Azure AD setup guide
This guide will walk you through the setup of ComplyCloud’s SSO solution. If you have questions or would like to schedule a support meeting, please do so by emailing us at [email protected]. To be able to migrate you as an AD client, you will need to setup a new Enterprise application in Azure AD. The enterprise application will manage two things:
1. Authentication through SAML A SAML certificate will handle the authentication (i.e who is allowed to access) between your AD users and the ComplyCloud application.
2. Provisioning through SCIM The provisioning (see reference below) is responsible for synchronizing users and roles between your Azure AD and our application. In other words, it will manage the creation, updates and deletion of users and determine what they are authorized to do in our application.
ComplyCloud Integration Page
During the setup steps later in the guide you will be asked to provide URLs and secrets that are specific to your ComplyCloud account. You can find the needed information in your ComplyCloud account (Settings > Integrations page), as shown in the screenshot below, from here on referred to as the ComplyCloud integration page.
Setup
1. Setup the Enterprise
application
a. Go to your Azure account
b. Navigate to “Enterprise applications”
c. Press “New Application”
d. Click “Create your own application” and in the pop-out on the right, name the application (eg. ComplyCloud SSO) and select “Integrate any other application…”
e. Click “Create”
2. Setup application roles for the enterprise application
a. Navigate to “App registrations”
b. Find the app registration of the enterprise app you created in step 1 and click it.
c. In the left sidepanel, select “App Roles”. At this point, the App roles list should be empty, but if there are app roles here that you want to delete, click the role, untick the “Do you want to enable this role” checkbox and press “Apply”. The Role can now be deleted.
d. In the left sidepanel, click “Manifest”
e. On the integrations page in ComplyCloud, click the “Download App roles” button and insert the downloaded list of roles under “appRoles” in the shown manifest. Only copy from opening square bracket([), to closing square bracket (]).
f. Click the “Save” button.
3. Generate SAML
a. Navigate to “Enterprise applications” and select the app you created in step 1.
b. In the left sidepanel, click “Single sign-on” and select the “SAML” box under “Select a sign-on method”.
c. Click “Edit” under “Basic SAML Configuration”.
d. Click “Add Identifier” add the “Entity id” value found on the ComplyCloud Integration page.
e. Click “Add Reply URL” add the “Redirect URL” value found on the ComplyCloud Integration page.
f. Click “Save”
4. Upload SAML
a. Still on the SAML page, under “SAML Signing Certificate” click “Download” where it says “Federation Metadata XML”.
b. On the ComplyCloud Integration page, click the “Upload SAML” button and upload the file downloaded in step 4a.
5. Add users and assign roles
a. Still on the Enterprise application page of created app, go to “Users and Groups” click “Add user/group”.
b. Select the user you would like to grant access and the role you would like to assign for that user.
c. Click the “Assign” button.
6. Setup provisioning
a. Still on the Enterprise application page of created app, go to “Provisioning”.
b. Click “Get started” and then choose the “Automatic” “Provisioning mode”.
c. Under “Admin Credentials” set the “Tenant URL” to the “Provision URL” found on the ComplyCloud integration page.
d. Under that, set the “Secret Token” to the “Provision Secret” found on the ComplyCloud integration page.
e. Test that the configuration is correct, by clicking the “Test Connection” button.
f. Under “Mappings” click the “Provision Azure Active Directory Groups” and disable it. It is not currently supported.
g. Click the “Provision Azure Active Directory Users” and setup the mapping so that it matches the screenshot below:
h. Tick the “Show advanced options” at the bottom of the page and tick the “Required” checkbox of the row called “emails[type eq “work”].value”
i. Add another row at the bottom named “roles” with “Type” set to “String” and tick the “Required” and “Multi-value”.
j. Back on the “Attribute Mapping” page click “Add New Mapping” and set the following values:
i. Mapping Type – Expression
ii. Expression – AppRoleAssignmentsComplex([appRoleAssignments])
iii. Target attribute – roles
k. Click “Ok” and click “Save” on the “Attribute Mapping” page.
7. Enabling the provisioning
a. Still on the Enterprise application page of created app, go to “Provisioning”.
b. Click the “Start provisioning” button to have Azure start provisioning your configured users with roles, as you set up in step 5.
c. If you want to run a more controlled test, click the “Provision on demand” button to force the provisioning of a specific user. Follow the on-screen instructions to check that everything works.
You are done! Provisioned users should now be directed to Microsoft to log in when they attempt to log in to ComplyCloud. Please contact us at [email protected] if you experience any issues following this guide.
