SAML Authentication setup

Setting up SAML (Security Assertion Markup Language) lets your team members log in to the team's CloudAMQP account with the credentials stored in your organization's Identity Provider (IdP).

In the CloudAMQP Console, under Team Settings on the SAML tab (https://customer.cloudamqp.com/team/saml), you will find the information needed for this setup; this is also where you upload your IdP metadata.

To enforce specific roles, your IdP must send an extra '84codes.roles' attribute in the SAML response. Examples of the expected values are shown on your SAML page above.

This guide provides step-by-step instructions for configuring SAML with the two most popular IdPs: Okta and Azure AD.

Okta

  1. Click Admin.
  2. Switch to "Classic UI" in the top left dropdown.
  3. Click Applications -> Add Application.
  4. Click "Create New App".
  5. In the dialog that opens, select the "SAML 2.0" option, then click the green "Create" button to create a "New Application Integration".
  6. In Step 1 "General Settings", enter for example "CloudAMQP SAML Application" in the "App name" field, then click the green Next button.
  7. In Step 2A "SAML Settings", do the following.
    • In the "Single sign on URL" field, enter https://customer.cloudamqp.com/login/saml and check the box "Use this for Recipient URL and Destination URL".
    • For "Audience URI (SP Entity ID)", go to https://customer.cloudamqp.com/team/saml and copy your "SAML Audience URL/Audience URI/SP Entity ID/SAML Metadata" value into this field.
    • In the "Name ID format" field, pick EmailAddress from the drop-down list.
  8. If you wish to assign CloudAMQP roles to users in Okta, do the following.
    • Still in the "SAML Settings" screen from the previous step, in the "Attribute statement" section enter 84codes.roles under Name and appusers.roles under Value. Click Next and proceed with the following steps, including step 12.
  9. In the "Feedback" step, select "I'm an Okta customer adding an internal app" and "This is an internal app that we have created", then click Finish.
  10. The IdP metadata now has to be uploaded to https://customer.cloudamqp.com/team/saml.

    To download the file from Okta, go to the menu option "Applications", click on your recently created application, and open the "Sign On" tab. Click "Identity provider Metadata" to download the file that you then upload to CloudAMQP.
  11. Depending on your setup, you might have to assign users to your new app. You can do this under Applications -> Applications: click on your created app in the list, then the green Assign button, and assign it to people. Choose the users that should have access to the app.
  12. If you wish to assign CloudAMQP roles to users in Okta and have done the setup in step 8, do the following to define your CloudAMQP team roles in Okta.

    • Click Directory -> Profile Editor and find the app you just created. Click the Profile button to the right of the app.
    • In the Attributes screen that opens, click the Add Attribute button.
    • Enter the following information. Make sure the variable name is "roles", as this is what was used in the previous step (appname.roles). Under Attribute Members, enter the roles you wish to be able to choose from. The Value field contains the team's unique code followed by / and the role name. The exact values to use are listed as examples in your CloudAMQP settings at https://customer.cloudamqp.com/team/saml.
    • Click Save.
    • To assign roles to your members, go to Applications -> Applications, click on your created app in the list, then the pen symbol next to a team member. From the drop-down you should now be able to choose a role for this user.
    • Click Save.

Azure AD

  1. Go to https://portal.azure.com > Enterprise applications > New application > Non-gallery application.
  2. Click New Application.
  3. Click Non-gallery Application. Enter the name of your new app in the right-hand section, e.g. CloudAMQP, and click Add. The application is now created.
  4. Go back to Home > Enterprise Applications > All applications and, if you don't see your newly created app in the list, search for it. Click on the app to open it.
  5. Go to Single sign-on using the link on the left-hand side.
  6. Select SAML.
  7. Click the edit pen for "Basic SAML Configuration".
  8. Add "Identifier (Entity ID)" and "Reply URL (Assertion Consumer Service URL)"; you find the values at https://customer.cloudamqp.com/team/saml. Save.
  9. Download the "Federation Metadata XML" and upload it at https://customer.cloudamqp.com/team/saml.
  10. Add the users and/or groups that should have access.
  11. Enforce user roles via Azure SAML (optional)

    • Open the application, click Single sign-on, and click the pen symbol in the "User attributes and Claims" section.
    • Click Add new claim and enter the following:

      Name: 84codes.roles

      Source: Transformation; this opens the option to select Transformation: Join().

      Parameter 1: enter the key found at https://customer.cloudamqp.com/team/saml

      Separator: "/"

      Parameter 2: select user.jobtitle, or any other field from the Azure user profile you wish to use to specify the CloudAMQP role to assign.

      Click Save.
    • Go back to your application and click "Users and groups".

      Click on one of the users and, in the field corresponding to the one chosen in the previous step (in this case "jobtitle"), enter any of the roles specified at https://customer.cloudamqp.com/team/saml.
    • Specify for each user which role they are to be assigned in CloudAMQP.
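Before relying on either IdP's role mapping, it helps to look at what the IdP actually sends. The following is an added example (not CloudAMQP's or Okta's/Azure's code) that inspects a SAML Response for the three things this guide depends on: an EmailAddress NameID, an Audience equal to your SP Entity ID, and an 84codes.roles attribute in the "<team code>/<role>" form produced by the Okta attribute and the Azure Join() claim. The sample response, EXPECTED_AUDIENCE and TEAM_CODE are constructed placeholders; substitute the values from https://customer.cloudamqp.com/team/saml and a response captured from your own IdP.

```python
# Added example, not CloudAMQP code. Placeholders EXPECTED_AUDIENCE and TEAM_CODE
# stand in for the SP Entity ID and team code shown at
# https://customer.cloudamqp.com/team/saml.
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ROLE_RE = re.compile(r"^(?P<team>[^/\s]+)/(?P<role>[^/\s]+)$")  # "<team code>/<role>"
EXPECTED_AUDIENCE = "urn:example:cloudamqp-sp-entity-id"  # placeholder
TEAM_CODE = "TEAMCODE-PLACEHOLDER"                        # placeholder

# Constructed, unsigned sample response for illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://customer.cloudamqp.com/login/saml">
  <saml:Assertion>
    <saml:Subject><saml:NameID
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:example:cloudamqp-sp-entity-id</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="84codes.roles">
        <saml:AttributeValue>TEAMCODE-PLACEHOLDER/admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def inspect_response(xml_text, expected_audience=EXPECTED_AUDIENCE, team_code=TEAM_CODE):
    """Return subject, audience and roles the IdP sent plus a list of problems."""
    # Signature validation is out of scope here; a real SP checks it before anything else.
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not EmailAddress")
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS)
    if audience != expected_audience:
        problems.append(f"Audience {audience!r} does not match the SP Entity ID")
    roles = [v.text or "" for a in root.findall(".//saml:Attribute", NS)
             if a.get("Name") == "84codes.roles"
             for v in a.findall("saml:AttributeValue", NS)]
    for role in roles:
        m = ROLE_RE.match(role)
        if m is None or m.group("team") != team_code:
            problems.append(f"84codes.roles value {role!r} is not '<team code>/<role>' for this team")
    return {"subject": None if name_id is None else name_id.text,
            "audience": audience, "roles": roles, "problems": problems}
```

An empty "problems" list means the response carries what the CloudAMQP side expects; a wrong Audience or a role value with the wrong team code is the usual reason a mapping silently fails.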