Azure Active Directory

Azure AD uses cross-domain Identity Management (SCIM) and Security Assertion Markup Language (SAML2.0). SCIM uses REST APIs to communicate between Azure AD and OpsRamp. The SCIM schema is used to handle end-to-end user management such as creating, updating, and deleting user accounts.

Prerequisites

Register with OpsRamp to get OpsRamp login credentials.
Your custom URL (such as <yourwebsitename>.opsramp.com).

Azure AD configuration

Azure AD configuration provides the SSO setting details that are required to configure OpsRamp.

Log in to Azure AD.
From the Azure AD console, select Azure Active Directory.
From Default Directory, select Enterprise applications > All applications > +New application.
Click Create your own application > Create your own application, provide a name, select the appropriate option, and click Create. For example, OpsRampSSO.
Non-Gallery Application
From method as Single sign-on > SAML, enter the following settings in the Set up section:
- Identifier: Custom branding URL in OpsRamp. The URL in each case is formed from the custom branding configured in OpsRamp for the client or the standard partner URL appended with saml.do
  (For example, https://<OpsRamp Custom Brand URL>/saml.do)
- Reply URL: https://<OpsRamp Custom Brand URL>/samlResponse.do (For example: https://azuread.opsramp.com/samlResponse.do)
- User Identifier: user.userprincipalname
Copy the following information required for OpsRamp configuration:
- Login URL
- Azure AD Identifier
- Logout URL
Click Download on Certificate (Base64) field. The certificate is required for OpsRamp configuration.
From the SAML Signing Certificate screen, right-click the certificate name and select Make Certificate active from the certificate drop-down option, if the Status is Inactive.
Enter the following details and click Save:
- Signing Option: Sign SAML Response and assertion
- Signing Algorithm: SHA-256
Click Provisioning from the left hand navigation pane and click Get Started from the screen, and specify:
- Provisioning Mode: Automatic
Provisioning mode
The Admin Credentials pane is displayed.
- Admin Credentials: Enter Tenant URL and Secret Token (These settings are copied from the OpsRamp configuration steps.)
Admin Credentials
Provisioning screen
- Click Test Connection to validate the Token settings. After validating the token settings, click Save. The Mappings and Settings pane are automatically populated.
- Mappings: Mappings allow you to define how user data should flow between Azure Active Directory and OpsRamp. For more information on how to manage mappings, click here.
- Settings: Notification Email: Valid email address to receive email notifications when a failure occurs. Scope: Set for synchronizing the user data. OpsRamp recommends to select Sync only assigned users and groups.
Set the Provisioning Status to On. This is used to synchronize user data.
Click Save to save the changes.

Users and Groups

The users and groups associated with the Azure AD Enterprise Application are synchronized with OpsRamp by the provisioning schedule.

Define Users and Groups and then add/assign these to the Enterprise Application.

In the below example, 2 groups have been defined and users assigned:

Groups are defined:

Users are assigned:

Note: The Group name can be used to assign the desired role in OpsRamp based on the Integration mapping.

The groups and users will be created in OpsRamp when provisioning occurs.

Provision a user

User Provisioning is an identity management process that ensures user accounts are created, given appropriate rights and permissions, modified, deleted, etc., to access an organization’s resources/applications.

To provision a user, follow the below steps:

After adding your application, on the Overview screen:

Click Users and groups using the left hand navigation pane. The Users and groups screen is displayed showing the existing users/groups, if any.
Click Add user/group. In Add Assignment screen, click None Selected under Users and groups. The Users and groups search window is displayed. Type the user name in the Search box and click Select. Note that only the first 50 search results are shown.
Once you click Select, the Users and groups under Add Assignment shows the number of users selected.
Click Assign. The user is assigned and displayed in the user/group list.

Provision a group

To provision a user group, follow the below steps:

After adding your application, on the Overview screen:

Click Users and groups using the left hand navigation pane. The Users and groups screen is displayed showing the existing users/groups, if any.
Click Add user/group. In Add Assignment screen, click None Selected under Users and groups. The Users and groups search window is displayed. Type the group name in the Search box and click Select. Note that only the first 50 search results are shown.
Once you click Select, the Users and groups under Add Assignment shows the number of groups selected.
Click Assign. The group is assigned and displayed in the user/group list.

Attribute Mapping

To map attributes (for users and groups), click the Provision Azure Active Directory Groups / Provision Azure Active Directory Users links from the Mappings pane. The Attribute Mapping screen is displayed. You can edit, add, or even delete an attribute mapping.

Edit:

To edit an attribute:

Click on the attribute. The Edit Attribute popup is displayed. Select the Mapping type, Source attribute, Target attribute and other options as appropriate.
Click Ok. The Attribute Mapping is saved.

Add:

To add an attribute:

Click Add New Mapping link. Select the options and click Ok. The Attribute is saved and added to the list.

Delete:

To delete an attribute, simply click Delete. Then click Save to save the changes. Click Discard to undo the delete operation.

By default, Azure will have mappings which are not supported by OpsRamp, which will cause multiple updates in case of SCIM. Following mappings are supported by OpsRamp:

OpsRamp supports only the below mappings:


Azure Active Directory Attribute	customappsso Attribute	OpsRamp Attribute
userPrincipalName	userName	Login Name
Switch([IsSoftDeleted], , "False", "True", "True", "False")	active	active
jobTitle	title	Designation
mail	emails[type eq "work"].value	Primary Email
givenName	name.givenName	First Name
surname	name.familyName	Last Name
Join("", [givenName], [surName])	name.formatted	name.formatted
streetAddress	addresses[type eq "work"].streetAddress	Address
city	addresses[type eq "work"].locality	City
state	addresses[type eq "work"].region	State
postalCode	addresses[type eq "work"].postalCode	ZipCode
country	addresses[type eq "work"].country	Country
mobile	phoneNumbers[type eq "work"].value	Mobile Number
telephoneNumber	phoneNumbers[type eq "mobile"].value	Phone
otherMails	emails[type eq "home"].value	Alternate Email

OpsRamp configuration

OpsRamp configuration generates the URL and secret token that are required to complete configuration at Azure AD.
To configure SSO integration:

From All Clients, select a client.
Go to Setup > Integrations > Integrations.
From Available Integrations, select SSO > Azure AD and click Install.
Enter the following information in Install Azure AD Integration screen:
Properties:
- Issuer URL: Azure AD Identifier
- Redirection URL: Login URL (SAML Single Sign-On Service URL)
- Logout URL: Logout URL
- Certificate: Certificate (Base64) The URL and certificate details are captured from the Azure AD configuration. Click Install. You can use the Browse button to select and then click Import to download the metadata file.
Provision Username as: There are two ways to provision a user:
- Identify Provider’s Name Identifier option is selected by default. The user which is created in the SSO portal will reflect in OpsRamp.
- Identify Provider’s Name Identifier with OpsRamp tenant-unique prefix: This option allows you to:
  - Create usernames with a unique 3-digit alphanumeric prefix, that is generated automatically by the system.
  - Install the same identity provider across multiple OpsRamp tenants.
    Note: Once you enable this option and install the integration, you cannot revert your changes.
    Example: There are three partners, Partner P1, P2, and P3. Each partner has usernames created with unique 3-digit alphanumeric prefix, like g0z.username1 for partner P1, p0w.username1 for partner P2, and t9q.username1 for partner P3.
  After installing the integration, when you click the integration name in the Configuration tab, the User Provision section will show the unique tenant prefix.
Click Install.
User Provision:
- Select the following details and click Save:
- Provision Type: SCIM. When configuring the integration it is necessary to select the Provision Type - SCIM to synchronize users and groups when provisioning occurs. If you select provision type as JIT, JIT user is created during user login.
- Default Role: The required user role.
Copy the URL and Token information. These details are used when configuring Azure AD Provisioning settings.
Define the following Map Attributes:
Role mapping is required for groups and users.
User:
1. Select OpsRamp Entity as User and OpsRamp Property as Role.
1. Click +. The Create User Mapping on Role popup is displayed.
a. Third-party Entity: Enter the value.
b. Third-party Property: Enter the value.
OpsRamp Entity and OpsRamp Property are populated automatically.
Under Add Property Values:
c. Third-party Property Value: Enter the value that is coming from Azure side (from the payload).
d. OpsRamp Property Value: Select the appropriate role corresponding to the Third-party Property Value. To add more property values click +.
e. Click Save. The mapping is saved and displayed.
Similarly, map attributes for other entities like First Name, Last Name, Mobile Number, Phone, Email, etc.
User Group:
1. Select OpsRamp Entity as User Group and OpsRamp Property as Role.
1. Click +. The Create User Group Mapping on Role popup is displayed.
a. Third-party Entity: Enter the value.
b. Third-party Property: Enter the value.
OpsRamp Entity and OpsRamp Property are populated automatically.
Under Add Property Values:
c. Third-party Property Value: Enter the value that is coming from Azure side (from the payload).
d. OpsRamp Property Value: Select the appropriate role corresponding to the Third-party Property Value. To add more property values click +.
e. Click Save. The mapping is saved and displayed.

If the Role is not configured in Map Attributes section, the Default Role provided in User Provision is considered for SSO.

Synchronize with Azure AD

To synchronize with Azure AD, select Current Status > Refresh from the Azure AD Provisioning screen. Refresh executes a REST API call from Azure AD.

If the REST-defined user attributes match with the OpsRamp user attributes, the user information is updated in OpsRamp.
If the REST-defined user attributes do not match with the OpsRamp user attributes, those are matched when the attributes are defined in the OpsRamp Map Attributes step and updated.
If the REST-defined user attributes do not match with the defined Map Attributes, the API response fails, user synchronization fails, and the user is not created in OpsRamp. Azure AD displays the progress of synchronization and the result is displayed.

Users/Groups updated in OpsRamp after successful synchronization:

Limitations

Azure AD supports changing of login name, however, OpsRamp does not support changing of login name once a user is provisioned. Updating a login name in Azure AD causes the user to not be able to log in to OpsRamp.
OpsRamp does not support multiple role assignments for a user for SCIM provisioning. However, multiple roles are supported per JIT provisioning in Azure AD integration.

Prerequisites

Azure AD configuration

Non-Gallery Application

Provisioning mode

Admin Credentials

Provisioning screen