This guide will walk you through setting up single sign-on (SSO) for Egnyte using Azure Active Directory.
Create a new custom application
Configure Azure AD Single Sign-On (SSO)
Test Azure AD SSO
Additional Resources
Prerequisites
- Microsoft Azure plan allows for a custom, non-gallery application (if groups are to be provisioned, the plan should allow for this as well)
- If you have a local Active Directory present, it should be synced with Azure. Please refer to this Microsoft article.
- Do not add the Egnyte App from the Azure App Gallery; add a custom app as described below.
- Egnyte recommends setting up a separate application for every Egnyte domain you have:
Example:
Name of application   Provisioning for   Single Sign-On for
Egnyte US West        acmeusw            acmeusw
Egnyte US East        acmeuse            acmeuse
Egnyte EMEA           acmeemea           acmeemea
Although it is possible to set up SSO within one application, we do not recommend it.
Step-by-step guide
Creating Enterprise application for provisioning
- Log in to Azure Portal.
- Go to Enterprise Applications in the Azure AD section.
- Hit the "+ New application" button and then "+ Create your own application." This can require a specific plan that might include additional costs.
- Choose a name for the app so you can easily identify it, and select the option "Integrate any other application you don't find in the gallery."
- Click on the newly created app, select the Provisioning section, and click the "Get started" button.
Configure Azure AD Single Sign-On (SSO)
This section will show you how to enable Azure AD SSO in the Azure portal and configure it in your Egnyte application.
- In the Azure portal, open the Egnyte application integration page and click Single sign-on.
- On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable SSO.
Note: On the top of the page you can switch between old and new experience. Both of those options will work correctly with Egnyte; however, there are certain differences in how they are handled.
In step 1, select the Edit icon in the top right corner.
- Fill in Identifier (Entity ID) with https://saml-auth.egnyte.com/.
If you have more than one Egnyte domain and want to set up a separate application for each of them within the same tenant, navigate to Egnyte WebUI -> Settings -> Security & authentication and enable the "Use domain-specific Issuer value" switch (see the Egnyte Configuration section below), then set Identifier (Entity ID) to https://<domainname>.egnyte.com or your custom access URL (if any).
- Fill in Reply URL (Assertion Consumer Service URL) with the following pattern:
  - If your domain had been configured for SAML Single Sign-On before February 20th, 2019:
    https://*.egnyte.com/samlconsumer/AzureAD or https://<domainname>.egnyte.com/samlconsumer/AzureAD or https://custom-url/samlconsumer/AzureAD
  - If your domain has never been configured for SAML Single Sign-On, or if it was created after February 20th, 2019:
    https://*.egnyte.com/samlconsumer or https://<domainname>.egnyte.com/samlconsumer or https://custom-url/samlconsumer
- Fill in Sign-on URL with the URL of your domain (https://<domainname>.egnyte.com/) or the custom access URL if your Egnyte domain is tied to one.
- Click the Save icon on the top and after the changes are saved, go back to Set up Single Sign-On.
Note: It may take a couple of minutes for changes to take effect on the Azure side.
- In step 4, download the Federation Metadata XML.
- Continue to the Egnyte Configuration section.
Egnyte Configuration
- In a different web browser window, log in to Egnyte as an Administrator, open the menu, and click Settings. Click the Configuration tab, and then click Security & authentication.
- In the Single Sign-On Authentication section in Egnyte, perform the following steps:
- Single sign-on authentication: SAML 2.0
- Identity provider: AzureAD
- Click on import metadata XML file and choose the downloaded file from Azure.
- Default user mapping: Email address
- Use domain-specific issuer value: disable if you are not going to configure multiple Egnyte domains within one Azure Tenant.
- Click Save
Test Azure AD SSO
In this section, you'll test Azure AD SSO with Egnyte with a test user called "Britta Simon."
For SSO to work, Azure AD needs to know which Egnyte user corresponds to each Azure AD user. In other words, a relationship between an Azure AD user and the related user in Egnyte needs to be established.
In Egnyte, set the IdP Username of the user to the Username value (also known as the UPN) of the Azure AD user to establish this link.
To configure and test Azure AD SSO with Egnyte, you need to complete the following steps:
- Create an Azure AD Test User: To test Azure AD SSO with Britta Simon.
- Create an Egnyte Test User: To have a counterpart of Britta Simon in Egnyte linked to the Azure AD representation of the user.
- Assign the Azure AD Test User: To enable Britta Simon to use Azure AD SSO.
- Test Single Sign-On: To verify the configuration was set up properly.
Create an Azure AD Test User
The objective of this section is to create a test user in the Azure portal called Britta Simon.
- In the Azure portal on the left navigation pane, click the Azure Active Directory icon.
- Go to Users, and click New user on the top of the screen.
- On the User Dialog page, perform the following steps:
a. Name: BrittaSimon (without spaces)
b. User name: Email address of Britta Simon.
c. Select Show Password and write down the value of the password.
- Click Create.
Create an Egnyte Test User
To enable Azure AD users to log into Egnyte, they must be provisioned in Egnyte. With Egnyte, you can manually enter your users or use a CSV file to import them. We'll show you how to add a user manually, but you can read more about importing users here.
- Log into Egnyte as an Administrator, open the menu, and click Settings. Click the Users & Groups tab, and then click Add New Account.
- From the drop-down, select the type of user you want to add. In our example, we'll add Britta as a Power User.
- In the New Power User section, perform the following steps:
a. Type the First and Last Name, Email, and Username of the Azure Active Directory account you want to provision.
b. Authentication Type: Single Sign-On
c. Set IdP Username to match the UPN from Azure.
- Click Save.
Note: For existing users, find the user in the Users & Groups tab, hover over the user and click Details, and click Edit user profile. Make sure all of the details match the user in Azure Active Directory, change the Authentication type to Single Sign-On, set IdP Username, and click Save.
Assign the Azure AD Test User
In this section, you'll enable Britta Simon to use Azure SSO.
- In the Azure portal, open the created application.
- In the menu on the left, click Users and groups.
- Click the + Add User/Group button. Then select None selected:
- In the search box, search for Britta Simon and select the user.
- Click Select at the bottom.
- Click Assign to confirm your choice.
Test Single Sign-On
Test the setup by having a user log in to Egnyte with their Azure AD credentials.
Note: All SSO-authenticated users will be redirected to your SSO page when attempting to log in to Egnyte.
Best Practices and Additional Notes:
- Egnyte recommends having at least one admin account with Egnyte authentication in case of SSO provider failure.
- By default, Single Sign-On is available only for Admins and Power Users.
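The user-linking rules in the Create an Egnyte Test User section (IdP Username must equal the Azure AD UPN, details must match, Authentication Type must be Single Sign-On) and the best practice of keeping one Egnyte-authenticated admin are both things an administrator would want to verify across a whole user list, not just for Britta Simon. The check below is an added example written for this guide, not Egnyte's or Microsoft's code: the record layout (field names such as userPrincipalName, idp_username, auth_type, user_type), the function names and the sample users are constructed assumptions, so map them onto whatever export you actually have.

```python
"""Consistency check between Azure AD users and Egnyte user records.

Added example, not Egnyte's or Microsoft's code. Field names and the sample
records are constructed for illustration and do not follow any real API schema.
"""


def find_link_problems(azure_users, egnyte_users):
    """Return (egnyte_username, problem) pairs for SSO accounts that are mis-linked.

    Rules from the guide: an SSO user's IdP Username must equal an Azure AD UPN,
    the email should match the Azure AD user, and only SSO accounts are linked.
    """
    by_upn = {u["userPrincipalName"].lower(): u for u in azure_users}
    problems = []
    for user in egnyte_users:
        name = user["username"]
        if user["auth_type"] != "sso":
            continue  # Egnyte-authenticated accounts are not linked to Azure AD
        idp = user.get("idp_username") or ""
        azure = by_upn.get(idp.lower())  # UPNs are matched case-insensitively here
        if azure is None:
            problems.append((name, f"IdP Username {idp!r} matches no Azure AD UPN"))
            continue
        if idp != azure["userPrincipalName"]:
            problems.append((name, "IdP Username differs from the UPN only in letter case; use the exact UPN"))
        if user["email"].lower() != azure["mail"].lower():
            problems.append((name, "email differs from the Azure AD mail attribute"))
    return problems


def has_break_glass_admin(egnyte_users):
    """True if at least one admin still authenticates with Egnyte credentials."""
    return any(u["user_type"] == "admin" and u["auth_type"] == "egnyte"
               for u in egnyte_users)


# Constructed sample data; the domain contoso.example is a placeholder.
AZURE_USERS = [
    {"userPrincipalName": "britta.simon@contoso.example", "mail": "britta.simon@contoso.example"},
    {"userPrincipalName": "john.doe@contoso.example", "mail": "john.doe@contoso.example"},
]
EGNYTE_USERS = [
    # Correctly linked power user, as created in the test-user section.
    {"username": "bsimon", "email": "britta.simon@contoso.example", "user_type": "power",
     "auth_type": "sso", "idp_username": "britta.simon@contoso.example"},
    # IdP Username typed with different capitalisation than the UPN.
    {"username": "jdoe", "email": "john.doe@contoso.example", "user_type": "power",
     "auth_type": "sso", "idp_username": "John.Doe@contoso.example"},
    # SSO account whose IdP Username matches nobody in Azure AD.
    {"username": "orphan", "email": "nobody@contoso.example", "user_type": "power",
     "auth_type": "sso", "idp_username": "nobody@contoso.example"},
    # Emergency admin kept on Egnyte authentication, per the best practice above.
    {"username": "egnyteadmin", "email": "admin@contoso.example", "user_type": "admin",
     "auth_type": "egnyte", "idp_username": ""},
]

if __name__ == "__main__":
    for name, problem in find_link_problems(AZURE_USERS, EGNYTE_USERS):
        print(f"{name}: {problem}")
    print("break-glass admin present:", has_break_glass_admin(EGNYTE_USERS))
```

Accounts on Egnyte authentication are skipped deliberately: they are the fallback the best-practice note asks you to keep, and has_break_glass_admin confirms that at least one admin is still in that state before you switch everyone else to SSO.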