Creating a trust relationship in AzureAD
- Login to Microsoft Azure
- Select the Directory you wish to integrate with RightScale from the picker in the upper right corner.
- Select Azure Active Directory from the left hand navigation pane. Note: It may be found under More services.
- In the Azure Active Directory blade, under Manage, select Enterprise Applications.
- Select New Application.
- Under Categories select All and search for RightScale within the Add an application blade.
- Select the RightScale application and give it a custom name, or accept the default, and select Add
- Open the App and select Configure single sign-on.
- Select the option SAML-based Sign-On
- In the Identifier field, input
https://login.rightscale.com/login/saml2/metadata/
- In the Reply URL field, input
https://login.rightscale.com/login/saml2/consume
- Fill out the User Attributes section with the appropriate user field mappings, if the defaults are not sufficient.
- Click Save
- Under the Single sign-on tab of the application click the Configure RightScale link at the bottom. Scroll down to the Quick Reference section and copy the Azure AD Single Sign-On Service URL and Azure AD SAML Entity ID values, and download the Azure AD Signing Certificate.
Microsoft Tutorial: Azure Active Directory integration with RightScale
Creating a trust relationship in RightScale
In this section, we will set up a trust relationship for AzureAD within RightScale. As a result, RightScale will know your identity provider's information, which permits your IdP to initiate logins.
You must have the enterprise_manager
role for the RightScale account you wish to associate with AzureAD.
- In a new tab in your browser, navigate to the account you wish to administer in RightScale.
- In the blue nav menu at the top of the screen, select Settings and navigate to Single Sign-on under the Enterprise section. (If you do not see this option, then you do not have the
enterprise_manager
role for the current account.) - On the resulting page, you should see a list of existing SAML Identity Providers near the top and, above the list, you should see a New button. Click the New button.
In the resulting form, enter the following values:
Input Name Value Display Name Your choice, e.g. MyCompany AzureAD
Login Method Leave Allow RightScale-initiated SSO using a discovery hint unchecked for IdP initiated login SAML SSO Endpoint Enter AzureADs' Single Sign-On Service URL e.g. https://login.microsoftonline.com/xxxxx
SAML EntityID Enter AzureADs' SAML Entity ID e.g. https://sts.windows.net/xxxxx
SAML Signing Certificate Upload the x509 certificate that AzureAD uses to sign its SAML assertions Click the Save button and you will be returned to the Identity Provider list page. You should see your newly created IdP in this list.
Click the pencil button on the right to edit your SSO configuration. Check the box for Compress SAML Requests and click Save.
Next, click the button to the right to test your IdP configuration. You should be redirected to your IdP where you can log in and complete the SSO login.
Finally, if you wish to have users provisioned via SSO then you will need to Enable authority for your new IdP over the SAML-asserted email domains.
This concludes configuration of your SAML Identity Provider in RightScale. Please continue on to Step 3: Test IdP-Initiated Single Sign-On.