Configure Azure AD to manage your directory of users in Banyan

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources. Banyan integrates with your organization’s Azure AD SSO to authenticate enterprise users that need access to Banyan secured services.

Pre-requisites

In order to set up this integration, you need administrative access to Azure AD and the ability to add a new “non-gallery” Enterprise Application.

Steps

1. In the Banyan Command Center, configure your User Identity Provider

1a. Navigate to Settings > TrustProvider Settings > Identity Provider and then set your User Identity Provider to SAML.

You will fill out these Identity Provider configuration fields after you set up the new application integration in Azure AD.

1b. Take note of the Redirect URL (ACS) provided in the configuration field. You will need it for the steps in Azure AD below.

2. Add a New SAML Enterprise Application via the Azure Portal

2a. Login into your Azure Portal and go to the Azure Active Directory section.

2b. Navigate to New Application, then select Non-gallery application to add a new Enterprise Application.

2c. Name the Enterprise Application Banyan TrustProvider.

2d. Click on the Single Sign On tab to enter SAML parameters.

2d. When asked for the Identifier (Entity ID) and the Reply URL (Assertion Consumer Service URL) use the Redirect URL you obtained in Step 1b.

2e. Banyan requires your IDP’s returned SAML assertion to contain attributes can be mapped to a user’s Email, Username, and Groups.

Click on Add a group claim to create Group claims, and take note of the Claim Names.

Azure only transmits its Groups IDs and not Group Names via SAML attributes. You can use Banyan Roles to map Group IDs into human-readable constructs for use in Policies.

2f. In the Properties section, upload our logo and change the User assignment required? and Visible to users? toggles to No.

This will allow Banyan to use the Banyan TrustProvider Enteprise Application we just created to federate authentication of all users in your organization to your SAML IDP.

Note: You still need to apply Policies in the Banyan Command Center to manage which users can access specific internal applications.

2g. Take note of your SAML Single Sign-On Service URL and download the Certificate (Raw).

3. Save the Azure fields in the Banyan Command Center

3a. Return to the Identity Provider page in the Banyan Control Center (Settings > TrustProvider Settings > Identity Provider).

Ensure the User Identity Provider is set to SAML, and then enter the Banyan TrustProvider App parameters from Azure AD:

  • IDP SSO URL (from Step 2g)
  • Entity Issuer - Leave this optional field blank. It will default to the Redirect URL.
  • IDP CA Certificate (from Step 2g)
  • Username Attribute (from Step 2e) Typically set to “http://schemas.microsoft.com/identity/claims/displayname”
  • Email Attribute (from Step 2e) Typically set to “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”
  • Groups Attribute (from Step 2e) Typically set to “http://schemas.microsoft.com/ws/2008/06/identity/claims/groups”
  • Groups Delimiter - Do not use this field. Entering an incorrect value may lead to configuration errors and behavior issues. Please contact Banyan Support for assistance.

3b. Click Update Identity Provider Config to save the settings.


That’s it! You have successfully integrated Azure AD to manage your directory of users in Banyan.

Last modified: Jul 24, 2021