Microsoft Entra ID OnPrem (SAML)
This guide walks you through the steps required to configure Microsoft Entra ID as a Single Sign-On (SSO) provider in an On Premise deployment of Observo using SAML 2.0.
Prerequisites
Active Entra ID.
A running Observo On Premise deployment.
Admin access to both Entra ID and Observo.
Steps to Set Up Entra ID as a SAML Identity Provider in Observo
1. Create an Enterprise Application in Entra ID
You need to create an Enterprise Application in Entra ID to enable On Premise Observo to authenticate users via SAML.
Log into the Azure Portal and go to the Entra ID service.
Go to Enterprise applications under the Manage tab in the left menu.
Click on New application.
Click Create your own application.
Provide a user facing display name for the application (e.g., "Observo SAML").
Select Integrate any other application you don't find in the gallery.
Click Create button to create the Enterprise Application.
2. Download SAML Metadata
Download the SAML metadata file that will be used in Observo configuration.
In the Enterprise application's Overview section, go to Manage > Single sign-on.
Select SAML as the single sign-on method.
Skip the Basic SAML Configuration for now (we'll configure this after setting up Keycloak).
In the SAML Certificates section, note the App Federation Metadata Url for alternative configuration method.
3. Configure Observo to Use Entra ID as a SAML Identity Provider
Now, configure Entra ID as a SAML Identity Provider in Observo Keycloak.
Log into Observo Keycloak with the Observo Admin user's credentials. Observo Keycloak is hosted at this URL: https://<ObservoOnPremURL>/observo-auth
Select the realm of your Observo deployment to configure Entra ID SSO. master is the default realm.
In the left-hand menu, click Identity Providers.
From the Add provider dropdown, select SAML.
Fill in the following details:
Alias: entra-saml
Display name: (Optional) The name that users will see on the login screen (e.g., "Entra ID")
Import SAML Configuration:
URL Import: Use the App Federation Metadata Url from step 2.
Click Save.
4. Configure Basic SAML Settings in Entra ID
After creating the Identity Provider in Keycloak, you need to provide the SAML configuration in Entra ID.
Observo Keycloak
Go to the identity provider you just created in keycloak for Entra ID and note the following URLs from the top of the page:
Redirect URI: It will look something like this:
https://<ObservoOnPremURL>/observo-auth/realms/master/broker/entra-saml/endpoint
Entra ID
Open the Enterprise Application you created in Entra ID.
Go to Manage > Single sign-on > SAML.
In Basic SAML Configuration, click Edit and configure:
Identifier (Entity ID): https://<ObservoOnPremURL>/observo-auth/realms/master
Reply URL (Assertion Consumer Service URL): Use the Redirect URI from Keycloak (from previous step)
Sign on URL: https://<ObservoOnPremURL>/observo-auth/realms/master/account
Logout Url: Use the Redirect URI from Keycloak (from previous step)
Click Save.
5. Configure User Attributes & Claims
Now configure the claims that Entra ID will send to Observo.
In the SAML configuration, go to Attributes & Claims section and click Edit.
Ensure the following claims are configured:
Email:
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Source attribute: user.mail
First Name:
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Source attribute: user.givenname
Last Name:
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Source attribute: user.surname
Groups (Optional for role mapping):
Name: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Source attribute: user.groups [All]
Click Save.
6. Configure Attribute Mappers
Create mappers to import user attributes from Entra ID into Observo.
Log into Keycloak and go to the entra-saml identity provider you just created.
Click on the Mappers tab.
Create the following mappers by clicking Add mapper → Attribute Importer:
Email Mapper:
Name: Email
Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
User Attribute Name: email
First Name Mapper:
Name: First Name
Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
User Attribute Name: firstName
Last Name Mapper:
Name: Last Name
Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
User Attribute Name: lastName
User Name Mapper:
Name: User Name
Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
User Attribute Name: username
Click Save for each mapper.
7. Create SSO Object in Observo
The Observo UI needs to know the domain names for which it will use SSO.
Log in to the Observo UI and go to Settings > SSO.
Configure SSO of type SAML and provide the required details.
In the Domain Aliases section, provide email domains that will use SSO.
On the next page, configure Role Mapping (Optional).
Default User Role: Default role for those users with no explicit role assigned
Field Path: realm_access.roles
Role Mapping: Map the roles you created in Keycloak with Observo roles.
8. Add Role Mapper (Optional)
To use role mapping with Entra ID groups, follow these steps:
Go to Realm roles in Keycloak and create the roles you want to use.
In the entra-saml identity provider, go to the Mappers tab.
Click Add mapper → Advanced Role:
Name: Groups Role Mapper
Sync Mode Override: Force
Mapper type: SAML Attribute to Role
Attribute Name: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Attribute Value: Use the Object ID of the group that you want to use for role mapping.
Role: Select the Keycloak realm role to assign. If you don't find the role you created, try using Filter by realm roles.
9. Test the Integration
Once the configuration is complete, test the Entra ID SAML integration.
Access Observo UI.
Select the Entra ID SSO option on the login page.
Log in with your Entra ID credentials.
After successful authentication, you should be redirected back to Observo UI and logged in.
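If the test login fails or a user arrives without a name, email or role, the SAMLResponse posted to Keycloak (visible in the browser's network tab) can be checked against the values from steps 4 to 8. This is an added example, not part of the Observo documentation; the host name, the group ID and the helper names check_response and constructed_response are assumptions, and it only inspects the response without validating its signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Claim -> Keycloak user attribute, per the step 6 Attribute Importer mappers.
MAPPERS = {CLAIMS + "emailaddress": "email", CLAIMS + "givenname": "firstName",
           CLAIMS + "surname": "lastName", CLAIMS + "name": "username"}

def check_response(b64_response, base_url, realm="master", alias="entra-saml",
                   group_object_id=None):
    """Inspect a captured SAMLResponse; returns findings. No signature validation."""
    root = ET.fromstring(base64.b64decode(b64_response))
    entity_id = f"{base_url}/observo-auth/realms/{realm}"
    acs = f"{entity_id}/broker/{alias}/endpoint"
    findings = []
    if root.get("Destination") != acs:  # step 4: Reply URL
        findings.append(f"Destination {root.get('Destination')!r} is not {acs!r}")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:  # step 4: Identifier (Entity ID)
        findings.append(f"Audience {audiences} lacks Entity ID {entity_id!r}")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    for claim, user_attr in MAPPERS.items():  # steps 5 and 6
        if not any(attrs.get(claim, [])):
            findings.append(f"{claim} missing or empty: {user_attr} stays unset")
    if group_object_id and group_object_id not in attrs.get(GROUPS, []):  # step 8
        findings.append(f"groups claim lacks {group_object_id}: no role assigned")
    return findings

def constructed_response(base_url, attrs):
    """Build a constructed, unsigned sample (not real Entra ID output)."""
    entity_id = f"{base_url}/observo-auth/realms/master"
    rows = "".join(f'<saml:Attribute Name="{n}">' + "".join(
        f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vs)
        + "</saml:Attribute>" for n, vs in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{entity_id}/broker/entra-saml/endpoint"><saml:Assertion>'
           f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{entity_id}"
           "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
           f"<saml:AttributeStatement>{rows}</saml:AttributeStatement>"
           "</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    base = "https://observo.example.internal"  # constructed placeholder host
    sample = {CLAIMS + "givenname": ["Ada"], GROUPS: ["constructed-group-id"]}
    print(check_response(constructed_response(base, sample), base))
```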
By following these steps, you should have Entra ID successfully integrated with your Observo On Premise deployment using SAML 2.0.

