Configure Azure AD to manage your directory of users in Banyan

  • Updated on Aug 18, 2022

This article describes features that are only available in the Banyan Business edition and Banyan Enterprise edition.

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources. Banyan integrates with your organization’s Azure AD SSO to authenticate enterprise users that need access to Banyan-secured services.

Pre-requisites

In order to set up this integration, you need the following privileges:

  • administrative access to Azure AD;
  • the ability to add a new “non-gallery” Enterprise Application.

Steps

Step 1: In the Banyan Command Center, configure your User Identity Provider

1.1 Navigate from Settings > TrustProvider Settings > Identity Provider, and then set your User Identity Provider to SAML.

Fill out these Identity Provider configuration fields after you set up the new application integration in Azure AD.

1.2 Take note of the Redirect URL (ACS) provided in the configuration field. You will need it for the steps in Azure AD below.

Step 2: Add a New SAML Enterprise Application via the Azure Portal

2.1 Log into your Azure Portal, and navigate to the Azure Active Directory section.

2.2 Navigate to New Application, then select Non-gallery application to add a new Enterprise Application.

2.3 Name the Enterprise Application Banyan TrustProvider.

2.4 Select the Single Sign On tab to enter SAML parameters.

2.5 When asked for the Identifier (Entity ID) and the Reply URL (Assertion Consumer Service URL), use the Redirect URL you obtained in Step 1.2.

2.6 Banyan requires your IDP’s returned SAML assertion to contain attributes can be mapped to a user’s Email, Username, and Groups.

Select Add a group claim to create Group claims.

Azure only transmits its Groups IDs and not Group Names via SAML attributes. You can use Banyan Roles to map Group IDs into human-readable constructs for use in Policies.

2.7 In the Properties section, upload our logo and change the User assignment required? and Visible to users? toggles to No.

This will allow Banyan to use the Banyan TrustProvider Enteprise Application just created to federate authentication of all users in your organization to your SAML IDP.

Note: You still need to apply Policies in the Banyan Command Center to manage which users can access specific internal applications.

2.8 Take note of your SAML Single Sign-On Service URL and download the Certificate (Base64).

3. Save the Azure fields in the Banyan Command Center

3.1 Return to the Identity Provider page in the Banyan Command Center (Settings > TrustProvider Settings > Identity Provider).

Ensure the User Identity Provider is set to SAML, and then enter the Banyan TrustProvider app parameters from Azure AD:

  • IDP SSO URL (from Step 2g)
  • Entity Issuer - Leave this optional field blank. It will default to the Redirect URL.
  • IDP CA Certificate (from Step 2g)
  • Username Attribute (from Step 2e) Typically set to “http://schemas.microsoft.com/identity/claims/displayname”
  • Email Attribute (from Step 2e) Typically set to “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”
  • Groups Attribute (from Step 2e) Typically set to “http://schemas.microsoft.com/ws/2008/06/identity/claims/groups”
  • Groups Delimiter - Do not use this field. Entering an incorrect value may lead to configuration errors and behavior issues. Please contact Banyan Support for assistance.

3.2 Select Update Identity Provider Config to save the settings.

Can’t find what you’re looking for?

We’re happy to help. Contact our team