SAML Setup with Azure AD

Follow the Azure guide for a general understanding of creating an Azure AD (AAD) SSO application: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps

1. In the Mist Web GUI, navigate to “Organization > Settings.” Under the Single Sign-on section, create an Identity Provider by clicking Add IdP.
Once the Identity Provider is created, the ACS URL and Single Logout URL are generated by default.

2. In Azure AD, configure the application with the following values:

a. Identifier (Entity ID): Mist supports either a generic or an SSO-specific Entity ID.

  1. Generic: https://saml.mist.com
  2. SSO-specific: https://saml-<DOMAIN>.mist.com
    This value can be obtained from https://api.mist.com/api/v1/orgs/:org_id/ssos/:sso_id/metadata (replacing :org_id and :sso_id with the appropriate IDs).

b. Reply URL: Use the ACS URL shown in the Mist UI.
e.g. https://api.mist.com/api/v1/saml/<DOMAIN>/login

Both of these values are entered under Basic SAML Configuration in Azure AD.

c. User identifier: user.mail

d. SAML Token Attributes: Send the attributes with these names (case sensitive): FirstName, LastName, Name ID, and Role, where Role is your custom LDAP rule that passes Mist the appropriate administrator role.

e. Mist requires the full message to be signed: under Advanced Certificate Signing Options, select “Sign SAML response and assertion”.

3. In the Mist Web GUI, finish configuring the SSO IdP:

a. Issuer: Obtain from the AAD Federation Metadata.

e.g. https://sts.windows.net/01234567-89ab-cdef-0123-456789abcdef/

b. Certificate: Obtain from AAD.

Note: Make sure to include the certificate header and footer lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).

c. SSO URL: Obtain from the AAD Federation Metadata.

The Login URL can also be obtained from the AD owner.
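
As an added example (not code from Mist or Microsoft), the following Python script pulls the three values step 3 asks for out of an Azure AD federation metadata document and wraps the signing certificate in the header and footer lines Mist expects. The metadata below is constructed for illustration: it reuses the tenant ID from the example Issuer above, the certificate bytes are dummy, and the SSO URL is a placeholder rather than a value from this page.

```python
"""Extract the three Mist IdP fields (Issuer, Certificate, SSO URL) from an
Azure AD federation metadata document. The metadata below is constructed for
illustration; real metadata comes from the AAD app's federation metadata URL."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: tenant ID is the page's placeholder, certificate bytes are dummy.
SAMPLE_CERT_B64 = base64.b64encode(b"not-a-real-certificate" * 8).decode()
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/01234567-89ab-cdef-0123-456789abcdef/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/01234567-89ab-cdef-0123-456789abcdef/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def to_pem(b64: str) -> str:
    """Wrap the bare base64 blob in the header/footer lines Mist expects (step 3b)."""
    body = "\n".join(textwrap.wrap("".join(b64.split()), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def mist_idp_settings(metadata_xml: str) -> dict:
    """Return the Issuer, PEM certificate and SSO URL to paste into the Mist IdP form."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [c.text for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    if not certs or sso is None:
        raise ValueError("metadata lacks a signing certificate or an HTTP-Redirect SSO endpoint")
    return {"issuer": root.attrib["entityID"],
            "certificate": to_pem(certs[0]),
            "sso_url": sso.attrib["Location"]}
```

Fetch the real metadata over HTTPS from the Azure portal's federation metadata URL and pass its text to mist_idp_settings; the returned issuer, certificate and sso_url map one-to-one onto fields 3a, 3b and 3c.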

4. In the Mist Web GUI, create the corresponding roles under the Single Sign-on section. The Role Name should match the Role being sent in the AAD SAML Assertion.