SSO - SAML

A-Ops supports SSO using SAML, allowing users of your tenant to log in using an SSO provider instead of a local A-Ops user. Because multiple authentication types are supported, A-Ops does not require all users to be SSO users, and Admin users within A-Ops can therefore pick and choose which users use SSO. Additionally, multiple SSO providers are supported.

Authorization remains unchanged: users must still be added in the account management pages, along with their assigned groups, just like local users.

Tenant Configuration

  1. Open Model Editor -> Settings
  2. Create a new setting called web-auth if it does not exist; otherwise open the existing one
  3. Within values, create an sso key
  4. Insert the required SSO provider details using the sample below

Sample

Sample value JSON. If web-auth already exists, append this to your existing settings within it.

{ 
    "sso" : { 
        "[sso_name]" : {
            "certificate":"[provider_cert]",
            "issuer":"https://prod-eu-west-1.a-ops.cloud/sso/saml2/[tenant_id]/[token]",
            "login_url":"[login_url]",
            "token":"[token]",
            "type":"SAML2"
        }
    }
}

Parameter        Description
[sso_name]       A key name given to this SSO provider; the name can be anything
[provider_cert]  The public certificate from your SSO provider. The certificate must have its new lines replaced with \n
[tenant_id]      Tenant ID, which can be found within the license section of the A-Ops portal
[token]          A secure token value; we recommend at least 32 characters
[login_url]      The login URL provided by your SSO provider

{
    "sso" : { 
        "azure":{
            "certificate":"-----BEGIN CERTIFICATE-----\nMIIC8DCCAdigAwIBAgIQn1/zXzkdwpeF7zP9t9nXie7ap2PcmWab3qdixE1qR8kge5QEJZzyxVmF\nk80iVCZkCCVgfnExXsgWW0zWOSzAuMJxu1hN27jQNz5jdbUWGCjnNs08Ps8iHKI4v8RucsJclXYS\nm3rolZYjFeHAHvnwq398\n-----END CERTIFICATE-----\n",
            "issuer":"https://prod-eu-west-1.a-ops.cloud/sso/saml2/6405d17bb432ab8cf184eec4/edfdgdfn32488sdmnlzmsdjeqwodjsdf3234382fnladaoew",
            "login_url":"https://login.microsoftonline.com/18bv3dea-54bd-465a-9eb8-f2bg75e346f/saml2",
            "token":"edfdgdfn32488sdmnlzmsdjeqwodjsdf3234382fnladaoew",
            "type":"SAML2"
        }
    }
}
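
The following is an added example, not part of the A-Ops documentation or product: a small helper that builds one provider entry in the format shown above from a downloaded PEM certificate, and checks an entry for the copy-and-paste mistakes this format invites (short token, issuer and token out of step, certificate without \n separators). The function names, the use of a hex token from a CSPRNG, and the placeholder inputs are assumptions; the base URL is the one shown in the samples.

```python
import json
import secrets

# Base URL as shown in the page's samples.
BASE_URL = "https://prod-eu-west-1.a-ops.cloud/sso/saml2"
MIN_TOKEN_LEN = 32  # the page recommends at least 32 characters


def build_sso_entry(sso_name, tenant_id, login_url, cert_pem, token=None):
    """Return the {"sso": {...}} fragment to merge into the web-auth setting."""
    # Assumption: hex from a CSPRNG is an acceptable token; 32 bytes -> 64 characters.
    token = token or secrets.token_hex(32)
    # Normalise line endings; json.dumps() then writes each newline as the two characters \n.
    lines = [ln.strip() for ln in cert_pem.strip().splitlines() if ln.strip()]
    cert = "\n".join(lines) + "\n"
    entry = {
        "certificate": cert,
        "issuer": f"{BASE_URL}/{tenant_id}/{token}",
        "login_url": login_url,
        "token": token,
        "type": "SAML2",
    }
    return {"sso": {sso_name: entry}}


def check_sso_entry(entry, tenant_id):
    """Return a list of problems found in one provider entry (empty list = OK)."""
    problems = []
    token = entry.get("token", "")
    if len(token) < MIN_TOKEN_LEN:
        problems.append("token shorter than 32 characters")
    if entry.get("issuer") != f"{BASE_URL}/{tenant_id}/{token}":
        problems.append("issuer does not end in /[tenant_id]/[token]")
    cert = entry.get("certificate", "")
    if not (cert.startswith("-----BEGIN CERTIFICATE-----\n")
            and cert.rstrip("\n").endswith("\n-----END CERTIFICATE-----")):
        problems.append("certificate is not a PEM block with newline separators")
    if entry.get("type") != "SAML2":
        problems.append("type must be SAML2")
    return problems


if __name__ == "__main__":
    # Constructed placeholder inputs; substitute your own values.
    pem = "-----BEGIN CERTIFICATE-----\r\nQ09OU1RSVUNURUQ=\r\n-----END CERTIFICATE-----\r\n"
    cfg = build_sso_entry("entra", "TENANT_ID_PLACEHOLDER",
                          "https://idp.example/saml2", pem)
    print(json.dumps(cfg, indent=4))
    print(check_sso_entry(cfg["sso"]["entra"], "TENANT_ID_PLACEHOLDER") or "OK")
```

The same generated token must be used in the Identifier and Reply URL entered at the SSO provider, since both contain it.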

Microsoft Entra

Within the Entra console, create a new Enterprise Application by following these steps.

  1. Applications -> Enterprise Applications
  2. New Application
  3. Create your own application
  4. Enter a name for the application e.g. A-Ops and press Create

  5. Select Single sign-on and then SAML

  6. Edit Basic SAML Configuration
  7. Enter the following value into both Identifier and Reply URL: https://prod-eu-west-1.a-ops.cloud/sso/saml2/[tenant_id]/[token]

  8. Copy and make a note of the Login URL
  9. Download Certificate (Base64)
  10. Populate the SSO SAML template

{
    "sso" : { 
        "entra":{
            "certificate":"-----BEGIN CERTIFICATE-----\nMIIC8DCCAdigAwIBAgIQn1/zXzkdwpeF7zP9t9nXie7ap2PcmWab3qdixE1qR8kge5QEJZzyxVmF\nk80iVCZkCCVgfnExXsgWW0zWOSzAuMJxu1hN27jQNz5jdbUWGCjnNs08Ps8iHKI4v8RucsJclXYS\nm3rolZYjFeHAHvnwq398\n-----END CERTIFICATE-----\n",
            "issuer":"https://prod-eu-west-1.a-ops.cloud/sso/saml2/6405d17bb432ab8cf184eec4/gsdfsdfbui423ur98sd7yfsddjdnvnfdbdnsd",
            "login_url":"https://login.microsoftonline.com/185bbdda-41bd-481a-9fb8-f2bc75ef2c54/saml2",
            "token":"gsdfsdfbui423ur98sd7yfsddjdnvnfdbdnsd",
            "type":"SAML2"
        }
    }
}

Enable SSO for Users

  1. Within Account Management in A-Ops, edit or create the user for whom you wish to enable SSO
  2. Ensure the username matches your SSO SPN, normally your email
  3. Edit the user and update the Login Type to sso-'[sso_name]'

  4. Press Update User