
Integrate SAML Authentication in Ezeelogin GUI using Microsoft Azure SSO and Azure Active Directory

Note: SAML is an authentication mechanism for web applications. It’s based on web protocols and it cannot be used for user authentication over SSH.

Configure Microsoft Azure SSO SAML-based Authentication in Ezeelogin GUI

1. Log in to your Microsoft Azure account and create an Active Directory service.

2. Add users in AD. These users will in turn authenticate into the Ezeelogin GUI.
To create a user in AD, click on the User tab >> New user >> provide the user name, name, password, etc., and click Create.

3. Create an Enterprise Application. Click on Enterprise applications

     Click on All applications >> New application 

     Click on Create your own application >> Provide the name for your application >> Check Integrate any other application you don't find in the gallery (Non-gallery) >> Create.

4. Assign the user to the Enterprise application. Click on Assign users and groups.

     Click on Add user/group to assign the user to the application.

     Click on None Selected >> select the users you want to assign to the application >> Select.

5. Configure Single Sign On (SAML)

Identifier (Entity ID) - You can find it from Ezeelogin GUI > Settings > SAML > Entity ID

Reply URL (Assertion Consumer Service URL) - You can find it from Ezeelogin GUI > Settings > SAML > Assertion Consumer Service URL

Logout Url (Optional) - You can find it from Ezeelogin GUI > Settings > SAML > Single Logout Service URL

     Click on Single sign-on >> Basic SAML Configuration Edit >> Copy the Entity ID, Assertion Consumer Service URL, and Logout Url from Ezeelogin and paste them in the specified fields.

6. Copy the Metadata URL and paste it into Metadata URL on Ezeelogin GUI > Settings > SAML > Metadata URL, then click on the fetch button. It will auto-fill the SAML settings; save them.


If you want to add an existing user in Ezeelogin to authenticate with SSO, add the user with the exact username, email, and address as follows. (Ezeelogin will verify with the email address of the users by default.)

7. Add the users in your Azure AD directory into the Ezeelogin GUI. Make sure the email ID entered in the GUI is identical to the one in SAML.

8. Enable Auto Create User from Ezeelogin GUI -> Settings -> General -> Security -> Enable Auto Create User
 

9. Set Web Panel Authentication to SAML under Settings -> General -> Authentication -> SAML

10. Log in to the Ezeelogin GUI. You will be prompted with the Microsoft Azure login page, where you need to enter the login credentials to be authenticated into the Ezeelogin application.


11. Finally, you are logged into the Ezeelogin GUI using SAML authentication.

12. After logging into the GUI, you need to reset the password and security code of the SAML user under Account -> Password in order to SSH to the Ezsh shell.

13. You can log in to the Ezeelogin shell via the WebSSH shell or using any SSH client such as Putty or a terminal.

WebSSH: Click on the 'Open Web SSH Console' icon to SSH via the browser.

The WebSSH terminal will open. Users can navigate the server group with the Up and Down arrow buttons and press Enter to log in to the server.

 

Native SSH Client: After resetting the password and security code you can SSH to the Ezsh shell (using Terminal or Putty) with the SAML username.

14. If you are SSHing with 2FA enabled using Putty or Terminal, it will prompt you to enter the 2FA codes. The 2FA step can be disabled for SAML authentication under Settings -> Two Factor Authentication -> Skip Two Factor Authentication for SAML. The user will be able to SSH without being prompted for the 2FA codes only if the user is logged into the web panel; if the user is not logged into the web panel, it will prompt for the 2FA codes.

15. It is recommended to use the WebSSH shell for SAML authentication. The WebSSH shell is more convenient, as the user does not have to open an SSH client such as Putty or a terminal and enter the username, password and 2FA codes. Using WebSSH, the user can SSH from the web panel itself, and 2FA will not be prompted if you have enabled Skip Two Factor Authentication for SAML.

SAML authentication is not supported for the slave if the URL is IP based. If you want to authenticate on the slave using SAML, you have to use the domain name.

How to fetch Username, Firstname, Lastname, and Usergroup Attributes from Azure to Ezeelogin?

1. Click on Single sign-on -> Attributes & Claims Edit -> Copy Claim names and paste them into the advanced SAML setting in Ezeelogin.

2. Click on Add a group claim -> select All groups -> Save.

3. Copy the Claim names and paste them into the SAML setting of Ezeelogin.

To fetch the attributes from Azure AD, the user needs to be deleted from the Ezeelogin GUI and then re-login with Azure credentials.

4. Create the usergroup in the Ezeelogin UI with the group object ID from Azure.

Create the user group in Ezeelogin with the object ID and name as the description. Also, set the priority to import the user so that they will be imported into the group set with the highest priority.

5. Click on the Users tab, and it will list all users who have successfully logged in and been created in Ezeelogin.
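To see what the claim names and group object IDs from the steps above look like in the assertion, the following added example (not Ezeelogin code) reads a constructed AttributeStatement and lists mismatches before a user is imported. The claim names are Azure's defaults; the field mapping, sample user, group IDs and function names are assumptions, and the strict email comparison follows this page's requirement that the address be identical.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
WS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Azure's default claim names; which Ezeelogin field each one feeds is assumed here.
CLAIMS = {
    "username": WS + "name",
    "first_name": WS + "givenname",
    "last_name": WS + "surname",
    "email": WS + "emailaddress",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}

def _attr(name, values):  # helper used only to build the constructed sample
    body = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return f'<saml:Attribute Name="{name}">{body}</saml:Attribute>'

# Constructed AttributeStatement; the user and group object IDs are placeholders.
SAMPLE = (
    f'<saml:AttributeStatement xmlns:saml="{NS["saml"]}">'
    + _attr(CLAIMS["username"], ["jane.doe@example.com"])
    + _attr(CLAIMS["first_name"], ["Jane"])
    + _attr(CLAIMS["last_name"], ["Doe"])
    + _attr(CLAIMS["email"], ["Jane.Doe@example.com"])
    + _attr(CLAIMS["groups"], ["11111111-1111-1111-1111-111111111111",
                               "22222222-2222-2222-2222-222222222222"])
    + "</saml:AttributeStatement>"
)

def read_claims(statement_xml):
    """Map each configured claim name to the list of values the IdP sent."""
    root = ET.fromstring(statement_xml)
    sent = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall("saml:Attribute", NS)}
    return {field: sent.get(name, []) for field, name in CLAIMS.items()}

def preflight(claims, gui_email, usergroup_ids):
    """List reasons the SAML login would not line up with the Ezeelogin account."""
    problems = [f"claim for {f} missing" for f, v in claims.items() if not v]
    email = (claims["email"] or [""])[0]
    if email and email != gui_email:
        kind = "case only" if email.lower() == gui_email.lower() else "different address"
        problems.append(f"email mismatch ({kind}): {email!r} vs {gui_email!r}")
    problems += [f"no usergroup for object ID {g}" for g in claims["groups"]
                 if g not in usergroup_ids]
    return problems
```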

 

 
