
How to Configure Single Sign On Through Azure Active Directory with VMware Carbon Black Cloud

Summary: This article walks through the configuration steps that are required to enable single sign-on (SSO) to the VMware Carbon Black Cloud through Security Assertion Markup Language (SAML) integration with Azure Active Directory (AAD). ...


Instructions

Affected Products:

  • VMware Carbon Black Cloud

SSO can be enabled within the Carbon Black Cloud console to allow administrators to sign on through existing Azure AD configurations.

VMware Carbon Black Cloud leverages a service provider (SP) initiated login for SSO. Before starting SSO configuration, ensure that you have access to Azure as an Application Administrator, and VMware Carbon Black Cloud as a System Administrator or an administrator with permissions to modify the SAML configuration.

  1. In a web browser, go to the appropriate login page for your region and log in with your administrator account.
    Note: The regional login pages are as follows.
  2. Expand Settings.
  3. Select Users.
  4. Select Enabled under SAML Config to collect the information needed for SSO from your Carbon Black Environment.
  5. Copy the green highlighted pieces of information as they are required during the Azure configuration.
    • The orange highlighted pieces of information are required from Azure and are collected in the Azure section below.
      Note:
      • This information varies depending on the Carbon Black instance to which an environment is registered.
      • No changes are made to the environment until the Single sign-on URL (HTTP-redirect binding) and the X509 certificate are populated and saved.

Azure Configuration

  1. Log in to your Azure portal at https://portal.azure.com using an account that has Application Administrator or higher privileges.
  2. Go to Enterprise applications by searching within the top bar.
  3. On the Enterprise Applications screen click All applications from the left Manage menu, then click the New Application option.
  4. Select the Create your own application option.
  5. In the Create your own application pane provide a name for the application, select the Integrate any other application that you don't find in the gallery (Non-gallery) radio button, then click Create.
    Note: This may take several moments to create.
  6. From the application you created, select Single sign-on from the left Manage menu.
  7. Within the Select a single sign-on method pane, choose SAML as the single sign-on method.
  8. Click the Edit icon in the upper right of the Basic SAML Configuration section.
  9. Paste the Audience URL from the VMware Carbon Black Cloud console into the Identifier (Entity ID) field and set it as default.
  10. Paste the ACS (Consumer) URL from the VMware Carbon Black Cloud console into the Reply URL (Assertion Consumer Service URL) field and set it as default.
  11. Click the Save icon in the upper left of the Basic SAML Configuration pane.
  12. Click the Edit icon in the upper right of the User Attributes & Claims section.
  13. Click the three dots for the Additional Claims of user.surname, user.userprincipalname, user.givenname and delete those options. This leaves user.mail as the only claim in the Additional Claims section.
  14. Click Unique User Identifier in the Required Claim section to modify the claim.
  15. Modify the Source Attribute from user.userprincipalname to user.mail.
  16. Expand Choose name identifier format.
  17. Modify the Name identifier format to Default.
  18. Click the Save icon in the upper left.
  19. Select the Claim name under the Additional Claims heading.
  20. Modify the Name to mail.
    Note:
    • Not setting the Name results in INVALID_ASSERTION failures.
    • Ensure that the Namespace is cleared. Any entries in this field result in INVALID_ASSERTION failures.
  21. Save the changes, then close the User Attributes & Claims pane.
  22. In the SAML Signing Certificate section, click Download next to the Certificate (Base64) option and save the certificate file. This is used when configuring the Carbon Black Cloud console.
  23. Copy the Login URL from the Set up <Application Name> section. This is used when configuring the Carbon Black Cloud console.
  24. Users must be added to the application to allow them to log in. Select Users and groups from the left Manage menu.
  25. Select the Add user/group option.
  26. Click None Selected to add a user.
  27. Assign the appropriate users and groups then click Select.
    Note: Any users who are assigned must be added to and have an appropriate role set in the VMware Carbon Black Cloud console manually. For more information about roles, reference How to Add VMware Carbon Black Cloud Administrators.

  28. Once the users have been added, click Assign at the bottom left.
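
The claim settings in steps 13 through 20 can be checked against a decoded assertion before troubleshooting INVALID_ASSERTION failures. The following is an added example, not code from Dell, VMware, or Microsoft; the audience URL, the sample assertion, and the function names are constructed for illustration, and the check assumes that you have already captured and decoded an assertion (for example with a browser SAML tracing extension).

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Assumed placeholder for the Audience URL copied from the console.
AUDIENCE = "https://sp.example.invalid/audience"


def check_assertion(xml_text, expected_audience):
    """List configuration problems in one decoded assertion.

    Shape check only: the XML signature is NOT verified here.
    """
    root = ET.fromstring(xml_text)
    problems = []
    name_id = (root.findtext(f".//{SAML}NameID") or "").strip()
    if "@" not in name_id:
        problems.append("NameID is not an email address; source attribute should be user.mail")
    audiences = [(a.text or "").strip() for a in root.iter(f"{SAML}Audience")]
    if expected_audience not in audiences:
        problems.append("Audience does not match the Identifier (Entity ID) value")
    attrs = {a.get("Name", ""): (a.findtext(f"{SAML}AttributeValue") or "").strip()
             for a in root.iter(f"{SAML}Attribute")}
    if "mail" not in attrs:
        # A Name ending in /mail or /emailaddress means a Namespace is still set.
        qualified = [n for n in attrs if n.endswith(("/mail", "/emailaddress"))]
        hint = f"; found {qualified[0]!r}, so clear the Namespace and set Name to mail" if qualified else ""
        problems.append("no attribute named exactly 'mail'" + hint)
    elif attrs["mail"].lower() != name_id.lower():
        problems.append("mail attribute and NameID differ; both should come from user.mail")
    return problems


def sample(attr_name, audience=AUDIENCE):
    """Constructed assertion for the demo; not captured from a real tenant."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
</saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="{attr_name}">
<saml:AttributeValue>admin@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""


if __name__ == "__main__":
    # Claims namespace used for the demo (assumption: the value left in the Namespace field).
    claims_ns = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
    for name in ("mail", f"{claims_ns}/mail", f"{claims_ns}/emailaddress"):
        print(name, "->", check_assertion(sample(name), AUDIENCE) or "OK")
```

An empty result means the NameID, audience, and mail attribute have the shape the steps above produce; it says nothing about whether the assertion is correctly signed.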

Have the SAML Signing Certificate and the Login URL available from the steps within the Azure Configuration section.

  1. In a web browser, go to the appropriate login page for your region and log in with your administrator account.
    Note: The regional login pages are as follows.
  2. Expand Settings.
  3. Select Users.
  4. Select Enabled under SAML Config to update the SAML configuration for SSO.
  5. Paste the Login URL from the Azure Configuration section into the Single sign-on URL (HTTP-redirect binding) field.
  6. Right-click the SAML Signing Certificate that you previously downloaded from Azure and select Open with….
  7. Choose Notepad, or your preferred text editor, from the list to open the .cer file.
  8. Copy the content of the Certificate file and paste it in the X509 certificate field.
    Note: This field automatically removes line returns and the header and footer text.
  9. Click Save. A message appears at the top of the screen confirming that the SAML configuration was updated.
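
Because the pasted certificate is what the console trusts for SSO sign-ins, it is worth confirming that the text copied in steps 6 through 8 is byte-for-byte the certificate Azure issued. The following is an added example, not code from Dell, VMware, or Microsoft; it assumes that the Thumbprint value Azure displays for the signing certificate is the uppercase SHA-1 of the DER bytes, and the sample data is constructed placeholder bytes, not a real certificate.

```python
import base64
import hashlib


def pem_body(text):
    """Bare Base64 body of a Certificate (Base64) file: no BEGIN/END lines, no line breaks."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def thumbprint(text):
    """Uppercase SHA-1 hex digest of the decoded (DER) certificate bytes."""
    der = base64.b64decode(pem_body(text), validate=True)  # raises on stray characters
    if der[:1] != b"\x30":
        raise ValueError("decoded data is not a DER SEQUENCE; wrong file or export format")
    return hashlib.sha1(der).hexdigest().upper()


def same_certificate(downloaded_text, pasted_text):
    """True when both texts decode to the same certificate bytes."""
    return thumbprint(downloaded_text) == thumbprint(pasted_text)


# Constructed placeholder shaped like DER (0x30 SEQUENCE header); NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(266)


def as_cer(der, newline="\n", bom=False):
    """Build .cer text for the demo, optionally with CRLF line endings and a BOM."""
    body = base64.encodebytes(der).decode().strip().replace("\n", newline)
    text = f"-----BEGIN CERTIFICATE-----{newline}{body}{newline}-----END CERTIFICATE-----{newline}"
    return ("\ufeff" if bom else "") + text


if __name__ == "__main__":
    original = as_cer(SAMPLE_DER)
    resaved = as_cer(SAMPLE_DER, newline="\r\n", bom=True)  # as a text editor might save it
    print("thumbprint:", thumbprint(original))
    print("same after re-save:", same_certificate(original, resaved))
```

Compare the printed thumbprint with the one shown in the SAML Signing Certificate section in Azure before saving the configuration.
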
  1. In a web browser, go to the appropriate login page for your region and select the Sign in via SSO option.
    Note: The regional login pages are as follows.

  2. Enter the email address of a user that was assigned to the Azure application then select Sign In.
  3. Sign into Azure then accept the End User Agreement to proceed into the Carbon Black Cloud console (if this has not already been accepted for this user account).
    The VMware Carbon Black Cloud loads as expected.

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

VMware Carbon Black
Article Properties
Article Number: 000193536
Article Type: How To
Last Modified: 04 Nov 2024
Version:  6