SSO integration is configured for both Azure Active Directory (Azure AD) and OpsRamp and sets up redirects to the custom URL.
Azure AD uses the System for Cross-domain Identity Management (SCIM) and the Security Assertion Markup Language (SAML 2.0). SCIM uses REST APIs to communicate between Azure AD and OpsRamp. The SCIM schema handles end-to-end user management, such as creating, updating, and deleting user accounts.
Prerequisites
- Register with OpsRamp to receive OpsRamp login credentials.
- Your custom URL (such as <yourwebsitename>.opsramp.com).
Azure AD configuration
Azure AD configuration provides the SSO setting details that are required to configure OpsRamp.
From the Azure AD console, select Azure Active Directory.
From Default Directory, select Enterprise applications > All applications > +New application.
From Add an application > Non-Gallery Application > Add your own application, provide a name (for example, OpsRampSSO) and click Add.
From Single sign-on > SAML, enter the following settings in the Set up section:
- Identifier: Custom branding URL in OpsRamp. (For example, https://<custom brand name>.opsramp.net/saml.do)
- Reply URL: https://<OpsRamp Custom Brand URL>/samlResponse.do (For example: https://azuread.opsramp.com/samlResponse.do)
- User Identifier: user.userprincipalname
Copy the following information required for OpsRamp configuration:
- Login URL
- Azure AD Identifier
- Logout URL
Click Download in the Certificate (Base64) field. The certificate is required for the OpsRamp configuration.
From the SAML Signing Certificate screen, right-click the certificate name and select Make Certificate active from the certificate drop-down options.
Enter the following details and Save:
- Signing Option: Sign SAML Response and assertion
- Signing Algorithm: SHA-256
(Optional) Enable JIT user provisioning on the User Attributes & Claims tab.
From Provisioning, specify:
- Provisioning Mode: Automatic
- Admin Credentials: Token URL and Secret Token (These settings are copied from the OpsRamp configuration steps.)
- Notification Email: Valid email address to receive email notifications.
Click Test Connection to validate the Token settings. After successfully validating token settings, the Mappings section is automatically populated.
From Provisioning > Settings, specify the following:
- Provisioning Status: On. This is used to synchronize user data.
- Scope: Set the scope of the user data to synchronize. OpsRamp recommends Sync only assigned users and groups.
- Clear current data and restart synchronization: Select the option. This option is helpful during any data mismatch or data corruption.
OpsRamp configuration
OpsRamp configuration generates the URL and secret token that are required to complete configuration at Azure AD.
To configure SSO integration:
From All Clients, select a client.
Go to Setup > Integrations > Integrations.
From Available Integrations, select SSO > Azure AD and click Install.
Enter the following information in Install Azure_AD configuration:
- Issuer URL: Azure AD Identifier
- Redirection URL: Login URL
- Logout URL: Logout URL
- Certificate: X.509 certificate
The URL and certificate details are captured from the Azure AD configuration.
In the User Provision step, select the following details and click Save:
- Provision Type: SCIM.
- Default Role: The required user role.
Click Install.
Copy the URL and Token information. These details are used when configuring Azure AD Provisioning settings.
Define the following Map Attributes:
- OpsRamp Entity: Depending on the type of OpsRamp Entity, select USER or USERGROUP.
- OpsRamp Property: Depending on the selected type of OpsRamp Entity, select the corresponding OpsRamp Property. It is important to define Primary Email, First Name, Last Name, and Role.
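The Issuer URL, Redirection URL and X.509 certificate entered above are the trust anchors OpsRamp uses to accept Azure AD logins, so a wrong value shows up as rejected sign-ins. The following check, written for this page and not part of OpsRamp or Azure AD, compares a captured SAML Response against those configured values: its Issuer must equal the Azure AD Identifier, its Destination must equal the Reply URL, and every embedded signing certificate must match the Base64 certificate downloaded from Azure AD. The certificate, tenant identifier and response below are constructed placeholders; this is a configuration sanity check, not XML signature verification, which the SAML stack itself performs.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 fingerprint of a Base64/PEM certificate; PEM header lines and whitespace are ignored."""
    body = "".join(line for line in b64_cert.splitlines() if not line.startswith("-----"))
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha256(der).hexdigest()

def check_saml_response(xml_text: str, issuer_url: str, reply_url: str, idp_cert_b64: str) -> dict:
    """Compare a SAML Response with the Issuer URL, Reply URL and certificate configured in OpsRamp."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    destination = root.get("Destination", "")
    # Azure AD signs both the Response and the Assertion, so check every embedded certificate.
    certs = [c.text for c in root.iterfind(".//ds:X509Certificate", NS) if c.text]
    expected = cert_fingerprint(idp_cert_b64)
    return {
        "issuer_ok": issuer == issuer_url,
        "destination_ok": destination == reply_url,
        "cert_ok": bool(certs) and all(cert_fingerprint(c) == expected for c in certs),
    }

# Constructed sample values (placeholders, not a real certificate or tenant).
CONSTRUCTED_CERT = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
AZURE_AD_IDENTIFIER = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"  # use the Azure AD Identifier you copied
REPLY_URL = "https://azuread.opsramp.com/samlResponse.do"

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" Destination="{REPLY_URL}">
  <saml:Issuer>{AZURE_AD_IDENTIFIER}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CONSTRUCTED_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion><saml:Issuer>{AZURE_AD_IDENTIFIER}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CONSTRUCTED_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, AZURE_AD_IDENTIFIER, REPLY_URL, CONSTRUCTED_CERT))
```

Run it against a response captured from your browser's SAML trace with the values from your own OpsRamp install; any False entry points at the setting to correct.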
Result of integration: User synchronization
To start the user synchronization between Azure AD and OpsRamp, select Current Status > Refresh from the Azure AD Provisioning screen. Refresh executes a REST API call from Azure AD.
- If the REST-defined user attributes match the OpsRamp user attributes, the user information is updated in OpsRamp.
- If the REST-defined user attributes do not match the OpsRamp user attributes, they are matched using the attributes defined in the OpsRamp Map Attributes step and then updated.
- If the REST-defined user attributes do not match the defined Map Attributes, the API response fails, user synchronization fails, and the user is not created in OpsRamp. Azure AD displays the progress and result of the synchronization.