Configuring Damstra Safety For Single Sign On - Azure AD

Overview       
Damstra provides integration with Azure Active Directory (AAD) to enable your users to have a Single Sign-On experience when they access your organisation’s Web-based Damstra Safety application.

As well as giving users a single sign-on capability, AAD also gives you the security control and management of the access credentials of your users without having to share these with a third party.  

In its simplest form, AAD operates in the following manner

1. Your user attempts to log into Damstra Safety
2. Damstra Safety refers the request to your Single Sign-On server
3. Your Single Sign-On servers verify the user against your Active Directory credentials
4. The user's details are passed back to Damstra Safety for authorisation
5. If the user exists in Damstra Safety, the user is presented with the Damstra Safety home page

Responsibilities
Damstra are responsible for;

• Providing the SAML interface in Damstra Safety
• Configuring the Damstra Safety interface with details supplied by you

You are responsible for;

• Provision and configuration of all Azure AD components
• Provision of appropriately skilled resources for the above
• Maintaining a valid token signing certificate and notifying Damstra of any changes to the certificate used prior to rollover
  
  

Damstra will assist with the integration of your Azure AD services with Damstra Safety, however, the skills and resources to configure AAD / SAML are your responsibility. 

Procedure

1. Open Azure Portal
2. Select Azure Active Directory from the left-hand side
3. Add new Enterprise application
   
   
   
4. Select Non-gallery application
   
   
   
5. Name the Application
   
   
   
6. Select Single sign-on from left side menu
   
   
   
7. Select SAML as the authentication method
   
   
   
8. Download and send the Federation metadata XML to vaultsupport@damstratechnology.com
   
   
   
9. Damstra will install the federation metadata against your Damstra Safety domain and once this is complete you can then update the Damstra Safety Metadata. Your URL will be in the following format:
   https://companyid-00.vaultgrc.com/sso/module.php/saml/sp/metadata.php/COMPANYID 
   Download the metadata and save this to a file.
   
   
   
10. Click on the edit icon on right-hand side of the Basic SAML Configuration box
    
    
    
11. Press the upload metadata file and select the metadata from Damstra Safety that was previously downloaded. This will populate the Identifier and the Reply URL with the correct values. Save this information
    
    
    
12. Press the edit icon on the User Attributes
    
    
    
13. Decide on what the userid to be displayed within Damstra Safety. The default value Damstra Safety will use everything up to the @ sign in the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name Claim which is the person’s email address.
    
    If you would like to use something different create a property called “principal” and select the custom claim value to be used. E.g. SamAccountName
    
    
    
    
14. Test the claim in a private or incognito window enter the following URL replacing [companyid-0x] and [COMPANYID] with the correct values
    
    https://[companyid-0x].vaultgrc.com/sso/module.php/core/authenticate.php?as=[COMPANYID]
    
    After entering your network username and password it will redirect to an informational page detailing the information sent to Damstra Safety. Check that the claim values are successfully sent to Damstra
    
    
    If you get any other page then recheck the settings and contact Damstra support with the error message.