Set Up Single Sign-on with SAML 2.0 Identity Provider | ATP Cloud | Juniper Networks

Basic SAML Configuration

Identifier (Entity ID)

(Mandatory) The default identifier will be the audience of the SAML response for
IDP-initiated SSO. This value must be unique across all applications in your Azure
Active Directory tenant.

Example: https://amer.sky.junipersecurity.net

Reply URL (Assertion Consumer Service URL)

(Mandatory) The default reply URL will be the destination in the SAML response
for IDP-initiated SSO. The reply URL is where the application expects to receive
the authentication token. This is also referred to as the “Assertion Consumer
Service” (ACS) in SAML.

Example: https://amer.sky.junipersecurity.net/portal/sso/acs

Sign on URL

(Optional) This URL contains the sign-in page for this application that will
perform the service provider-initiated single sign-on. Leave it blank if you want
to perform identity provider initiated SSO.

Relay State

(Optional) The relay state instructs the application where to redirect users
after authentication is complete, and the value is typically a URL or URL path
that takes users to a specific location within the application. The value in this
form only takes effect in an IdP-initiated SSO flow.

User Attributes & Claims

Parameters that define which access control groups to associate with ATP. The
access control groups are mapped to Juniper ATP roles.

Unique User Identifier

(Optional) Provide the Name ID.

Example: user.userprincipalname [nameid-format:emailAddress]

+Add new claim

Define the claims used by Azure AD to populate SAML tokens issued to Juniper ATP
Cloud.

To add a new claim:

  1. Click + Add new claim. The Manage claim page appears.

  2. Enter the claim name and namespace.
  3. Select the source.
  4. Select the source attribute from the drop-down list.
  5. (Optional) Specify the claim condition.
  6. Click Save.

Table 6: Claims used to populate SAML tokens issued to Juniper ATP Cloud

Attribute Name   Source Attribute Value   Description
givenname        user.givenname           The givenname attribute is used to map the first name of the user in ATP Cloud.
surname          user.surname             The surname attribute is used to map the last name of the user in ATP Cloud.
emailaddress     user.mail                The emailaddress attribute is used to map the email address of the user in ATP Cloud.

Note:

The givenname and surname attributes are optional. In Juniper ATP Cloud SSO
SAML Provider Settings, you must set a mandatory field named Username
Attribute. The attribute value you set in Juniper ATP Cloud must be the same
attribute value configured in the Azure IdP; otherwise SSO will fail.

For example, if you plan to set the Username Attribute
value in the Juniper ATP Cloud SSO SAML Provider Settings to
emailaddress, then you must set the same attribute name
in Azure IdP with the attribute value as user.mail.

+ Add a group claim

Define the group claims used by Azure AD to populate SAML tokens issued to
Juniper ATP Cloud.

To add a new group claim:

  1. Click + Add a group claim. The Group Claims page appears.
  2. For groups associated with users, choose All groups.

  3. Select the source attribute.
    • If the source attribute is sAMAccountName, then you must specify the role
      name as the attribute for role mapping in Juniper ATP Cloud portal. For
      example, role: role_administrator
    • If the source attribute is Group ID, then you must specify the reference
      ID as the attribute for role mapping in Juniper ATP Cloud portal. For
      example, role: abcdef

    Note:

    • The source attribute only works for groups synchronized from an
      on-premises Active Directory using AAD Connect Sync 1.2.70.0 or above.
    • If you do not have the Azure Active Directory to pull the users and
      groups, then choose Group ID as the source attribute in the Azure IdP and
      provide the respective group ID in Juniper ATP Cloud SSO setting group
      attributes.
  4. Select the Customize the name of the group checkbox.
  5. Specify the name and namespace. For example, if the group name is role, then
     in the SAML response to Juniper ATP Cloud, the group name "role" is the key
     and its value is the name of the role to which the users are added.
  6. Click Save. The group claim role is created with the value user.groups.
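The following is an added example, not code from Juniper or Microsoft. It constructs an unsigned sample of the token Azure AD would issue with the claims and group claim configured above, then applies the configuration-level checks on the service provider side: Destination against the Reply URL (ACS), Audience against the Identifier (Entity ID), and presence of the Username Attribute that the Note says must match between ATP Cloud and the Azure IdP. The claim namespace, the sample user and the group value are assumptions; signature and validity-window checks are left to the SP's SAML stack.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # Azure AD default claim namespace

# Values from the Basic SAML Configuration examples on this page.
ENTITY_ID = "https://amer.sky.junipersecurity.net"
ACS_URL = "https://amer.sky.junipersecurity.net/portal/sso/acs"

# Constructed, unsigned sample token: emailaddress from user.mail, group claim named "role".
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS_URL}">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIM_NS}emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="role"><saml:AttributeValue>role_administrator</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, username_attribute, group_claim="role"):
    """Configuration-level checks only: Destination == Reply URL (ACS), Audience == Entity ID,
    and the Username Attribute configured in ATP Cloud must be present in the token."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match the Reply URL (ACS)")
    assertion = root.find("saml:Assertion", NS)
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != ENTITY_ID:
        raise ValueError("Audience does not match the Identifier (Entity ID)")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    user = attrs.get(CLAIM_NS + username_attribute)
    if not user:  # attribute name mismatch between ATP Cloud and Azure IdP: the case the Note warns about
        raise ValueError(f"claim '{username_attribute}' missing from token; SSO fails")
    return {"username": user[0], "roles": attrs.get(group_claim, [])}

def sso_would_succeed(xml_text, username_attribute):
    """True when the token passes the checks for the given Username Attribute."""
    try:
        check_response(xml_text, username_attribute)
        return True
    except ValueError:
        return False
```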

SAML Signing Certificate

Status

Displays the status of the SAML certificate used by Azure AD to sign SAML tokens
issued to your application.

Thumbprint

Displays the thumbprint of the SAML certificate.

Expiration

Displays the expiration date of the SAML certificate.

Notification Email

Displays the notification e-mail address.

App Federation Metadata Url

Displays the Azure IdP metadata URL for SAML.

Example: https://login.microsoftonline.com/ff08d407-69c4-4850-9af0-29034d31ab36/federationmetadata/2007-06/federationmetadata.xml?appid=6915f8ab-640a-4e1c-bb67-5e81a14f7898

Certificate (Base64)

(Optional) Click to download the Base64 certificate.

Certificate (Raw)

(Optional) Click to download the Raw certificate.

Federation Metadata XML

(Optional) Click to download the federation metadata document.

Set up Application (Juniper ATP Cloud)

Login URL

Displays the login URL for Microsoft Azure. You will be redirected to this login
URL for authentication.

Example: https://login.microsoftonline.com/ff08d407-69c4-4850-9af0-29034d31ab36/saml2

Azure AD Identifier

Displays the intended audience of the SAML assertion. It is the Entity ID (a
globally unique identifier) of Azure IdP.

Example: https://sts.windows.net/ff08d407-69c4-4850-9af0-29034d31ab36/

Logout URL

Displays the logout URL for Microsoft Azure.

This field is not yet supported in Juniper ATP Cloud.