
Azure SAML Configuration

Use this guide to create a new SAML integration with Azure for user authentication.

Requirements

  • Administrator access to the Azure tenant to create a new Enterprise Application and App Registration to support this configuration.
  • Administrator or Configuration Manager access to 12Port Horizon to create this configuration.

Creating a new Azure SAML Integration

Create your Azure Enterprise Application

The first step is to create an Azure Enterprise Application that is used for single sign-on user authentication.

  1. Log in to your Azure tenant and open the Enterprise Applications page and from here, click the New application button.
  2. From the Microsoft Entra Gallery page, select the Create your own application option.
  3. In the Create your own application form, enter a name for this new application and select the option Integrate any other application you don't find in the gallery (Non-gallery). Click the Create button.
  4. After this new application is created, from its Overview page, select the Get Started option within the Set up single sign on box.
  5. On the next page, choose the SAML option.
  6. Next, we will configure your SAML Enterprise Application for integration. In Step 1, labeled Basic SAML Configuration, click the Edit button. For the first two parameters, enter the URL of your integration tenant followed by /root. For example, if your tenant path is /production, the URL you would enter would be https://ztna.company.com:6443/ztna/production/root. The remaining three optional parameters may be left blank. Click the Save button.
  7. Navigate down to Step 3 labeled SAML Certificates, locate the parameter named Federation Metadata XML and click its Download button.

    Federated Metadata XML Download

  8. Navigate to the Manage > Users and groups page and use the Add user/group option to add all the users or groups that you wish to authenticate into Horizon using this SAML application.


Create your Azure App Registration

The next step is to create an Azure App Registration that is used for user and group search.

  1. In your Azure tenant, open the App registrations page, then locate and click the Enterprise Application that was created in the previous section.
  2. On the Overview page of this application, click on Add a certificate or secret for the Client credentials parameter then click the New client secret button. Enter a Description and select an Expires option. Click Add to continue.
  3. After the secret is created, copy the secret by selecting the full string in the Value column. Save this Value string in a secure location; note that it is only visible once, on this screen. Once you close this page, the value cannot be viewed again.

    Azure App Registration Value String

  4. Next, we will add API Permissions to this app. Navigate to Manage > API Permissions and click the Add a permission button.

  5. From the Request API permissions page, select Microsoft Graph and then Application permissions. For the selected permissions, include each of the following:

    • Application.Read.All
    • Directory.Read.All
    • Group.Read.All
    • GroupMember.Read.All
    • User.Read.All
  6. From the Request API permissions page, select Microsoft Graph and then Delegated permissions. For the selected permissions, include the following:

    • User.Read
  7. When all have been selected, click the Add Permissions button to complete this operation.

  8. Finally, click the Grant admin consent button to finalize the API Permissions for this App.

Azure App Registration API Permissions

Do not exit your App Registration yet, as we will return during the next section to copy additional parameters.
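Before moving on, it is worth confirming that the application permissions above were actually consented to, since Test Connection in Horizon will fail in non-obvious ways if admin consent was skipped. The following is an added example, not part of the 12Port guide or product: it inspects the `roles` claim of an access token issued to the App Registration (application permissions granted under client credentials appear there; the delegated User.Read permission shows up in the `scp` claim of a user token instead) and compares it against the list this guide requires. The tokens, tenant ID and client ID in it are constructed placeholders, and the token is never signature-checked because it is only being read locally for diagnostics.

```python
"""Added check: confirm that the Graph application permissions listed in this
guide were granted (admin consent given) by reading the `roles` claim of an
access token issued to the App Registration.  Tokens and IDs below are
constructed placeholders for this example."""
import base64
import json

# The application permissions this guide asks you to add.
REQUIRED_APP_ROLES = frozenset({
    "Application.Read.All",
    "Directory.Read.All",
    "Group.Read.All",
    "GroupMember.Read.All",
    "User.Read.All",
})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    Use this only to inspect a token you obtained yourself for diagnostics,
    never to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_app_roles(token: str, required=REQUIRED_APP_ROLES) -> dict:
    """Compare the granted application roles against the required set.
    'missing' means a permission was not added or consent was not granted;
    'extra' means the app holds more privilege than this integration needs."""
    claims = decode_claims(token)
    granted = set(claims.get("roles", []))
    return {
        "tenant": claims.get("tid"),
        "app_id": claims.get("appid"),
        "missing": sorted(required - granted),
        "extra": sorted(granted - required),
        "ok": required <= granted,
    }


def _make_unsigned_token(claims: dict) -> str:
    # Constructed test token: header and payload only, empty signature segment.
    header = {"alg": "none", "typ": "JWT"}
    return _b64url_encode(header) + "." + _b64url_encode(claims) + "."


SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID
SAMPLE_APP_ID = "11111111-1111-1111-1111-111111111111"   # placeholder client ID

# Token as it would look after every permission was added and consented to.
SAMPLE_OK_TOKEN = _make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "tid": SAMPLE_TENANT,
    "appid": SAMPLE_APP_ID,
    "roles": sorted(REQUIRED_APP_ROLES),
})

# Token for an app missing two required roles and carrying one it does not need.
SAMPLE_INCOMPLETE_TOKEN = _make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "tid": SAMPLE_TENANT,
    "appid": SAMPLE_APP_ID,
    "roles": ["Application.Read.All", "Directory.Read.All", "User.Read.All", "Mail.Read"],
})

if __name__ == "__main__":
    for name, tok in (("consented", SAMPLE_OK_TOKEN), ("incomplete", SAMPLE_INCOMPLETE_TOKEN)):
        print(name, check_app_roles(tok))
```

To use it against a real token, request one for the App Registration with the client credentials flow (scope `https://graph.microsoft.com/.default`) and pass the resulting access token string to `check_app_roles`; a non-empty `missing` list usually means Grant admin consent was never clicked, and a non-empty `extra` list is a prompt to remove permissions this integration does not need.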


Configure your Azure App Registration

The next step is to configure your App Registration.

  1. Log in to this Horizon tenant with a System Administrator or Configuration Manager role.
  2. Navigate to Configuration > Entra ID and click the Add button to create a new Entra ID integration.
  3. Click on the parameter name for details about each, or follow the guidance provided here:

    • Name: Enter a unique, but recognizable name for this Entra ID connection.
    • Tenant ID: From your App Registration page in Azure, copy the value from the Directory (tenant) ID and paste that into this parameter.
    • Client ID: From your App Registration page in Azure, copy the value from the Application (client) ID and paste that into this parameter.
    • Client Secret: Paste the Value string from the Certificates & Secrets page that we created in the previous section, into this parameter.
    • Direct Login: Enable this option if you wish to support native, direct Entra ID logins (without MFA) to this tenant. Leave it disabled if you do not wish to support direct Entra ID logins, or if MFA is required for Entra ID authentication.
    • Enabled: Enable this integration.

Click the Save button to complete this integration.


Verify your Entra ID Integration

Once saved, use the Actions menu for this Entra ID integration and select the Test Connection button to verify a successful integration.

Note

If you experience any error messages during this authentication flow, please review your Azure configuration for resolution methods.


Configure your Azure Enterprise Application

The final step is to configure your Enterprise Application.

  1. Log in to this Horizon tenant with an Administrator or Configuration Manager role.
  2. Navigate to Configuration > SAML and click the Add button to create a new SAML integration.
  3. Click on the parameter name for details about each or follow the guidance provided here:

    • Name: Enter a unique, but recognizable name for this SAML connection.
    • IdP Metadata: Open the downloaded Federated Metadata XML file from the previous step in a text editor. Select all the contents of this file and paste it in this parameter.
    • Backend Directory: Select your Entra ID integration.
    • Enabled: Enable this integration.

Click the Save button to complete this integration.


Grant 12Port Permission

Before we can successfully log in to 12Port Horizon, we must first grant the user(s) or group(s) permissions to the application. For testing purposes only, we will grant one user from Azure the Administrator role so we can confirm the integration is working properly. Once validation is confirmed, we recommend removing the Administrator role from this user account.

  1. Navigate to Management > Space Roles and click the Grant button.
  2. In the User or Group parameter, switch the directory selector drop-down menu to your Entra ID integration name.

    Grant Permission Directory Selector

  3. In the provided field, begin typing an Entra ID account name. The type-ahead feature should search and display this name in its drop-down as you proceed. Select this name from the drop-down menu when it becomes visible.

    Grant Permission User Entry

  4. Click the button for the Administrator role to assign it to this Entra ID account.

  5. Finally, click the Grant button to complete this role assignment.


Verify your SAML Integration

Return to the Configuration > SAML page and use the Actions menu for this integration and select the Test Connection button to verify a successful integration. When prompted, authenticate using the account that was granted the Administrator role in the previous section. Once the authentication process is successful, you should be redirected into this Horizon tenant, confirming the integration is complete.

Additionally, you may open a new private browser window and navigate to the tenant's login page. Below the user form you will see a blue button labeled "Login with <Name>". When you click this SAML login button, you will be redirected to Azure to authenticate with your credentials, and upon successful validation you will be redirected into this tenant.

Login with SAML

Note

If you experience any error messages during this authentication flow, please review your Azure configuration for resolution methods.