Configuring Microsoft Entra ID SSO

You can configure Stellar Cyber to use Microsoft Entra ID SSO (formerly Azure Active Directory SSO) for Authentication or Authentication and Authorization using the procedure in this topic.

You must collect the following information as you progress through the procedure:

  • User Principal Names (email addresses for users that will log into Stellar Cyber with SSO)

  • Claim/Attribute Information (Applicable for Authorization only)

  • Identifier (Entity ID)

  • Login URL

  • Certificate

See also: Configuring Azure AD B2C SSO

The order in which you perform these steps matters. Perform the following steps in the order shown below:

  1. Create an Application in Microsoft Entra ID

  2. Add Users / Groups to the Application

  3. Configure SAML for the Application

  4. (Optional) Configure Authorization Attributes / Claims

  5. (Optional) Configure Multi-Factor Authentication

  6. Configure SSO in Stellar Cyber

Create a Stellar Cyber Application for SSO in Microsoft Entra ID

Set up this application to configure Stellar Cyber as an application that uses Microsoft Entra ID for authentication.

  1. Log in to https://portal.azure.com as an administrative user and select Microsoft Entra ID from the navigation pane or from Azure services.

  2. From the left navigation, select Enterprise Applications.

  3. Select New application.

    The Browse Azure AD Gallery pane appears.

  4. Select Create your own application.

  5. In the Create your own application pane, specify a name for the application to manage your Stellar Cyber SSO access.

  6. Select Integrate any other application you don't find in the gallery (Non-gallery).

  7. Select Create.

With your application created, you can now add users and configure SAML.

Add Users/Groups to the Stellar Cyber SSO Application

When you complete this section, you should have a list of the User Principal Names you added to this application. You will need to add these for the following purposes:

  • For Authentication Only SSO configurations: You will use these to create user accounts in Stellar Cyber.

  • For Authentication and Authorization SSO configurations: You will use these to assign values to claim attributes (not applicable for per-tenant SSO).

  1. When the Overview pane of your new application appears, select Assign users and groups.

  2. Select Add user/group.

  3. From the left side of the Add Assignment pane, click None Selected.

    A selection list appears.

  4. Pick each user or group and then click Select.

    After you pick the first user or group, the Users and groups section is updated to show a count of your selections.

  5. Repeat the process, selecting the link and adding each user or group until you're finished.

  6. When you have finished adding users or groups, select Assign at the bottom of the Add Assignment pane.

    The list of users or groups you selected for this application is displayed.

  7. You must make note of each user's User Principal Name for these reasons:

    Email addresses in Microsoft Entra ID are case sensitive. The Microsoft Entra ID user email address must exactly match the Stellar Cyber email address.

    • For Authentication Only SSO configurations: You will use these to create user accounts in Stellar Cyber.

    • For Authentication and Authorization SSO configurations: For this type of configuration, users are automatically added to Stellar Cyber. You will, however, use the User Principal Names to assign values to claim attributes (not applicable for Tenant-specific SSO; Authorization configurations apply only to Global SSO).

    • For users, click the Display Name and copy the User Principal Name.

    • For groups, click the Display Name and then click the Members link in the left side of the navigation pane. This displays a list of members (users) in that group. You can now click each user Name and copy the User Principal Name.

Now that you have added users to the application, you can configure the SSO SAML section.

Configure SAML for the Microsoft Entra ID Stellar Cyber Application

When you complete this set of steps, you will have the certificate and other information required to configure SSO in the Stellar Cyber UI.

  1. If you have navigated away from the application page, select the Home button on the portal and navigate back to your list of Enterprise applications.

  2. Locate and display the application you created above.

  3. Select Single sign-on from the left side navigation or select Set up single sign on.

  4. From the Single sign-on page, select SAML.

  5. In the first block, labeled 1. Basic SAML Configuration, select Edit.

  6. In the pane that opens, add the following values:

    If you are configuring SSO for the entire Stellar Cyber system:

    • Identifier (Entity ID): Enter the Stellar Cyber URL. For example: https://192.168.24.110.

    • Reply URL: Use the Stellar Cyber URL, appended with /saml/login/callback. The format is https://<your.stellar.cyber.address>/saml/login/callback. For example: https://192.168.24.110/saml/login/callback.

    • Logout URL: This setting is here for future functionality but is not currently supported.

    If you are configuring SSO for a tenant:

    • Identifier (Entity ID): Enter the Stellar Cyber URL.

    • Reply URL: Use the Stellar Cyber Platform URL, appended with /saml/login/callback/cust_id/<tenant-id>. The format is https://<your.stellar.cyber.address>/saml/login/callback/cust_id/<tenant-id>. For example: https://192.168.24.110/saml/login/callback/cust_id/59125044.

    • Logout URL: This setting is here for future functionality but is not currently supported.

  7. Select Save and then exit the Basic SAML Configuration editor pane.

    Block 1 of the SAML configuration is now complete.

Configure Authorization (Optional)

Authorization allows you to assign Stellar Cyber scopes, privileges, and tenant options within Microsoft Entra ID, rather than within Stellar Cyber. If you want to configure Authorization in addition to Authentication, you must add Microsoft Entra ID attributes / claims (scopes) for use in Stellar Cyber. This procedure adds the required fields to the Microsoft Entra ID users you associated with the application.

You must configure the basic identity, above, before you perform the steps in this section. If you are configuring Authentication only, or per-tenant SSO authentication, skip this section.

Add Stellar Cyber Fields to User Accounts

  1. If you have navigated away from the application page, select Home on the portal and navigate back to your list of Enterprise applications.

  2. Locate and display the application you created above.

  3. Select Single sign-on from the left side navigation, or select Set up single sign on.

  4. From the Single sign-on page, select SAML.

  5. In the second block, labeled 2. Attributes & Claims, select Edit.

  6. When the Attributes & Claims page opens, select the option to Add new claim.

  7. Use the Manage claim page to add the following attributes that correlate to the access control in Stellar Cyber.

    You define attributes in this UI area; values are added in a later step.

    Take care when entering the required attributes and values. Typos in either mean that users are not authenticated and cannot log in. Typos in the optional attributes and values mean that users are not assigned to the appropriate tenant or tenant group (but are authenticated).

    Custom Attribute Name | Source Attribute* | Values (set later) | Global SSO | Tenant-specific SSO
    ----------------------|-------------------|--------------------|------------|--------------------
    stellar_scope | user.extensionattribute1 | root, partner, tenant | Required for Authorization | Not applicable
    stellar_privilege | user.extensionattribute2 | super_admin, platform_admin, security_admin, user | Required for Authorization | Not applicable
    stellar_tenant | user.extensionattribute3 | ID number for configured tenant | (Optional) Specify an individual tenant ID, not name. The ID is available on the Tenants List page. | Not applicable
    stellar_tenant_group | user.extensionattribute4 | ID number for any configured tenant group | (Optional) Specify a tenant group ID, not name. This is typically available for use by MSSP users with the Partner role. The Tenant Group ID is displayed on the Tenant Groups page. | Not applicable

    * Any available user.extensionattributeX (where X is 1-15) may be used.

    Values in these fields are case sensitive and syntax matters. Use the exact indicated syntax and verify that you have made no typos. If you have created a custom privilege with spaces or dashes, use an underscore instead. Example: A custom privilege of STML-Security Admin must be entered as STML_Security_Admin.

  8. Select Save and then exit the Attributes & Claims editor pane.

    Block 2 now shows the attributes you added.

Assign Values to Stellar Cyber Fields (Graph Explorer Method)

Microsoft Entra ID does not provide a GUI-based mechanism to modify the attribute values. This procedure uses Microsoft Graph Explorer to edit and validate the attributes. If you wish to automate the steps, refer to the PowerShell method, below.

  1. To set the attribute values, retrieve the list of User Principal Names you saved above.

  2. Open Microsoft Graph Explorer and log in with your administrator Microsoft Entra ID credentials (https://developer.microsoft.com/en-us/graph/graph-explorer).

  3. In the query pane, change the GET action menu to PATCH.

  4. Now enter this query URL, replacing the <user principal name> below with a User Principal Name you saved earlier.

    https://graph.microsoft.com/beta/users/<user principal name>

  5. Enter the following content as the Request Body, replacing the attribute values with one of the supported values in the table above:

    Take care when entering the required attributes and values. Typos in either mean that users are not authenticated and cannot log in. Typos in the optional attributes and values mean that users are not assigned to the appropriate Stellar Cyber tenant or tenant group (but are authenticated).

    {
      "onPremisesExtensionAttributes": {
        "extensionAttribute1": "root",
        "extensionAttribute2": "security_admin"
      }
    }

  6. Click Run Query to set the values.

  7. To verify the values were set correctly, change the query type back to GET.

  8. Now enter this query URL, replacing the <user principal name> below with the same User Principal Name (Microsoft Entra ID login) you just set above.

    https://graph.microsoft.com/beta/users/<user principal name>?$select=onPremisesExtensionAttributes

  9. Click Run Query and review the list of extensionAttributes to verify the values were set.
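The Graph Explorer steps above, automated for a list of users, as an added example (not Stellar Cyber's or Microsoft's code). It assumes the extensionAttribute slots from the attributes table in the previous section (1 = stellar_scope, 2 = stellar_privilege, 3 = stellar_tenant, 4 = stellar_tenant_group), a Graph bearer token obtained separately (GRAPH_TOKEN is a placeholder), and applies the page's rule that spaces and dashes in a custom privilege name become underscores. The UPNs and the OfflineGraph class are constructed so the script runs without a tenant; with a real token, pass the default sender instead.

```python
"""Set and verify Stellar Cyber claim values on Entra ID users through Microsoft Graph.

Added example, not Stellar Cyber's or Microsoft's code. Assumes the slot mapping
from the attributes table (1 = stellar_scope, 2 = stellar_privilege,
3 = stellar_tenant, 4 = stellar_tenant_group) and a Graph bearer token obtained
separately; GRAPH_TOKEN is a placeholder.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

GRAPH_USERS = "https://graph.microsoft.com/beta/users/"
GRAPH_TOKEN = "<bearer token placeholder>"

# Values the page lists for each claim; Stellar Cyber compares them case sensitively.
SCOPES = {"root", "partner", "tenant"}
BUILTIN_PRIVILEGES = {"super_admin", "platform_admin", "security_admin", "user"}

# Claim name -> extensionAttribute slot, as in the attributes table above.
SLOT = {
    "stellar_scope": "extensionAttribute1",
    "stellar_privilege": "extensionAttribute2",
    "stellar_tenant": "extensionAttribute3",
    "stellar_tenant_group": "extensionAttribute4",
}


def normalize_privilege(name: str) -> str:
    """Page rule for custom privileges: spaces and dashes become underscores."""
    return re.sub(r"[\s-]+", "_", name.strip())


def build_patch_body(scope: str, privilege: str, tenant_id: Optional[str] = None,
                     tenant_group_id: Optional[str] = None) -> Dict:
    """Build the PATCH body for /users/{upn}, rejecting values a typo would break."""
    if scope not in SCOPES:
        raise ValueError(f"stellar_scope must be one of {sorted(SCOPES)}, got {scope!r}")
    privilege = normalize_privilege(privilege)
    if privilege not in BUILTIN_PRIVILEGES and not re.fullmatch(r"[A-Za-z0-9_]+", privilege):
        raise ValueError(f"stellar_privilege has unsupported characters: {privilege!r}")
    attrs = {SLOT["stellar_scope"]: scope, SLOT["stellar_privilege"]: privilege}
    for claim, value in (("stellar_tenant", tenant_id), ("stellar_tenant_group", tenant_group_id)):
        if value is not None:
            if not value.isdigit():  # the page specifies numeric IDs, never names
                raise ValueError(f"{claim} must be a numeric ID, got {value!r}")
            attrs[SLOT[claim]] = value
    return {"onPremisesExtensionAttributes": attrs}


def graph_send(method: str, url: str, body: Optional[Dict] = None) -> Tuple[int, Dict]:
    """Send one Graph request with the placeholder bearer token (live use only)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {GRAPH_TOKEN}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def assign_and_verify(upn: str, body: Dict,
                      send: Callable[..., Tuple[int, Dict]] = graph_send) -> Dict:
    """PATCH the user, then GET ?$select=onPremisesExtensionAttributes and compare.

    Returns {extensionAttributeN: (expected, actual)} for every slot that did not
    come back as written; an empty dict means the values verified (steps 3 to 9).
    """
    user_url = GRAPH_USERS + urllib.parse.quote(upn)
    status, _ = send("PATCH", user_url, body)
    if status != 204:  # Graph answers a successful PATCH with 204 No Content
        raise RuntimeError(f"PATCH for {upn} returned HTTP {status}")
    status, data = send("GET", user_url + "?$select=onPremisesExtensionAttributes")
    if status != 200:
        raise RuntimeError(f"GET for {upn} returned HTTP {status}")
    actual = data.get("onPremisesExtensionAttributes") or {}
    expected = body["onPremisesExtensionAttributes"]
    return {k: (v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v}


class OfflineGraph:
    """Constructed stand-in for Graph so this example runs without a tenant: it stores
    onPremisesExtensionAttributes per user and mimics the PATCH/GET status codes."""

    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, str]] = {}

    def send(self, method: str, url: str, body: Optional[Dict] = None) -> Tuple[int, Dict]:
        upn = urllib.parse.unquote(url[len(GRAPH_USERS):].split("?", 1)[0])
        if method == "PATCH":
            self.users.setdefault(upn, {}).update(body["onPremisesExtensionAttributes"])
            return 204, {}
        return 200, {"onPremisesExtensionAttributes": dict(self.users.get(upn, {}))}


if __name__ == "__main__":
    # Constructed UPNs and IDs; substitute the User Principal Names saved earlier.
    graph = OfflineGraph()
    assignments = {
        "analyst@example.onmicrosoft.com": build_patch_body("root", "security_admin"),
        "mssp@example.onmicrosoft.com": build_patch_body("partner", "STML-Security Admin",
                                                         tenant_group_id="12345"),
    }
    for upn, body in assignments.items():
        mismatches = assign_and_verify(upn, body, send=graph.send)
        print(upn, "verified" if not mismatches else f"mismatches: {mismatches}")
```

The verification step matters because Graph accepts a PATCH with a misspelled value just as readily as a correct one; reading the attributes back and comparing them to what was intended is the only place a typo in a required claim surfaces before a user is locked out.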

Assign Values to Stellar Cyber Fields (PowerShell Method)

As an alternative to the Microsoft Graph Explorer method, you can use PowerShell to set the attribute values. The commands in this section can also be automated in PowerShell.

  1. Open PowerShell from your Windows system as an administrative user.

  2. From the PowerShell command line, run the following commands, replacing the $User value with the login you used above. The last two commands illustrate assigning values to the stellar_scope and stellar_privilege attributes. If you used all four attributes, add commands for those and specify the Tenant ID and Tenant Group ID exactly as they are listed in Stellar Cyber.

    Be sure that you assign the correct value to the correct extension number. In this example extensionAttribute1 is for stellar_scope, which is being given root; extensionAttribute2 is for stellar_privilege and is being assigned security_admin. Review your list of extension attributes carefully before running these commands.

    Following is an example of this sequence:

    PS C:\WINDOWS\system32> Install-Module AzureAD

    Untrusted repository
    You are installing the modules from an untrusted repository. If you trust this repository, change its
    InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
    'PSGallery'?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y
    PS C:\WINDOWS\system32> $AzureAdCred = Get-Credential
    Enter your Azure admin user and password

    PS C:\WINDOWS\system32> Connect-AzureAD -Credential $AzureAdCred
    PS C:\WINDOWS\system32> $User = "dstarr@aella.onmicrosoft.com"
    PS C:\WINDOWS\system32> $UserId = (Get-AzureADUser -SearchString $User).ObjectId
    PS C:\WINDOWS\system32> Set-AzureADUserExtension -ObjectId $UserId -ExtensionName extensionAttribute1 -ExtensionValue "root"
    PS C:\WINDOWS\system32> Set-AzureADUserExtension -ObjectId $UserId -ExtensionName extensionAttribute2 -ExtensionValue "security_admin"
    PS C:\WINDOWS\system32> exit


Configure Multi-Factor Authentication Support (Optional)

Microsoft Entra ID and Stellar Cyber both support multi-factor authentication. If you intend to set up Stellar Cyber access with 2FA, you must enable a Conditional Access policy in Microsoft Entra ID that supports the type of access suitable for your deployment. This section provides an example of the Microsoft Entra ID process.

Configuration of multi-factor authentication in Microsoft Entra ID is independent of whether you enable 2FA in Stellar Cyber. It is possible to require your users to authenticate with MFA in Microsoft Entra ID and again with 2FA in Stellar Cyber.

  1. Log in to Microsoft Entra ID and navigate to the Security pane.

  2. Select the navigation menu item for Conditional Access.

  3. Select New policy and then select Create new policy.

  4. Name the policy.

  5. Select the link for Users or workload identities and then select Specific users included.

  6. Select the Users and groups that you specified to be members of the Stellar Cyber Microsoft Entra ID application created above.

  7. After adding the users, select the link in the Cloud apps or actions section.

  8. Select Cloud apps and then select Include > Select apps.

  9. When the selection pane opens, locate the Stellar Cyber Microsoft Entra ID application you created above and then click Select.

  10. In the Grant section, select 0 controls selected.

  11. In the pane that opens, select the radio button to Grant access, then select Require multi-factor authentication.

  12. Click Select.

  13. At the bottom of the page, change the Enable policy toggle from Report-only to On.

  14. Select Create.

    The policy is created and the Conditional Access Policy page is redisplayed to include the new policy.

Collect Microsoft Entra ID Access Details

At this stage, you should have collected all your user information and have set up the Microsoft Entra ID application for Stellar Cyber SSO access. Your certificate and access details are now ready to copy/download. Use this procedure to ensure you have all the noted information before you proceed to the next section.

If you are configuring Authorization, you must perform that procedure (see previous section) prior to downloading the certificate in this section.

  1. If you have navigated away from the application page, select Home on the portal and navigate back to the list of Enterprise applications.

  2. Locate and display the application you created above.

  3. Select Single sign-on from the left side navigation or select Set up single sign on.

  4. On the Single sign-on page, select SAML.

  5. With the SAML-based Sign-on panel displayed, download or copy (as appropriate) the items below for use when you set up SSO in Stellar Cyber:

    • From Block 1: Basic SAML Configuration

      Identifier (Entity ID) – The Stellar Cyber URL. Microsoft Entra ID uses this to recognize and establish a trust relationship with Stellar Cyber as a service provider (SP).

    • From Block 2: Claims (Applicable only if you configured Authorization)

      User.extensionattributeX values for all the Stellar Cyber claim names you added

    • From Block 3: SAML Signing Certificate

      Certificate (base 64) – You upload this as the IdP certificate in Stellar Cyber.

    • From Block 4

      Login URL (or SAML-P Sign-on Endpoint) – This is used for the Entry Point URL field in Stellar Cyber, to link with Microsoft Entra ID.

In addition to the above details, you should have previously noted all of the User Principal Names (email addresses) for all users that will use Microsoft Entra ID SSO with Stellar Cyber.

Configure Authentication in Stellar Cyber

With all your details collected, you are now ready to configure SSO Authentication in Stellar Cyber. The steps below are generally applicable for use for global configuration or per-tenant configuration.

Prepare for Users

  • For Authentication Only SSO: First, manually add all users on the Stellar Cyber Platform. After this manual entry, users can log in with SSO. Use the list of User Principal Names that you saved.

  • For Authentication & Authorization SSO: Configure all users through the IdP.

    You enable SSO for all users except the root admin user. The root admin user must always use local authentication (https://your.stellar.cyber.address/login).

  • For Local access (bypass) when SSO is enabled: If Stellar Cyber loses connectivity with your IdP, users configured for SSO cannot log in. As a preventive bypass method, manually create a new user in the Stellar Cyber Platform with root scope and with a valid email address that has "+admin" appended to a valid user name, as follows: <user>+admin@yourorganization.com (joe+admin@yourorganization.com). The user you create must be able to receive a password reset email at <user>@yourorganization.com. This email alias is what Stellar Cyber uses to permit the bypass of an SSO for a local login. After you create this separate user account, the user can log in two ways:

    • An SSO user with <user>@yourorganization.com

      or

    • A local user at https://your.stellar.cyber.address/login using <user>+admin@yourorganization.com

    If SSO is configured, it's recommended to keep an active administrative account in the Stellar Cyber user management.

Enable SSO

  1. Log in to Stellar Cyber and select System | Settings.

  2. In the Authentication Settings section, select SSO (SAML) as the Authentication Method.

  3. Select Metadata URL or Manual Config:

    If you select Metadata URL:

    • Issuer URL: Enter the Stellar Cyber URL.

    • Metadata URL: Paste the URL you copied from the IdP. The URL must begin with either https:// or http://. Different vendors use different names for the Metadata URL:

      Identity Provider                    | Term for Metadata URL
      -------------------------------------|-----------------------------
      Active Directory Federation Services | Federation Metadata URL
      Microsoft Entra ID                   | App Federation Metadata URL
      Okta                                 | Metadata URL
      OneLogin                             | Issuer URL
      Rippling                             | Metadata URL

    If you select Manual Config:

    • Issuer URL: Enter the Stellar Cyber URL.

    • Entry Point: Paste the entry point URL you copied from the IdP.

      You must include http:// or https:// before the URLs. Different vendors use different names:

      Identity Provider                    | Term for Entry Point URL
      -------------------------------------|-------------------------------------
      Active Directory Federation Services | SAML Endpoint
      Microsoft Entra ID                   | Login URL or SAML-P Sign-on Endpoint
      Okta                                 | Sign on URL
      OneLogin                             | SAML 2.0 Endpoint (HTTP)
      Rippling                             | SAML 2.0 Endpoint (HTTP)

    • IDP Certificate: Upload the certificate file you downloaded from the IdP.

  4. Select Allow Clock Skew to allow for system time differences between Stellar Cyber and your IdP. Authentication messages have an expiration. If the system times on Stellar Cyber and your IdP are not synchronized, the messages might expire before they even get to Stellar Cyber. The result is that users cannot log in, because they cannot authenticate.

  5. Choose your IdP setting: Authentication Only or Authentication and Authorization. Note the following:

    • A Global selection of Authentication and Authorization applies to all users (root, partner, and tenant), so the option to change authentication method for a specific tenant is not applicable when the Global method is set to Authentication and Authorization. You cannot log in to Tenant SSO when Global SSO is set to Authentication and Authorization. If you want to use SSO but also allow local users and tenant override, you must set the Global authentication method either to Local or to use the IdP with Authentication Only.

    • Although you can customize SSO configuration on a per-tenant basis, the Authorization capability is only supported at the global level. Overrides you make at the tenant level are for Authentication only, so the toggle for Authentication and Authorization is not offered in the tenant editor.

    • The root tenant must be configured to use either Default (same method as the Global authentication), or Local. It is not supported for configuration with an independent SSO.

    • The authentication method for partners is the same as that for root users. Any authentication overrides for tenant-level users in a tenant group have no effect on the authentication method for the partners who manage the group.

    • Choose Authentication Only for Stellar Cyber to authenticate users from your IdP, but manage scope and privilege locally. If you choose this, you must create the user in Stellar Cyber before adding them to your IdP.

    • Choose Authentication and Authorization for Stellar Cyber to authenticate users from your IdP, along with their scope and level of privilege. You must configure authorization on your IdP before enabling this, otherwise users cannot log in. If you choose this, you do not need to create the user in Stellar Cyber. Stellar Cyber creates the user and assigns scope and privilege based on the information passed from the IdP.

      When Global Settings is configured for Authentication & Authorization, the option to Create new users manually is hidden because new users must come from the IdP source.

  6. Choose a Two-Factor Authentication option that matches your IdP configuration:

    • Off: If you choose this option, Stellar Cyber user accounts are not offered a 2FA option.

    • Mandatory: If you choose this option, all users for every tenant are required to use 2FA when logging in to Stellar Cyber.

    • Optional: If you choose this option:

      • The 2FA option can be customized for individual tenants under System | Tenants.

      • Individual users can choose to enable 2FA under their User Profile in the Stellar Cyber UI.

      • You can enforce 2FA for specific users under System | Users when adding or editing a user.

      • The overall Global Settings for 2FA affect authentication for partners and tenant users. For example, if 2FA is Mandatory, all users must use 2FA.

      • Enabling 2FA here is independent of what you have configured on your SSO service. Enabling it here causes a separate 2FA prompt to be displayed upon logging in to Stellar Cyber.

      • The 2FA page from Stellar Cyber refers to use of Google Authenticator, but other authenticator applications also work.

  7. Review your settings and then Submit them.
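Step 4 above explains why Allow Clock Skew exists: a SAML assertion carries a validity window, and a service provider whose clock differs from the IdP's can reject an assertion that is perfectly fresh. The following added example (not Stellar Cyber code) evaluates the Conditions element of a constructed Entra-style assertion against the SP clock, once strictly and once with a skew tolerance. The assertion, its placeholder tenant ID in the Issuer, and the 5-minute tolerance are assumptions; the page does not state the exact tolerance Stellar Cyber applies when the setting is on.

```python
"""Check a SAML assertion's validity window with and without clock skew tolerance.

Added example, not Stellar Cyber code. The assertion is constructed (placeholder
tenant ID in the Issuer); the tolerance Stellar Cyber applies when Allow Clock
Skew is on is not stated on the page, so it is a parameter here.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FIVE_MINUTES = timedelta(minutes=5)  # assumed tolerance for the demonstration

# Constructed assertion: issued at 12:00:00Z, valid from 11:59:55Z until 13:00:00Z,
# audience = the Stellar Cyber Identifier (Entity ID) used as the example above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-05-01T12:00:00.000Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T11:59:55Z" NotOnOrAfter="2024-05-01T13:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://192.168.24.110</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """Parse a SAML xs:dateTime in UTC ('Z'), with or without fractional seconds."""
    base, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    if frac:
        stamp = stamp.replace(microsecond=int((frac + "000000")[:6]))
    return stamp.replace(tzinfo=timezone.utc)


def at(hour: int, minute: int, second: int = 0) -> datetime:
    """SP clock reading on the sample day, for the demonstration below."""
    return datetime(2024, 5, 1, hour, minute, second, tzinfo=timezone.utc)


def check_conditions(assertion_xml: str, now: datetime, skew: timedelta = timedelta(0),
                     expected_audience: Optional[str] = None) -> List[str]:
    """Return the reasons the SP would reject the assertion at time `now`; [] means accept.

    `skew` widens the window on both sides, which is what an Allow Clock Skew
    setting does: the SP tolerates its own clock being that far from the IdP's.
    """
    conditions = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if conditions is None:
        return ["assertion has no Conditions element"]
    problems = []
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before) - skew:
        problems.append(f"not yet valid: NotBefore={not_before}, SP clock={now.isoformat()}")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after) + skew:
        problems.append(f"expired: NotOnOrAfter={not_on_or_after}, SP clock={now.isoformat()}")
    if expected_audience:
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append(f"audience {audiences} does not include {expected_audience}")
    return problems


if __name__ == "__main__":
    sp_entity_id = "https://192.168.24.110"
    # Stellar Cyber's clock is 3 minutes behind the IdP when the assertion arrives.
    behind = at(11, 57)
    print("SP 3 min behind, no skew allowance:", check_conditions(SAMPLE_ASSERTION, behind, expected_audience=sp_entity_id))
    print("SP 3 min behind, 5 min allowed:   ", check_conditions(SAMPLE_ASSERTION, behind, FIVE_MINUTES, sp_entity_id))
    # Stellar Cyber's clock is 2 minutes ahead of the IdP at the end of the window.
    ahead = at(13, 2)
    print("SP 2 min ahead, no skew allowance: ", check_conditions(SAMPLE_ASSERTION, ahead, expected_audience=sp_entity_id))
    print("SP 2 min ahead, 5 min allowed:     ", check_conditions(SAMPLE_ASSERTION, ahead, FIVE_MINUTES, sp_entity_id))
```

The tolerance only papers over small drift; the durable fix is keeping both the Stellar Cyber platform and the IdP on synchronized time, and the audience check stays strict regardless of skew because it is what binds the assertion to this particular Entity ID rather than to any other service provider the IdP signs for.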