Link your Identity Provider - Azure Active Directory

Learn how to integrate your company's Azure Active Directory for federated login access into Stax.

Article Tags

On This Page

Before You Begin Prepare the SAML URIs Create a new Enterprise Application in Azure AD Configure Stax to allow Azure AD Sign-In How Do You Know This Worked?See also

Stax integrates with your corporate identity using SAML. This allows you to bring your own identities and identity management controls to the Stax platform. Azure Active Directory is Microsoft's cloud-hosted identity solution. It supports integration with applications as a SAML identity provider (IdP) and is available for use by most organizations with a Microsoft 365/Office 365 tenancy.

This guidance assumes your AWS accounts are Stax-managed. If you only have the Cost & Compliance module, review this article instead.

Before You Begin

Estimated time to complete: 1 hour
Ensure you are a member of the Admin role in your Stax tenancy
You need to be a member of the Global Admins role in Azure AD, or be delegated equivalent access to Enterprise Applications by an administrator

Prepare the SAML URIs

First, you'll need to determine some URIs. If you're not sure how to get these, simply raise a case in the Stax Console and we'll help you out.

Your <customer-alias> is the same as you enter at the Stax Console login page shown here. Below, it is mega-corp.

Your <installation-id> can be found by reviewing the URL of the login page after you enter your customer alias, as shown here. It's between your customer alias and staxapp.cloud in the URL. Below, it is au1.

Once you've determined your <customer-alias> and <installation-id>, you can form the URIs required for SAML setup:

URI	Format	Example
Entity ID	https://id.security.<customer-alias>.<installation-id>.staxapp.cloud/auth/realms/master	https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master
SAML 2.0 Service URL	<entity-id>/broker/azure_ad/endpoint	https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master/broker/azure_ad/endpoint

Prepare the Active Directory Domain Services (AD) Groups

Stax has four roles; Admin, Cost & Compliance admin, User, and Read Only. You can use Azure AD to specify these roles at login time. For this purpose, you'll need to create and populate four AD groups.

In the examples below, we'll use the following four group names:

Stax Admins
Stax Cost & Compliance Admins
Stax Users
Stax Read Only Users

See Stax Roles - Stax Permissions for more information on Stax roles.

Create a new Enterprise Application in Azure AD

Once you've prepared the URIs and AD Groups, you can configure Azure AD.

Log in to the Azure AD Portal at https://aad.portal.azure.com
From the left-hand navigation pane, choose All services, then within the Identity section choose Enterprise applications
From the All applications page, choose + New application
On the Add an application page, choose Non-gallery application
On the Add your application page, enter a name for the application then click Add
Once the application is created, from the Manage section, choose Single sign-on, then SAML to enable SAML for the application

Using the details you gathered above, complete the Basic SAML configuration for the new application:

Parameter	Value	Example
Identifier (Entity ID)	The entity ID you determined earlier	https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master
Reply URL (Assertion Consumer Service URL)	The SAML 2.0 Service URL you determined earlier	https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master/broker/azure_ad/endpoint
Sign on URL	(blank)
Relay State	(blank)
Logout Url	(blank)

Next, click the edit button next to User Attributes & Claims and configure the Claims for the application:

First, click on Unique User Identifier (Name ID) under Required claim and change the name identifier format from the default Email address to Persistent. Save and close the Manage claim form to return to the User Attributes & Claims page

In turn, update each of the Additional claims to match the following configuration:

Claim Name	Namespace	Source	Source attribute
email	(blank)	Attribute	user.mail
firstName	(blank)	Attribute	user.givenname
name	http://schemas.xmlsoap.org/ws/2005/05/identity/claims	Attribute	user.userprincipalname
lastName	(blank)	Attribute	user.surname

Finally, configure the Role claim to be sent with a particular value depending on the user's group membership. To do this, choose + Add a new claim, then enter the following configuration:

Parameter	Value
Stax Admins
Name	Role
Namespace	(blank)
Source	Attribute
Source attribute	"customer_admin" (you'll need to type this)
Claim conditions
User type	Any
Scoped Groups	Stax Admins

Stax Cost & Compliance Admins
Name	Role
Namespace	(blank)
Source	Attribute
Source attribute	"customer_costadmin" (you'll need to type this)
Claim conditions
User type	Any
Scoped Groups	Stax Cost & Compliance Admins

Stax Users
Name	Role
Namespace	(blank)
Source	Attribute
Source attribute	"customer_user" (you'll need to type this)
Claim conditions
User type	Any
Scoped Groups	Stax Users
Stax Read Only Users
Name	Role
Namespace	(blank)
Source	Attribute
Source attribute	"customer_readonly" (you'll need to type this)
Claim conditions
User type	Any
Scoped Groups	Stax Read Only Users

Choose Save once the Claim is configured.

Return to the Single sign-on page for the Stax application to complete the configuration. If prompted to test it, choose No

In section 3 of the Single sign-on page, download the Federation Metadata XML file and keep it handy. You'll need this in the next step

When you're ready to have Stax configured, you simply need to supply us with your Azure AD metadata, and we'll do the rest for you.

How Do You Know This Worked?

Next time you navigate to your Stax Console login page, on the top, you'll see a new Continue with Corporate ID button. Clicking this button will take you to your Azure AD sign-in page. Log in on the Azure AD page and you'll be signed into your Stax tenancy.