The following instructions help the Identity Provider administrator set up single sign-on (SSO) for Nebula with Azure AD. Nebula supports only the SAML 2.0 authentication protocol.
Get started
- The email address used for the Nebula account must match the email address used for Azure AD.
- Log in to Nebula and go to Configure > Single Sign-on.
- Log in to your Azure AD Administrator account and go to Azure Active Directory > Enterprise applications.
Add the application in Azure AD
- From the Enterprise applications page in Azure AD, click New application > Non-gallery application.
- Name the application > click Add.
Configure the application SSO settings
- Click Single sign-on, then select SAML-based Sign-on from the Single Sign-on Mode drop-down menu.
- In the Nebula Single Sign-On page, left-click the Service Provider Metadata link to save the metadata.xml file.
Upload Nebula XML file to Azure AD
- In Azure AD, click Upload metadata file.
- Upload the metadata.xml file you downloaded from Nebula.
Update the SAML configuration
- On the Nebula Single Sign-On page, copy the Solicited Whitelist URL.
- In Azure AD's Set up Single Sign-On with SAML screen, go to Basic SAML Configuration > click the pencil icon.
- Under the Reply URL (Assertion Consumer Service URL) section, paste the previously copied Solicited Whitelist URL from Nebula into the empty entry.
- Click Save.
Configure application attributes
- In Azure AD's Set up Single Sign-On with SAML screen, go to User Attributes & Claims > click the pencil icon.
- Click Add new claim.
- Add a new attribute in lowercase, exactly as shown below.
Note: Be sure to leave the Azure namespace URL field blank.
- Click Save.
Upload Azure AD metadata into Nebula
- Download the Azure AD Federation Metadata XML file.
- In the Nebula Single Sign-On page, have a Nebula Super Admin drag in the .xml file or click Choose a Different File to upload the Identity Provider (IdP) metadata.
Enable SSO
- Once the metadata is uploaded, toggle on Enable SSO.
- Toggle on Just-In-Time (JIT) Provisioning to automatically create Nebula users if they don't already exist when authenticating through Azure AD.
- Toggle on Service Provider Initiated SSO if you will be accessing Nebula through a tile or button in Azure AD.
- Now the application can be assigned to your Nebula administrators in Azure AD.