Prerequisites
This integration requires the following:
An Azure Active Directory (AD) instance on the Microsoft Azure public cloud
An active ZTP account, accessible using the Bootstrap Identity provided by AppGate
A test user account on your Azure directory with at least the following attributes configured:
username, for example: testuser
firstName, for example: Joe
lastName, for example: Smith
NOTE
Attribute changes may take time to propagate. For details about creating a user account, refer to the Azure Documentation.
Step 1: Add a new application in Azure
Sign in to the Azure portal using your Azure Active Directory administrator account.
In the left menu, go to Microsoft Entra ID > Enterprise Applications.
Click New application, then click Create your own application.

Enter a name, for example: AppGate ZTP.
Under What are you looking to do with your application?, select Non-gallery.
Click Create.
NOTE
For additional details about creating an enterprise application, refer to the Azure Documentation.
Step 2: Configure the application
Return to Microsoft Entra ID > Enterprise Applications and select the application you created.
Under the Getting Started section, select Set up single sign on, or click Single sign-on in the left menu.

Select SAML.

Step 3: Complete basic SAML configuration
In the Identifier (Entity ID) field, enter the Audience value from your ZTP configuration. For this example, use azure-idp.
In the Reply URL (Assertion Consumer Service URL) field, enter a placeholder URL, for example: https://example.com. You will replace this value after completing the configuration.

Click Save.
Step 4: Download the federation metadata
In the SAML Certificates section, download the Federation Metadata XML file. You will upload this file when completing the configuration form.

Step 5: Review attributes and claims
Azure AD requires full URLs for attribute mapping. The following table shows the default claim URLs that Azure AD provides and the corresponding ZTP attribute fields:
| Azure AD value | Claim name URL | ZTP field |
|---|---|---|
| | Full claim URL from Azure | Email attribute |
| | Full claim URL from Azure | First name attribute |
| | Full claim URL from Azure | Last name attribute |
| | Full claim URL from Azure | Username attribute |
Record the claim name URLs displayed in the Azure Attributes & Claims section. You will need them to complete the configuration form.

Step 6: Configure the IdP in ZTP
In ZTP, go to Settings > Identity Providers in the left menu.
Click Add New and select SAML provider.
Complete the form using the following values:
| Field | Description |
|---|---|
| Name* | |
| Audience* | |
| XML Metadata File | Federation metadata XML file downloaded from Azure in Step 4. |
| SSO URL* | If you uploaded the XML file, this field populates automatically. |
| Issuer* | If you uploaded the XML file, this field populates automatically. |
| Public Certificate | If you uploaded the XML file, this field populates automatically. |
| Email Attribute* | Claim name URL corresponding to |
| First Name Attribute* | Claim name URL corresponding to |
| Last Name Attribute* | Claim name URL corresponding to |
| Username Attribute* | Claim name URL corresponding to |
Copy the ACS URL from the ZTP form by clicking the copy to clipboard button:

In Azure, return to the Basic SAML Configuration section and replace the placeholder URL (https://example.com) in the Reply URL (Assertion Consumer Service URL) field with the ACS URL you copied.
Click Save and test the integration.