Single Sign-On (SSO)
      Back to home
      1. Help Center
      2. 3rd Party Integrations
      3. Single Sign-On (SSO)

      Single Sign-On with Azure and SAML

      How to allow Azure directory users to log in to Alcatraz Admin Portal over SAML

      Alcatraz Admin Portal allows you to configure Single Sign-on (SSO) using Azure as an Identity Provider (IdP) over the SAML 2.0 protocol.

      Availability

      SSO is available if you run Alcatraz Admin Portal using the following Alcatraz solutions:
      • Alcatraz Enterprise Cloud single-tenant
      • On-premises
      SSO is not available if you run the Alcatraz Cloud multi-tenant solution.

      Acquiring Redirect URL from Alcatraz Admin Portal

      As the first SSO setup step, go to Alcatraz Admin Portal and generate a Redirect URL that you will later use to set up your Microsoft Azure account.
      The following Alcatraz Admin Portal roles can set up SSO:
      • Account Administrator
      Take these steps to generate a Redirect URL in Alcatraz Admin Portal:
      1. Log in to Alcatraz Admin Portal as a supported role.
      2. In the left menu, go to Account > Account Settings.
      3. Under Login Configuration, expand SSO Configuration.
      4. In Enable Alcatraz login with, click SSO with SAML 2.0.
      5. In Provider, select Other.
      6. In Metadata URL, enter a temporary URL like https://.
        You will enter the actual URL after you set up Microsoft Azure.
      7. In Roles Mapping, map a dummy role:
        1. Click the plus sign next to Account Admin.
        2. In the text box that appears, enter a dummy group or role name, temp for example.
          You will make the actual mapping after you set up Microsoft Azure.
      8. Leave the rest of the options unchanged.
      9. Click Submit.
        The Redirect URL specific to your account or deployment appears in the Redirect URL box.
        p-saml-azure-redirecturi
      10. Copy the Redirect URL and store it for later.

      Setting Up Microsoft Azure for SAML SSO

      The next step after acquiring the Redirect URL is to set up a Microsoft Azure application for your Alcatraz SSO integration.
      Take the steps in the following subsections to create and set up an Azure application for an Alcatraz SSO integration.

      Creating the Azure Application

      Take these steps to create a Microsoft Azure application:
      1. Log in to your Microsoft Azure account.
      2. Click the Microsoft Entra ID service.
      3. In the left navigation, click Manage > Enterprise applications.
      4. Click New application.
      5. Click Create your own application and then do the following in the sidebar that appears:
        1. Enter a name for your Azure application.
          Example: Alcatraz SSO
        2. Click Integrate any other application you don't find in the gallery (Non-gallery).
        3. Click Create.

      Setting up the Azure Application

      Microsoft Azure can be set up in many different ways. Use the following steps as a guideline and then adapt them to your organization's needs and setup.

      Take these steps to set up the Microsoft Azure application that you created:
      1. In the application's left navigation, click Manage > Single sign-on.
      2. Click SAML.
      3. In Basic SAML Configuration, click Edit, and do the following:
        1. Click Add identifier and type https://saml.alcatraz.ai as an identifier (entity ID).
        2. Click Add reply URL and paste the Redirect URL that you acquired in Acquiring Redirect URL from Alcatraz Admin Portal.
        3. Under Sign on URL (Optional), type any URL like https://localhost.
        4. Click Save at the top of the sidebar.
          p-saml-azure-app-basic
      4. In Attributes & Claims, click Edit and then do the following:
        1. Create a group claim:
          1. Click Add a group claim.
          2. For Which groups associated with the user should be returned in the claim?, select the option that matches your organization's needs.
            For example, if you intend to limit the groups that can access this Azure application, click Groups assigned to the application. If unsure, click All groups.
          3. In Source attribute, select the Entra ID attribute that contains the user's group list in your organization.
            Example: Group ID or sAMAccountName.
          4. Under Advanced options, check Customize the name of the group claim.
          5. In Name, type group.
          6. Leave the rest of the settings with their default values.
          7. Click Save.
        2. Optionally, create a full name claim:
          This claim ensures that Azure will provide the user's Display Name to Alcatraz Admin Portal. If the claim is missing, Alcatraz Admin Portal shows the user's email address instead.
        3. Click Add new claim.
        4. In Name, type FullName.
        5. For Source, select Attribute.
        6. For Source attribute, select user.displayname or the attribute that stores the user's full name.
        7. Click Save.
          p-saml-azure-app-claims
      5. Optionally, remove all other claims.
        The Alcatraz SAML SSO integration does not take other claims into account.
      6. Close the Attributes & Claims settings.
      7. In the SAML Certificates section, copy the App Federation Metadata Url value and store it for later.
        Alternatively, download the Federation Metadata XML, which carries the same data but requires the extra steps of downloading it and then uploading it into Alcatraz Admin Portal.
        p-saml-azure-app-certs

      Finalizing SSO Setup in Alcatraz Admin Portal

      After setting up your Microsoft Azure application, you need to go back to Alcatraz Admin Portal and complete the SSO login setup using data from the Azure application.
      Take these steps to complete the SSO login setup in Alcatraz Admin Portal:
      1. Go back to Account > Account Settings and continue your SSO with SAML 2.0/Other configuration.
      2. In Metadata URL, replace the temporary URL with the App Federation Metadata Url URL that Azure generated for you.
        Alternatively, upload the Federation Metadata XML in Metadata file if you prefer using the downloaded file.
      3. In Assertion Key, enter the name of the group claim that you created in your Azure application (group).
      4. In Entity ID, enter https://saml.alcatraz.ai.
        This value must match the Identifier (Entity ID) value in your Azure application.
      5. With Separate local and SSO login pages, do the following:
        • Uncheck the box if you want to include an Alternate Log in link on the SSO login page that sends to the non-SSO login page. The non-SSO login page allows you to log in with user accounts managed by Alcatraz Admin Portal.
        • Check the box if you want only the SSO login option to appear on the default Alcatraz Admin Portal login page.
          In both cases, user accounts managed by Alcatraz Admin Portal can log in after visiting https://<alcatraz-admin-portal-url>/alternate` where <alcatraz-admin-portal-url> is the base URL of your Alcatraz Admin Portal instance.
      6. In Roles Mapping, map at least one role.
        The mapping determines the Alcatraz Admin Portal role that Azure users receive upon logging in with SSO.
        1. Click the plus sign next to the Alcatraz Admin Portal role.
        2. In the text box that appears, enter the Azure group identifier.
          Depending on your Azure setup, the identifier is either the Azure group name (ex: Technical Documentation) or the Azure group Object ID (ex: dc75115f-bf07-482e-b134-412ee35bd8cc). If unsure, try each until you achieve a working integration.
          You can map multiple Azure groups to a single Alcatraz Admin Portal role. Click the plus sign again to add another text field.
          See Role Mapping Considerations for further information on how role mapping behaves.
          p-saml-azure-aap-final
      7. Click Submit.

      Role Mapping Considerations

      Keep the following in mind when mapping Alcatraz Admin Portal roles to Microsoft Azure groups:
      • If you update the role mapping, the changes come into effect immediately, including for SSO users who are in the middle of a session.
      • If you map a single Azure group to multiple Alcatraz Admin Portal roles, the group's members receive the highest-privileged role.
      • Members of Azure groups that have access to the Azure application but are not mapped to an Alcatraz Admin Portal role receive the Account User (least-privileged) Alcatraz Admin Portal role upon logging in.

      Stopping the SSO Integration

      Stopping the SSO integration deletes the SSO provider's setting from Alcatraz Admin Portal and returns to only using the user accounts managed by Alcatraz Admin Portal.
      SSO users who were logged in at this time will remain logged in until their sessions expire.
      The following Alcatraz Admin Portal roles can stop SSO:
      • Account Administrator
      Take these steps to stop using SSO login:
      1. Log in to Alcatraz Admin Portal as a supported role.
      2. In the left menu, go to Account > Account Settings.
      3. Under Login Configuration, expand the SSO Configuration.
      4. Next to Provider, click Remove.
      5. In the dialog box that opens, click OK to confirm the removal.

      Troubleshooting

      Azure SSO login fails with an error after entering credentials


      Symptom
      SSO login fails for a user or all users with "AADSTS50105: Your administrator has configured the application `<Application Name>` (`'<Application ID>'`) to block users unless they are specifically granted (‘assigned’) access to the application."
      Possible Cause
      Failure to login could be a symptom of an unassigned Microsoft Azure application.
      Suggested Solution
      Do either of the following, depending on your preferences:
      • In the application's left navigation, click Manage > Properties and set Assignment required? to No. This action allows all your Microsoft Entra ID users to log in through this application.
      • Leave Assignment required? set to Yes, but then go to Manage > Users and groups and add the users or groups to be allowed to log in to the Alcatraz application.

      Email address appears instead of username


      Symptom
      Alcatraz Admin Portal shows email address instead of full name for SSO users
      Possible Cause
      Alcatraz Admin Portal expects a claim with the specific name of FullName mapped to the IdP directory attribute that stores the user's full name. If the claim is missing, Alcatraz Admin Portal replaces the missing full name with the user's email address.
      Suggested Solution
      Create the claim as described in Setting up the Azure Application.

      SSO user can log in but their Alcatraz Admin Portal role is wrong


      Symptom
      After logging in, the SSO user sees a restricted set of menus and settings.
      Possible Cause
      The role mapping is incorrect and the SSO user has been granted the least-privileged role because of that.
      Suggested Solution
      First verify that you have mapped the Azure group that the user is a member of. Members of unmapped groups receive the least-privileged role.
      Then ensure that you use the correct identifier for your Azure setup when entering the Microsoft Azure group identifier. If the user doesn't receive the correct role when you supply the group name, try with the group's Object ID (ex: dc75115f-bf07-482e-b134-412ee35bd8cc) and the other way around.