# Microsoft Entra ID

This document describes setting up integration with Microsoft Entra ID (formerly Azure Active Directory) using SAML 2.0. This involves:

1. Creating an enterprise application in Microsoft Azure.
2. Adding an Auth System to your Access Anywhere organization.

## Create Azure Enterprise Application

As an administrative user, log into the Microsoft Azure portal: https://portal.azure.com/

## Create Enterprise Application

Search for and open the "Enterprise Applications" page, then add a New Application. Click "Create your own application".

{{ :admin:saml:entra:azure-createapp.png?800 |}}

Input a name for the application, for example **Nasuni Access Anywhere**. Select **Integrate any other application you don't find in the gallery** from the list of options.

Now that the application is created, select SAML for single sign-on.

{{ :admin:saml:entra:enterprise_application_sso.png?600 |}}

### 1. Basic SAML Configuration

In "Basic SAML Configuration" enter the following URLs for your Access Anywhere instance.

* Identifier (Entity ID): Server URL, e.g. https://files.example.com/
* Reply URL (Assertion Consumer Service URL), e.g. https://files.example.com/saml.htm

{{ :admin:saml:entra:basic-saml-configuration.png?600 |}}

The other settings are not required.

### 2. Attributes & Claims

Next we will set up two SAML claims. Under **Attributes & Claims** click **Edit**.

{{ :admin:saml:entra:attributes_and_claims.png?600 |}}

You will be taken to the Attributes & Claims page.

#### Add Group Claim

Select **Add a group claim**. Select **All Groups** as the choice of which groups should be returned in the claim. **Source Attribute** should be set to **Group ID**.
#### Add Claim

In the "Attributes & Claims" section add a new claim and make sure all the claims below are entered:

{{ ::azuread_saml_updatedattributeclaims.png?800| }}

Please note, in order to get the correct UPN local part for the user we will need to create a transformation for one of those attributes, like so:

* Transformation: ExtractMailPrefix()
* Parameter 1: user.userprincipalname

{{ ::azuread_saml_loginname.png?800| }}

If a user is a member of more than 150 groups, and you are importing these on login (not recommended when using Nasuni storage), the Entra SAML assertion returns a link to Microsoft's Graph API instead of a list of the groups. If this is a possibility, see the "Users with more than 150 groups" section at the end of this document.

### 3. SAML Certificate

Now download the Certificate (Base64) from the "SAML Certificates" section. It will be used by Access Anywhere.

{{ :admin:saml:entra:azureadfs_downloadcert.png?600| }}

### 4. Set up

Also copy and save these three URLs:

{{ :admin:saml:entra:azure_app_setup_urls.png?600 |}}

### Users and Groups

Next we will make sure we have added the correct users and/or groups to the Enterprise Application. Only users/groups entered here will be able to log into the Access Anywhere server via this SAML integration.

{{ ::azureadfs_usersandgroups.png?600 |}}

### 5. Test single sign-on

Return to the "Single sign-on" section and select "Test" to see if single sign-on is working for a specific user.

{{ :admin:saml:entra:test-sso.png?600 |}}

## Add SAML Auth System

As an Organization administrator, bring up the settings page from the menu Organization > **Auth Systems**.

Fill in the following details:

* __Auth system__ - Select "SAML"
* __Auth System Name__ - Azure SAML (for example)
* __Identifier (Entity ID)__ - As configured in your Azure enterprise app. Defaults to your appliance URL.
* __Login button label__ - Displayed on the Access Anywhere login page.
  Use something that the users will understand, like “Login with Microsoft Azure”.
* __The service provider entity ID__ - Enter the "Microsoft Entra Identifier" you saved from the Azure Enterprise Application SAML app setup screen above.
* __SSO entry point__ - Enter the "Login URL" you saved from the Azure Enterprise Application SAML app setup screen above.
* __Logout service endpoint__ - Enter the "Logout URL" you saved from the setup screen.
* __x509 Certificate__ - Enter the certificate text you downloaded from the setup screen above.

Additional Options:

* __Force authentication__ - Disabled (recommended). When enabled, users will be forced to re-authenticate rather than using any existing SSO sessions.
* __Sign AuthnRequest and LogoutRequest__ - Disabled. (We are not using verification certificates.)
* __Fetch User Role/Group Name by id__ - Disabled. (With Nasuni storage, groups are not imported via Auth integration.)
* __Azure AD Application ID__ - The "Application (client) ID" of the Graph API app registration (see "Set Up The Graph API" below).
* __Azure AD Application Key__ - Enter the "Client secrets" value from the same app registration.

User Login Settings:

* __Auto create user on login__ - Enabled. Required for users to be auto-provisioned when logging in via SAML for the first time.
* __Refresh role/group membership on login__ - Disabled. Not required with Nasuni storage.
* __Update user info on login__ - Enable to update all user information on each SAML login, including email.

SAML User Import Fields:

* __Unique User Attribute Field__ - username
* __User Login Field__ - username
* __User Name Field__ - fullname
* __User Email Field__ - email
* __Role/Group Name Field__ - groups
* __User Phone Field__ - phone

### Enabling Identity Provider Initiated Flow

Once your Auth System has been created in Access Anywhere, you will be able to obtain a Reply URL. From the Auth Systems screen, copy the URL supplied next to the **Reply URL** field.

Go back to the Enterprise Application you created within Azure, and edit the **Basic SAML Configuration**.
Replace the **Reply URL** with the URL from the Auth System screen.

Azure provides mechanisms to test the integration. Your users will then be able to access the application from: https://myapplications.microsoft.com/

{{ :admin:saml:entra:my-apps.png?600 |}}

### Changing App Icon

The application icon shown in My Apps can be changed within the Azure Enterprise Application under Manage > Properties.

{{ :admin:saml:entra:app_properties.png?600 |}}

The logo currently configured for your appliance can be found at `https://files.example.com/images/company/company_logo.png`.

## Set Up The Graph API

In order to map group identifiers to group names from Azure we will need to enable the Microsoft Graph API.

In App Registrations, create a "New registration", naming it something like "NAA GraphAPI".

Once created, edit the API permissions and click "Add a permission". From the list, select **Microsoft Graph**. Select **Application permissions** when presented with the choice.

Input "Directory.Read.All" into the search field and select the permission when returned. Click **Add permissions**.

These permissions will need to be granted for the organisation by clicking **Grant admin consent for XX Directory**.

Now we will gather the credentials. In "Overview", copy the "Application (client) ID".

In "Certificates & secrets", click "New client secret" in the "Client secrets" section. Set Description to something like "NAA" and decide when it expires. Now copy the new Value added in the Client secrets section.

## Users with more than 150 groups

If you have a user with more than 150 groups, the SAML assertion returns a Microsoft Graph link instead of a list of groups. To resolve this you will need to update the Entra App to filter the groups to just the roles you would like to leverage in Access Anywhere.
You can achieve this either by selecting an option like "Groups assigned to the application" and assigning the relevant groups to the Entra App, or by applying a filter to restrict the groups based on a given prefix or suffix.

{{ :admin:azuread_groupclaims_filter.png?400 |}}
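The following is an added example, not code from Access Anywhere or from this page, showing the service-provider side of what the "Attributes & Claims", "Users with more than 150 groups" and "Set Up The Graph API" sections describe: it reads the claims out of a SAML assertion into the import fields listed above (username, fullname, email, phone, groups), applies the same ExtractMailPrefix() rule locally when the username claim still carries a full UPN, detects the group-overage case where Entra sends a `groups.link` claim instead of the group list, and resolves group object IDs to display names with the app registration's Application (client) ID and client secret. Assumptions: the Entra claims are named exactly like the import fields; the Graph endpoints used (the v2.0 client-credentials token endpoint and `directoryObjects/getByIds`) are real, but `fake_post`, `FAKE_GROUPS` and the credential placeholders are constructed so the block runs offline; signature verification of the assertion is not implemented.

```python
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim Entra emits instead of the group list when a user exceeds the group limit
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
# Assumption: the Entra claims are named exactly like the import fields on this page
USER_FIELDS = ("username", "fullname", "email", "phone")
GROUPS_FIELD = "groups"


def extract_mail_prefix(value):
    """Local equivalent of Entra's ExtractMailPrefix() claim transformation."""
    return value.split("@", 1)[0]


def parse_attributes(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement.

    Signature checking is out of scope here: a real SP verifies the assertion
    against the downloaded Base64 certificate before trusting any claim.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return attrs


def get_graph_token(tenant_id, client_id, client_secret, http_post):
    """Client-credentials token for the app registration (Application ID + client secret)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"}
    body = urllib.parse.urlencode(form).encode()
    return http_post(url, body, {"Content-Type": "application/x-www-form-urlencoded"})["access_token"]


def resolve_group_names(group_ids, token, http_post):
    """Map group object IDs to display names with one getByIds call (Graph caps it at 1000 IDs)."""
    url = "https://graph.microsoft.com/v1.0/directoryObjects/getByIds"
    body = json.dumps({"ids": list(group_ids), "types": ["group"]}).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return {o["id"]: o["displayName"] for o in http_post(url, body, headers).get("value", [])}


def urllib_post(url, body, headers):
    """Default transport: a real HTTPS POST that returns the parsed JSON body."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def build_user(assertion_xml, graph_creds, http_post=urllib_post):
    """Turn an assertion into the Access Anywhere import fields plus resolved group names."""
    attrs = parse_attributes(assertion_xml)
    user = {f: (attrs.get(f) or [None])[0] for f in USER_FIELDS}
    if user["username"] and "@" in user["username"]:
        # Transformation missing on the IdP: fall back to the UPN local part
        user["username"] = extract_mail_prefix(user["username"])
    # Overage: Entra sent a Graph link and no group list, so no groups can be imported
    user["group_overage"] = GROUPS_LINK_CLAIM in attrs
    group_ids = [] if user["group_overage"] else attrs.get(GROUPS_FIELD, [])
    names = {}
    if group_ids:
        token = get_graph_token(*graph_creds, http_post)
        names = resolve_group_names(group_ids, token, http_post)
    # IDs Graph did not return (deleted group, missing permission) are kept as raw IDs
    user["groups"] = [names.get(g, g) for g in group_ids]
    return user


def make_assertion(attributes):
    """Constructed, unsigned sample assertion from {claim name: [values]} (test input only)."""
    body = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>"
        for name, values in attributes.items())
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_c1">'
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>")


# Constructed group directory and placeholder credentials for the offline transport
FAKE_GROUPS = {"11111111-1111-1111-1111-111111111111": "AA Admins",
               "22222222-2222-2222-2222-222222222222": "AA Users"}
GRAPH_CREDS = ("tenant-id-placeholder", "application-client-id-placeholder", "client-secret-placeholder")


def fake_post(url, body, headers):
    """Offline stand-in for the token endpoint and the getByIds call."""
    if url.endswith("/oauth2/v2.0/token"):
        return {"access_token": "constructed-token", "token_type": "Bearer"}
    assert headers["Authorization"] == "Bearer constructed-token"
    wanted = json.loads(body)["ids"]
    return {"value": [{"id": i, "displayName": FAKE_GROUPS[i]} for i in wanted if i in FAKE_GROUPS]}


if __name__ == "__main__":
    normal = make_assertion({"username": ["jdoe@example.com"], "fullname": ["Jane Doe"],
                             "email": ["jdoe@example.com"], "groups": list(FAKE_GROUPS)})
    print(build_user(normal, GRAPH_CREDS, fake_post))
    overage = make_assertion({"username": ["jdoe"], GROUPS_LINK_CLAIM: ["https://graph.example/placeholder"]})
    print(build_user(overage, GRAPH_CREDS, fake_post))
```

Run with the default `urllib_post` and real tenant, client ID and secret values to resolve names against your directory; the `Directory.Read.All` application permission granted in the "Set Up The Graph API" section covers the `getByIds` call. Two points worth checking in practice: the `group_overage` flag should be alerted on rather than silently treated as "no groups", since the user will otherwise log in with no role mapping, and the client secret's expiry chosen in "Certificates & secrets" is the date after which the token request starts failing, so record it alongside the Auth System configuration.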