Configuring Microsoft Entra ID SSO

You can configure Stellar Cyber to use Microsoft Entra ID SSO (formerly Azure Active Directory SSO) for Authentication or Authentication and Authorization using the procedure in this topic. The configuration includes application creation, user and group assignments, SAML setup, optional authorization, optional multi-factor authentication (MFA), and Stellar Cyber settings.

You must collect the following information as you progress through the procedure:

  • User Principal Names (email addresses for users that will log into Stellar Cyber with SSO)

  • Claim/Attribute Information (Applicable for Authorization only)

  • Identifier (Entity ID)

  • Login URL

  • Certificate

The Microsoft Entra ID configuration steps are based on version 2.4.

Perform the following steps in the order shown below:

  1. Create a Stellar Cyber Application for SSO in Microsoft Entra ID

  2. Add Users/Groups to the Stellar Cyber SSO Application

  3. Configure SAML-based Single Sign-On (SSO)

  4. Configure Authorization (Optional)

  5. Configure Multi-Factor Authentication Support (Optional)

  6. Configure Authentication in Stellar Cyber

Create a Stellar Cyber Application for SSO in Microsoft Entra ID

Sign in to the Microsoft Entra Admin Center, access Enterprise Applications, and add a new application that uses Microsoft Entra ID for authentication.

  1. Sign in to the Microsoft Entra Admin Center with an account that has the Cloud Application Administrator or Application Administrator role.

  2. In the left-hand menu, select Identity | Applications | Enterprise applications.

  3. At the top of the page, select New application.

    Screen capture of Microsoft Entra Admin Center

  4. In the Browse Microsoft Entra Gallery, select Create your own application.

  5. Enter a name for the application (for example, Stellar Cyber SSO), select Integrate any other application you don't find in the gallery (Non-gallery), and then Create.

    Screen capture of the Microsoft Entra Gallery

Microsoft Entra ID creates the application and displays the Overview page. With your application created, you can now add users and configure SAML.

Add Users/Groups to the Stellar Cyber SSO Application

Assign the users and groups that you want Microsoft Entra ID to authenticate to the application. You will need to add these for the following purposes:

  • For Authentication Only SSO configurations: You will use these to create user accounts in Stellar Cyber.

  • For Authentication and Authorization SSO configurations: You will use these to assign values to claim attributes (not applicable for per-tenant SSO).

  1. In the Getting Started section of the Stellar Cyber SSO application Overview, select Assign users and groups.

    Screen capture of the Microsoft Entra UI

    You can also access this from Manage | Users and groups in the side menu.

  2. Select Add user/group in the action menu at the top of the page.

  3. In the Add Assignment panel, click or tap None Selected under Users.

  4. Select the users or groups that you want to assign, tap or click Select and then Assign to finalize the assignments.

    For each assigned user, select its name and note the User principal name (email address). Ensure that it exactly matches the corresponding Stellar Cyber user email address. Usernames and email addresses in both Microsoft Entra ID and Stellar Cyber are case sensitive.

  5. You must make note of each user's User Principal Name for these reasons:

    • For Authentication Only SSO configurations: You will use these to create user accounts in Stellar Cyber.

    • For Authentication and Authorization SSO configurations: For this type of configuration, users are automatically added to Stellar Cyber. You will still use the User Principal Names, though, to assign values to claim attributes (not applicable for Tenant-specific SSO; Authorization configurations apply only to Global SSO).

    • For users, select Display Name and copy the User Principal Name.

    • For groups, select Display Name and then select the Members link in the left side of the navigation panel. This displays a list of members (users) in that group. You can now select each user Name and copy the User Principal Name.

Now that you have added users to the application, you can configure the SSO SAML section.

Configure SAML-based Single Sign-On (SSO)

Configure basic SAML settings, download the signing certificate, and copy URLs to use when configuring SSO settings in the Stellar Cyber UI.

  1. In the Getting Started section of the Stellar Cyber SSO application Overview, select Get started for 2. Set up single sign-on.

    You can also access this from Manage | Single sign-on in the side menu.

  2. Select the SAML option, select Edit in the 1. Basic SAML Configuration section, fill in the required fields, and then Save the configuration.

    If you are configuring SSO for the entire Stellar Cyber system:

    • Identifier (Entity ID): Enter the Stellar Cyber URL. For example: https://192.168.24.110.

    • Reply URL: Use the Stellar Cyber URL, appended with /saml/login/callback. The format is https://<your.stellar.cyber.address>/saml/login/callback. For example: https://192.168.24.110/saml/login/callback.

    • Logout URL: This setting is here for future functionality but is not currently supported.

    If you are configuring SSO for a tenant:

    • Identifier (Entity ID): Enter the Stellar Cyber URL.

    • Reply URL: Use the Stellar Cyber Platform URL, appended with /saml/login/callback/cust_id/<tenant-id>. The format is https://<your.stellar.cyber.address>/saml/login/callback/cust_id/<tenant-id>. For example: https://192.168.24.110/saml/login/callback/cust_id/59125044.

    • Logout URL: This setting is here for future functionality but is not currently supported.

      Screen captures of basic SAML configurations

Configure Authorization (Optional)

Authorization allows you to assign Stellar Cyber scopes, privileges, and tenant options within Microsoft Entra ID, rather than within Stellar Cyber. If you want to configure Authorization in addition to Authentication, you must add Microsoft Entra ID attributes / claims (scopes) for use in Stellar Cyber. This procedure adds the required fields to the Microsoft Entra ID users you associated with the application.

You must configure the basic identity, above, before you perform the steps in this section. If you are configuring Authentication only, or per-tenant SSO authentication, skip this section.

Add Stellar Cyber Fields to User Accounts

  1. In the Set up Single Sign-On with SAML section of the Stellar Cyber SSO application configuration, select Edit in the 2 Attributes & Claims section.

  2. Select Add new claim, enter the following claim settings, leave the others as they are, and then Save the configuration.

    Name: Enter stellar_scope.

    Source: Attribute

    Source Attribute: Choose a relevant user attribute (for example, user.extensionattribute1).

    Screen capture of the Microsoft Entra Manage Claim configuration

    You define attributes in this step; values are added in a later step.

  3. Repeat the previous step to add the following attributes: stellar_privilege, stellar_tenant, and stellar_tenant_group

    Take care when entering the required attributes and values. Typos in either mean that users are not authenticated and cannot log in. Typos in the optional attributes and values mean that users are not assigned to the appropriate tenant or tenant group (but are authenticated).

    Custom Attribute Name | Source Attribute* | Values (set later) | Global SSO | Tenant-specific SSO
    stellar_scope | user.extensionattribute1 | root, partner, tenant | Required for Authorization | Not applicable
    stellar_privilege | user.extensionattribute2 | super_admin, platform_admin, security_admin, user | Required for Authorization | Not applicable
    stellar_tenant | user.extensionattribute3 | ID number for configured tenant | (Optional) Specify an individual tenant ID, not name. The ID is available on the Tenants List page. | Not applicable
    stellar_tenant_group | user.extensionattribute4 | ID number for any configured tenant group | (Optional) Specify a tenant group ID, not name. This is typically available for use by MSSP users with the Partner role. The Tenant Group ID is displayed on the Tenant Groups page. | Not applicable

    * Any available user.extensionattributeX (where X is 1-15) may be used.

    Values in these fields are case sensitive and syntax matters. Use the exact indicated syntax and verify that you have made no typos. If you have created a custom privilege with spaces or dashes, use an underscore instead. Example: A custom privilege of STML-Security Admin must be entered as STML_Security_Admin.

  4. When done, exit the Attributes & Claims editor panel.

Assign Values to Stellar Cyber Fields (Graph Explorer Method)

Microsoft Entra ID does not provide a GUI-based mechanism to modify the attribute values. This procedure uses Microsoft Graph Explorer to edit and validate the attributes. If you wish to automate the steps, refer to the PowerShell method, below.

  1. To set the attribute values, retrieve the list of User Principal Names you saved above.

  2. Open Microsoft Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) and log in with your administrator Microsoft Entra ID credentials.

  3. In the query pane, change the GET action menu to PATCH.

  4. Now enter this query URL, replacing the <user principal name> below with a User Principal Name you saved earlier.

    https://graph.microsoft.com/beta/users/<user principal name>

  5. Enter the following content as the Request Body, replacing the attribute values with one of the supported values in the table above:

    Take care when entering the required attributes and values. Typos in either mean that users are not authenticated and cannot log in. Typos in the optional attributes and values mean that users are not assigned to the appropriate Stellar Cyber tenant or tenant group (but are authenticated).

    {
      "onPremisesExtensionAttributes": {
        "extensionAttribute1": "root",
        "extensionAttribute2": "security_admin"
      }
    }

  6. Click Run Query to set the values.

  7. To verify the values were set correctly, change the query type back to GET.

  8. Now enter this query URL, replacing the <user principal name> below with the same User Principal Name (Microsoft Entra ID login) you just set above.

    https://graph.microsoft.com/beta/users/<user principal name>?$select=onPremisesExtensionAttributes

  9. Click Run Query and review the list of extensionAttributes to verify the values were set.

Assign Values to Stellar Cyber Fields (PowerShell Method)

As an alternative to the Microsoft Graph Explorer method, you can use PowerShell to set the attribute values. The commands in this section can also be automated in PowerShell.

  1. Open PowerShell from your Windows system as an administrative user.

  2. From the PowerShell command line, run the commands shown in the example below, replacing the $User value with the login you used above. The last two commands illustrate assigning values to the stellar_scope and stellar_privilege attributes. If you used all four attributes, add commands for those and specify the Tenant ID and Tenant Group ID exactly as they are listed in Stellar Cyber.

    Be sure that you assign the correct value to the correct extension number. In this example extensionAttribute1 is for stellar_scope, which is being given root; extensionAttribute2 is for stellar_privilege and is being assigned security_admin. Review your list of extension attributes carefully before running these commands.

    Following is an example of this sequence:

    PS C:\WINDOWS\system32> Install-Module AzureAD

    Untrusted repository
    You are installing the modules from an untrusted repository. If you trust this repository, change its
    InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
    'PSGallery'?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y
    PS C:\WINDOWS\system32> $AzureAdCred = Get-Credential
    Enter your Azure admin user and password

    PS C:\WINDOWS\system32> Connect-AzureAD -Credential $AzureAdCred
    PS C:\WINDOWS\system32> $User = "dstarr@aella.onmicrosoft.com"
    PS C:\WINDOWS\system32> $UserId = (Get-AzureADUser -SearchString $User).ObjectId
    PS C:\WINDOWS\system32>
    PS C:\WINDOWS\system32> Set-AzureADUserExtension -ObjectId $UserId -ExtensionName extensionAttribute1 -ExtensionValue "root"
    PS C:\WINDOWS\system32> Set-AzureADUserExtension -ObjectId $UserId -ExtensionName extensionAttribute2 -ExtensionValue "security_admin"
    PS C:\WINDOWS\system32> exit

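As an added example (not Stellar Cyber's or Microsoft's code), the following Python script does the same work as the Graph Explorer and PowerShell sequences above against the same beta Graph endpoint: it validates the claim values against the table, normalizes custom privilege names, builds the PATCH body, and compares the GET result with what was intended, flagging case mismatches. The claim-to-extensionAttribute mapping, the bearer token, and the sample response are assumptions; the network helper is not exercised by the offline demo.

```python
"""Build, validate and verify the Graph PATCH body that carries Stellar Cyber
claims in onPremisesExtensionAttributes. Constructed example; the
claim-to-attribute mapping below is an assumption matching the table above."""
import json
import re
import urllib.request

GRAPH_USER = "https://graph.microsoft.com/beta/users/{upn}"

# Assumed mapping: change it if you chose other user.extensionattributeX slots.
CLAIM_TO_EXTENSION = {
    "stellar_scope": "extensionAttribute1",
    "stellar_privilege": "extensionAttribute2",
    "stellar_tenant": "extensionAttribute3",
    "stellar_tenant_group": "extensionAttribute4",
}
SCOPES = {"root", "partner", "tenant"}


def normalize_privilege(name: str) -> str:
    """Custom privileges with spaces or dashes must be written with underscores,
    e.g. 'STML-Security Admin' -> 'STML_Security_Admin'."""
    return re.sub(r"[\s-]+", "_", name.strip())


def build_patch_body(claims: dict) -> dict:
    """Validate claim values and return the PATCH request body.
    stellar_scope and stellar_privilege are required; the tenant claims are
    optional. Values are case sensitive, so nothing is lower-cased here."""
    for required in ("stellar_scope", "stellar_privilege"):
        if required not in claims:
            raise ValueError(f"missing required claim {required}")
    if claims["stellar_scope"] not in SCOPES:  # 'Root' is rejected, not fixed
        raise ValueError(f"unsupported scope {claims['stellar_scope']!r}")
    attrs = {}
    for claim, value in claims.items():
        if claim not in CLAIM_TO_EXTENSION:
            raise ValueError(f"unknown claim {claim}")
        value = str(value)
        if claim == "stellar_privilege":
            value = normalize_privilege(value)
        elif claim.startswith("stellar_tenant") and not value.isdigit():
            raise ValueError(f"{claim} must be a numeric ID, not a name")
        attrs[CLAIM_TO_EXTENSION[claim]] = value
    return {"onPremisesExtensionAttributes": attrs}


def verify_extension_values(get_response: dict, patch_body: dict) -> list:
    """Compare a GET ...?$select=onPremisesExtensionAttributes response with the
    values that were meant to be set; returns (attribute, expected, actual)
    for every mismatch, including differences in case only."""
    actual = get_response.get("onPremisesExtensionAttributes") or {}
    expected = patch_body["onPremisesExtensionAttributes"]
    return [(k, v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v]


def graph_request(method: str, upn: str, token: str, body=None, select=None):
    """Send the PATCH (set) or GET (verify) request. `token` is an assumed
    bearer token with User.ReadWrite.All; not called by the offline demo."""
    url = GRAPH_USER.format(upn=upn) + (f"?$select={select}" if select else "")
    req = urllib.request.Request(
        url, method=method, data=json.dumps(body).encode() if body else None,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp) if resp.status != 204 else {}


if __name__ == "__main__":
    body = build_patch_body({"stellar_scope": "root",
                             "stellar_privilege": "STML-Security Admin",
                             "stellar_tenant": "59125044"})
    print(json.dumps(body, indent=2))
    # Constructed GET response, shaped like what Graph Explorer returns.
    sample = {"onPremisesExtensionAttributes": {
        "extensionAttribute1": "root", "extensionAttribute2": "STML_Security_Admin",
        "extensionAttribute3": "59125044"}}
    print("mismatches:", verify_extension_values(sample, body))  # []
```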

Configure Multi-Factor Authentication Support (Optional)

Microsoft Entra ID and Stellar Cyber support multi-factor authentication (MFA). If you intend to set up Stellar Cyber access with two-factor authentication (2FA; a subset of MFA), you must enable a Conditional Policy in Microsoft Entra ID that supports this type of authentication and assign it to users and groups.

Configuration of MFA in Microsoft Entra ID is independent of whether you enable 2FA in Stellar Cyber. It is possible for you to require users to authenticate with MFA in Microsoft Entra ID and again with 2FA in Stellar Cyber.

  1. In Microsoft Entra Admin Center, select Protection | Security Center | Conditional Access.

    If you don’t see Security Center in the Protection section of the menu, select Show more.

  2. Select + Create new policy and enter a name for the policy, such as Require MFA for Stellar Cyber.

  3. Under Assignments, select the Specific users included link for Users or workload identities and then select Specific users included.

  4. Select the Users and groups that you specified to be members of the Stellar Cyber Microsoft Entra ID application created above, and then click or tap Select.

  5. Under Assignments, select the No cloud apps, actions, or authentication contexts selected link for Cloud apps or actions.

  6. Select Include | Select apps, and then select the None link to open the Select Cloud apps panel.

  7. When the selection pane opens, locate the Stellar Cyber Microsoft Entra ID application you created above and then click or tap Select.

  8. In the Grant section, select 0 controls selected.

  9. In the side panel that opens, select Grant access, select Require multi-factor authentication, and then click or tap Select.

  10. At the bottom of the page, change the Enable policy toggle from Report-only to On.

  11. Select Create.

    The policy is created and the Conditional Access Policy page is redisplayed to include the new policy.

Collect Microsoft Entra ID Access Details

At this stage, you should have collected all your user information and have set up the Microsoft Entra ID application for Stellar Cyber SSO access. Your certificate and access details are now ready to copy/download. Use this procedure to ensure you have all the noted information before you proceed to the next section.

If you are configuring Authorization, you must perform that procedure (see previous section) prior to downloading the certificate in this section.

  1. If you have navigated away from the application page, select Home on the portal and navigate back to Identity | Applications | Enterprise applications.

  2. Locate and display the application you created above.

  3. Select Single sign-on from the left side navigation or select Get started for 2. Set up single sign-on.

  4. On the Set up Single Sign-On with SAML page, download or copy (as appropriate) the items below for use when you set up SSO in Stellar Cyber:

    • Step 1: Basic SAML Configuration

      Identifier (Entity ID) – The Stellar Cyber URL. Microsoft Entra ID uses this to recognize and establish a trust relationship with Stellar Cyber as a service provider (SP).

    • Step 2: Attributes & Claims (Applicable only if you configured Authorization)

      user.extensionattributeX values for all the Stellar Cyber claim names you added

    • Step 3: SAML Certificates

      Certificate (base 64) – You upload this as the IdP certificate in Stellar Cyber.

    • Step 4: Set up Stellar Cyber SSO

      Login URL – This is used for the Entry Point URL field in Stellar Cyber, to link with Microsoft Entra ID.

In addition to the above details, you should have previously noted all of the User Principal Names (email addresses) for all users that will use Microsoft Entra ID SSO with Stellar Cyber.

Configure Authentication in Stellar Cyber

With all your details collected, you are now ready to configure SSO Authentication in Stellar Cyber. The steps below are generally applicable for use for global configuration or per-tenant configuration.

Prepare for Users

  • For Authentication Only SSO: All users must first be added manually in the data processor (DP). After that manual entry, the user can log in with SSO. Use the list of User Principal Names that you saved.

  • For Authentication & Authorization SSO: All users are configured through the IdP.

  • You enable SSO for all users except the root admin user. The root admin user must always use local authentication (https://Stellar Cyber DP address/login).

  • For Local access (bypass) when SSO is enabled: If Stellar Cyber loses connectivity with your IdP, users configured for SSO cannot log in. As a preventive bypass method, manually create a new user in the DP with root scope and with a valid email address that has "+admin" appended to a valid user name, as follows: <user>+admin@yourorganization.com (for example, joe+admin@yourorganization.com). The user you create must be able to receive a password reset email at <user>@yourorganization.com. This creates an email alias for that valid user that Stellar Cyber uses to permit bypass of SSO for local login. After you create this separate manual user account, that user can log in in either of two ways:

    • as an SSO user with <user>@yourorganization.com

    • or as a local user at https://Stellar Cyber DP address/login using <user>+admin@yourorganization.com

    If SSO is configured, it is recommended to keep an active administrative account in Stellar Cyber's user management.

Enable SSO

  1. Log in to Stellar Cyber.

  2. Click System | Administration | Settings.

  3. Scroll down to the Authentication Settings.

  4. Choose SSO (SAML) in the Authentication Method drop-down.

  5. Choose Metadata URL or Manual Config:

    • If you selected Manual Config:

      1. Enter the Issuer URL. This is your Stellar Cyber IP address or FQDN. You must include http:// or https:// in the Issuer URL field.

      2. Enter the Entry Point. This is the URL you noted during your IDP setup steps. For example:

        In Microsoft Entra ID (formerly Azure AD), it's the Identifier (Entity ID)

        In OKTA, it's the Identity Provider Single Sign-On URL

      3. Upload the IDP Certificate you obtained during your IDP setup steps.

    • If you selected Metadata URL enter the Metadata URL from your IDP provider.

  6. Select Allow Clock Skew to allow for system time differences between Stellar Cyber and your IdP. Authentication messages have an expiration. If the system times on Stellar Cyber and your IdP are not synchronized, the messages might expire before they even get to Stellar Cyber. The result is that users cannot log in, because they cannot authenticate.

  7. Choose your IdP setting: Authentication Only or Authentication and Authorization. (Global configurations only, not applicable to Tenant-specific configuration). Note the following:

    • A Global selection of Authentication and Authorization applies to all users (root, partner, and tenant), so the option to change the authentication method for a specific tenant is not applicable when the Global method is set to Authentication and Authorization. You cannot log in to Tenant SSO when Global SSO is set to Authentication and Authorization. If you want to use SSO but also allow local users and tenant override, you must set the Global authentication method either to Local or to use the IdP with Authentication Only.

    • Although you can customize SSO configuration on a per-tenant basis, the Authorization capability is only supported at the global level. Overrides you make at the tenant level are for Authentication only, so the toggle for Authentication and Authorization is not offered in the Tenant editor.

    • The root tenant must be configured to use either Default (same method as the Global authentication), or Local. It is not supported for configuration with an independent SSO.

    • The authentication method for partners is the same as that for root users. Any authentication overrides for tenant-level users in a tenant group have no effect on the authentication method for the partners who manage the group.

    • Choose Authentication Only for Stellar Cyber to authenticate users from your IdP, but manage scope and privilege locally. If you choose this, you must create the user in Stellar Cyber before adding them to your IdP.

    • Choose Authentication and Authorization for Stellar Cyber to authenticate users from your IdP, along with their scope and level of privilege. You must configure authorization on your IdP before enabling this, otherwise users cannot log in. If you choose this, you do not need to create the user in Stellar Cyber. Stellar Cyber creates the user and assigns scope and privilege based on the information passed from the IdP.

      When Global Settings is configured for BOTH Authentication & Authorization, the option to Create new users manually is hidden because new users MUST come from the IdP source.

  8. Set Two-Factor Authentication to the option that matches your IdP configuration:

    • Off: If you choose this option, Stellar Cyber user accounts are not offered a 2FA option.

    • Mandatory: If you choose this option, all users for every tenant are required to use 2FA when logging in to Stellar Cyber.

    • Optional: If you choose this option:

      • The 2FA option can be customized for individual tenants under System | Administration | Tenants.

      • Individual users can choose to enable 2FA under their User Profile, accessed from the top menu of the Stellar Cyber UI.

      • You can enforce 2FA for specific users under System | Administration | Users when adding or editing a user.

      • The overall Global Settings for 2FA affect tenant-specific authentication. For example, if 2FA is Mandatory, all users must use 2FA.

      • Enabling 2FA here is independent of what you have configured on your SSO service. Enabling it here causes a separate 2FA prompt to be displayed upon logging in to Stellar Cyber.

      • The 2FA page from Stellar Cyber refers to use of Google Authenticator, but other authenticator applications also work.

  9. Review your settings, then click Submit.