Solarwinds SAML to Azure AD

Question

* Go to portal.azure.com and create a non-gallery enterprise app
* After giving your app a name and creating the app on the next page go to the single sign-on link and choose SAML
* In SAML Settings* Under Basic SAML Configuration set the following values* Identifier (Entity ID) - URL of your Solarwinds instance - like - https://solarwinds.my-company.com
* Reply URL (Assertion Consumer Service URL) - link to the SAML login page - like - https://solarwinds.my-company.com/Orion/SamlLogin.aspx
* Leave everything else as is

* Under User Attributes & Claims* Leave all user attributes as is
* Add a group claim* Choose Security groups
* Change Source Attribute to sAMAccountName - this will limit the groups you can use to on prem only
* Customize the name of the group claim to OrionGroups

* Save all the settings

* Under SAML Signing Certificate* Click the download link next to Certificate (base64) - save this somewhere easy to get to (do not install on your computer if asked) - you will need to open with a text editor like VS Code in order to copy the contents into a text field during the Solarwinds SAML set up

* Under Set up {Name of your Enterprise App}* Copy the Login URL link
* Copy Azure AD Identifier Link and save for later

* Go into the Solarwinds Admin setting and choose SAML Configuration
* Set the Orion Web Console External URL to the URL of your Solarwinds instance - like - https://solarwinds.my-company.com - click next
* Under Edit Identity Provider* Set Identity Provider Name  to something like 'Azure AD'
* Set SSO Target URL to the link you copied in step 5.1 - the Login URL from the Azure enterprise application setup
* Set Issuer URI to the link you copied in step 5.2 - the Azure AD Identifier from the Azure enterprise application setup
* In the X.509 Signing Certificate field you will copy the contents of the certificate file you downloaded step 4.1 - include all text (including the BEGIN CERTIFICATE and END CERTIFICATE lines).

* Save your configuration
* The last step is to add users that can login.  You will need to assign users/groups or both to the Azure AD Enterprise Application before they can authenticate to against Azure and get routed back to the Solarwinds app* Go to portal.azure.com -> enterprise applications -> users and groups
* Click Add user* Add users and groups

* Go in to your Solarwinds instance * All settings -> Manage Accounts
* Add your SAML individual users or groups - the name that you enter here must match the username or group name exactly as in Azure AD

* That’s it

How To - Solarwinds SAML to Azure AD.pdf

cnorcross · Answer

FWIW,

I had similar issues.  Adding single users worked fine but groups would always fail.  After some trial and error, I was able to get the groups to work by changing the group claim from "Security Groups" to "Groups Assigned to the Application".

The groups were created as security groups, so I'm not sure why it wasn't working outside of maybe a timeout or something.

Adding my .02 in case it helps anyone

b3nw00d · Answer

Thanks bnpj! The guide was really useful. Has anyone has any success in getting SolarWinds to work with Azure groups? For some reason, I cannot get the group based authentication to work using the group name, only the group ID. I assume I need to set something in the OrionGroups claim as I see it list the group ID in the attributes in the SAML log but not the group name. So if I add a SAML group with the Azure group ID it works, but not using the group name. If that makes sense This is what I see in the SolarWinds SAML log... af49ae14-133c-xxxxxxx-xxxxxxx 12a4edad-cb88-xxxxxxx-xxxxxxx 10798acd-8bfc-xxxxxxx-xxxxxxx ----> This group ID matches the group in Azure the user is a member of. 2ba35399-d435-xxxxxxx-xxxxxxx e937e6b5-0569-xxxxxxx-xxxxxxx

bnpj · Answer

Yes. As long as the group names match then whatever access that group has in Solarwinds will be granted to the authenticated user.