Use this procedure to enable the SAML integration with Microsoft Azure Active Directory (Azure AD) for user authentication.

Prerequisites

Important: Open the Carbon Black Cloud console in two separate browsers in case you are unable to log in using SAML. If you are unable to log in, return to the second browser and deactivate SAML. Verify the settings or contact Carbon Black technical support.
For more information about SAML and Azure AD, see the official Microsoft documentation.

Procedure

  1. In each of the two Carbon Black Cloud browsers, on the left navigation pane, click Settings > Users.
  2. In each of the two Carbon Black Cloud browsers, for SAML configuration, select Enabled.
    The SAML configuration window displays.
    Note: Take note of the following fields:
    • Audience
    • Recipient
    • ACS (Consumer) URL Validator
    • ACS (Consumer) URL
  3. Leave the SAML configuration window open in both browsers, with the three fields blank:
    • Single sign-on URL (HTTP-redirect binding)
    • Email attribute name
    • X509 attribute name
  4. Conduct the remaining steps in one of the open browser windows.

Configure Azure AD

Use this procedure to configure Azure AD to integrate with Carbon Black Cloud console for SAML single sign-on.

Procedure

  1. In a new tab, go to portal.azure.com and open Azure AD.
  2. Click Enterprise applications > New application > Create your own application.
  3. In the pane that displays:
    1. Provide a name to identify the application.
    2. Select the option for a Non-gallery application.
    3. Create the application.
  4. On the resulting page, select Single sign-on.
  5. Select SAML as the single sign-on method. In the new window that opens, enter the SAML configuration details.
    1. Click Edit on the Basic SAML Configuration section.
    2. Copy the Audience URL from the Carbon Black Cloud Console SAML configuration window.
    3. Enter the Audience URL into the mandatory Identifier and Reply URL fields.
    4. In the Attributes and Claims section, verify that there is a default claim row with the claim value user.mail.
    5. Click Edit to open the Attributes and Claims screen. Copy the claim name and save this for later.
      Note: If no claim with a claim value of user.mail exists, create a claim by selecting Edit > Add new claim, with a claim name of your choice and a claim value of user.mail. Save the claim name for later.
    6. Return to the Set up Carbon Black Cloud page for the SAML configuration. Copy and save the Login URL.
    7. Download the SAML Certificate in Base64 format.

What to do next

Enter the Values Collected from the Azure AD Console.

Enter the Values Collected from the Azure AD Console

Use this procedure to transfer the SAML configuration data from the Azure AD console to the Carbon Black Cloud console SAML configuration window.

Prerequisites

Configure Azure AD.

Procedure

  1. In the Carbon Black Cloud console SAML configuration window, copy the Login URL into the Single sign-on URL (HTTP-redirect binding) field.
  2. Copy the claim name corresponding to the claim value of user.mail into the Email attribute name field.
  3. From the downloaded certificate file, copy the SAML certificate to the X509 certificate field.
    Note: Carbon Black Cloud automatically removes the begin-cert header and the end-cert footer.
  4. On the Carbon Black Cloud SAML configuration window, click Save. Open a new browser tab or window and verify that SAML Authentication functions correctly.
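
If the verification in step 4 fails, a captured Base64 SAMLResponse can be compared against the values entered above. The following is an added example, not part of the Carbon Black or Microsoft documentation; the function names, the sample URL, the placeholder certificate and the claim name (Azure AD's usual default name for user.mail, assumed here) are illustrative, so substitute the values you saved.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_body(text):
    """Drop the BEGIN/END lines and all whitespace, leaving only the Base64 body."""
    return "".join(l.strip() for l in text.splitlines() if "-----" not in l)

def check_response(b64_response, audience, recipient, email_attr, idp_cert_pem):
    """List mismatches between a captured SAMLResponse and the configured values.
    Diagnostic only: this does not verify the XML signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    aud = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != audience:
        problems.append(f"Audience is {aud!r}, expected {audience!r}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    rcp = scd.get("Recipient") if scd is not None else None
    if rcp != recipient:
        problems.append(f"Recipient is {rcp!r}, expected {recipient!r}")
    names = [a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)]
    if email_attr not in names:
        problems.append(f"email attribute {email_attr!r} not among {names}")
    cert = root.findtext(".//ds:X509Certificate", namespaces=NS)
    if cert is None or pem_body(cert) != pem_body(idp_cert_pem):
        problems.append("signing certificate differs from the downloaded file")
    return problems

# --- Constructed sample data (placeholders, not from a real tenant) ---
CBC_URL = "https://cbc.example.invalid/saml/placeholder"  # stands in for the Audience URL
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"  # assumed default
CERT_PEM = "-----BEGIN CERTIFICATE-----\nTk9UQVJFQUxDRVJU\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"

def sample_response(audience, recipient, attr, cert_b64):
    """Build a minimal, unsigned, Base64-encoded response for the demo."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"><saml:Assertion>
<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{recipient}"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="{attr}"><saml:AttributeValue>user@example.invalid</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    good = sample_response(CBC_URL, CBC_URL, EMAIL_ATTR, pem_body(CERT_PEM))
    print(check_response(good, CBC_URL, CBC_URL, EMAIL_ATTR, CERT_PEM))  # → []
    bad = sample_response(CBC_URL, CBC_URL, "mail", pem_body(CERT_PEM))
    print(check_response(bad, CBC_URL, CBC_URL, EMAIL_ATTR, CERT_PEM))
```

Because the Audience URL is entered as both Identifier and Reply URL in Azure AD, the same value is passed for the audience and the recipient here.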

What to do next

Add New Users in Azure AD.

Add New Users in Azure AD

Use this procedure to add new users in Azure AD.

Prerequisites

Enter the Values Collected from the Azure AD Console.

Procedure

  1. Go to Enterprise Applications in Azure AD.
  2. Select the non-gallery application you created to configure SAML in Configure Azure AD.
  3. Click Users and groups under the Manage header.
  4. Click Add user/group. On the resulting page, under the Users header, select which Azure AD users you want to have access to this application. By default, None Selected is displayed.
    Note: To access Carbon Black Cloud, each user in Azure AD must provide an email address. When creating users in Azure AD, verify that the email address field has been filled in and saved.
  5. In Carbon Black Cloud, go to Settings > Users. Enter the email address for the user exactly as it is specified in Azure AD.
    Note: If a password window displays, you can ignore it.

Results

Users can log in to Carbon Black Cloud with the role you specified, using their Azure AD credentials. Users must select the Sign in via SSO option when logging in to Carbon Black Cloud.