# Azure AD Configuration

## Steps to follow

* [Create a new Enterprise Application](#create-a-new-enterprise-application)
* [Set up Single Sign-On](#set-up-single-sign-on)
  * Option 1: Upload metadata XML file
  * Option 2: Enter metadata manually
  * [Configure Attributes & Claims](#configure-attributes-and-claims)
* [Enter Azure's metadata into Sleuth](#enter-azures-metadata-into-sleuth)
  * Option 1: Link to metadata file
  * Option 2: Input metadata manually
* [Assign Users/Groups to the Enterprise Application](#assign-users-groups-to-the-enterprise-application)

## Create a new Enterprise Application

Sign in to Azure as an administrator and click on the "**Azure Active Directory**" tile.

![](https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2F3ukKggvWPWETFfu1N17k%2Fimage.png?alt=media\&token=46656a8b-599c-4b80-8d46-759a8d4bcc0e)

In the left-hand menu click on "**Enterprise Applications**" and then click "**New application**". On the next page click "**Create your own application**". Name your application (*e.g., Sleuth*), select the "**Integrate any other application you don't find in the gallery (Non-gallery)**" option, and click "**Create**":

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2F8ayaYHcTJNedjFD99gYS%2Fimage.png?alt=media&#x26;token=b9497424-8c3d-4939-ae2d-63d2974008b7" alt=""><figcaption></figcaption></figure>

## Set up Single Sign-On

Once the application is created, you'll be taken to its homepage. Click the "**2. Set up single sign on**" tile (*alternatively, you can click the "**Single sign-on**" link in the left-hand navigation*):

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2Fr4SskjLFdeg2kBeSux2O%2Fimage.png?alt=media&#x26;token=7953daba-a010-4f7a-be6d-6e2d799cbce8" alt=""><figcaption></figcaption></figure>

When prompted, select "**SAML**" as the **single sign-on method**, then proceed with one of the two options explained below:

{% tabs %}
{% tab title="Option 1: Upload metadata XML file" %}
Click the "**Upload metadata file**" button to trigger the file import modal, **select the file** to upload, and click "**Add**":

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2F1zCKQfW2e51h3sBUAKnu%2Fimage.png?alt=media&#x26;token=369a3ff7-52e3-43e3-bac0-bd975e3d820c" alt=""><figcaption></figcaption></figure>

Once the file is uploaded, you'll see a preview of the imported metadata. You can still make changes if needed, although that generally shouldn't be necessary.

One **optional field** that doesn't get populated automatically is "**Relay State**"; you can specify it manually by entering your **Sleuth org slug** (*found in your Sleuth URL: `https://app.sleuth.io/<org-slug>`*) and clicking "**Save**" at the top:

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FmnDa0BokY76vxQQzLtMS%2Fimage.png?alt=media&#x26;token=69e3c02a-6899-481e-95ac-21a1fcfba4e6" alt=""><figcaption></figcaption></figure>
{% endtab %}

{% tab title="Option 2: Enter metadata manually" %}
On the "**Basic SAML Configuration**" tile click "**Edit**":

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FptQCAsV7bWgbr0bUlQld%2Fimage.png?alt=media&#x26;token=2cc6eab2-8d69-4e26-a976-3aebd99a7e59" alt=""><figcaption></figcaption></figure>

**Fill in the necessary metadata** (*found in Sleuth*), using the following reference, and click "**Save**":

<table><thead><tr><th>AZURE AD</th><th>SLEUTH</th><th>EXAMPLE</th></tr></thead><tbody><tr><td><strong>Identifier (Entity ID)</strong></td><td>SAML Entity ID</td><td><code>https://app.sleuth.io/saml/metadata/</code></td></tr><tr><td><strong>Reply URL (Assertion Consumer Service URL)</strong></td><td>Assertion Consumer Service</td><td><code>https://app.sleuth.io/complete/saml/</code></td></tr><tr><td><strong>Relay State (Optional)</strong></td><td>Default Relay State</td><td><code>sleuth</code><br><em>(should be your <strong>org slug</strong>)</em></td></tr><tr><td><strong>Logout Url (Optional)</strong></td><td>Single Logout Service</td><td><code>https://app.sleuth.io/saml/sls/</code></td></tr></tbody></table>

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FMGjKFX1u14tJHSqcEq08%2Fimage.png?alt=media&#x26;token=ec99c134-7c94-435f-a1c6-f2603576ed52" alt=""><figcaption></figcaption></figure>
{% endtab %}
{% endtabs %}

### Configure Attributes & Claims

Leave the **Attributes & Claims** section configured as it is; the settings should look like this:

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FW9sqTyuOJtf4lNRGlNY0%2Fimage.png?alt=media&#x26;token=d5ff9953-f246-4107-9571-3db9c25dff61" alt=""><figcaption></figcaption></figure>

{% hint style="danger" %}
Keeping the **Unique User Identifier** claim set to `user.userprincipalname` is a **prerequisite** for your SAML configuration to work with Sleuth.
{% endhint %}

## Enter Azure's metadata into Sleuth

As before, you can choose between **pointing Sleuth to a URL** where the IdP's metadata is now available, or **entering the metadata into Sleuth manually**.

{% tabs %}
{% tab title="Option 1: Link to metadata file" %}
In Azure on the "**SAML Certificates**" tile under your Enterprise Application, **copy the value** of the "**App Federation Metadata Url**" field:

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FnA0NxRyfuUd8qxAk8ovq%2Fimage.png?alt=media&#x26;token=0f964af0-4d8f-4112-ae72-25a6e204a4b8" alt=""><figcaption></figcaption></figure>

In Sleuth, click the "**point Sleuth to metadata file URL**" link to trigger the input modal and **paste the copied URL** into the field, then click "**Save**":

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2F53KiBmT8vEAZKEGnpild%2Fimage.png?alt=media&#x26;token=7d7bc539-b71d-4197-b03e-f5026ea3b0db" alt=""><figcaption></figcaption></figure>

The remaining fields in Sleuth are **populated automatically**; just click "**Test Metadata and Save**":

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FMBGx3YQgEG5VTEjZzx7v%2Fimage.png?alt=media&#x26;token=11d3decb-dacc-44e8-aa49-c5b3ecc0427d" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Sleuth defaults all of the Advanced configuration to the most commonly used values, but depending on your IdP configuration you might need to adjust "**Advanced settings**".
{% endhint %}

{% endtab %}

{% tab title="Option 2: Input metadata manually" %}
**Fill in the necessary metadata** (*found in Azure AD*), using the following reference, and click "**Test Metadata and Save**":

<table><thead><tr><th>SLEUTH</th><th>AZURE AD</th><th>EXAMPLE</th></tr></thead><tbody><tr><td><strong>Entity ID</strong></td><td>Azure AD Identifier</td><td><code>https://sts.windows.net/&#x3C;...></code></td></tr><tr><td><strong>SSO URL</strong></td><td>Login URL</td><td><code>https://login.microsoftonline.com/&#x3C;...></code></td></tr><tr><td><strong>SLO URL</strong></td><td>Logout URL</td><td><code>https://login.microsoftonline.com/&#x3C;...></code></td></tr><tr><td><strong>Certificate</strong></td><td>On the "<strong>SAML Certificates</strong>" tile click "<strong>Edit</strong>", then click the <strong>ellipsis (...)</strong> button at the right end of the Active certificate and select "<strong>PEM certificate download</strong>".</td><td><code>-----BEGIN CERTIFICATE-----</code><br><code>&#x3C;...></code><br><code>-----END CERTIFICATE-----</code></td></tr></tbody></table>

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FqKtP8LA1rXKLmQgTgRF7%2Fimage.png?alt=media&#x26;token=c478d15f-be4c-4d1b-b1b6-c8ae5ff13498" alt=""><figcaption><p>Open the downloaded file with a text or code editor and copy the contents to be pasted into the "Certificate" field in Sleuth.</p></figcaption></figure>

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2F4ZUL1ova8qNSjotQt1kt%2Fimage.png?alt=media&#x26;token=697b4402-7d22-437e-878c-27cfc715bcf9" alt=""><figcaption></figcaption></figure>
{% endtab %}
{% endtabs %}

## Assign Users/Groups to the Enterprise Application

On the Application's homepage click the "**1. Assign users and groups**" tile (*alternatively, you can click the "**Users and groups**" link in the left-hand navigation*):

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FeI4O2KqgmZCVJAppdzfP%2Fimage.png?alt=media&#x26;token=449464df-80e4-40a6-9865-3077cf365124" alt=""><figcaption></figcaption></figure>

Click the "**+Add user/group**" button and **assign Users/Groups** as needed:

<figure><img src="https://2832637360-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M1bR_-Od0islbiOl4G0%2Fuploads%2FR1SXVnSd3WKZDqBMSsIu%2Fimage.png?alt=media&#x26;token=5bc68c1a-e5aa-4b2e-b7a3-631d4026f976" alt=""><figcaption></figcaption></figure>
