAML in Azure AD). For property details and descriptions, see SAML SSO configuration properties.

    SAML_ENTITY_ID: "privacera-portal"
    SAML_BASE_URL: "https://{{app_hostname}}:6868"
    PORTAL_UI_SSO_ENABLE: "true"
    PORTAL_UI_SSO_URL: "saml/login"
    PORTAL_UI_SSO_BUTTON_LABEL: "Azure AD Login"
    AAD_SSO_ENABLE: "true"
  5. Rename the downloaded Federation Metadata XML file to privacera-portal-aad-saml.xml and copy it to the ~/privacera/privacera-manager/ansible/privacera-docker/roles/templates/custom folder. This file carries the Azure AD signing certificate that the portal uses to verify SAML assertions, so use only the metadata downloaded from your own tenant's application.

  6. Run the following command:

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
  7. If you are configuring SSL in an Azure Kubernetes environment, also restart the portal:

    ./privacera-manager.sh restart portal

Go to the login page of the Privacera Portal. You will see the Azure AD Login button.

SAML SSO configuration properties

  • AAD_SSO_ENABLE
    Description: Enables Azure AD SSO for the portal. Enabled by default.
    Example: true

  • SAML_ENTITY_ID
    Description: The Entity ID you assigned in the Basic SAML Configuration of the Azure AD application (see Configure SAML in Azure AD). The two values must match exactly; otherwise Azure AD rejects the authentication request.
    Example: privacera-portal

  • SAML_BASE_URL
    Description: Base URL (scheme, hostname and port) of the Privacera Portal. It must agree with the Reply URL and Sign-on URL registered in Azure AD.
    Example: https://{{app_hostname}}:6868

  • PORTAL_UI_SSO_BUTTON_LABEL
    Description: Text shown on the SSO button of the portal login page.
    Example: Azure AD Login

  • PORTAL_UI_SSO_URL
    Description: Path the SSO button links to.
    Example: saml/login

  • SAML_GLOBAL_LOGOUT
    Description: Enabled by default. With global logout enabled, logging out of the portal also ends the session at the Identity Provider (IdP), so every application session in the browser that relies on that IdP session is terminated.

  • META_DATA_XML
    Description: The Federation Metadata XML you downloaded from the Azure AD application (see Configure SAML in Azure AD), copied into the templates folder as privacera-portal-aad-saml.xml.

Configure SAML assertion attributes

By default, the following assertion attributes are configured with predefined values:

  • Email

  • Username

  • Firstname

  • Lastname

To customize the values for the assertion attributes, follow these steps:

  1. Run the following commands.

    cd ~/privacera/privacera-manager/
    cp config/sample-vars/vars.portal.yml config/custom-vars/
    vi config/custom-vars/vars.portal.yml
  2. Add the following properties and assign your values. For more information on custom properties and their values, see Custom Privacera Platform portal properties.

    SAML_EMAIL_ATTRIBUTE: ""
    SAML_USERNAME_ATTRIBUTE: ""
    SAML_LASTNAME_ATTRIBUTE: ""
    SAML_FIRSTNAME_ATTRIBUTE: ""
  3. Run the update so that Privacera Manager applies the new properties:

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
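Each of the four portal fields is read from the SAML attribute whose Name equals the configured value, so the values above must match the claim names Azure AD actually emits, character for character. The Python below is an added example (not Privacera's code) of that mapping written to fail closed: an empty setting falls back to Azure AD's default claim URI (an assumption of this example, since the page does not list the portal's own predefined values), a missing attribute is reported together with the names the IdP did send, and a multi-valued attribute such as the groups claim is rejected rather than silently truncated to its first value. The assertion is constructed sample data with the signature and conditions omitted; in a real flow this mapping runs only after the SAML stack has verified the signature.

```python
"""Resolve the portal's Email/Username/Firstname/Lastname from a SAML
assertion using the attribute names configured in vars.portal.yml."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names Azure AD emits by default for these four attributes (assumption:
# they were not renamed under Attributes & Claims in the Azure AD application).
AZURE_AD_DEFAULT_CLAIMS = {
    "SAML_EMAIL_ATTRIBUTE": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "SAML_USERNAME_ATTRIBUTE": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "SAML_FIRSTNAME_ATTRIBUTE": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "SAML_LASTNAME_ATTRIBUTE": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}
# vars.portal.yml key -> portal user field
PORTAL_FIELDS = {
    "SAML_EMAIL_ATTRIBUTE": "email",
    "SAML_USERNAME_ATTRIBUTE": "username",
    "SAML_FIRSTNAME_ATTRIBUTE": "firstname",
    "SAML_LASTNAME_ATTRIBUTE": "lastname",
}

# Constructed sample assertion (signature and conditions omitted).  The groups
# claim is multi-valued, as Azure AD sends it.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</Issuer>
  <Subject><NameID>jdoe@example.com</NameID></Subject>
  <AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <AttributeValue>jdoe@example.com</AttributeValue></Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <AttributeValue>jdoe@example.com</AttributeValue></Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <AttributeValue>Jane</AttributeValue></Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <AttributeValue>Doe</AttributeValue></Attribute>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <AttributeValue>11111111-1111-1111-1111-111111111111</AttributeValue>
      <AttributeValue>22222222-2222-2222-2222-222222222222</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""


def saml_attributes(assertion_xml):
    """Return {Attribute Name: [values]} from the AttributeStatement.  Call this
    only on an assertion whose signature has already been verified."""
    root = ET.fromstring(assertion_xml)
    return {
        a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", SAML_NS)]
        for a in root.findall("./saml:AttributeStatement/saml:Attribute", SAML_NS)
    }


def mapping_problems(assertion_xml, config):
    """Explain why the configured attribute names would not yield a usable
    portal user.  Each entry names the config key and what went wrong."""
    attrs = saml_attributes(assertion_xml)
    problems = []
    for key in PORTAL_FIELDS:
        name = config.get(key) or AZURE_AD_DEFAULT_CLAIMS[key]  # "" means default here
        values = attrs.get(name)
        if values is None:
            problems.append(f"{key}={name!r} not in assertion; IdP sent {sorted(attrs)}")
        elif len(values) != 1 or not values[0]:
            problems.append(f"{key}={name!r} must carry exactly one non-empty value, got {values}")
    return problems


def map_portal_user(assertion_xml, config):
    """Fail closed: return the four portal fields, or raise ValueError."""
    problems = mapping_problems(assertion_xml, config)
    if problems:
        raise ValueError("; ".join(problems))
    attrs = saml_attributes(assertion_xml)
    return {PORTAL_FIELDS[k]: attrs[config.get(k) or AZURE_AD_DEFAULT_CLAIMS[k]][0]
            for k in PORTAL_FIELDS}
```

When a login fails after changing these properties, the list returned by mapping_problems for a captured assertion is the quickest way to see whether the configured Name simply differs from what Azure AD sent.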