Azure Active Directory Setup#

This guide explains how to set up Squirro Single Sign-On with Azure Active Directory (AAD).

This process follows the official Azure AD SSO integration with Azure AD SAML Toolkit tutorial.

Refer to that tutorial if this Squirro-specific explanation does not seem to match up with the current user interface of Azure Active Directory.

Configure AAD#

Register an Enterprise Application#

First, an Azure AD enterprise application must be registered. This application governs the access that Squirro needs in order to obtain information about the users accessing the extension in Microsoft Outlook.

To register an application, follow the steps below:

  1. Log in to the Azure Active Directory Admin Center.

  2. Navigate to Enterprise applications.

  3. Click New application.

  4. In the resulting list, search for Azure AD SAML Toolkit and select the application.

  5. Enter a descriptive name (e.g. Squirro) and confirm by clicking Create.

image1

Tip

If the Create button remains greyed out, your organization does not have the requisite Azure AD subscription.

  6. The Enterprise Application detail view now opens, as shown in the example screenshot below:

image2

Configure Single Sign-On (SSO)#

  1. Navigate to Properties in the left-hand navigation.

  2. Upload the Squirro logo or an alternate project logo.

  3. Click Save.

  4. In the left navigation click Single sign-on.

  5. Select SAML.

  6. Click Edit in the Basic SAML Configuration section.

  7. Enter the following values:

    • Identifier (Entity ID): https://sso.squirro.com/o/saml2/entity
      Note: If this conflicts with an Entity ID that is already in use in your tenant, it can be changed to any other value. In that case, make sure to enter exactly the same value later in the Squirro configuration, as the Entity ID presented by Squirro and the one registered in AAD must match.

    • Reply URL: https://<squirro_server>/sso/callback

    • Sign on URL: https://<squirro_server>

  8. To send the users’ group memberships to Squirro, click Add a group claim in the toolbar. Refer to the official Configure group claims for applications by using Azure Active Directory documentation for details.

Tip: One common option is to use Groups assigned to the application and select the Group ID source attribute.

  9. Back on the Single sign-on overview page, download the Federation Metadata XML file.

Configure Squirro#

To configure SAML Single Sign-On with the federation metadata file, follow the steps below:

  1. Log in to your Squirro instance and navigate to the Server space.

  2. From the left menu, click Single Sign-On (SAML).

  3. Click the orange plus icon in the top-right corner of the page to create a new SSO configuration. Fill out the form as follows:

    • Domain: *

    • Enabled: Check

    • Entity ID: Use the same Entity ID that was entered in AAD earlier. If you kept the default (https://sso.squirro.com/o/saml2/entity), this can be left empty.

    • Metadata file: upload the Federation Metadata XML file that was obtained from AAD earlier.

    • Certificate file: can be left empty.

    • User group: Select a Squirro user group which should be assigned to all SSO users - this is optional.

    • Group names field: if group claims are being sent, enter http://schemas.microsoft.com/ws/2008/06/identity/claims/groups (this must correspond to the claim name given to the group claim in AAD).

    • Mapping of groups to Squirro roles:
      This defines the server-wide permissions for SSO users based on the group names retrieved from the claims. If the Group ID source attribute is used, the names are the Object IDs of the relevant groups.
      Example value: 72b6ff2e-a56d-4398-9f80-283266e12f00=admin; 2d361d77-1610-4a47-81b9-124f6cce8e8b=user; reject
      This example gives admin rights to all members of an administrator group (72b6ff2e-a56d-4398-9f80-283266e12f00), normal access to all members of a user group (2d361d77-1610-4a47-81b9-124f6cce8e8b) and rejects all other logins. Keep the trailing reject so that users who authenticate successfully at AAD but belong to none of the mapped groups are denied access.
    • If you are going to use the Squirro for Microsoft Outlook integration, Squirro needs to map the user’s object identifier. This is achieved by entering the following configuration in Fields to map in as user values:

      msExchMailboxGuid = http://schemas.microsoft.com/identity/claims/objectidentifier
      
  4. Store the configuration by clicking Save Settings as shown in the example screenshot below:

image3
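To make the group mapping and the field mapping concrete, the following added example (illustration written for this page, not Squirro's own code) parses the AttributeStatement of an AAD assertion, reads the groups claim and the object identifier claim under the names used above, and applies a mapping string in the same "group=role; group=role; reject" form. The assertion is a constructed sample; the object identifier value in it is made up. Two behaviours are assumptions made for the illustration rather than documented Squirro behaviour: when a user is in several mapped groups, the most privileged role wins, and when no group matches and the mapping has no reject entry, the user gets a default role. The "Fields to map in as user values" format is also assumed to be one "field = claim" entry per line.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names as used in the Squirro configuration above.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
OBJECT_ID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"

# Constructed sample: the AttributeStatement part of an AAD assertion for a user
# who is a member of both groups from the mapping example. The object
# identifier value is made up.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>3f2504e0-4f89-41d3-9a0c-0305e82c3301</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>72b6ff2e-a56d-4398-9f80-283266e12f00</saml:AttributeValue>
      <saml:AttributeValue>2d361d77-1610-4a47-81b9-124f6cce8e8b</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# The mapping strings from the configuration steps above.
GROUP_MAPPING = ("72b6ff2e-a56d-4398-9f80-283266e12f00=admin; "
                 "2d361d77-1610-4a47-81b9-124f6cce8e8b=user; reject")
FIELD_MAPPING = "msExchMailboxGuid = http://schemas.microsoft.com/identity/claims/objectidentifier"

# Assumption for this illustration: admin outranks user when a member of both groups.
ROLE_RANK = {"admin": 2, "user": 1}
# Assumption: role granted when no group matches and the mapping has no 'reject'.
DEFAULT_ROLE = "user"


def attribute_values(assertion_xml, claim_name):
    """Return all AttributeValue texts of the attribute named claim_name.

    Only call this on an assertion whose signature has already been verified
    against the IdP certificate from the federation metadata; unverified
    claims are attacker-controlled.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == claim_name:
            values.extend((v.text or "").strip()
                          for v in attr.iterfind("saml:AttributeValue", SAML_NS))
    return values


def parse_group_mapping(spec):
    """Parse 'group=role; group=role; reject' into ({group: role}, reject_others)."""
    mapping, reject_others = {}, False
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        if item == "reject":
            reject_others = True
            continue
        group, sep, role = item.partition("=")
        if not sep or not group.strip() or not role.strip():
            raise ValueError(f"malformed mapping entry: {item!r}")
        mapping[group.strip()] = role.strip()
    return mapping, reject_others


def resolve_role(groups, spec):
    """Role for a user with the given group object IDs, or None if rejected."""
    mapping, reject_others = parse_group_mapping(spec)
    matched = [mapping[g] for g in groups if g in mapping]
    if matched:
        return max(matched, key=lambda r: ROLE_RANK.get(r, 0))
    return None if reject_others else DEFAULT_ROLE


def map_user_fields(assertion_xml, spec):
    """Apply 'field = claim' lines and return {field: first claim value}."""
    result = {}
    for line in spec.splitlines():
        if "=" not in line:
            continue
        field, claim = (s.strip() for s in line.split("=", 1))
        values = attribute_values(assertion_xml, claim)
        if values:
            result[field] = values[0]
    return result


if __name__ == "__main__":
    groups = attribute_values(SAMPLE_ASSERTION, GROUPS_CLAIM)
    print("groups in assertion:", groups)
    print("resolved role:", resolve_role(groups, GROUP_MAPPING))
    print("user fields:", map_user_fields(SAMPLE_ASSERTION, FIELD_MAPPING))
```

Run it as a script to see the sample user resolved to admin and the msExchMailboxGuid field filled from the object identifier claim; change the group values in the sample to a GUID that is not in the mapping to see the reject entry deny the login.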

Enable SSO#

For security reasons, the final step is performed directly on the server rather than through the web interface.

Log in to the server using SSH or similar means and edit the file /etc/squirro/frontend.ini.

Then append the following lines at the end (the sso_endpoint points at the loopback interface on the server itself):

[security]
sso_enabled = true
sso_endpoint = http://localhost:81/studio/extauth_saml/extauth

Reduce HTTP Session#

With Single Sign-On enabled, Squirro recommends reviewing the session expiration parameters, since a long-lived Squirro session outlives the identity provider's own login checks. See Reducing Session Lifetime for information.