Listed below are the steps to configure SAML authentication in OpManager (SP) for Azure (IdP) with Single Sign-On.

1. Login to your Azure account. Expand the menu on the left hand side, and select Azure Active Directory.

 

2. Click on Enterprise applications.

 

3. Select New Application.

 

4. Enter the application name in the text box under 'What's the name of your app?' and click on Create at the end of that page.

 

5. On the left side menu, select Single sign-on and choose SAML. You will be navigated to the SAML based Sign-On page.

 

 

6. In Basic SAML configuration select the edit option. (The pencil icon).

 

7. In this window, the Entity ID, Assertion Consumer Service (ACS) URL, Sign on URL, and Logout URL from OpManager need to be specified.

    

8. Go to OpManager, navigate to Settings -> General Settings -> Authentication.

 

9. Under SAML, copy the Entity ID, Assertion Consumer Service URL, and the Logout URL from the Service Provider Details section.

 

10. Now, go back to Azure and enter those details in the Basic SAML Configuration section by selecting the edit option.

 

11. Under the Attributes & Claims section, click on the Edit option. (The pencil icon).

 

12. Click on user.displayname [nameid-format:persistent]

 

13. For OpManager versions,
    • Before version 126147, choose the Name Identifier format as Persistent. Choose the Source Attribute as Display Name, if you are trying to authenticate local users in OpManager. If you are trying to authenticate AD or Domain users, click on Transformation and configure the appropriate OGNL expression to send the NameID value in the format < domainname >\< username > . Click Save.

     

    ​

    Note: If your display name contains space or other special characters, user mapping issues might happen, so configure a different attribute like first name, or you can switch to Email NameID format.

    • For version 126147 and above, choose the Name Identifier format as Email address and Source Attribute as user.mail and click Save.

     

14. Now, download the Federation Metadata XML file from the SAML Signing Certificate section.

 

15. Open OpManager and go to Settings -> General Settings -> Authentication -> SAML. Upload the metadata file under Identity provider details and select the corresponding NameID format based on the OpManager version installed. Click on Save.

 

16. Now, Click on the Enable SAML SSO option.

 

17. Now go back to Azure and select Users and groups on the left side menu, then select Add user/group.

 

18. Click None selected and from the right hand side, select the Users and click Assign.

 

19. After assigning the users, please ensure the user profiles are created in OpManager and verify the following,
    • For Persistent NameID ( Before version 126147 ) the username in OpManager should match the user displayname in Azure.

     

     

    • For Email NameID ( For version 126147 and above ) the user Email in OpManager should match the user Email in Azure.

     

     

20. Now, login to OpManager using your Azure account from the login page.