Set up SSO with Azure Active Directory

This is a tutorial for configuring SAML-2.0 based Single Sign-on (SSO) with Azure Active Directory (Azure AD).

Prerequisites

  1. TigerGraph must be configured with SSL.

  2. GSQL authentication must be enabled by changing the password of the GSQL default user.

  3. An Azure AD Tenant must be granted Application Administrator to follow the tutorial.

  4. An Azure AD Tenant must be granted Conditional Access Administrator to take the next step to configure two-factor authentication (2FA).

Configure Azure AD SSO

  1. Log in to Azure Active Directory as an admin user: Azure AAD Portal Login

  2. Create a new application by selecting Enterprise Applications in the left sidebar menu and clicking All applications > New application > Create your own application.

  3. Enter a name and ensure that you are using a non-gallery application.

aad create your own application
  1. In the sidebar for your new application, choose Single sign-on under Manage, then click the SAML button.

aad single sign on setup
  1. Enter this information in the Basic SAML Configuration section. Replace <tigergraph-machine-hostname> with your TigerGraph machine hostname.

    1. Identifier (Entity ID): https://<tigergraph-machine-hostname>:14240/gsqlserver/gsql/saml/meta

    2. Reply URL: https://<tigergraph-machine-hostname>:14240/api/auth/saml/acs

  2. Go to Section 3: SAML Signing Certificate and click Edit.

  3. Set the Signing Option to "Set SAML Response and Assertion", then click Save.

  4. Also in Section 3, click the Download link to download the certificate in Base64 format. This will be used to connect to TigerGraph.

  5. In Section 4, copy the following information for later use to configure SSO in TigerGraph’s Admin Portal:

    1. Login URL (TigerGraph calls this the "Identity Provider Single Sign-On URL")

    2. Azure AD Identifier (TigerGraph calls this the Identity Provider Entity Id in TigerGraph)

Enable single sign-on in TigerGraph

First, use the SSO documentation to set up SSO in Admin Portal. This is where you will upload the certificate you downloaded from Azure.

Next, follow these steps:

  1. Enter the Identity Provider’s Entity ID and Identity Provider SSO URL you copied in Step 9 of the previous section.

  2. At the bottom of the screen, for the Authentication Context section, use urn:oasis:names:tc:SAML:2.0:ac:classes:Password

Before Azure and TigerGraph can successfully communicate, the Azure AD groups need to be correctly mapped to TigerGraph proxy groups with the appropriate roles. The TigerGraph proxy group is created with the key=value proxy rule. The key and value should match the SSO user claims in the SAML response.

For example, you could add a Name key with a value of in_group1 and a Member group attribute value of True for a certain group, in this example TestGroup1.

aad manage claim

This will return in_group1 = True in the SSO SAML response only if the Azure user is part of TestGroup1.

See Microsoft’s official documentation for instructions on setting up the SAML tokens on the Azure side: Customize Claims issued in the SAML token for enterprise applications

Create a TigerGraph proxy group

  1. In AdminPortal, select Management > Users from the left sidebar menu.

  2. At the top of the Users page, select All Users and click on Proxy Group.

  3. Click the + Add Group button to add a new group.

  4. Enter a name for your proxy group and use the same attribute name and value from Azure. In this example, the attribute-value pair is in_group1 and True.

add new proxy group

  1. Navigate to the Role Management tab at the top.

  2. Select a graph and role on the graph for the proxy group, then click Save.

apply proxy group

  1. Go to Users > My Profile and check to see that your profile has the correct role.