
Configuring AzureAD/EntraID - SAML - SSO

Overview

This guide will help you integrate and configure AzureAD/EntraID with Cyolo using SSO via the SAML protocol.

Pre-requisites

  • Have already created groups and users in Microsoft 365 Admin/EntraID/AzureAD.

Further possibilities

Configuration

EntraID

Create a new Enterprise Application

  1. Open the Microsoft Entra admin center and sign in with your Microsoft account.
  2. Navigate to Applications → Enterprise Applications → All Applications.
  3. Click the New Application button and then click on the Create Your Own Application button to create a new application.
  4. Enter a Name for this application, then select the Include any other application you don't find in the Gallery (Non-Gallery) option and click the Create button.

Pre-configure the SSO

  1. In the new application settings, navigate to Single sign-on and select SAML.

Basic SAML Configuration

  1. In the Basic SAML Configuration section, click the Edit button.
  2. In the Identifier (Entity ID) section, click the Add Identifier button and enter a unique name.
    • Identifier (Entity ID) → Entity issuer field in Cyolo
      Whatever name you enter here, the Entity issuer field in Cyolo must match it exactly: Entra puts this value in the assertion's Audience, and Cyolo rejects assertions whose Audience does not match.
  3. In the Reply URL (Assertion Consumer Service URL) section, click the Add reply URL button and enter a placeholder URL such as https://cyolo.io for now (it is replaced with the real Redirect URI once Cyolo has generated it).
    • Reply URL (Assertion Consumer Service URL) → Redirect URI from Cyolo
  4. Click on the Save button.

SAML Certificates

  1. In the SAML Certificates section, download the certificate from the Certificate (Base64) row. Cyolo uses it to verify the signature on assertions from this application, so it must be replaced in Cyolo whenever the certificate is rotated in Entra.

  2. Open the App Federation Metadata URL in a new tab to see every claim the EntraID application can send to Cyolo. Some of these claim URIs are used later for the attribute mapping; for example:

    <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <auth:DisplayName>Name</auth:DisplayName>
        <auth:Description>The mutable display name of the user.</auth:Description>
    </auth:ClaimType>

Set up

In the Set up section, note the following values for use in Cyolo:

  • Login URL → SSO URL field in Cyolo
  • Microsoft Entra Identifier → SSO Issuer field in Cyolo
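The same values can be read from the App Federation Metadata document instead of copied by hand from the portal. The script below is an added example, not part of this guide or of Cyolo's tooling: it parses the metadata, picks the Entra Identifier (entityID), the HTTP-Redirect sign-on endpoint (Login URL), the signing certificate(s) and the offered claim URIs, and wraps the certificate body into PEM form. The metadata sample is constructed in the shape Entra publishes, with a placeholder tenant ID and a placeholder certificate body (not a real key).

```python
"""Extract the values Cyolo's SAML IdP form needs from an Entra ID
App Federation Metadata document. Added example; the metadata below is
constructed with a placeholder tenant ID and placeholder certificate."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder certificate body (valid Base64, not a real DER certificate).
FAKE_CERT_B64 = base64.b64encode(b"placeholder DER bytes, not a real certificate " * 3).decode()

# Constructed sample in the shape of Entra's federationmetadata.xml.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <auth:DisplayName>Name</auth:DisplayName>
      </auth:ClaimType>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <auth:DisplayName>Given Name</auth:DisplayName>
      </auth:ClaimType>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <auth:DisplayName>Surname</auth:DisplayName>
      </auth:ClaimType>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Map the metadata onto the fields of Cyolo's SAML IdP form."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT_BINDING:
            sso_url = svc.get("Location")

    # Entra may publish more than one signing key during a rotation; keep all.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            certs.append("".join(node.text.split()))

    claims = [c.get("Uri") for c in root.iterfind(".//auth:ClaimType", NS)]
    return {
        "sso_issuer": root.get("entityID"),  # -> SSO Issuer (Microsoft Entra Identifier)
        "sso_url": sso_url,                  # -> SSO URL (Login URL)
        "signing_certs": certs,              # -> CA trusted certificate (Base64 body)
        "claim_uris": claims,                # candidates for the attribute mapping
    }


def to_pem(b64_der: str) -> str:
    """Wrap a Base64 certificate body into PEM form (64-column lines)."""
    base64.b64decode(b64_der, validate=True)  # fail early on a mangled paste
    body = "\n".join(textwrap.wrap(b64_der, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    cfg = parse_idp_metadata(SAMPLE_METADATA)
    for key in ("sso_issuer", "sso_url"):
        print(f"{key}: {cfg[key]}")
    print(to_pem(cfg["signing_certs"][0]))
```

To run it against a real tenant, fetch the App Federation Metadata URL (for example with urllib or curl) and pass the document text to parse_idp_metadata; the script deliberately stays offline here.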

Cyolo

Create a new SAML IDP integration

  1. Open the Cyolo Console: https://console.YOURTENANTNAME.cyolo.io/
  2. Navigate to Integrations → Identity providers.
  3. Click the New button to create a new integration.

Identity Provider Type

  1. In the Identity Provider Type section, enter a Name for the integration.
  2. Select the SAML type and click Next.

Identity Provider Details

  1. In the Identity Provider Details section, fill in the fields as follows:
  • Entity issuer ← Identifier (Entity ID) from EntraID
  • SSO URL ← Login URL from EntraID
  • SSO Issuer ← Microsoft Entra Identifier from EntraID
  • CA trusted certificate ← Certificate (Base64) from EntraID
  2. In the Attributes mapping section, fill in the IdP attribute value of each desired Cyolo attribute field as follows:
     Cyolo Attribute    IdP Attribute Value
     Username           http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
     Email              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
     First name         http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
     Last name          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  3. Click Next to continue.

  • Since the Email Address (/claims/emailaddress) attribute is optional when creating a user in Azure AD, we recommend using the User Principal Name (/claims/name) attribute for the Email field instead.
  • To use the Phone number and Personal desktop attributes, you must create a custom claim attribute in the EntraID application.
  • Authentication fails if any configured IdP attribute is missing from the user object in Azure AD at sign-in time. Make sure every user who will sign in has all mapped attributes populated.

MFA Parameter

  1. Select the MFA provider and methods you want to configure.
  2. Click Next.
  • External provider means Cyolo trusts the MFA performed by the IdP during user enrollment instead of enforcing one of its own MFA methods.

Enrollment Method

  1. Click the Create button after selecting your desired options:
  • Personal Desktop
    The user will be prompted to enter their Personal Desktop IPs.

    Uncheck if the Personal Desktop IDP attribute has already been configured in the Identity Provider Details section.

  • Admin rollout
    Admin must create the user in Cyolo before authentication is attempted.

  • Self-service enrollment
    The user is automatically created in Cyolo (if not already present) upon first authentication. With this option, anyone who can obtain an assertion from the EntraID application becomes a Cyolo user, so the application's user and group assignment is what controls who can enroll.

  2. Save the Redirect URI value provided by Cyolo.

EntraID Configuration

Configure the SSO

  1. Go to Microsoft Entra admin center and sign in.
  2. Navigate to:
    Applications → Enterprise Applications → All Applications
  3. Open the previously created Enterprise Application.
  4. In the Basic SAML Configuration section of the Single sign-on tab, click Edit.
  5. In the Reply URL (Assertion Consumer Service URL) field, replace the placeholder URL with the Redirect URI saved from Cyolo, copied exactly as shown (Entra only posts assertions to a Reply URL that matches), and click Save.

Assign Users and Groups to the Application

  1. Navigate to the Users and groups tab.
  2. Click Add user/group.
  3. In the Users and groups field, click None Selected.
  4. Add all users and groups that need to authenticate to your Cyolo tenant using this IDP. Under the application's Properties, check that Assignment required is set to Yes; otherwise any user in the tenant can obtain an assertion for this application regardless of this list.

Now your AzureAD/EntraID SSO integration with Cyolo is ready!



Testing

EntraID

  1. Open the Microsoft Entra admin center.
  2. Navigate to:
    Applications → Enterprise Applications → All Applications
  3. Open the previously created Enterprise Application.
  4. In the Test single sign-on section of the Single sign-on tab, click Test.
  5. In the Testing sign in section, click Test sign in.
  6. Log in using a user credential assigned to the application.

If successful, you are redirected to the tenant portal and logged in.


Cyolo

  1. Open the Cyolo Portal:
    https://users.YOURTENANTNAME.cyolo.io/
  2. Log in using a user credential assigned in the EntraID Enterprise Application.

🎉

If everything went well, you'll be logged into the tenant portal.
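If the Cyolo login fails even though the Entra test succeeds, the usual cause is one of the values that must match across the two sides: the SSO Issuer, the Entity issuer (carried in the assertion's Audience), the Redirect URI (carried in the Recipient) or a mapped attribute that is empty for the user. The script below is an added troubleshooting aid, not part of this guide or of Cyolo, that checks a captured SAMLResponse (the Base64 form field the browser posts, as seen in browser dev tools or a SAML tracer extension) against the values entered in Cyolo. The tenant values, the ACS path and the two sample responses are constructed for the example. It does not verify the XML signature; Cyolo does that with the CA trusted certificate.

```python
"""Offline sanity check of an Entra ID SAMLResponse against the values entered
in Cyolo's SAML IdP form. Added example; the tenant values and the Cyolo ACS
path are hypothetical, and the sample responses are constructed here."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What was typed into Cyolo (hypothetical values, not a real tenant).
CYOLO_CONFIG = {
    "entity_issuer": "cyolo-acme",  # Identifier (Entity ID) in Entra
    "sso_issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "redirect_uri": "https://users.acme.cyolo.io/saml/acs",  # assumed ACS path
    "attribute_mapping": {
        "Username": CLAIMS + "name",
        "Email": CLAIMS + "name",
        "First name": CLAIMS + "givenname",
        "Last name": CLAIMS + "surname",
    },
}

# Constructed attribute set for a user with every mapped claim populated.
FULL_ATTRS = {
    CLAIMS + "name": "jane.doe@acme.example",
    CLAIMS + "givenname": "Jane",
    CLAIMS + "surname": "Doe",
}


def build_sample_response(attrs: dict, recipient: str) -> str:
    """Constructed stand-in for what the browser posts as SAMLResponse
    (unsigned; a real Entra response carries an XML-DSig Signature)."""
    attr_xml = "".join(
        f'<Attribute Name="{name}"><AttributeValue>{value}</AttributeValue></Attribute>'
        for name, value in attrs.items()
    )
    issuer = CYOLO_CONFIG["sso_issuer"]
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        f'Destination="{recipient}">'
        f'<Issuer>{issuer}</Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        '<Assertion ID="_a1" Version="2.0">'
        f'<Issuer>{issuer}</Issuer>'
        '<Subject><NameID>jane.doe@acme.example</NameID>'
        '<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<SubjectConfirmationData Recipient="{recipient}"/>'
        '</SubjectConfirmation></Subject>'
        '<Conditions><AudienceRestriction>'
        f'<Audience>{CYOLO_CONFIG["entity_issuer"]}</Audience>'
        '</AudienceRestriction></Conditions>'
        f'<AttributeStatement>{attr_xml}</AttributeStatement>'
        '</Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


def check_saml_response(saml_response_b64: str, cfg: dict) -> list:
    """Return a list of mismatches; an empty list means these checks passed.
    Signature validity is deliberately not checked here."""
    findings = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append(f"StatusCode is not Success: {None if status is None else status.get('Value')}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no Assertion element (encrypted assertions are not handled here)")
        return findings

    # Both the Response and the Assertion carry an Issuer; both must be the SSO Issuer.
    for label, node in (("Response", root), ("Assertion", assertion)):
        issuer = node.findtext("saml:Issuer", default="", namespaces=NS)
        if issuer != cfg["sso_issuer"]:
            findings.append(f"{label} Issuer {issuer!r} != SSO Issuer {cfg['sso_issuer']!r}")

    audiences = [a.text for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["entity_issuer"] not in audiences:
        findings.append(f"Audience {audiences} does not contain Entity issuer {cfg['entity_issuer']!r}")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != cfg["redirect_uri"]:
        findings.append(f"Recipient {recipient!r} != Redirect URI {cfg['redirect_uri']!r} (check the Reply URL in Entra)")

    # Every Cyolo field maps to a claim URI that must be present and non-empty.
    present = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        present[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    for cyolo_field, uri in cfg["attribute_mapping"].items():
        if not present.get(uri):
            findings.append(f"{cyolo_field}: mapped claim {uri} missing or empty for this user")
    return findings


if __name__ == "__main__":
    partial = {k: v for k, v in FULL_ATTRS.items() if not k.endswith("givenname")}
    for finding in check_saml_response(build_sample_response(partial, "https://cyolo.io"), CYOLO_CONFIG):
        print("-", finding)
```

For a real capture, paste the SAMLResponse form value into check_saml_response in place of the constructed sample and fill CYOLO_CONFIG with the values from your Cyolo IdP form; a Recipient finding points at the Reply URL step in Entra, a missing-claim finding at the user object in Azure AD.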


Logs

EntraID

  1. Open the Microsoft Entra admin center.
  2. Navigate to:
    Applications → Enterprise Applications → All Applications
  3. Open the previously created Enterprise Application.
  4. Go to the Sign-in logs tab to view user login logs.

Cyolo

Tenant Console

  1. Open the Cyolo Console:
    https://console.YOURTENANTNAME.cyolo.io
  2. Navigate to: Monitoring → Activity

Idac Console

  1. SSH into one of your Idacs.
  2. Run the following command (container stderr is merged into the pipe so log lines on either stream are matched):
sudo docker logs -f config_idac_1 --since 1h 2>&1 | grep -i user