Single Sign-On with Azure AD

To enable single sign-on for Azure Active Directory users, you will need to create a new enterprise application for Veza, and configure both Veza and the enterprise app to enable the SAML connection. The steps in this guide walk through creating the Azure enterprise app and setting up SSO.

With Single Sign-On active, AAD users assigned to the Veza enterprise app (directly or via group membership) can opt to log in using your identity provider when browsing to the Veza home page, without the need to provision a new user ahead of time. If IdP-initiated flow is enabled, authenticated AAD users can access Veza directly from their Azure app portal, without a login prompt.

• SSO users have the access_reviewer role by default. A Veza administrator can change IdP user roles after the account has first logged in.

• You can save time by obtaining your Service Provider URN and SSO URL from your Veza support team. Otherwise, you can retrieve these after creating an AAD enterprise app and retrieved the IdP URLs and signing certificate.

1. Create an AzureAD Enterprise Application

From your Azure Portal, navigate to Enterprise Applications > New Application > Create your own application. Choose "non-gallery" as the app type:

Open the Single sign-on panel, and select SAML as the sign-on method.

2. Edit the basic SAML configuration

1. Get the information required to configure the app by navigating to Veza Administration > Sign-in Settings. Click Configure to enable SSO, and copy the values at the top of the wizard.

2. Configure the application:

   Reply URL: The Veza Single Sign on URL (ACS), e.g. https://your-org.vezacloud.com/auth/saml/acs. This can also be retrieved from the Location= value in the downloaded SP Metadata.

   Identifier (Entity ID): The Veza Audience URI (Entity ID), for example https://earlypreview.cookiebeta.ai/auth/saml/metadata. This is the entityID= value in the downloaded SP Metadata URL.

   Sign-On URL: Leave blank

   Relay state: Leave blank

3. Save the configuration.

4. Scroll down to the SAML signing certificate section. Download the Base64 certificate.

5. Under section 4) Set up, copy the Login URL, Azure AD Identifier, and optional Logout URL.

2. Configure Veza

In another window, navigate to Veza Administration > Sign-in Settings. Configure a new SAML connection:

• Set the Sign-in URL to your Azure AD Login URL

• Upload the base64 certificate from AAD as the X.509 Signing Certificate

• Set the Issuer ID to the Azure AD Identifier

• To log users out of AAD when logging out from Veza, enable single logout (SLO) by setting Sign Out URL to the AAD Logout URL

• Select Enable Request Signing. Leave the encryption algorithm and protocol binding at the default values (SHA-256, HTTP-POST).

• Upload an icon to use as a logo on the Veza home page.

• To permit users to sign in directly from their Azure AD portal with an unsolicited SAML response to Veza, toggle Enable IDP-initiated login.

Save the connection, and download the SP metadata at the provided URL.

3. Finish configuring SSO for the AAD Enterprise App

Return to the AAD enterprise application's SSO settings, and upload the metadata from Veza:

• The Identifier, Reply URL, and Logout URL will change to the imported values.

• Set the Sign In URL to the same destination as the Assertion Consumer Service URL

4. Enable and verify the SSO connection

Return to Veza Administration > Sign-in Settings and toggle Enable SSO.\

Ensure that your Azure AD user is assigned to the Veza enterprise application. To assign users and groups, navigate to the Azure app's Users & Groups > + Add user/group:\

If IdP-initiated SSO is enabled, you can test the connection from Azure using the Test option under enterprise app Single Sign-on settings, or using the "User access URL" available under properties:\

To test SP-initiated SSO, navigate to the landing page of your Veza instance, and choose Continue with SSO. You should be redirected to Azure AD for authentication.