Azure Active Directory SAML Setup

Create a new SAML configuration in Kasm

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Authentication -> SAML -> Add Configuration

  3. The SAML 2.0 Configuration page will auto-generate the Entity ID, Single Sign On Service, Single Logout Server, and Relay State values.

  4. Check Enable and enter a Display Name, e.g. Azure AD.

  5. Enter http://schemas.microsoft.com/ws/2008/06/identity/claims/groups in Group Member Attribute.

  6. Enter emailAddress in NameID Attribute.

Figure: Kasm SAML Configurations (../../_images/kasm_saml_configurations1.webp)

  7. Leave this page open and continue to the next steps.

Add a new application in Azure

  1. Navigate to Azure Active Directory in the Portal.

Figure: Azure Portal (../../_images/portal.png)

  2. Under the Manage section of the menu, select Enterprise applications.

Figure: Enterprise Applications (../../_images/enterprise_apps.png)

  3. Click the New Application button and select Non-Gallery application. Provide a name, e.g. Kasm, and click Add.

Figure: New Applications (../../_images/create_application1.png)

Basic SAML Configurations

  1. Select Single Sign-On under the Manage Menu.

  2. Select SAML.

  3. Select Edit next to the Basic SAML Configuration.

Figure: SAML Single Sign-On (../../_images/single_sign_on.png)

  4. Copy the Service Provider entries from the Kasm SAML Configuration started in the previous section into the Basic SAML Configuration, click Save, and close the section.

Kasm Property Name        Azure Property Name
------------------------  ------------------------------------------
Entity ID                 Identifier (Entity ID)
Single Sign On Service    Reply URL (Assertion Consumer Service URL)
Single Logout Service     Logout URL
Relay State               Relay State

Figure: Basic SAML Configurations (../../_images/basic_saml_configurations.png)

User Attributes and Claims

  1. Select Single Sign-On under the Manage Menu.

  2. Select SAML.

  3. Select Edit next to User Attributes and Claims.

  4. Click Add a Group Claim.

Figure: Add a Group Claim (../../_images/add_group_to_claims.png)

  5. Select Security Groups, leave the Source Attribute as Group ID, click Save, then close the section.

Figure: Group Claims (../../_images/group_claims1.png)

SAML Signing Certificate

  1. Select Single Sign-On under the Manage Menu.

  2. Select SAML.

  3. Click Download next to Certificate (Base64) in the SAML Signing Certificate section. Save this file for later.

  4. Select Edit next to the SAML Signing Certificate.

  5. Change the Signing Algorithm to SHA-1 and click Save. Close the section.

Figure: Signing Certificate (../../_images/saml_singing_certificate.png)

  6. Open the Base64 certificate that was downloaded in the earlier step in a text editor. Copy its contents into the X509 Certificate setting in the Identity Provider section of the Kasm configuration.

Figure: X509 Certificate (../../_images/x509_certificate.webp)

Set Up Kasm

  1. Select Single Sign-On under the Manage Menu.

  2. Select SAML.

  3. Review Section 4, Set Up Kasm. Copy the properties into the Identity Provider options in the Kasm configuration.

Kasm Property Name                          Azure Property Name
------------------------------------------  ---------------------
Single Sign On Service / SAML 2.0 Endpoint  Login URL
Entity ID                                   Azure AD Identifier
Single Logout Service / SLO Endpoint        Logout URL

Figure: Identity Provider (../../_images/identity_provider.webp)

  4. In the Advanced Settings, check Want Assertion Signed and click Submit.

Mapping Users

You must assign users or groups to the Kasm application in Azure. This grants those users access to log in. Azure then passes all of the user's group memberships during login so that Kasm can determine authorization (e.g. mapping AD groups to Kasm groups).

In this example, Kasm Users and Kasm Admin groups were defined.

  1. Navigate to Azure Active Directory in the Portal.

  2. Under the Manage section of the menu, select Enterprise applications.

  3. Search for Kasm and select it.

  4. Click Users and Groups under the Manage menu.

  5. Click Add Users and add the desired users and group assignments.

  6. Inspect the desired groups and note the Object ID. This will be used to map to Kasm groups.

Figure: Group Assignments (../../_images/group_assignments.png)

  7. Log into the Kasm UI as an administrator.

  8. Select Access Management -> Groups, then using the arrow menu click Edit next to the Administrators group.

  9. Navigate to the SSO Group Mappings tab and select Add SSO Mapping.

  10. Select "SAML - Azure AD" as the SSO Provider and enter the Object ID of the desired Azure AD security group configured previously into the Group Attributes field.

Figure: Add SSO Mapping (../../_images/update_group.webp)
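As an added example (not part of the Kasm documentation and not Kasm's own code), the following Python script shows what the settings above amount to on the service-provider side: it reads the NameID and the Azure AD groups claim (the Group Member Attribute entered earlier) from a constructed SAML assertion, then resolves the group Object IDs against an SSO mapping table keyed on Object ID, exactly as the SSO Group Mappings tab does. The Object IDs, the SSO_MAPPINGS dictionary and the function names are assumptions for illustration; the Kasm group names "Administrators" and "Kasm Users" come from this page.

```python
# Added example, not Kasm's or Microsoft's code: how a SAML service provider
# turns an Azure AD assertion into a local authorization decision using the
# settings on this page (NameID Attribute = emailAddress, Group Member
# Attribute = the Azure groups claim) and an SSO group mapping keyed on the
# Azure AD group Object ID.
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim name entered as Group Member Attribute in the Kasm SAML configuration.
GROUP_MEMBER_ATTRIBUTE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Hypothetical SSO group mapping: Azure AD group Object ID -> Kasm group.
# The Object IDs are constructed placeholders, not values from a real tenant.
SSO_MAPPINGS = {
    "00000000-0000-0000-0000-00000000aaaa": "Administrators",
    "00000000-0000-0000-0000-00000000cccc": "Kasm Users",
}

# Constructed sample assertion in the shape Azure AD emits after the
# "Add a group claim" step: one AttributeValue per security group Object ID.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>00000000-0000-0000-0000-00000000aaaa</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-0000-0000-00000000bbbb</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, group_object_ids) read from a SAML assertion.

    The caller must already have verified the assertion's XML signature
    against the IdP X509 certificate (the "Want Assertion Signed" setting);
    this function only reads the document, it does not authenticate it.
    """
    root = ET.fromstring(xml_text)
    name_id_el = root.find("saml:Subject/saml:NameID", NS)
    if name_id_el is None or not (name_id_el.text or "").strip():
        raise ValueError("assertion has no NameID")
    name_id = name_id_el.text.strip()

    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != GROUP_MEMBER_ATTRIBUTE:
            continue  # ignore claims other than the configured group attribute
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return name_id, groups


def resolve_kasm_groups(group_object_ids, mappings=SSO_MAPPINGS):
    """Map Azure AD group Object IDs to Kasm groups; unmapped IDs grant nothing."""
    return {mappings[gid] for gid in group_object_ids if gid in mappings}


def authorize(xml_text, mappings=SSO_MAPPINGS):
    """Full flow: identify the user by NameID, then derive Kasm group membership."""
    name_id, group_ids = parse_assertion(xml_text)
    return {"user": name_id, "kasm_groups": resolve_kasm_groups(group_ids, mappings)}


if __name__ == "__main__":
    print(authorize(SAMPLE_ASSERTION))
```

The second group in the sample assertion (ending in bbbb) has no entry in SSO_MAPPINGS, so the user ends up only in Administrators; a group that is assigned in Azure but never mapped in Kasm confers no Kasm permissions, which is why step 10 asks for the exact Object ID.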

Testing Access

  1. Log out of the Kasm UI if already logged in.

  2. Navigate to the Kasm UI login page.

Figure: Kasm Login (../../_images/kasm_login1.webp)

  3. Click Azure AD to initiate the SAML SSO process.

Figure: Azure Login (../../_images/azure_login.png)

Known Issues

SLO Error AADSTS75005

Azure AD may present the following error when a user logs out of the application:

AADSTS75005: The request is not a valid SAML 2.0 protocol message.

In some Azure AD deployments, Microsoft generates an SLO URL similar to https://login.microsoftonline.com/<id>/saml2. This endpoint requires an encoding that is not currently supported by Kasm. The workaround is to use the older federated sign-out endpoint https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 as the Single Logout Service / SLO Endpoint in the Kasm SAML configuration.