Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources. Banyan integrates with your organization’s Azure AD SSO to authenticate enterprise users that need access to Banyan secured services.
In order to set up this integration, you need administrative access to Azure AD and the ability to add a new “non-gallery” Enterprise Application.
1a. Navigate to Settings > TrustProvider Settings > Identity Provider and then set your User Identity Provider to SAML.
You will fill out these Identity Provider configuration fields after you set up the new application integration in Azure AD.
1b. Take note of the Redirect URL (ACS) provided in the configuration field. You will need it for the steps in Azure AD below.
2a. Log in to your Azure Portal and go to the Azure Active Directory section.
2b. Navigate to New Application, then select Non-gallery application to add a new Enterprise Application.
2c. Name the Enterprise Application Banyan TrustProvider.
2d. Click on the Single Sign On tab to enter SAML parameters. When asked for the Identifier (Entity ID) and the Reply URL (Assertion Consumer Service URL), use the Redirect URL you obtained in Step 1b.
2e. Banyan requires the SAML assertion returned by your IDP to contain attributes that can be mapped to a user’s Email, Username, and Groups.
Click on Add a group claim to create Group claims, and take note of the Claim Names.
Azure only transmits Group IDs, not Group Names, via SAML attributes. You can use Banyan Roles to map Group IDs into human-readable constructs for use in Policies.
2f. In the Properties section, upload our logo and change the User assignment required? and Visible to users? toggles to No.
This allows Banyan to use the Banyan TrustProvider Enterprise Application you just created to federate authentication of all users in your organization to your SAML IDP.
Note: You still need to apply Policies in the Banyan Command Center to manage which users can access specific internal applications.
2g. Take note of your SAML Single Sign-On Service URL and download the Certificate (Raw).
3a. Return to the Identity Provider page in the Banyan Control Center (Settings > TrustProvider Settings > Identity Provider).
Ensure the User Identity Provider is set to SAML, and then enter the Banyan TrustProvider App parameters from Azure AD (the Claim Names from Step 2e, and the Single Sign-On Service URL and certificate from Step 2g).
3b. Click Update Identity Provider Config to save the settings.
That’s it! You have successfully integrated Azure AD to manage your directory of users in Banyan.
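The note under Step 2e is the part of this procedure that most often surprises operators: the group claim carries Azure AD group object IDs (GUIDs), so whatever consumes the assertion has to translate those IDs into names before they are useful in a policy. The following added example (not Banyan's or Microsoft's code) shows that translation on the service-provider side. The claim names are the Azure AD defaults as commonly documented and should be confirmed against the Claim Names shown in your tenant; the group IDs, role names and the sample assertion are constructed for illustration. It assumes the SAML library has already verified the response signature, Audience and Recipient before these attributes are read.

```python
"""Map the attributes of an Azure AD SAML assertion to a user identity of the
kind Banyan needs: email, username, and roles derived from group object IDs.

Added example, not Banyan's or Microsoft's code. Claim names are assumed
defaults (verify against your tenant); IDs and sample data are constructed.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default Azure AD claim names (assumption: confirm in your tenant's Single Sign On page).
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_USERNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
CLAIM_GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed mapping of Azure AD group object IDs to human-readable role
# names, the same idea as mapping Group IDs into Banyan Roles (Step 2e note).
ROLE_MAP = {
    "11111111-1111-1111-1111-111111111111": "Engineering",
    "33333333-3333-3333-3333-333333333333": "SecOps",
}

# Constructed, unsigned assertion fragment. In a real flow the SAML library
# has already checked the signature, Audience, Recipient (the Redirect URL
# from Step 1b) and validity window before this code runs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {claim_name: [values...]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    return attrs


def map_groups(group_ids, role_map):
    """Translate group object IDs to role names. IDs with no mapping are
    reported rather than dropped, so a new or re-created group (new GUID,
    same display name) is noticed instead of silently granting nothing."""
    roles = sorted({role_map[g] for g in group_ids if g in role_map})
    unmapped = sorted(g for g in group_ids if g not in role_map)
    return roles, unmapped


def build_user_identity(assertion_xml: str, role_map=None) -> dict:
    """Assemble email, username and roles from an assertion. A missing email
    or username claim means the claim mapping from Step 2e is incomplete, so
    it is treated as a configuration failure, not as an anonymous user."""
    role_map = ROLE_MAP if role_map is None else role_map
    attrs = extract_attributes(assertion_xml)
    email = next(iter(attrs.get(CLAIM_EMAIL, [])), None)
    username = next(iter(attrs.get(CLAIM_USERNAME, [])), None)
    if not email or not username:
        raise ValueError("assertion lacks the email or username claim; check the claim mapping")
    roles, unmapped = map_groups(attrs.get(CLAIM_GROUPS, []), role_map)
    return {"email": email, "username": username, "roles": roles, "unmapped_groups": unmapped}


if __name__ == "__main__":
    print(build_user_identity(SAMPLE_ASSERTION))
```

Running the block prints Alice's identity with the role Engineering and one unmapped group ID; logging that unmapped list is the cheapest way to catch a group that was renamed or re-created in Azure AD after the role mapping was written.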