Note: Azure AD is currently not an officially supported IDP method. This post describes the way I have been able to get Azure AD working as a SAML IDP. Please do not raise support tickets with Nutanix if you have issues configuring this, as it is not an official IDP and they will not be able to help.
Using an external Identity Provider (IDP) is a great way to further secure your Prism Central deployment. In a previous post, I detailed how to integrate your on-premises ADFS with Prism Central. However, what if you have Azure AD and only want to use Azure AD for authentication?
In this post I’ll be guiding you through configuring an Identity Provider within Prism Central to leverage Azure AD authentication. So let’s get to it!
The first thing we need to do is create a Non-Gallery Application in your Azure Portal.
- Navigate to https://portal.azure.com/
- When logged into Azure, go to the Azure Active Directory tab on the left hand menu.
- Select the Enterprise applications service.
- Click on the New application button.
- Select the Non-gallery application.
- Name it (e.g Prism_Central).
- Click on Add.
With the Non-gallery Application (called Prism_Central-2FA in this example) successfully added, we can now configure the Single Sign-On mode.
- Select Single sign-on within the Non-gallery Application.
- Select SAML as Single Sign-on Mode.
Now you need to switch to your Prism Central interface to gather some info.
- Login to Prism Central and go to Settings.
- Select Authentication.
- Click on Download Metadata.
Now that you have the Prism Central specific URLs, switch back to the Azure Non-gallery Application configuration.
- Edit the Basic SAML Configuration.
- Enter the EntityID captured earlier in the Identity field.
- Enter the AssertionConsumerService Location captured earlier in the ReplyURL field.
- For the User Attributes & Claims section, ensure Unique User Identifier is mapped to user.userprincipalname.
- On the SAML Signing Certificate section, download the Certificate (Base64). We’ll need this a bit later.
- Copy the Azure AD Identifier, Logout URL as we will need these to configure Prism Central.
- Go to the Properties of the App on the left hand side and copy the User Access URL. We will need this for the Prism Central config too.
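The EntityID and AssertionConsumerService Location entered above come from the metadata file downloaded from Prism Central. As an added example (not code from the original post or from Nutanix), the Python helper below pulls those two values out of standard SAML 2.0 SP metadata so they can be pasted into the Azure Basic SAML Configuration without transcription errors, and flags two settings worth a second look; the sample metadata, host name and paths are constructed placeholders, not Prism Central's real values.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of SP metadata in the standard SAML 2.0 metadata format.
# The host name and URL paths are placeholders, not Prism Central's real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://pc.example.local:9440/sp-placeholder">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pc.example.local:9440/sp-placeholder/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_azure_saml_fields(xml_text: str) -> dict:
    """Return the Identifier (Entity ID) and Reply URL (ACS Location) that the
    Azure Basic SAML Configuration asks for, plus any warnings."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if entity_id is None or sp is None:
        raise ValueError("not SP metadata: entityID or SPSSODescriptor missing")

    # Azure posts the SAML response to the ACS endpoint, so pick the
    # HTTP-POST binding explicitly rather than the first service listed.
    acs = next((s.get("Location") for s in sp.iterfind("md:AssertionConsumerService", MD_NS)
                if s.get("Binding") == HTTP_POST), None)
    if acs is None:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")

    warnings = []
    # The SAML response carries the user's identity, so the Reply URL must be
    # HTTPS; a plain-http ACS would expose the assertion in transit.
    if not acs.startswith("https://"):
        warnings.append("Reply URL is not HTTPS")
    # If the SP does not declare that it wants signed assertions, confirm that
    # it still enforces a signature on the response before going live.
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        warnings.append("WantAssertionsSigned is not true")
    return {"Identifier": entity_id, "ReplyURL": acs, "warnings": warnings}


if __name__ == "__main__":
    for key, value in extract_azure_saml_fields(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Point it at the real download (for example `extract_azure_saml_fields(open("metadata.xml").read())`) and copy the Identifier and ReplyURL values straight into Azure.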
Prism Central Configuration
Now it’s time to configure Prism Central to use the newly created Enterprise App.
- Login to Prism Central, go to Settings and select Authentication.
- Click on New IDP.
- Give the configuration a name (AzureAD, for example) and select Enter Configuration Manually.
This is now where we need the info from Azure.
- In the Identity Provider URL, enter the Azure AD Identifier from the Single-Sign on section of the Azure Enterprise App.
- In the Login URL, enter the User Access URL from the Properties section of the Azure Enterprise App.
- In the Logout URL, enter the Logout URL from the Single-Sign on section of the Azure Enterprise App.
- Open up the certificate you downloaded earlier in a text editor and paste that into the Certificate section.
- Click Save to add the Identity Provider.
With the Identity Provider now configured we need to map roles in Prism Central to the new Identity Provider.
- In Prism Central settings, go to Role Mapping and select New Mapping.
- Select the name of your Identity Provider that you configured earlier (in my case, AzureAD).
- Select the Role.
- In the Values field, enter the UPN for each user that will use the new Identity Provider to login to Prism Central.
NOTE: The UPN is case sensitive. So if your UPN in Azure AD has capital letters, you must use capital letters here. It’s best to just copy/paste the UPN from Azure AD.
Now that the configuration is done on both the Azure and Prism Central sides, it’s time to test.
Log out of Azure and Prism Central, open a new browser window and go to your Prism Central URL. Click Login with AzureAD (or whatever you called your Identity Provider in Prism Central).
You should now be redirected to Microsoft Online to login with your Azure AD credentials (and MFA as well if you have that enabled).
You now have access to Prism Central through Azure AD (with MFA capabilities). 😀