Configuring Vault For Single Sign On - Azure AD

Overview       
Vault provides integration with Azure Active Directory (AAD) to enable your users to have a Single Sign-On experience when they access your organisation’s Web-based Vault application.

As well as giving users a single sign-on capability, AAD also gives you the security control and management of the access credentials of your users without having to share these with a third party.  

In its simplest form, AAD operates in the following manner

1. Your user attempts to log into Vault
2. Vault refers the request to your Single Sign-On server
3. Your Single Sign-On servers verify the user against your Active Directory credentials
4. The user's details are passed back to Vault for Vault authorisation
5. If the user exists in Vault, the user is presented with the Vault home page

Responsibilities
Vault are responsible for;

• Providing the SAML interface in Vault
• Configuring the Vault interface with details supplied by you

You are responsible for;

• Provision and configuration of all Azure AD components
• Provision of appropriately skilled resources for the above
• Maintaining a valid token signing certificate and notifying Vault of any changes to the certificate used prior to rollover
  
  

Vault will assist with the integration of your Azure AD services with Vault, however, the skills and resources to configure AAD / SAML are your responsibility. 

Procedure

1. Open Azure Portal
2. Select Azure Active Directory from the left-hand side
3. Add new Enterprise application
   
   
   
4. Select Non-gallery application
   
   
   
5. Name the Application
   
   
   
6. Select Single sign-on from left side menu
   
   
   
7. Select SAML as the authentication method
   
   
   
8. Download and send the Federation metadata XML to support@vaultintel.com
   
   
   
9. Vault will install the federation metadata against your Vault domain and once this is complete you can then update the Vault Metadata. Your URL will be in the following format:
   https://companyid-00.vaultgrc.com/sso/module.php/saml/sp/metadata.php/COMPANYID 
   Download the metadata and save this to a file.
   
   
   
10. Click on the edit icon on right-hand side of the Basic SAML Configuration box
    
    
    
11. Press the upload metadata file and select the metadata from Vault that was previously downloaded. This will populate the Identifier and the Reply URL with the correct values. Save this information
    
    
    
12. Press the edit icon on the User Attributes
    
    
    
13. Decide on what the userid to be displayed within Vault. The default value Vault will use everything up to the @ sign in the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name Claim which is the person’s email address.
    
    If you would like to use something different create a property called “principal” and select the custom claim value to be used. E.g. SamAccountName
    
    
    
    
14. Test the claim in a private or incognito window enter the following URL replacing [companyid-0x] and [COMPANYID] with the correct values
    
    https://[companyid-0x].vaultgrc.com/sso/module.php/core/authenticate.php?as=[COMPANYID]
    
    After entering your network username and password it will redirect to an informational page detailing the information sent to Vault. Check that the claim values are successfully sent to Vault
    
    
    If you get any other page then recheck the settings and contact Vault IQ support with the error message.