How to Configure Netreo to Use SAML 2.0 and Azure Active Directory for User Management
  • 02 Apr 2024


Article summary

This page explains how to configure Netreo to use Azure Active Directory for user management if you are using SAML 2.0 to manage SSO logins to Azure Active Directory.

To use Active Directory (LDAP) without SAML 2.0, see How to Configure Netreo to Use Active Directory (LDAP) for User Management.

Once SAML 2.0 is enabled, you will only be able to log in to Netreo using Azure Active Directory usernames and passwords (except for the default Netreo administrator local account). To log in to Netreo using the default administrator local account, use the username/password “omnicenter/administrator”, which tells Netreo that you wish to bypass Active Directory. This is useful if your Active Directory server is down or unreachable for some reason.

Warning
If SAML 2.0 is enabled and you delete the preconfigured Netreo local account "administrator", you will not have access to Netreo if your Active Directory server becomes unreachable.

Configuring Netreo to use Azure Active Directory and SAML 2.0 for user management requires you to make configuration changes to the Azure Active Directory service in your Microsoft Azure account before making configuration changes in Netreo.

Procedure

While performing the procedure below you will need to have administrative access to both Netreo and your Microsoft Azure account. It is recommended to have both of those open in separate tabs in your browser as you perform the steps below, switching back and forth between each as necessary.

  1. In Netreo:
    1. Log in to Netreo as a user with the SuperAdmin access level.
    2. From the main menu, select Administration >> Users >> Authentication Settings.
    3. On the Authentication Settings page, in the Authentication panel, in the TYPE field, use the pull-down menu to select SAML (2.0). The SAML configuration options now appear.
    4. At this point, you will need to configure the Active Directory settings in your Azure account. Leave this page open and return when instructed.
  2. In Azure:
    1. Log in to your Microsoft Azure account.
    2. Click on your Azure Active Directory service. (If you have not already added this service to your Azure account, you must do so before continuing.)
    3. On the Azure Active Directory service management page, from the Manage menu on the left, select Enterprise Applications.
    4. On the All applications page, click New application at the top to add a new application.
    5. From the Azure AD Gallery, select the Azure AD SAML Toolkit. (You can use the search field to find this application quickly.)
    6. In the side panel that opens:
      1. In the Name field, change the name to something more easily identifiable (for example, "Netreo Services SAML" or something similar).
      2. Click the Create button to add the new application to your Azure Active Directory service.
      3. You are taken to the Overview page of your new application.
    7. On the Overview page under Getting Started, click on step 2 Set up single sign on.
    8. On the Single sign on page, click SAML to open the SAML-based Sign on page.
  3. In Netreo:
    1. On the Authentication Settings page, in the Service URLs for your Identity Provider panel, copy the value from the AUDIENCE (ENTITYID) URI field.
  4. In Azure:
    1. On the SAML-based Sign on page, in the Basic SAML Configuration panel, click Edit.
    2. In the Basic SAML Configuration side panel that opens:
      1. In the "Identifier (Entity ID)" section of the edit area, click Add identifier.
      2. In the new empty field that appears, paste the value that you copied from Netreo.
      3. Select the checkbox to make that value the default.
      4. Delete the previous default value so that only the value pasted from Netreo remains.
  5. In Netreo:
    1. On the Authentication Settings page, in the Service URLs for your Identity Provider panel, copy the value from the ACS (CONSUMER) URL field.
  6. In Azure:
    1. In the Basic SAML Configuration side panel:
      1. In the "Reply URL (Assertion Consumer Service URL)" section of the edit area, click Add reply URL.
      2. In the new empty field that appears, paste the value that you copied from Netreo.
  7. In Netreo:
    1. On the Authentication Settings page, in the Service URLs for your Identity Provider panel, copy the value from the SINGLE LOGOUT URL field.
  8. In Azure:
    1. In the Basic SAML Configuration side panel:
      1. In the "Sign on URL" section of the edit area, paste the value that you copied from Netreo.
      2. Edit the "logout" portion of the pasted value to "login".
      3. In the "Logout URL" section of the edit area, again paste the value that you copied from Netreo (leave the value unedited).
      4. Click Save at the top of the side panel.
      5. On the SAML-based Sign on page, the configuration values will update in the Basic SAML Configuration panel.
    2. On the SAML-based Sign on page, in the Attributes & Claims panel, click Edit.
    3. On the Attributes & Claims page, click Add a group claim.
    4. In the Group Claims side panel that opens:
      1. Select the All groups radio button.
      2. Click the down arrow to open the Advanced Options area.
      3. Click the checkbox next to "Customize the name of the group claim".
      4. In the Name field, enter an easily identifiable name for your group (for example, something like Netreo_Groups). Then copy the value that you entered.
      5. Click Save.
  9. In Netreo:
    1. On the Authentication Settings page, in the User Permission Mapping panel, in the ATTRIBUTE NAME field, paste the value that you copied from Azure.
  10. In Azure:
    1. Navigate back to your Azure Active Directory service management page.
    2. From the Manage menu on the left, select Groups.
      1. We will now create four new primary Active Directory groups to match the Netreo user types (User, Power User, Administrator and SuperAdmin). If you require more granular organization for your Active Directory user groups, you may add subgroups to any of the primary groups. Users in a subgroup will be logged in at the primary group access level.
      2. For each Netreo user type:
        1. On the All groups page, click New group.
        2. On the New Group page:
          1. In the Group name field, enter an appropriate name for this group (such as Netreo_Users, Netreo_Power_Users, etc.).
          2. Click Create.
        3. On the All groups page, locate your new group and click on it.
          1. On the group management page, from the Manage menu on the left, select Members.
          2. On the Members page, select Add members.
          3. In the Add members side panel that appears, select the members to add to the group.
          4. Click Select.
    3. Navigate back to the All groups page and:
      1. Locate the group that contains the basic Netreo Users.
      2. In the Object ID column copy the object ID for that group.
  11. In Netreo:
    1. On the Authentication Settings page, in the User Permission Mapping panel, in the Netreo Access Levels area, in the USER field, paste the value that you copied from Azure.
  12. In Azure:
    1. On the All groups page:
      1. Locate the group that contains the Netreo Power Users.
      2. In the Object ID column copy the object ID for that group.
  13. In Netreo:
    1. On the Authentication Settings page, in the User Permission Mapping panel, in the Netreo Access Levels area, in the POWER USER field, paste the value that you copied from Azure.
  14. In Azure:
    1. On the All groups page:
      1. Locate the group that contains the Netreo Administrator users.
      2. In the Object ID column copy the object ID for that group.
  15. In Netreo:
    1. On the Authentication Settings page, in the User Permission Mapping panel, in the Netreo Access Levels area, in the ADMIN field, paste the value that you copied from Azure.
  16. In Azure:
    1. On the All groups page:
      1. Locate the group that contains the Netreo SuperAdmin users.
      2. In the Object ID column copy the object ID for that group.
  17. In Netreo:
    1. On the Authentication Settings page, in the User Permission Mapping panel, in the Netreo Access Levels area, in the SUPERADMIN field, paste the value that you copied from Azure.
  18. In Azure:
    1. Navigate back to the SAML-based Sign on page for your application.
    2. On the SAML-based Sign on page, in the SAML Certificates panel, download either the Base64 or Raw certificate (your choice; Netreo accepts either).
    3. Open the downloaded certificate in a basic text editor (one that does not add hidden formatting to the text) and copy the contents of the certificate.
  19. In Netreo:
    1. On the Authentication Settings page, in the Identity Provider Configuration panel, in the X509 CERTIFICATE STRING field, paste the contents copied from the certificate.
  20. In Azure:
    1. On the SAML-based Sign on page, in the Set up "your application" panel, copy the value from the Azure AD Identifier field.
  21. In Netreo:
    1. On the Authentication Settings page, in the Identity Provider Configuration panel, in the ENTITY ID field, paste the value that you copied from Azure.
  22. In Azure:
    1. On the SAML-based Sign on page, in the Set up "your application" panel, copy the value from the Login URL field.
  23. In Netreo:
    1. On the Authentication Settings page, in the Identity Provider Configuration panel, in the LOG IN URL field, paste the value that you copied from Azure.
    2. For the INCLUDE SUBJECT IN REQUEST field, switch the selector to OFF.
    3. Click Save.
  24. You are finished configuring Netreo to use Active Directory and SAML 2.0 for user login.

All current users must log out and log back in again using their Active Directory credentials.

Troubleshooting

Authentication Settings

If, after configuring Netreo to use Active Directory and SAML 2.0, you find that your users are unable to log in, Azure provides a tool to test your authentication settings to determine whether they work and, if not, where the problem lies. To access the tool, follow the steps below.

  1. Log in to your Microsoft Azure account.
  2. On the Microsoft Azure homepage, under Azure services, click Active Directory.
  3. On the Azure Active Directory service management page, from the menu on the left, under Manage, select Enterprise applications.
  4. On the All applications page, locate the SAML application that you would like to test and click its name.
  5. On your application's Overview page, click Set up single sign on.
  6. On the SAML-based Sign on page, at the top, click Test this application.
  7. In the side panel that opens:
    1. Select the radio button for how you would like to test the settings.
    2. Click Test sign in.

The test generates an XML response that contains information about what data is being passed to Netreo during the sign on.

The primary values to check for errors are those found on the SAML-based Sign on page (from where you ran the test), in the Set up "your application" panel. Those values are:

  • Login URL
  • Azure AD identifier
  • Logout URL
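The XML response from the test above can be checked against the values that the procedure has you copy between the two UIs: the AUDIENCE (ENTITYID) URI, the Azure AD Identifier pasted into ENTITY ID, the X509 CERTIFICATE STRING, and the custom group claim name pasted into ATTRIBUTE NAME, whose values are the group Object IDs pasted into the USER, POWER USER, ADMIN and SUPERADMIN fields. The script below is an added example, not Netreo's or Microsoft's code: it parses a constructed sample response of that shape, reports each mismatch against the configured values, and maps the group Object IDs to an access level. All URLs, GUIDs and the certificate body are constructed placeholders; the "highest mapped group wins" rule is an assumption, since the article does not say how Netreo resolves a user who is in several mapped groups. It does not verify the XML signature; a real consumer must do that with a SAML library.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values copied between Netreo and Azure in the procedure. All are constructed
# placeholders, not real tenant or Netreo values.
NETREO_ENTITY_ID = "https://netreo.example.invalid/saml/metadata"            # AUDIENCE (ENTITYID) URI
AZURE_AD_IDENTIFIER = "https://sts.windows.net/00000000-0000-4000-8000-000000000001/"  # ENTITY ID
GROUP_CLAIM_NAME = "Netreo_Groups"                                            # ATTRIBUTE NAME
# Pasted from a text editor, so it may carry CRLF line endings; that is handled below.
X509_CERTIFICATE_STRING = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIBplaceholderCERTbody0000000000000000000000000000000000000000\r\n"
    "-----END CERTIFICATE-----\r\n"
)
# Group Object ID -> Netreo access level (USER / POWER USER / ADMIN / SUPERADMIN fields).
GROUP_TO_LEVEL = {
    "aaaaaaaa-0000-4000-8000-000000000010": "User",
    "aaaaaaaa-0000-4000-8000-000000000020": "Power User",
    "aaaaaaaa-0000-4000-8000-000000000030": "Administrator",
    "aaaaaaaa-0000-4000-8000-000000000040": "SuperAdmin",
}
LEVEL_RANK = {"User": 1, "Power User": 2, "Administrator": 3, "SuperAdmin": 4}


def _cert_body(text):
    """Reduce a PEM string or bare base64 blob to its base64 body with all
    whitespace removed, so hidden CRs or re-wrapped lines do not cause a mismatch."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return re.sub(r"\s+", "", body)


def check_response(xml_text):
    """Return (problems, groups): human-readable mismatches against the configured
    values, and the group Object IDs carried by the custom group claim."""
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("response status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("response carries no Assertion")
        return problems, []
    issuer = (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != AZURE_AD_IDENTIFIER:
        problems.append(f"Issuer {issuer!r} does not match ENTITY ID (Azure AD Identifier)")
    audience = (assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) or "").strip()
    if audience != NETREO_ENTITY_ID:
        problems.append(f"Audience {audience!r} does not match AUDIENCE (ENTITYID) URI")
    signing_cert = assertion.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if signing_cert is None or _cert_body(signing_cert) != _cert_body(X509_CERTIFICATE_STRING):
        problems.append("signing certificate differs from X509 CERTIFICATE STRING")
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_CLAIM_NAME:
            groups = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    if not groups:
        problems.append(f"no attribute named {GROUP_CLAIM_NAME!r} in the assertion")
    return problems, groups


def access_level(groups):
    """Map group Object IDs to an access level. Unmapped groups are ignored;
    with several mapped groups this example assumes the highest level wins."""
    levels = [GROUP_TO_LEVEL[g] for g in groups if g in GROUP_TO_LEVEL]
    return max(levels, key=LEVEL_RANK.__getitem__) if levels else None


# Constructed sample in the shape of the response the "Test this application" step produces.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="https://netreo.example.invalid/saml/acs">
  <saml:Issuer>{AZURE_AD_IDENTIFIER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion>
    <saml:Issuer>{AZURE_AD_IDENTIFIER}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_cert_body(X509_CERTIFICATE_STRING)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{NETREO_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{GROUP_CLAIM_NAME}">
        <saml:AttributeValue>aaaaaaaa-0000-4000-8000-000000000010</saml:AttributeValue>
        <saml:AttributeValue>aaaaaaaa-0000-4000-8000-000000000020</saml:AttributeValue>
        <saml:AttributeValue>bbbbbbbb-0000-4000-8000-000000000099</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    found, ids = check_response(SAMPLE_RESPONSE)
    print("problems:", found or "none")
    print("groups:", ids)
    print("access level:", access_level(ids))
```

To use it against a real test result, replace the configured constants with the values from your own Authentication Settings page and pass the saved response XML to `check_response`. A non-empty problem list points at which copied value (Entity ID, Audience, certificate, or claim name) does not match, which is usually the fastest way to find a paste error.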

Using Netreo SaaS in a Sandbox Environment

If you intend to use Active Directory and SAML 2.0 to manage users in a Netreo SaaS sandbox environment, make sure that you configure a CNAME in your DNS for the domain of the users logging in before attempting to use SAML.

