Team: Huntress SAT (Security Awareness Training)
Product: Azure SSO (SAML)
Environment: Azure and SAT management portals
Summary: This guide walks through setting up Single Sign-On (SAML) integration between Huntress SAT and Microsoft Azure.
Logging In to Microsoft Azure
Visit Azure Active Directory at https://azure.microsoft.com/en-us/services/active-directory/ and log in using your Microsoft account.
After signing in you’ll be at the Azure dashboard.
Find the Application
Next, you’ll need to find the SAT SAML application (Curricula) in Active Directory. Once logged into the dashboard, click Azure Active Directory in the left menu.
Next, you’ll need to click on the Enterprise applications button.
On the next page, click All applications. On that page you will see a search box where you can search for SAT SAML (Curricula).
Once you find the SAT SAML (Curricula) application, select it from the list.
Configure the Sign-on URL
Next, we need to sign in to SAT and create a new Group (which will allow us to enable Single Sign-on for that particular group of users). Visit https://mycurricula.com/login and log in. Then navigate to Settings, then Learners, scroll down to the Group section and click the purple 'Create Group' button:
Give your Group a unique name and description and then click 'Create'.
After creating this new group, you can see more information about it by selecting 'Edit' on that Group. Click the 'Access' tab, then from the Authentication Type dropdown select SAML Single Sign-on and click Update.
After you click on Update, you’ll see a few new fields displayed below. One of them is Service Provider Sign In URL.
Copy that URL and let's jump back over to the Azure Directory.
Back in the Azure directory, we need to configure single sign-on for the SAT application. Click the Single sign-on button in the left-hand menu, then click the edit button in the Basic SAML Configuration block.
In the Basic SAML Configuration section, enter the URL you copied from the SAT Group page into the following fields:
After updating those fields, click the Save button.
Next, we need to add the Microsoft Azure sign-on URL to our Group page. Back on the Single sign-on page, click the Properties option in the side menu and copy the User access URL.
Then, jump back over to SAT and add that URL in the Identity Provider Single Sign-on URL field:
Adding the Certificate
Finally, in order for our application to talk to the Identity Provider, we need to add a unique certificate to our user group. (You can think of this as similar to a password: SAT uses this certificate to verify that the sign-in responses it receives really came from Microsoft Azure.)
Let’s not overcomplicate things: it’s a simple copy and paste, and that’s all you’ll need to do with the certificate.
Head back over to the SAT SAML application in Azure Active Directory. In step 3 (SAML Signing Certificate), download the Certificate (Base64) file by clicking the Download link next to that label.
After downloading that file, open it in a plain text editor. You can right-click the downloaded file, use the Open With feature and select a program like Notepad, Word, a C++ editor, etc. The contents of the file will look similar to this:
-----BEGIN CERTIFICATE-----
REALLYLONGSTRINGTHATDOESNTMAKESENSE
THISISTHECERTIFICATEORPASSWORDYOUWILLNEEDTOCOPYANDPASTEINTOSAT
-----END CERTIFICATE-----
So, make sure to copy the entire contents of that file, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, then jump back over to SAT and paste it into the Identity Provider X.509 Certificate field. Make sure there are no extra blank lines after -----END CERTIFICATE-----. Then click Update:
(Note: after clicking Update, the field will probably go blank again. Don’t worry, the certificate string was saved; it’s just not displayed, for security reasons.)
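As an added check that is not part of the Huntress guide, this short Python script validates the text you are about to paste into the Identity Provider X.509 Certificate field: it strips the trailing blank lines the guide warns about, confirms the BEGIN/END markers are exact, confirms the body decodes to something shaped like a DER certificate, and prints a SHA-1 thumbprint you can compare with the Thumbprint Azure shows under SAML Signing Certificate. The sample input is constructed (a tiny ASN.1 SEQUENCE, not a real certificate) so the script runs offline.

```python
import base64
import binascii
import hashlib

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def check_idp_certificate(raw_text):
    """Validate text destined for the 'Identity Provider X.509 Certificate' field.
    Returns (cleaned_pem, sha1_thumbprint, problems); cleaned_pem is None if unusable."""
    problems = []
    # Blank lines after the END marker are the paste failure the guide warns about.
    if raw_text != raw_text.strip():
        problems.append("leading/trailing whitespace or blank lines removed")
    lines = [line.strip() for line in raw_text.strip().split("\n")]
    if lines[0] != PEM_HEADER:
        problems.append("first line is not exactly %s" % PEM_HEADER)
        return None, None, problems
    if lines[-1] != PEM_FOOTER:
        # Catches e.g. four-dash markers or text appended after the footer.
        problems.append("last line is not exactly %s" % PEM_FOOTER)
        return None, None, problems
    body = "".join(lines[1:-1])
    try:
        der = base64.b64decode(body, validate=True)  # rejects stray characters and bad padding
    except binascii.Error:
        problems.append("certificate body is not valid Base64")
        return None, None, problems
    # A DER-encoded X.509 certificate is an ASN.1 SEQUENCE; its first byte is 0x30.
    if not der or der[0] != 0x30:
        problems.append("decoded bytes do not look like a DER certificate")
        return None, None, problems
    # Compare with the Thumbprint in Azure's SAML Signing Certificate section to
    # confirm you pasted the certificate you actually downloaded.
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    return "\n".join(lines), thumbprint, problems

# Constructed sample input (not a real certificate): a tiny DER SEQUENCE wrapped
# in PEM markers, followed by the extra blank lines that break the paste in SAT.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PASTE = "%s\n%s\n%s\n\n\n" % (PEM_HEADER, base64.b64encode(SAMPLE_DER).decode(), PEM_FOOTER)

if __name__ == "__main__":
    cleaned, thumbprint, problems = check_idp_certificate(SAMPLE_PASTE)
    print(cleaned, thumbprint, problems, sep="\n")
```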
Next, we can move on to testing our Single Sign-on functionality.
Testing Single Sign-on
Go back to the SAT SAML application in Microsoft Azure, scroll to the bottom and click the blue Test button. Note: make sure you are testing with a Learner account that is listed in the Group you are setting up with SAML.
Once the test succeeds, users in your group will have access to SAT via SAML!