Configuring SAML Single Sign-on

Microsoft Entra ID requires that the service provider URLs registered for MetaDefender Core use HTTPS, so enable HTTPS on MetaDefender Core before starting; the steps below assume it is already in place.

Register a new application in Azure

  1. Open the Azure portal and sign in.
  2. On the homepage, select Microsoft Entra ID under Azure services.
  3. Select Enterprise applications in the left sidebar.
  4. On the All applications page, click New application.
  5. On the Browse Azure AD Gallery page, search for "Microsoft Entra SAML Toolkit" and click Microsoft Entra SAML Toolkit in the result panel.
  6. Fill in the Name field (MDCore-SAML, for example) and click Create in the right sidebar.
  7. Navigate to Single sign-on in the left sidebar and click SAML.
  8. In the SAML Certificates section, click the copy button at the far right of App Federation Metadata Url and store the value as metadata_uri; MetaDefender Core reads the IdP entity ID, sign-on endpoint and signing certificate from this document.
  9. Navigate to Users and groups in the left sidebar and click Add user/group.
  10. On the Add Assignment screen, click None Selected, add the users who are allowed to log in to the app, then click Select in the right panel.
  11. Click Assign to complete the assignment. Only assigned users can sign in to MetaDefender Core through this application, so keep the assignment list as small as the role requires.

Create SAML directory in MetaDefender Core

  1. Sign in to the MetaDefender Core management console.
  2. On the dashboard, click User Management in the left sidebar.
  3. On the User Management page, select the Directories tab and click Add directory in the top right corner.
  4. On the Add Directory page, choose SAML as the Directory type, enter a name for the new directory (MDCore-SAML, for example) and click Fetch URL.
  5. Paste the URI stored in metadata_uri into the box under Fetch URL, click OK and wait a moment for MetaDefender Core to register Microsoft Entra ID as its IdP.
  6. In the Service Provider section, fill in Host or IP with the HTTPS address at which users reach MetaDefender Core, for example https://127.0.0.1:8008. This address is embedded in the URLs MetaDefender Core publishes to Entra ID, so it must be the externally reachable one.
  7. Copy the Login URL and store it as reply_uri for the later steps.

Complete configuration in Entra ID

  1. Switch back to Microsoft Entra ID. On the SAML-based Sign-on page, navigate to Basic SAML Configuration and click Edit in the top right corner.
  2. Navigate to Identifier (Entity ID) in the right sidebar, click Add identifier and enter a unique ID that identifies MetaDefender Core, such as MDCore-SAML. Store this value as identifier.
  3. Navigate to Reply URL (Assertion Consumer Service URL), click Add reply URL, fill in the URI with the value stored in reply_uri and click Save.
  4. Navigate to Attributes & Claims and click Edit.
  5. On the Attributes & Claims page, go to Additional claims and click the item under Claim name whose name you want to change.
  6. Change the value of the Name field, leave Namespace empty and click Save. In this walkthrough the claim name is changed to given_name, which is used later to identify the logged-in user on MetaDefender Core.

If the attribute and claim names that Microsoft Entra ID provides by default are sufficient, they can be used directly to identify the logged-in user in MetaDefender Core. Whatever claim is chosen, it should be unique and stable per user (a user principal name or e-mail address rather than a given name), because MetaDefender Core treats the claim value as the user's identity and two users with the same value would be indistinguishable.

Complete configuration in MetaDefender Core

  1. Switch back to the MetaDefender Core screen. Under Service Provider, go to Use custom entity ID and fill it in with the value stored in identifier (MDCore-SAML in this example). It must match the Identifier (Entity ID) registered in Entra ID exactly, or Entra ID will reject the authentication request.
  2. Fill in User identified by with ${given_name}.

If the namespace was not removed from the claim name in step 6 of the previous section, the full claim name including the namespace must be used here to build the user identity.

For example, if the claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name is added in Microsoft Entra ID, then ${http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name} must be used by MetaDefender Core to build the user identity.

  3. Select the appropriate role for the users of this directory under User Role.
  4. Click Add to complete the settings.
  5. On the User Management screen of MetaDefender Core, toggle the new directory named MDCore-SAML. A dialog box appears to confirm the action. Once Enable is clicked, all existing sessions are terminated immediately.
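The namespace rule above comes down to string matching: the key inside ${...} has to equal the Attribute Name in the assertion character for character. The following is an added example (not OPSWAT code) that resolves a "User identified by" template against the AttributeStatement of a SAML assertion, using a constructed assertion in which one claim was renamed to the bare given_name and another was left under its default namespace. It fails closed when the named claim is absent, empty or multi-valued, which is the behaviour a practitioner wants from an identity mapping. Signature verification of the assertion is assumed to have happened before the attributes are trusted; it is out of scope here.

```python
"""Resolve ${claim} placeholders against SAML assertion attributes.
Added example; the assertion below is constructed, not captured."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed AttributeStatement: "given_name" was renamed in Entra ID with
# an empty Namespace, while emailaddress kept its default namespace.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="given_name">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>analysts</saml:AttributeValue>
      <saml:AttributeValue>admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml):
    """Map each Attribute Name, verbatim and namespace included, to its values.
    Only call this on an assertion whose signature has already been verified;
    untrusted XML should be parsed with defusedxml in production."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_identity(template, attrs):
    """Substitute every ${name} in the template with the matching attribute.

    Raises KeyError when the assertion has no attribute of that exact name
    (the usual symptom of a namespace mismatch) and ValueError when the
    attribute is empty or multi-valued, rather than producing an identity
    that is blank or ambiguous.
    """
    def substitute(match):
        key = match.group(1)
        values = attrs.get(key)
        if values is None:
            raise KeyError(
                "assertion carries no attribute named %r; available: %s"
                % (key, sorted(attrs))
            )
        if len(values) != 1 or not values[0].strip():
            raise ValueError("attribute %r must have exactly one non-empty value" % key)
        return values[0].strip()

    identity = PLACEHOLDER.sub(substitute, template)
    if not identity:
        raise ValueError("template resolved to an empty identity")
    return identity


if __name__ == "__main__":
    attributes = extract_attributes(SAMPLE_ASSERTION)
    print(resolve_identity("${given_name}", attributes))
    print(resolve_identity("${" + CLAIMS_NS + "emailaddress}", attributes))
```

With this assertion, ${given_name} resolves to Alice, while ${http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name} fails because no attribute with that full name exists; the reverse holds for emailaddress, which was left namespaced. Templates may also combine claims, for example ${given_name}@${http://.../emailaddress}, as long as every placeholder matches an attribute name exactly.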

Test the integration

  1. On the home screen of MetaDefender Core, click Login; the browser is redirected to the Microsoft Entra ID sign-in page.
  2. Sign in with an account that was assigned to the application in Microsoft Entra ID.
  3. If everything works, the MetaDefender Core dashboard is displayed with the user's identity shown in the top right corner.
  4. Otherwise, open the backup login page at <mdcore-host>#/public/backuplogin for troubleshooting.

Setup pseudo IdP-initiated SSO

Microsoft Entra ID does not support IdP-initiated SSO in the same way as other identity providers. The user access URL it publishes simply opens the sign-on URL of the service provider, and the SAML exchange is started from there, so the flow is still SP-initiated.

  1. Sign in to the Azure portal.
  2. In the Azure services section, click Microsoft Entra ID.
  3. In the left sidebar, click Enterprise applications.
  4. Select the application created earlier (MDCore-SAML in this example) from the list of enterprise applications.
  5. Choose Single sign-on in the left sidebar, go to the Basic SAML Configuration section and click Edit at the top right of the section.
  6. In the Basic SAML Configuration right sidebar, enter the MetaDefender Core login URL in the field under Sign on URL.
  7. Click Save to complete.

Test IdP-initiated SSO

  1. Sign in to the Azure portal.
  2. In the Azure services section, select Microsoft Entra ID.
  3. In the left sidebar, click Enterprise applications.
  4. Select the application created earlier (MDCore-SAML in this example) from the list of enterprise applications.
  5. Go to the Properties tab.
  6. Copy the URL next to User access URL.
  7. Paste the copied URL into your browser and sign in.
  8. If everything works, the MetaDefender Core dashboard appears with the user's identity displayed in the top right corner.
  9. Otherwise, open the backup login page at <mdcore-host>#/public/backuplogin for troubleshooting.