Azure Active Directory SAML SSO Configuration
This page explains how to set up SSO in HashiCorp Cloud Platform (HCP) with the Azure Active Directory identity provider. Refer to SSO Overview for details about managing organizations with SSO enabled.
Only organization owners can set up SSO; admins do not have permissions. To begin configuring SSO:
- Log in to HCP and go to your organization.
- Click Settings and then click SSO. The Single Sign-On page appears.
- Click Configure SSO for your Organization. The Setup SAML SSO page appears, where you will enter the required information for Azure Active Directory.
You need a DNS record (secret value to set as TXT) to prove ownership of a domain. HCP uses the domain to match the email addresses for SSO. You must use different SSO domains for each HCP organization. If you try to reuse a domain name, the DNS connection request will fail.
To verify your domain:
- Copy the verification TXT record from the HCP SSO configuration to the DNS records of any email domains your organization uses.
- Return to the HCP Settings page and add your email address domains.
- Click Verify domains.
If the verification is successful, you can continue configuring SSO. If the request fails, your changes to the DNS records may not have propagated yet. It can take up to 72 hours.
You must add information from the the Initiate SAML Integration section in HCP to the SAML configuration for an Enterprise application in Azure Active Directory.
To add the required integration information in Azure Active Directory:
- Log in to your Microsoft Azure portal and go to Azure Active Directory.
- Click Enterprise applications under Manage.
- Click New application. The Browse Azure AD Gallery page appears.
- Click Create your own application and enter a name.
- Select Integrate any other application you don't find in the gallery (Non-gallery) and then click Create. Your application overview page appears.
- Click Get started inside Set up single sign on.
- Select SAML.
- Click Edit in Basic SAML Configuration and enter the following information:
- Identifier: The Entity ID from HCP.
- Reply URL: The SSO Sign-On URL from HCP.
- Sign on URL: The SSO Sign-on URL from HCP.
- Click Edit in Attributes & Claims and enter the following information:
- Name: emailaddress
- Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Source: Attribute
- Source attribute: user.primaryauthoritativeemail
- Click Save.
To finish configuring SSO:
- Download the SAML Signing Certificate from your Azure Active Directory application in Base64 format.
- Open it in a text editor and then copy and paste the contents into the SAML IDP Certificate field in HCP.
- Copy the Login URL from your Azure Active Directory application and paste it into the SAML IDP Single Sign-on URL field in HCP.
- Click Save SSO Settings.
Now, users can sign in to your organization through Azure Active Directory.