Integrate SAML Authentication in Ezeelogin GUI using Microsoft Azure SSO and Azure Active Directory

Note: SAML is an authentication mechanism for web applications. It’s based on web protocols and it cannot be used for user authentication over SSH.

Configure Microsoft Azure SSO SAML-based Authentication in Ezeelogin GUI

1. Log in to your Microsoft Azure account and create an Active Directory service.

2. Add users in AD. These users will in turn authenticate into the Ezeelogin GUI.
To create a user in AD, click on the User tab >> New user >> provide the user name, name, password, etc., and click Create.

3. Create an Enterprise Application. Click on Enterprise applications

     Click on All applications >> New application 

     Click on Create your own application >> Provide the name for your application >> Check Integrate any other application you don't find in the gallery (Non-gallery) >> Create.

4. Assign the user to the Enterprise application. Click on Assign users and groups.

     Click on Add user/group to assign the user to the application.

     Click on None Selected >> select the users you want to assign to the application >> Select.

5. Configure Single Sign On (SAML)

Identifier (Entity ID) - You can find it in Ezeelogin GUI > Settings > SAML > Entity ID

Reply URL (Assertion Consumer Service URL) - You can find it in Ezeelogin GUI > Settings > SAML > Assertion Consumer Service URL

Logout Url (Optional) - You can find it in Ezeelogin GUI > Settings > SAML > Single Logout Service URL

     Click on Single sign-on >> Basic SAML Configuration Edit >> Copy the Entity ID, Assertion Consumer Service URL, and Logout Url from Ezeelogin and paste them into the specified fields.

6. Copy the Metadata URL and paste it into Ezeelogin GUI > Settings > SAML > Metadata URL, then click on the fetch button. It will auto-fill the SAML settings; save them.


If you want an existing Ezeelogin user to authenticate with SSO, add the user with the exact username, email, and address as follows. (By default, Ezeelogin verifies users by their email address.)

7. Add the users from your Azure AD directory to the Ezeelogin GUI. Make sure the email ID entered in the GUI is identical to the one in SAML.

8. Enable Auto Create User from Ezeelogin GUI -> Settings -> General -> Security -> Enable Auto Create User, so that the user will be created automatically after successful authentication from Azure SSO.

9. Set Web Panel Authentication to SAML under Settings -> General -> Authentication -> SAML.

10. Log in to the Ezeelogin GUI. You will be redirected to the Microsoft Azure login page, where you need to enter your login credentials to be authenticated into the Ezeelogin application.

11. Finally, you will be logged into the Ezeelogin GUI using SAML Authentication. The user will be created automatically on Ezeelogin after successful authentication from Azure SSO.

12. After logging into the GUI, you need to reset the password and security code of the SAML user under Account -> Password in order to SSH to the Ezsh shell.

13. You can log in to the Ezeelogin shell via the WebSSH shell or using any SSH client such as PuTTY or a terminal.

WebSSH: Click on the 'Open Web SSH Console' icon to SSH via the browser.

The WebSSH terminal will open. Users can navigate the server group with the Up and Down arrow keys and press Enter to log in to the server.

Native SSH Client: After resetting the password and security code, you can SSH to the Ezsh shell (using a terminal or PuTTY) with the SAML username.

14. If you are SSHing with 2FA enabled using PuTTY or a terminal, you will be prompted to enter the 2FA codes. The 2FA step can be disabled for SAML authentication under Settings -> Two Factor Authentication -> Skip Two Factor Authentication for SAML. The user will be able to SSH without being prompted for the 2FA codes only while logged into the web panel; if the user is not logged into the web panel, the 2FA codes will be prompted for.

15. It is recommended to use the WebSSH shell for SAML authentication. The WebSSH shell is more convenient, as the user does not have to open an SSH client such as PuTTY or a terminal and enter the username/password and 2FA codes. Using WebSSH, the user can SSH from the web panel itself, and 2FA will not be prompted for if you have enabled Skip Two Factor Authentication for SAML.

SAML authentication is not supported for the slave if the URL is IP based. If you want to authenticate the slave using SAML, you have to use the domain name.

How to fetch Username, Firstname, Lastname, and Usergroup Attributes from Azure to Ezeelogin?

Delete and log in again with Azure credentials after configuring the steps below to fetch details from Azure AD to Ezeelogin.

1. Click on Single sign-on -> Attributes & Claims Edit -> Copy Claim names and paste them into the advanced SAML setting in Ezeelogin.

2. Copy the Claim names and paste them into the SAML setting of Ezeelogin.

Note: Please review the attributes listed below if you encounter the following error while attempting to log in as a SAML user.
Could not get username from SAML response

3. Refer to the detailed article to create users in Ezeelogin with the same user group as in Azure AD:

How to auto-create the Azure SSO user to the same group in Ezeelogin?
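
A way to troubleshoot the claim mapping from steps 1 and 2, as an added example (not Ezeelogin's or Microsoft's code): it lists the claim names a SAML response actually carries and reports which configured fields have no matching claim, on the assumption that such a mismatch is what produces "Could not get username from SAML response". The sample response and the field names in `mapping` are constructed for illustration; a real response is the base64 `SAMLResponse` form field posted to the Assertion Consumer Service URL.

```python
import base64
import xml.etree.ElementTree as ET

# Diagnostic only: this inspects claim names and does NOT verify the signature.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed sample: the attribute part of an Azure AD SAML response.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{CLAIMS}givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{CLAIMS}surname">
        <saml:AttributeValue>Admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def claims_in_response(saml_response_b64):
    """Return {claim name: [values]} from a base64 SAMLResponse POST field."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        found[attr.get("Name")] = values
    return found


def check_mapping(mapping, saml_response_b64):
    """Return the fields whose configured claim name is absent or empty."""
    found = claims_in_response(saml_response_b64)
    return sorted(f for f, claim in mapping.items() if not any(found.get(claim, [])))


if __name__ == "__main__":
    # Hypothetical mapping, as it would be pasted into the advanced SAML settings.
    mapping = {"username": CLAIMS + "name", "email": CLAIMS + "emailaddress",
               "firstname": CLAIMS + "givenname", "lastname": CLAIMS + "surname"}
    print("claims sent:", sorted(claims_in_response(SAMPLE_B64)))
    print("unmatched fields:", check_mapping(mapping, SAMPLE_B64))
```

In the constructed sample the `name` claim is missing, so `username` is reported as unmatched; the fix is to make the claim name configured in Ezeelogin match one that Azure actually sends under Attributes & Claims.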
