Microsoft Entra ID (formerly Azure Active Directory)
This section provides step-by-step instructions for setting up SAML 2.0 with Microsoft Entra ID (formerly Azure AD) for use with balenaCloud. Follow the steps below and refer to the accompanying screenshots for visual guidance. At the end of this guide, you can start using Single Sign-On functionality from your IdP in balenaCloud.
Create a New Enterprise Application
- Go to: Microsoft Entra ID Home.
- On the left-hand menu, expand Identity > Applications > Enterprise Applications.
- Select Enterprise Applications.
- Click the + New application button.
Create Your Own Application
- You should now be presented with a gallery of enterprise apps. Click the + Create your own application button at the top left.
- In the right-hand form that opens, give your app a name.
- Leave the default option selected.
- Click Create.
Configure Single Sign-On
- In the left menu, click Single sign-on.
- Select SAML.
Basic SAML Configuration
- In the Basic SAML Configuration section, click Edit.
- Paste your Entity ID and Sign-on URL. To obtain these, you must first decide on an “SSO Identifier” for your enterprise, e.g. acme.
  - Identifier: https://api.balena-cloud.com/auth/saml/`<sso-identifier>`
  - Reply URL: https://api.balena-cloud.com/auth/saml/`<sso-identifier>`/callback
- Click Save.
Set Unique User Identifier
- On the “Set up Single Sign-On with SAML” page, click Edit on the Attributes & Claims section.
- Click the Unique User Identifier row.
- Change the Source attribute field to user.mail.
- Click Save.
Assign Users and Groups
- Go to Users & Groups in the Manage section of the SAML app.
- Add the users or groups you want to assign access to the SAML app.
- Click Assign at the bottom left.
Download Federation Metadata XML
- On your SAML-based Sign-on app page, look for the Download link for Federation Metadata XML.
- Download this XML file to use later in setting up your SAML IdP in balenaCloud.
Congratulations! Your Identity Provider (IdP) should now be set up. Head over to the balenaCloud dashboard and follow the instructions to link an IdP by uploading the XML metadata file. Your team can then start using the Single Sign-On (SSO) functionality, allowing them to securely and seamlessly access the platform using their enterprise credentials.