The following instructions assist the Identity Provider administrator with the setup of single sign-on (SSO) for Nebula with Azure AD. Nebula only supports SAML 2.0 authentication protocol.
Get started
- The email address used for the Nebula account must match the email address used for Azure AD.
- Log in to Nebula and go to Configure > Single Sign-on.
- Log in to your Azure AD Administrator account and go to Azure Active Directory > Enterprise applications.
Add the application in Azure AD
- In Azure AD, click Enterprise applications under Azure services.
- Click New application > Create your own application.
- Name the application.
- Select Integrate with any other application you don't find in the gallery (Non-gallery).
- Click Create.
Configure the application SSO settings
- Click Single sign-on, then select SAML as the Single Sign-on method.
- In a new browser tab, log in to Nebula and go to the Configure > Single Sign-On page.
- Click the Service Provider Metadata link to save the metadata.xml file.
- Come back to the Azure AD browser tab and click Upload metadata file at the top.
- Upload the metadata.xml file you downloaded from Nebula.
- Click Add.
- Click Save.
- Close the Basic SAML Configuration page.
Configure application attributes
- In Azure AD's Set up Single Sign-On with SAML screen, go to Attributes & Claims > click Edit.
- Click Add new claim.
- Add a new attribute in lowercase, exactly as shown below.
- Name: email
-
Source attribute: user.mail
Note: Be sure to leave the Azure namespace URL field blank.
- Click Save.
- Close out of the Attriute & Claims edit page to return to the app's SSO configuration page.
Upload Azure AD metadata into Nebula
- Download the Azure AD Federation Metadata XML file.
- In the Nebula Single Sign-On page, have a Nebula Super Admin drag the .xml file or Choose a Different File to upload the Identity Provider (iDP) Metadata and click Apply.
Enable SSO
- Once the metadata is uploaded, toggle on Enable SSO.
- Toggle on Just-In-Time (JIT) Provisioning to automatically create Nebula users if they don't already exist when authenticating through Azure AD.
- Toggle on Service Provider Initiated SSO if you will be accessing Nebula through a tile or button in Azure AD.
- Now the application can be assigned to your Nebula administrators in Azure AD.