Configure SSO with Azure AD
    • 03 Jan 2025

    ZPE Cloud supports integrating Azure Active Directory (Azure AD) as a Single Sign-On (SSO) Identity Provider. With this integration, users access ZPE Cloud while all security policies established in Azure Active Directory, including Multi-Factor Authentication (MFA), remain enforced.

    In this article, you'll learn how to:

    Configure ZPE Cloud App in Azure - Part 1

    The following steps describe how to create an SSO provider in Microsoft Azure.

    1. Log in to the Microsoft Azure Portal.

    2. Navigate to Entra ID.

    3. Navigate to Enterprise applications.

    4. Click New application to create a new application.

    5. Click Create your own application to create a ZPE Cloud SSO application.

    6. Provide a Name for the application. The recommended names are ZPE Cloud or ZPECloud EU.

    7. Select Integrate any other application you don't find in the gallery (Non-gallery).

      1. Assign users and groups

        1. Click Option.

        2. Assign specific Users or User Groups that can log in using this app. These users can only log in to ZPE Cloud.

      2. Set up a single sign-on

        1. Click the option Single Sign-on.

        2. Select SAML.

      3. Click to edit the Basic SAML Configuration.

      4. Add the Identifier (Entity ID) and the Reply URL (Assertion Consumer Service URL).

        Note:

        The Reply URL is a temporary placeholder. Once we generate the Metadata XML file, we'll retrieve the correct value from ZPE Cloud.

      5. Click to edit Attributes & Claims.

        1. Click the Add New Claim option and add the following claims:

          1. Name: firstName, Source Attribute: user.givenname

          2. Name: lastName, Source Attribute: user.surname

          3. Name: memberOf, Source Attribute: "Administrator"

          4. Name: timeout, Source Attribute: 600

          5. Name: emailaddress, Source Attribute: user.mail

            Note:

            • All the fields are case-sensitive. Enter them exactly as they are written here, for example firstName, lastName, memberOf.

            • The memberOf value must correspond to an existing group name in ZPE Cloud. By default, a new organization includes two groups: Administrator and User. If a user is not assigned a valid group through SSO, or if no group is specified, they will be placed into the User group.

      6. Download the Federation Metadata XML.
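
The case-sensitivity and group-fallback rules in the note above can be checked against a captured assertion before rollout. The following is an added example, not ZPE's or Microsoft's code: the sample AttributeStatement is constructed, `KNOWN_GROUPS`, `read_claims` and `lint_claims` are hypothetical names, and the group list is assumed to be the two default groups.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
REQUIRED = ("firstName", "lastName", "memberOf", "timeout", "emailaddress")
# Assumption: groups existing in the organization (the two defaults the article names).
KNOWN_GROUPS = {"Administrator", "User"}

# Constructed sample, not a real capture: memberOf is mis-cased as "memberof".
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="memberof"><saml:AttributeValue>Administrator</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="timeout"><saml:AttributeValue>600</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="emailaddress"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def read_claims(xml_text):
    """Map claim name -> list of values. Feed it only assertions you captured yourself."""
    claims = {}
    for attr in ET.fromstring(xml_text).iter(NS + "Attribute"):
        values = [v.text or "" for v in attr.findall(NS + "AttributeValue")]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def lint_claims(claims, known_groups=KNOWN_GROUPS):
    """Return (effective_groups, findings) using the rules in the article's note."""
    findings = []
    by_lower = {name.lower(): name for name in claims}
    for want in REQUIRED:
        if want in claims:
            continue
        near = by_lower.get(want.lower())  # same name, different case
        findings.append(f"claim '{near}' must be spelled '{want}'" if near
                        else f"claim '{want}' is missing")
    valid = [g for g in claims.get("memberOf", []) if g in known_groups]
    if not valid:
        findings.append("no valid memberOf group: user falls back to 'User'")
    return (valid or ["User"]), findings


if __name__ == "__main__":
    groups, problems = lint_claims(read_claims(SAMPLE))
    print("effective groups:", groups)
    for p in problems:
        print("finding:", p)
```

On the constructed sample, the mis-cased claim means the intended Administrator ends up in the User group, which is the silent failure the note's case-sensitivity warning guards against.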

    Configure Azure SSO on ZPE Cloud

    1. Log in to the ZPE Cloud account with an Administrator account.

    2. (Optional) SSO providers require a signed Logout request, for which a certificate needs to be created. This can be a self-signed certificate or a signed certificate.

    3. To create a Certificate:

      1. Navigate to Settings > SSO > Certificate and provide the following values:

        1. Country Code: 2-letter country code for your company location

        2. State: state for your company location

        3. Location: location for your company location

        4. Organization: typically company name

        5. Organization Unit: additional OU

        6. Common Name: recommended value: zpecloud.com or zpecloud.eu.

        7. Email Address: email address of the Administrator.

        8. Subject Alternative Name: same as Common Name, recommended value: zpecloud.com or zpecloud.eu.

        9. For a Self-Signed Certificate, enable Self-Sign Certificate. Provide a value for Certificate Validity (days).

    4. To create the SSO, navigate to Settings > SSO, and click Add.

      1. Name: use the same value that was used in the Reply URL on Azure. The recommended value is azure.

      2. Entity ID: use the same value that was used in the Entity ID on Azure. The recommended value is zpe-cloud or zpe-cloud-eu.

      3. Click LOAD METADATA and select the downloaded Federation Metadata XML file from Azure.

      4. Select Enable Single Logout.

      5. Click Save.

      6. Copy the ACS URL.

    Configure ZPE Cloud app in Azure - Part 2

    1. Access the Azure portal again, and go to your ZPE Cloud Enterprise Application Single Sign-on tab.

    2. Add the ACS URL.

    3. Click Add Reply URL and add a secondary URL with https://proxy-access.zpecloud.com.
      This URL is used to set up the remote access SSO option.

    4. Click Save. The configuration is now complete, and you should be able to access ZPE Cloud using SSO.

    Completing Azure Configuration for ZPE Cloud Integration

    1. Log in to the Azure portal, and go to your ZPE Cloud Enterprise Application Single Sign-on tab.

    2. Add the ACS URL.

    3. Click Add Reply URL and add a secondary URL with https://proxy-access.zpecloud.com or https://proxy-access.zpecloud.eu.
      This URL is used to set up the remote access SSO option.

    4. Click Save. The configuration is complete, and you should be able to access ZPE Cloud using SSO.

    (Optional) Configure ZPE Cloud SSO for Remote Access to Devices

    1. Log in to your Nodegrid device and navigate to Security :: Authentication :: SSO.

    2. Click Import Metadata.

      1. Add the Name.

      2. Change the Status to Enabled.

      3. Add the Entity ID, the same as in Azure.

      4. Select the Metadata file, the same one downloaded previously from Azure.

      5. Add the Icon and click Save.

    3. Configure a local group on the Nodegrid device:

      1. [Preferred] The name should match the one defined above in "memberOf". In this example, it is 'Administrator'.

      2. Alternatively, set the field "remote group" to the value defined in "memberOf". In this example, it is 'Administrator'.

      NOTE

      In Azure SSO URL, copy the ACS URL of the specific Nodegrid device. This enables SSO of the individual Nodegrid devices in the Azure environment.

