Setting Up Security Assertion Markup Language (SAML)

To integrate Privileged Access Service (PAS) and Microsoft Azure Active Directory, review and perform the following steps:

  1. Open a browser tab or window to a {Company} PAS tenant, navigate to Settings > Users > Partner Management and click Add.

  2. On the main Settings tab, enter values in the following fields:

  • Partner Name: Azure.

  • Federation Type: SAML 2.0.

  • Under Federation Domains, click Add, enter the domain for users and click Add again.

You are about to pivot to Microsoft Azure Active Directory. Do not close this window; you will return to it to conclude the setup.

  3. Open another browser and log into Microsoft Azure Active Directory (https://portal.azure.com) as an administrator to set up a new enterprise application that will federate with {Company}. Once you are in the main console, click the Azure Active Directory service in the left-hand menu.

  4. Click New application and make sure it is a Non-gallery application.

  5. Name the application and click Add.

  6. Select the SAML single sign-on method.

This is a good time to bring back up the Delinea Partner add page you still have open.

  7. In the Partner Management window, select the Outbound Metadata tab and choose Option 2: Download Service Provider Metadata. Save the file to Downloads or another location of your choice.

  8. Edit the FederationMetadata.xml file by inserting the following line between </KeyDescriptor> and <SingleLogoutService>: <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""/>

  9. Save the file.

  10. Go back to the Microsoft Azure Active Directory page, click Upload metadata file and upload the FederationMetadata.xml file you just saved.

  11. In the SAML Signing Certificate section, copy the value for App Federation Metadata Url.

  12. In the Partner Management window, on the Inbound Metadata tab, paste the value you copied above into the field for Option 1: Upload configuration from URL and click Save.

  13. Automatically fill the username in Active Directory when performing an SP-initiated log on from Delinea PAS (to avoid having to type the username twice: once in Delinea PAS and once in Entra ID Integration). In the Partner Management window, on the Inbound Metadata tab, append /?login_hint=[username] to the URL value in the Identity Provider Login URL field and click Save.

  14. Navigate back to Entra ID Integration, under the SAML configuration for the Delinea application, and add a new claim:

  • Name: userprincipalname.

  • Source Attribute: user.userprincipalname.

Then add a group claim. The group claim name must contain the word "group". Lastly, save the configuration.

  15. Create a new Entra ID group and note its ObjectId. Ensure you are a member of this new Entra ID group.

  16. Navigate back to the Delinea PAS tenant. Navigate to Partner Management and add the group mapping, using the ObjectId as the Group Attribute Value and a Group Name of your choice.

  17. In Delinea PAS, add the Group Name to the System Administrator role. Navigate to Access > Roles, choose System Administrator, click Members and add the group name you just added.

  18. Save the configuration.
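The FederationMetadata.xml edit above (inserting the SingleSignOnService element between </KeyDescriptor> and <SingleLogoutService>) is easy to get slightly wrong by hand: a duplicate element, a different binding, or the wrong position. The following Python is an added example, not part of Delinea's documentation or tooling, that performs that insertion and checks the result before the file is uploaded to Azure. The sample metadata is constructed; its entity ID, certificate and endpoint URLs are placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD_NS)  # keep the usual prefixes when re-serialising
ET.register_namespace("ds", DS_NS)

# Constructed stand-in for the downloaded FederationMetadata.xml: entity ID,
# certificate and endpoint URLs are placeholders, not real Delinea values.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://pas.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_POST}" Location="https://pas.example.invalid/saml/slo"/>
    <md:AssertionConsumerService index="0" Binding="{HTTP_POST}" Location="https://pas.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def insert_sso_endpoint(metadata_xml: str, location: str = "") -> str:
    """Insert <SingleSignOnService Binding=HTTP-POST Location=""/> directly before
    SingleLogoutService (so after the KeyDescriptor). Idempotent: returns the input
    unchanged if the element is already there, so a re-run never duplicates it."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    if sp.find(f"{{{MD_NS}}}SingleSignOnService") is not None:
        return metadata_xml
    slo_at = next((i for i, c in enumerate(sp) if c.tag == f"{{{MD_NS}}}SingleLogoutService"), None)
    if slo_at is None:
        raise ValueError("metadata has no SingleLogoutService to anchor on")
    sp.insert(slo_at, ET.Element(f"{{{MD_NS}}}SingleSignOnService", Binding=HTTP_POST, Location=location))
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")

def check_sso_endpoint(metadata_xml: str) -> dict:
    """Pre-upload check: exactly one SingleSignOnService with the HTTP-POST binding,
    sitting between the last KeyDescriptor and the SingleLogoutService."""
    sp = ET.fromstring(metadata_xml).find(f"{{{MD_NS}}}SPSSODescriptor")
    tags = [c.tag.rsplit("}", 1)[-1] for c in sp] if sp is not None else []
    ssos = [c for c in sp if c.tag == f"{{{MD_NS}}}SingleSignOnService"] if sp is not None else []
    last_key = max((i for i, t in enumerate(tags) if t == "KeyDescriptor"), default=-1)
    sso_at = tags.index("SingleSignOnService") if len(ssos) == 1 else -1
    slo_at = tags.index("SingleLogoutService") if "SingleLogoutService" in tags else -1
    return {"count": len(ssos),
            "binding_ok": len(ssos) == 1 and ssos[0].get("Binding") == HTTP_POST,
            "order_ok": sso_at != -1 and sso_at == last_key + 1 and sso_at < slo_at}
```

Run check_sso_endpoint on the edited file before the upload step; all three fields should be true and the count exactly 1.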