Azure Active Directory (AD) is a cloud-based application that helps in identity and access management by storing information about members of the domain (such as users and devices), verifying their login credentials, and controlling their access privileges. This section provides details on how to configure Azure AD as an identity provider (IdP) and integrate SAML single sign-on (SSO).

1. On the Azure Portal home page, click or search for Microsoft Entra ID. The Overview page for your Active Directory is displayed.

   

2. In the navigation pane, select Enterprise applications and then click + New application on the All applications page. The Browse Microsoft Entra Gallery page is displayed.

   

3. Click Create your own application. The Create your own application window is displayed.

   

4. Complete the following fields:
   • Name: Enter a name for the application.
   • Select Integrate any other application you don't find in the gallery (Non-gallery) option. Leave the other options as is.
5. Click Create to create the application. The application is registered in Azure AD for authentication.
6. In the navigation pane, select Enterprise applications and click the new application. The application overview page is displayed.

   

7. Click Users and groups in the navigation pane or click Assign users and group in the Getting Started section to add users and groups of users to the application.

   

8. In the Users and groups page, click Add user/group. The Add Assignment page is displayed.

   

9. Click None Selected to display the Users and groups sidebar. Click the checkbox next to the desired group names to list them on the Selected pane and click Select to add the selected groups to the application. The selected groups are displayed in the Add Assignment page and the Assign button is enabled.
10. Click Assign to assign the groups to the application.
11. Select a group and click Add members. The Add members page is displayed. Select the checkbox against a user to list them on the Selected pane and click Select to add the selected member to the group.
    Note: You can click on specific group to view the properties of the group. Take note of the Object Id of the group as you will require to enter it into the Group ID field in RUCKUS One while creating an Admin Group. For more information, refer to GUID-92CC77CD-6C90-4E4C-9F90-726B67EF6B20.html#TASK_FR4_CRJ_G1C.

    

12. In the navigation pane, select Enterprise applications and click the application. The application overview page is displayed.

    

13. Select Single sign-on in the navigation pane and click SAML protocol in the Select a single sign-on method window. The SAML-based Sign-on page is displayed.

    

14. Click Edit in the top right corner of the first section, Basic SAML Configuration.

    In the Reply URL (Assertion Consumer Service URL) field, specify a valid redirect URL where the authorization server sends the user once the application is successfully authorized. For example, https://ruckus.cloud/login/saml2/sso/<tenant-id>.

    The tenant ID is a unique identifier for the tenant account. Refer to User Profile to view your tenant ID.

    Alternatively, you can view the tenant ID in the Address bar of the browser screen. Once you log in to the RUCKUS One Cloud portal, you can find the Tenant ID in the URL. For more information, refer to: https://support.ruckuswireless.com/articles/000006453.

    

    

15. Click Edit in the second section, Attributes and Claims, and make sure to add a group claim as the SAML assertion requires an attribute to relay the group information.
    Note: RUCKUS recommends that you complete and review your account information. The following settings must be configured exactly as specified:

    • email (user.mail): The primary email address for login. This is a mandatory field.
    • name (user.userprincipalname): This serves as the unique identifier for the user in Azure AD. It is formatted as username@yourdomain.com. This is also a mandatory field.
    • firstName (user.givenname): The first name of the user.
    • lastName (user.surname): The last name of the user.
    • groups (user.groups): Dynamic groups allow you to define rules based on various user attributes like user.mail, user.givenname, user.surname, and so on. Users who meet these criteria automatically become members of the group.

    For more information, refer to: https://learn.microsoft.com/en-us/entra/fundamentals/how-to-create-delete-users and https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-userprincipalname.

    

    1. In the Attributes and Claims page, click Add a group claim. The Group Claims sidebar is displayed.
    2. Select Groups assigned to the application to specify which groups you would like to return in the Group Claims settings.
    3. Select Group ID as the Source attribute.
    4. Select Customize the name of the group claim and enter a name for the group in the Name field.
    5. Click Save to add the group claim.
16. In the third section, SAML Certificates, under Token signing certificate, either copy the App Federation Metadata URL or download the Federation Metadata XML file. The IdP Metadata needs to be uploaded to RUCKUS One while setting up Setting Up SSO. For more information, refer to Setting Up SSO with a 3rd Party Provider.

    

17. If the SAML sign-on requests to Azure IdP must be signed for added security, complete the following steps:
    1. Click the Edit icon in the Verification certificates section. In the Verification certificates sidebar, select the Require verification certificates checkbox.

       

    2. Open the RUCKUS service provider (SP) metadata XML document.
    3. Copy the certificate string and use an online tool, such as https://www.samltool.com/format_x509cert.php, to convert the string to an RSA file format.
    4. Save the certificate string found in the X509Certificate field as a .CER file.
    5. In the Verification certificates sidebar, click Upload certificate to select the .CER file and add to the list of verification certificates.