Configure SAML with Azure AD

Last modified: Tuesday June 15, 2021.

Configure Microsoft Azure Active Directory (Azure AD) as your SAML IdP for Alta Video.

Task — Create an Alta Video Cloud Enterprise application

  1. Log in to your Azure Active Directory portal.
  2. In the Azure Manage section, click Enterprise applications.
  3. At the top of the page, click New application.
  4. Click Create your own application.
  5. In the Name field, type a name for your Alta Video Cloud deployment.
  6. Click Add.

Task — Create Groups for your Alta Video Cloud users

You can create multiple Azure Groups that correspond to the Alta Video Cloud User groups.

You can create one group for your Alta Video Cloud Administrators, another for your Alta Video Cloud Operators, plus further groups for any other Alta Video Cloud User groups used within your Avigilon Alta deployment.

  1. In Azure, search for and open Groups.
  2. Click New group.
  3. Set Group type to Security.
  4. Type a name for the Group name.
  5. Optionally, enter a description for the group.
  6. Set Membership type to Assigned.
  7. From beneath Owners, click No owners selected. Pick your user name and click Select.
  8. From beneath Members, click No members selected. Pick all users to be given SSO access to your Alta Video Cloud deployment.
  9. Click Create.

Task — Declare an App role for Alta Video Cloud

  1. In Azure, search for and open App registrations.
  2. Select All applications.
  3. Locate and select your application.
  4. From the left hand menu, select App roles.
  5. Click Create app role.
  6. Type a display name, for example, Aware_Admins.
  7. Select Users/Groups.
  8. In the Value field, enter the name of the relevant Alta Video Cloud User group, for example, Administrators.

    The entry in the Value field must exactly match the name of the relevant Alta Video Cloud User group.

  9. Enter a description for this app role.
  10. Ensure Do you want to enable this app role? is enabled.
  11. Click Apply.

    You can repeat these steps to create additional App roles, for example, for Operators who use Alta Video Cloud but cannot change configurations.

Task — Assign the Users and groups that can access Alta Video Cloud

  1. From Enterprise application > <your Aware Cloud application>, select Users and groups.
  2. Click Add user/group.
  3. From beneath Users and groups, click None selected.
  4. Select the previously created Groups, or add individual users to be given SSO access to Alta Video Cloud.
  5. Click Select.
  6. From beneath Select a role, click None selected.
  7. Select the previously defined role for this user (or group).
  8. Click Select.
  9. Click Assign.

Task — Configure Basic SAML Configuration

  1. In the Getting started section, click Assign users and groups, and then add the Alta Video Cloud users that you want to authenticate via SAML.
  2. In the left-hand panel, click Single sign-on.
  3. Click SAML.
  4. In the Basic SAML Configuration panel, click the Edit (pencil) icon.
    (Figure: Azure Basic SAML configuration)
  5. In the Identifier (Entity ID) field, paste the Entity ID you obtained from Alta Video Cloud.
  6. In the Reply URL (Assertion Consumer Service URL) field, paste the ACS URL you obtained from Alta Video Cloud.
  7. At the top of the Basic SAML Configuration panel, click Save.

Task — Configure User Attributes & Claims

  1. In the User Attributes & Claims panel, click the Edit (pencil) icon.
    (Figure: Azure AD User Attributes & Claims)
  2. Configure your attributes, which are known as claims in Azure:
    1. To configure an email attribute:
      1. At the top of the User Attributes & Claims panel, click Add new claim.
      2. In the Name field, type AvaAwareEmail.
      3. In the Source attribute menu, select user.mail.

        Ensure that the profile of every Azure user includes an Email address in the Contact info section; otherwise the AvaAwareEmail claim is sent empty.

      4. Click Save.
    2. To configure the username attribute:
      1. Click Add new claim again.
      2. In the Name field, type AvaAwareUsername.
      3. In the Source attribute menu, select user.userprincipalname.
      4. Click Save.
    3. To configure the role attribute:
      1. Click Add new claim again.
      2. In the Name field, type AvaAwareUserGroup.
      3. In the Source attribute menu, select user.assignedroles.
      4. Click Save.
  3. In the Additional claims section, delete all other default claims, so that only the AvaAwareEmail, AvaAwareUsername, and AvaAwareUserGroup claims remain.
    (Figure: Azure AD Required and Additional claims)
  4. Click SAML-based Sign-on.
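The two configuration details above that most often break SSO are the app role Value that must match the Alta Video Cloud User group name exactly, and the default claims that must be removed so only the three AvaAware claims remain. The following Python check, added here as an example and not part of the Avigilon documentation or product, reads the AttributeStatement of a SAML assertion and reports either kind of mistake. The assertion is a constructed sample, the group names are assumed (the documentation only names Administrators and Operators), and the code does not verify the assertion's signature; it is meant for inspecting a captured response while troubleshooting.

```python
"""Check that a SAML assertion carries exactly the claims Alta Video Cloud
expects (AvaAwareEmail, AvaAwareUsername, AvaAwareUserGroup) and that the
group value matches a configured Alta Video Cloud User group exactly.

Example code added for illustration; not part of the Avigilon documentation
or product. The assertion is a constructed sample, not a real Azure AD
response, and no signature check is performed here."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The three claim names the documentation tells you to create in Azure AD.
EXPECTED_CLAIMS = {"AvaAwareEmail", "AvaAwareUsername", "AvaAwareUserGroup"}

# Alta Video Cloud User group names (assumed for this example; the
# documentation names Administrators and Operators).
ALTA_GROUPS = {"Administrators", "Operators"}

# Constructed sample AttributeStatement, shaped like what Azure AD emits once
# the three custom claims are configured (Signature and Conditions omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="AvaAwareEmail"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="AvaAwareUsername"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="AvaAwareUserGroup"><saml:AttributeValue>Administrators</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values
    return claims


def check_claims(claims, groups=ALTA_GROUPS):
    """Return a list of problems; an empty list means the claim set is as documented."""
    problems = []
    names = set(claims)
    for missing in sorted(EXPECTED_CLAIMS - names):
        problems.append(f"missing claim: {missing}")
    # The documentation says to delete every other default claim.
    for extra in sorted(names - EXPECTED_CLAIMS):
        problems.append(f"unexpected extra claim: {extra}")
    # An empty email/username usually means the Azure user profile lacks the field.
    for name in ("AvaAwareEmail", "AvaAwareUsername"):
        if name in claims and not any(v.strip() for v in claims[name]):
            problems.append(f"{name} is empty (check the user's Contact info / UPN in Azure)")
    # The app role Value must match the Alta Video Cloud group name exactly,
    # including case; a near miss is reported separately so it is easy to spot.
    for value in claims.get("AvaAwareUserGroup", []):
        if value in groups:
            continue
        near = next((g for g in groups if g.lower() == value.lower()), None)
        if near:
            problems.append(f"group '{value}' differs from '{near}' only in case; the app role Value must match exactly")
        else:
            problems.append(f"group '{value}' is not a configured Alta Video Cloud User group")
    return problems


if __name__ == "__main__":
    found = extract_claims(SAMPLE_ASSERTION)
    for problem in check_claims(found) or ["claims look correct"]:
        print(problem)
```

Run it against a decoded SAMLResponse captured from the browser (the assertion element only) and fix whatever it reports in the Azure claim or app role configuration before retrying the sign-in.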

Task — Configure SAML Signing Certificate

  1. From Enterprise application > <your Aware Cloud application> > 2. Set up single sign-on, select the SAML Signing Certificate section.
    (Figure: Azure AD Signing certificate)
  2. In the Signing Option menu, select Sign SAML response and assertion.
  3. Click Save.

Task — Download the metadata needed by Alta Video Cloud

  1. In the SAML Signing Certificate section, beside Federation Metadata XML, click Download.
    You will need to upload this information to your Alta Video Cloud deployment.
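Before uploading the downloaded Federation Metadata XML, it is worth confirming that it is Azure AD identity-provider metadata for the right tenant and that it carries the signing certificate Alta Video Cloud will use to verify the signed response and assertion. The Python script below is an added example, not part of the Avigilon documentation or product; it parses the file with the standard library and reports the entity ID, the single sign-on endpoints and the SHA-1 fingerprint of each signing certificate, which you can compare with the Thumbprint shown in the SAML Signing Certificate section. The embedded metadata is a constructed, abbreviated sample with a placeholder tenant ID and a placeholder certificate value; a real file is much longer and is itself signed.

```python
"""Sanity-check an Azure AD Federation Metadata XML file before uploading it
to Alta Video Cloud.

Example code added for illustration; not part of the Avigilon documentation
or product. SAMPLE_METADATA is a constructed, abbreviated sample: the tenant
ID and the X509Certificate value are placeholders, not real values."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MAMCAQA=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def inspect_metadata(xml_text):
    """Extract entity ID, SSO endpoints by binding, and signing cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor document")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    info = {"entity_id": root.get("entityID"), "sso": {}, "signing_certs": []}
    for sso in idp.iterfind("md:SingleSignOnService", NS):
        # Keep only the short binding name, e.g. HTTP-POST or HTTP-Redirect.
        binding = sso.get("Binding", "").rsplit(":", 1)[-1]
        info["sso"][binding] = sso.get("Location")
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert_el is None or not cert_el.text:
            continue
        der = base64.b64decode("".join(cert_el.text.split()))
        # SHA-1 fingerprint of the DER certificate, the form the Azure portal
        # displays as the certificate Thumbprint.
        info["signing_certs"].append(hashlib.sha1(der).hexdigest().upper())
    return info


def metadata_problems(info):
    """Return a list of reasons the file should not be uploaded as-is."""
    problems = []
    if not info["entity_id"]:
        problems.append("entityID is missing")
    if "HTTP-POST" not in info["sso"] and "HTTP-Redirect" not in info["sso"]:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    if not info["signing_certs"]:
        problems.append("no signing certificate: signed responses and assertions cannot be verified")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    result = inspect_metadata(text)
    print("entityID:", result["entity_id"])
    for binding, location in result["sso"].items():
        print(f"SSO {binding}: {location}")
    for fp in result["signing_certs"]:
        print("signing cert SHA-1:", fp)
    for problem in metadata_problems(result) or ["metadata looks usable"]:
        print(problem)
```

Pass the downloaded file as the first argument; the entityID should contain your tenant ID and the fingerprint should match the Thumbprint in the portal. If Azure AD has just rolled the signing certificate, download the metadata again rather than uploading a stale copy.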

Return to the task in Configure Alta Video to enable SAML single sign-on to complete setting up your Alta Video Cloud deployment for single sign-on.