Setup Azure AD based SSO for Zentral

Preparations in Azure

  1. Log into your Azure account
  2. Locate the Azure Active Directory (AAD) service
  3. Scroll down to Enterprise application
  4. Click on Enterprise Application, create a new Enterprise App and pick a useful name (e.g. Zentral AAD)
  5. Next choose the SAML Single sign-on method
Create new Enterprise application
We will use SAML as the SSO method

1. Basic SAML Configuration

Identifier (Entity ID), the metadata URL:
https://zentral.example.com/saml2/metadata/
Reply URL (Assertion Consumer Service URL, also known as ACS):
https://zentral.example.com/saml2/metadata/
Sign on URL:
https://zentral.example.com/saml2/login/
Set up the URLs with your own FQDN

2. User Attributes & Claims

  1. To edit it, click on the “nameidentifier” entry (highlighted in the screenshot)
  2. The default Source attribute here is user.userprincipalname; change it to user.mail
    (scroll down the list of Source attributes)
  3. Apply the change by clicking the Save button
Change Unique User Identifier value
Manage and change the user claim
It should look like this after the change

3. SAML Signing Certificate

  1. Click on the Federation Metadata XML download link
  2. Keep the downloaded .xml file around for later
    (you'll need to copy/paste its content soon)

4. Users and groups

  1. Click the Users and Groups section
  2. Add your user(s)
  3. Save your setting

Setup in Zentral

  1. Connect via Terminal to your Zentral instance
    (via ssh or tools like awscli, gcloud etc.)
  2. Copy the content of the local Federation Metadata .xml file into your pasteboard (this is the file you downloaded from Azure earlier)
  3. Next create a new file on the Zentral server, paste in the content copied from the .xml file and then save the new file
sudo vim /home/zentral/conf/AzureAD_zentral.example.com.xml
Zentral reads the identity provider settings from two environment variables, which you add to the systemd unit of the web app:
  • Environment=ZENTRAL_SAML2_IDP_NAME
  • Environment=ZENTRAL_SAML2_IDP_METADATA_FILE
sudo vim /etc/systemd/system/zentral_web_app.service
Environment=ZENTRAL_SAML2_IDP_NAME=Azure-AD
Environment=ZENTRAL_SAML2_IDP_METADATA_FILE=/home/zentral/conf/AzureAD_zentral.example.com.xml
After the edit it should look like this
Reload systemd and restart the web app so the new environment is picked up:
sudo systemctl daemon-reload
sudo systemctl restart zentral_web_app
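Before pointing ZENTRAL_SAML2_IDP_METADATA_FILE at the pasted file, it is worth checking that the metadata actually carries what the service provider side will rely on: an https entityID, a signing certificate, and HTTP-Redirect/HTTP-POST SingleSignOnService endpoints. The following is an added example (not Zentral's own code) that does exactly that with the standard library; the embedded metadata is a constructed sample shaped like the Azure download, with a placeholder tenant id and certificate body.

```python
"""Sanity-check Azure AD federation metadata before pointing
ZENTRAL_SAML2_IDP_METADATA_FILE at it (example code, not part of Zentral)."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the Azure download: the tenant id and the
# certificate body are placeholders, not real values.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
      <X509Certificate>MIIC...CERT-PLACEHOLDER...</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="{POST}"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Extract what the SP relies on and list anything that would break or weaken SSO."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return {"problems": ["no IDPSSODescriptor: this is not IdP metadata"]}
    entity_id = root.get("entityID", "")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    # A KeyDescriptor without a "use" attribute may be used for signing too.
    signing_certs = [c.text.strip()
                     for k in idp.findall(f"{{{MD}}}KeyDescriptor")
                     if k.get("use", "signing") == "signing"
                     for c in k.iter(f"{{{DS}}}X509Certificate") if c.text]
    problems = [msg for bad, msg in (
        (not entity_id.startswith("https://"), f"entityID is not https: {entity_id!r}"),
        (not signing_certs, "no signing certificate: assertion signatures cannot be verified"),
        (REDIRECT not in sso and POST not in sso, "no HTTP-Redirect or HTTP-POST SingleSignOnService"),
    ) if bad]
    problems += [f"SSO endpoint for {b} is not https: {loc!r}"
                 for b, loc in sso.items() if not (loc or "").startswith("https://")]
    return {"entity_id": entity_id, "sso": sso, "signing_cert_count": len(signing_certs),
            "nameid_formats": [n.text for n in idp.findall(f"{{{MD}}}NameIDFormat")],
            "problems": problems}
```

Run it against the real download by passing the file's text to inspect_idp_metadata; an empty problems list means the file is ready for the conf directory.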

Wrap up

We’re the developers behind Zentral. We operate a consultancy business, provide expertise and services all around Mac management. Contact: https://zentral.pro