This article walks through the steps required to use Microsoft Entra ID (Azure AD) as your Single Sign On (SSO) authentication method in Cloud Control Center.
Three main components are required to successfully configure SSO using Microsoft Entra ID.
1. Adding Elisity Cloud Control Center Application in Azure AD
2. Create and Assign User Roles
3. Configure Azure SSO with Cloud Control Center (Two Methods)
Note: You can create custom mappings from groups within your SSO directory to user roles in Cloud Control Center. It is recommended to set up these role mapping configurations if you are planning on using Role-Based Access Control (RBAC) in Cloud Control Center, which enables powerful access control to various scopes such as Users, Devices, Policies, Virtual Edges, Settings, and more.
Create a New App Registration in Azure
Go to your Azure Active Directory Portal, and click on App Integrations on the left side menu. Click "New Registration"
Give your application a name, select "Accounts in this organizational directory only," and click "Register."
Copy the Application (Client) ID of your newly created App into a note.
Retrieve Issuer URL
In the "Overview" tab select "Endpoints" from the top menu. Copy the URL labeled "OpenID Connect metadata document" and paste in a new tab.
Copy the issuer link into a note, it should look like this: https://login.microsoftonline.com/XX...XX/v2.0
Create a Client Secret
From the "Overview" tab on your new Application, select "Add a Certificate or Secret"
Select "New Client Secret"
Enter suitable description, and choose when the secret will expire. We will choose 24 months, but longer expiration periods can be created if you set a custom range. Remember to create new secret after client secret expires and change the secret in CCC as well. Click Add.
Be sure to copy your client secret and paste into your note. It only appears once, and will be hidden if you do not copy it before leaving this page.
You should now have these three items copied into your notepad. You will need to enter these values into Cloud Control Center later.
Configure Optional Claims in Token Configuration
- Select "Token Configuration" in the left menu and click "Add Optional Claim."
- Select "Token Type = ID" and select the three following options: given_name, family_name, email
- Confirm your selections and click "Add"
You will get a warning that these claims (email, family_name, given_name) require OpenID Connect Scopes to be configured through the API Permissions Page. Don't worry, we will configure this in a later step.
Configuring Redirect URIs (Reply URL)
- Click on Authentication from the side tab
- Select Add a platform, and select the "Web" box.
- Enter redirect URI that is found in Cloud Control Center SSO Configuration dashboard.
- Leave front-channel logout URL empty.
- Select Access Token and ID tokens from the check boxes.
Verify Manifest Configuration
- Clink on manifest
- Ensure "accessTokenAcceptedVersion" is set to 2; if it is null change it to 2.
- Click save after changing the value.
Create an App Role
Here we will create user roles that can be used grant different permissions to users who log into Cloud Control Center based on their user group in AAD. Lets create App Roles for the two default Cloud Control Center User Roles in this example: TenantAdmin and TenantUser.
TenantAdmin – This default role in Cloud Control Center has full read/write access
TenantUser – This is default role in Cloud Control Center is only able to view data
Remember, you can create custom mappings for any SSO user groups to user roles within Cloud Control Center at any time. This requires the assigning the user groups (in Azure AD) to the CCC SSO application, as we are doing in the examples below.
For TenantAdmin:
- Display name: TenantAdmin
- Allowed member types: Users/Groups
- Value: TenantAdmin (be sure this is typed correctly)
- Description: Read/Write Privileges for Tenant Admins
- Do you want to enable this app role? *Checked
Apply, and create another App Role for TenantUser.
Create User Groups in Your Directory
Next we need to create the user groups that will give users permissions to log in to Cloud Control Center via Azure SSO.
Click on Azure Active Directory -> Groups -> New Group
Create Security Groups for each Application Role we created (TenantAdmin, TenantUser)
Example:
Group type: Security
Group name: TenantAdmin
Group description: Elisity CCC Tenant Admin with Read/Write privileges
Membership type: Assigned
Owners: Select an owner for this group; can be person creating the group or managing Azure AD
Members: Select appropriate members (Member assignments/removal can also be done later by viewing the group from the Groups page)
NOTE: Every group should have at least 1 owner.
Create a group for TenantUser or any additional user groups in the same fashion as above.
Assign user groups to Cloud Control Center Application in Azure
- Assign groups to CCC App
- Click on Azure Active Directory -> Enterprise Applications -> Search for CCC in the search box and select the application
- Go to the Users and Groups tab -> Assign users and groups
- Click on Users and Groups and select the appropriate group (TenantAdmin and TenantUser, or any other group you would like)
- Click on Select a role and select appropriate role (TenantAdmin or TenantUser)
- Click Assign
*No screenshots available for this step currently*
Configure Application Properties in AAD
Assignment Required Field
Assignment Required: This field determines whether user access to the Elisity Cloud Control Center (CCC) is controlled based on group assignments.
-
If "Assignment required" is unchecked:
- All Users Can Login: Any user within the Azure AD tenant can log in to the CCC regardless of their group assignment.
- No Access to Dashboards: Although users can log in, they will not have access to any dashboards or functionalities within CCC unless explicitly assigned to one of the pre-configured user groups.
-
If "Assignment required" is checked:
- Restricted Login Access: Only users who are explicitly assigned to the application (via group membership or direct user assignment) will be able to log in to CCC.
- Deny Unassigned Users: Users not assigned to the application will be denied login access entirely, providing a stricter level of access control and ensuring that only authorized users can access the CCC environment.
To change this configuration, navigate to the Enterprise Application, go to Properties, and change the the Assignment required? field to Yes.
Before finalizing our SSO integration, we can quickly add our Key-Value to User Role configurations within Cloud Control Center. Azure AD uses a Key-Value pair for these API calls where the key is "roles" and the value type is User Groups. Any groups that are assigned to the Application Integration for Cloud Control Center (within Azure AD) can be mapped to a role in Cloud Control Center. Creating these configurations is very simple.
Go to Settings > Admin > SSO Configuration > Role Configuration
For any and every user group that you would like to map to a role in Cloud Control Center, you need to create a mapping here. If you copied the syntax for the Key-Value pairs in this guide, the default User Roles should look exactly like this:
KEY | VALUE | USER ROLE (pre-defined) |
roles | TenantAdmin | Tenant Admin |
roles | TenantUser | Tenant User |
Any additional user groups you would like to map to custom roles can also be configured here. They should use the same key (Key = "roles") unless you configured your key-value differently. Note that the "Key" string in CCC is case-sensitive. The value field should also match exactly the syntax of user groups assigned to your CCC Application within your IDP. You can then assign to any custom role you have created to effectively enable Role-Based Access Control for Cloud Control Center. An example might look like this:
In this example we are restricting access for SSO users who are a member of the NetworkAdmin group to ONLY the Virtual Edge page.
Configure Azure SSO within Cloud Control Center
Method 1: Using the Discovery Endpoint for Azure SSO
Before using this method, you need to ensure that your Elisity Application and User Roles are already created in Azure SSO. If they are not, navigate to the respective sections to fulfill these requirements first.
Accessing SSO Configuration in CCC:
- Sign into Cloud Control Center (CCC) with an admin account that has permissions to make SSO configuration changes.
- Navigate to the settings page, then go to the Admin dropdown and select the SSO configuration tab. Make sure that "Use discovery endpoint" is toggled to use this method.
Obtaining the Discovery Endpoint:
- The Discovery Endpoint for Azure SSO can be obtained by appending “.well-known/openid-configuration” to the Azure issuer URL.
- Example: If the Azure issuer URL is
https://<Azure-Domain>/idp
, then the Discovery Endpoint would behttps://<Azure-Domain>/idp/.well-known/openid-configuration
.
Populating Metadata Automatically:
- Click on the "DISCOVER" button within the CCC SSO configuration page. This action will automatically populate all the Metadata fields required for Azure SSO integration.
Acquiring Client ID and Secret:
- Obtain the Client ID and Secret from your Azure SSO setup. These are essential credentials for the integration.
Setting up Redirect URI (Reply URL):
- The Redirect URI needed for Azure SSO configuration will be displayed in the Redirect URI box within Cloud Control Center.
- This URI must be configured in your Azure SSO setup to ensure proper redirection after authentication.
By following these steps, users can easily configure Azure SSO with Elisity's Cloud Control Center using the Discovery Endpoint method. This method simplifies the process by automating the metadata population, reducing the potential for errors during manual entry. It's important that the user verifies the correctness of the automatically populated fields to ensure a seamless integration with Azure SSO.
Method 2: Manually Entering Metadata
You can optionally choose to bypass the Discovery Endpoint method and manually enter all the required configurations in Cloud Control Center. Toggle off the "Use discovery endpoint" button, and you will have access to manually enter the following fields:
- Redirect URI (Reply URL): The callback location where the SSO provider will send the user after authentication. This can be found in Cloud Control Center.
- Client ID: The unique identifier assigned to your application by the SSO provider. This value can be found by following the guide above.
- Client Secret: A confidential secret used by your application to authenticate with the SSO provider. This value can be found by following the guide above.
- Token Endpoint: The URL used by the application to exchange an authorization code for an access token.
- Authorization Endpoint: The URL used to initiate the user authorization process.\
- JSON Web Key Set (JWKS) URI: The URL pointing to a set of public keys used to verify the signature of JSON Web Tokens.
- User Information Endpoint: The URL from which the application can retrieve user profile information.
- Issuer: The URL that uniquely identifies the authorization server that issued the token. This value can be found by following the guide above.
Refer to Azure Identity documentation on how to retrieve the values for manual configuration that are not covered in this document.
Azure SSO Integration Completed
You should now be able to login to Cloud Control Center using SSO with Azure for users who have the appropriate attributes applied. Simply click "Login with SSO" and input user your credentials from Azure.