Azure Active Directory SSO

An overview of the process to configure SSO connections between ChaosSearch and Azure AD

Azure Active Directory is a Microsoft Azure service that provides identity and access management. ChaosSearch supports single sign-on with Azure AD, which means your organization can incorporate ChaosSearch into your application base in Azure AD and let your users securely access ChaosSearch.

The Azure AD support includes steps for an SP-initiated bookmark-based authentication, as well as a bookmark-style IdP authentication method. The following is an outline of the process to configure Azure AD; the steps could vary with updated versions or your organization's policies.

πŸ“˜

IMPORTANT:

Confirm that you have Microsoft's Azure Active Directory (Azure AD) for these instructions. If you are using Active Directory Federation Services (ADFS), there are different instructions for the SSO setup.

Overview of the SP-Initiated Configuration Methods

To configure Azure AD authentication for ChaosSearch, ChaosSearch must configure its Auth0 broker with the information for the customer's Azure AD service. The customer administrators must register ChaosSearch as an application in their Azure AD implementation with the URL information provided by ChaosSearch.

There are two supported methods for configuring Azure AD authentication support with ChaosSearch:

Cloud Connector Method

To configure Azure AD authentication for ChaosSearch using the cloud connector, the customer administrators must provide the following information to ChaosSearch Customer Success:

  • Microsoft Azure AD domain name
  • Application (Client) ID
  • Client secret

πŸ“˜

NOTE

Detailed instructions for configuring Azure AD are in the Microsoft help at https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app. Work with your Customer Success representative during this process to ensure the correct configuration.

To register the ChaosSearch application in Azure AD and obtain the information:

  1. Register the ChaosSearch application with Azure AD as described in the Microsoft help topic linked above.

    • To specify a Redirect URI for the ChaosSearch application, discuss the endpoint name to use with your ChaosSearch Customer Success representative.
    • Follow the steps in the section for "Add a client secret" to complete that task for the setup.

πŸ‘

Information:

Make sure that you have the three values: the Azure AD domain, the application (client) ID, and the client secret.

  1. ChaosSearch administrators create an enterprise connection in Auth0 with the supplied Azure AD domain, Application (client) ID, and client secret.

  2. ChaosSearch administrators enable the enterprise connection in Auth0.

  3. Test the connection.

SAML 2 Configuration Method

For customers who want to establish Azure AD authentication for ChaosSearch using the SAML 2 connector:

  1. ChaosSearch will register the application in the Auth0 broker and provide the following information to the customer administrators:

    • A post-back URL(also called Assertion Consumer Service URL) such as https://*customer*-chaossearch.auth0.com/login/callback?connection=*customer*-azure.
    • An Entity ID (ID or the service provider) such as urn:auth0:*customer*-chaossearch:*customer*-azure
  2. The customer administrators must provide the following information to ChaosSearch Customer Success:

    • Sign in URL
    • X.509 token signing certificate in PEM or CER format

πŸ“˜

NOTE:

Detailed information about using SAML 2.0 as an IdP for Azure AD single sign-on is available at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp.

Azure AD Linked SSO Applications

This section describes the steps to configure linked-based SSO as an IdP authentication method for ChaosSearch in Azure AD.

Overview of the Linked-Based SSO Process

The linked-based SSO option lets you configure the target location when a user selects an application such as ChaosSearch in your organization's My Apps or Microsoft 365 portal.

To create a linked-based application:

  1. The customer administrator must sign in to the Azure portal with an appropriate administrator role.

  2. Select Azure Active Directory in Azure Services, and then select Enterprise applications.

  3. Click New application to create a new application for ChaosSearch.

🚧

Transitioning existing Azure AD integrations?

Existing customers who have previously configured Azure AD connections to ChaosSearch using the steps earlier in this topic can, if desired, transition from the SP-initiated method to the IdP linked model described in this section.

Keep the existing application defined for ChaosSearch to maintain the existing SSO connections as a backup. DO NOT DELETE THE EXISTING APPLICATION.

Add a new Azure AD application for the IdP-initiated application settings. Grant your users access to the new application to transition users to the new model. Contact ChaosSearch for assistance with this type of changeover.

  1. When creating the new application, make sure that you select the option to create an application that does not appear in the application catalog.

  2. Select Single sign-on in the left menu.

  3. Select Linked (the last option).

  4. Enter the URL for the sign-in page of the application.

🚧

Check the URL

For the URL, specify the correct domain and URL for the ChaosSearch customer portal. The Customer Success team can help you to make sure that you have the correct URL, for example: https://customer.chaossearch.io/#?sso_login=true.

  1. Click Users and groups to assign the users and groups that require access to the new ChaosSearch application.
  2. Click Save.

Connecting to ChaosSearch

Permitted users should now have a link to access ChaosSearch in their Microsoft My Apps or 365 portals.