The following instructions help the Identity Provider administrator set up single sign-on (SSO) for Nebula with Azure AD. Nebula supports only the SAML 2.0 authentication protocol.
- The email address used for the Nebula account must match the email address used for Azure AD.
- Log in to Nebula and go to Configure > Single Sign-on.
- Log in to your Azure AD Administrator account and go to Azure Active Directory > Enterprise applications.
- Ensure your environment meets the minimum operating system and external access requirements.
Add the application in Azure AD
- From the Enterprise applications page in Azure AD, click New application > Non-gallery application.
- Name the application > click Add.
Configure the application SSO settings
- Click Single sign-on > select SAML-based Sign-on from the Single Sign-on Mode drop-down menu.
- On the Nebula Single Sign-On page, left-click the Service Provider Metadata link to save the metadata.xml file.
Upload Nebula XML file to Azure AD
- In Azure AD, click Upload metadata file.
- Upload the metadata.xml file you downloaded from the Nebula platform.
Update the SAML configuration
- On the Nebula Single Sign-On page, copy the Solicited Whitelist URL.
- In Azure AD's Set up Single Sign-On with SAML screen, go to Basic SAML Configuration > click the pencil icon.
- Under the Reply URL (Assertion Consumer Service URL) section, paste the previously copied Solicited Whitelist URL into the empty entry.
- Click the Save button.
Configure application attributes
- In Azure AD's Set up Single Sign-On with SAML screen, go to User Attributes & Claims > click the pencil icon.
- Click Add new claim.
- Add new attributes in lowercase, exactly as shown below.
Note: Be sure to leave the Azure namespace URL field blank.
- Click Save.
Upload Azure AD metadata into Nebula
- Download the Azure AD Federation Metadata XML file.
- On the Nebula Single Sign-On page, drag the .xml file or click Choose a Different File to upload the Identity Provider (IdP) Metadata.
- Once the .xml file is uploaded, you can set Enable Single Sign-On (SSO) to ON.
- Now the application can be assigned to your Nebula administrators in Azure AD.
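
A pre-upload sanity check for the two metadata files exchanged in the steps above (Nebula's metadata.xml going to Azure AD, and the Azure AD Federation Metadata XML going to Nebula), as an added example that is not part of the Nebula or Azure AD documentation. The function name, the sample XML and the example.test URLs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample inputs (not real Nebula or Azure AD metadata).
SAMPLE_SP = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAML2}">
    <md:AssertionConsumerService index="0" Location="https://sp.example.test/saml/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""
SAMPLE_IDP = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/tenant">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.test/tenant/saml2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""

def inspect_metadata(xml_text, expected_role):
    """Summarise a SAML 2.0 metadata file; expected_role is 'sp' or 'idp'."""
    # SAML metadata never needs a DTD; refuse it rather than parse it.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    role_el, role = (idp, "idp") if idp is not None else (sp, "sp")
    if role_el is None:
        raise ValueError("no IDPSSODescriptor or SPSSODescriptor present")
    tag = "md:SingleSignOnService" if role == "idp" else "md:AssertionConsumerService"
    endpoints = [e.get("Location", "") for e in role_el.findall(tag, NS)]
    certs = role_el.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    problems = []
    if role != expected_role:  # file uploaded in the wrong direction
        problems.append("expected %s metadata, got %s" % (expected_role, role))
    if SAML2 not in role_el.get("protocolSupportEnumeration", "").split():
        problems.append("SAML 2.0 protocol not declared")
    if not endpoints:
        problems.append("no %s endpoint" % tag)
    problems += ["endpoint not HTTPS: " + u for u in endpoints if not u.startswith("https://")]
    if role == "idp" and not any((c.text or "").strip() for c in certs):
        problems.append("IdP metadata has no signing certificate")
    return {"role": role, "entity_id": root.get("entityID"),
            "endpoints": endpoints, "problems": problems}
```

Run it with `expected_role="sp"` on the file destined for Azure AD and `expected_role="idp"` on the file destined for Nebula; an empty `problems` list means the file has the expected shape.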