Azure Active Directory Setup#

This guide explains how to set up Squirro Single Sign-On with Azure Active Directory (AAD). This process follows the official Azure AD SSO integration with Azure AD SAML Toolkit tutorial. Please refer to that tutorial if this Squirro specific explanation does not seem to match up with the current user interface of Azure Active Directory.

Configure AAD#

Register an Enterprise Application#

Initially a Active Directory application has to be registered. This application manages the access that Squirro needs to get information about the users accessing the extension in Microsoft Outlook.

  1. Log in to the Azure Active Directory Admin Center.

  2. Navigate to Enterprise applications.

  3. Click New application.

  4. In the resulting list, search for Azure AD SAML Toolkit and select that application.

  5. Enter a descriptive name e.g., Squirro and confirm by clicking Create.

    image1


    Note: if the Create button remains greyed out, your organization does not have the requisite Azure AD subscription.

  6. The Enterprise Application detail view is now opened.

    image2

Configure Single Sign-On (SSO)#

  1. Navigate to Properties in the left-hand navigation.

  2. Upload the Squirro logo or an alternate project logo.

  3. Click Save.

  4. In the left navigation click Single sign-on.

  5. Select SAML.

  6. Click Edit in the Attributes & Claims section.

  7. Enter the following values:

    • Identifier (Entity ID): https://sso.squirro.com/o/saml2/entity
      Note: If this creates a conflict due to the same Entity ID already being used, it can be changed to any other value. In that case, make sure to also insert the same value later in the Squirro configuration.

    • Reply URL: https://<squirro_server>/sso/callback

    • Sign on URL: https://<squirro_server>

  8. To send the users’ group memberships to Squirro click the Add a group claim button in the toolbar. Refer to the official Configure group claims for applications by using Azure Active Directory for details on this. One common option is to use Groups assigned to the application and select the Group ID source attribute.

  9. Back on the Single Sign-on overview page download the Federation Metadata XML file.

Configure Squirro#

To configure SAML Single Sign-On with the federation metadata file, go to the Server space in Squirro and in the navigation on the left select Single Sign-On (SAML).

Press the red plus button on the top right. Fill out the form:

  • Domain: *

  • Enabled: Check

  • Entity ID: Use the same Entity ID as provided to AAD earlier. If you used the default, then you can leave this empty.

  • Metadata file: upload the Federation Metadata XML file that was obtained from AAD earlier.

  • Certificate file: can be left empty.

  • User group: Select a Squirro user group which should be assigned to all SSO users - this is optional.

  • Group names field: if sending group claims then put in the value http://schemas.microsoft.com/ws/2008/06/identity/claims/groups (this should correspond to the claim name given for the group claim in AAD).

  • Mapping of groups to Squirro roles:
    This defines the server-wide permissions for SSO users based on the group names that were retrieved from the claims. If using the Group ID source attribute this will refer to the Object Id of the relevant group.
    Example value: 72b6ff2e-a56d-4398-9f80-283266e12f00=admin; 2d361d77-1610-4a47-81b9-124f6cce8e8b=user; reject
    This example gives admin rights to all users in a administrator group (72b6ff2e-a56d-4398-9f80-283266e12f00) group, normal access to all users in a user group (2d361d77-1610-4a47-81b9-124f6cce8e8b) and rejects all other logins.

  • If you are going to use the Squirro for Microsoft Outlook integration, Squirro needs to map the user’s object identifier. This can be achieved by providing the following configuration in Fields to map in as user values:

    msExchMailboxGuid = http://schemas.microsoft.com/identity/claims/objectidentifier

Store the configuration using Save Settings.

image3

Enable SSO#

For security reasons, the final configuration needs to be done directly on the server. Log into the server using SSH or similar means and edit the file /etc/squirro/frontend.ini. Then append the following lines at the end:

[security]
sso_enabled = true
sso_endpoint = http://localhost:81/studio/extauth_saml/extauth

Reduce HTTP Session#

By default Squirro will keep user sessions for 30 days, surviving browser restarts as well. In a Single Sign-On environment, this should be changed to the session expiring once the user restarts the browser. This can be achieved by changing /etc/squirro/frontend.ini and adding the following lines:

[frontend]
session_permanent = false