Skip to main content
Skip table of contents

Configure Single Sign-On (SSO) with Microsoft Entra ID for the Mend Platform

Overview

This is a step-by-step guide for setting up our SAML Integration offering with the Identity Provider (IdP), Entra ID. Mend offers SAML integration for two purposes:

  1. Authentication for login 

  2. Role Management (optional)

This article covers SAML integration for Authentication only. Information regarding Role Management can be found here: SAML 2.0 Integration

Common SAML Terminology Referred to in Entra ID

  • Assertion Consumer Service (ACS) URL: This is referred to as the Reply URL within the “Set up Single Sign-On with SAML” page when creating the Entra Enterprise application.

  • Entity ID: This is referred to as the Identifier within the “Set up Single Sign-On with SAML” page when creating the Entra ID application.

  • Microsoft Entra Identifier: This information is provided in the 4th section of the “Set up Single Sign-On with SAML” page.

  • Metadata: For our purposes in this article, this information is provided in the 3rd section of the “Set up Single Sign-On with SAML” page.

Prerequisites

  • Please confirm you have the proper permissions in the Azure Portal to create an Entra Enterprise Application and assign users and groups to it appropriately.

  • Please confirm you are a Mend Admin in order to create the SAML integration within your Mend organization.

Getting it done

  1. In the Azure Portal, navigate or search for “Microsoft Entra ID”. Navigate to “Manage” on the left-hand side and click “Enterprise Applications”:

    image-20240820-133752.png

  2. Click “New Application” and select “Create your own application”:

    image-20240820-133850.png

    image-20240820-133949.png

  3. Give your application a name and select “Integrate any other application you don’t find in the gallery (Non-gallery)”:

    image-20240820-134041.png

  4. Select “Set up single sign on” and then “SAML”:

    image-20240807-211814.png
    image-20240807-211853.png

  5. Enter the following information:

    1. Identifier (Entity ID): urn:auth0:<environment>:wss-con-<orgUuid>

    2. Reply URL (Assertion Consumer Service URL): https://login-<environment>/login/callback?connection=wss-con-<orgUUid>

    3. If you would like to do role and group mapping, then set the appropriate claims in the “Attributes & Claims” section.

The Sign On URL is required when “IDP-Initiated SSO Behavior” is set to true. In this case, you should use your Mend Platform URL for the "Sign On URL" in Azure as the IdP Initiated login.

The Entity ID can be found in the SAML Integration page on the Mend Platform, labelled as ‘Callback URL'.

The Reply URL can also be found in the SAML Integration page on the Mend Platform, labelled as ‘Entity ID’.

  1. Copy the “App Federation Metadata URL” and save that in a spot for later.

  2. Now, heading over to the Mend Platform, access the Mend organization that you wish to integrate with SAML and navigate to Configure → Administration → SAML Integration sidebar option:

    image-20241103-130918.png

  3. Within the SAML Integration tab, you will see the following required settings:

    1. Signing Certificate URL: This is going to be the Metadata URL under the Sign On section of the SAML Application we have just created.

      image-20240326-132524.png

      The signing certificate URL will be in the format: https://login.microsoftonline.com/<tenant-id>/federationmetadata/<federation-version>/federationmetadata.xml?appid=<app-id>

    2. Email Domains section: In the Email Domains section add the email domain(s) used by your organization.

      image-20240820-160203.png

    3. Key Attributes section: In the Key Attributes section, add the attributes from your IdP that match the Mend Platform key attributes provided (Name, Email, Group, and Role). These were set earlier when creating the Enterprise Application. Below is a simple example:

      image-20240326-132537.png

      These fields would typically be set as follows:
      Name = givenname
      EmailAddress = emailaddress
      Group = <your group claim> (typically in the format of a URL)
      Role = <your role claim> (typically in the format of a URL)

    4. Group Claims: In Azure Entra ID, set up a group claim to emit your specific groups, and set the Source Attribute to the Group ID.

      After saving, you will get your claim name (in the format of a URL) which you would then put in the Key Attributes section above.

    5. Retrieve the group ID of group that would be sent in the SAML Assertion, and map that to a group in Mend:

    6. Role Mapping Section: In the Role Mapping Section, enter the group ID retrieved from the previous step and map them to the groups created inside the Mend Platform.

      image-20240820-170651.png

  4. Once finished, select Save in the top right-hand corner of the page and the settings will be applied, and a prompt informing you the settings have been successfully saved will appear, confirming the integration has been successful.

  5. An assigned user or group of the application will be able to use the Mend Platform by specifying hte relevant <environment> URL in the browser (e.g. https://saas.mend.io/app).

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close