To enable logging in with Azure AD, follow the instructions below:
1. In your Azure account, go to: Enterprise applications → New application
2. Then click Create your own application
3. Type Calamari's name, select the setting ‘Integrate any other application you don't find in the gallery’ and click Create
4. When you get to the overview page of the Calamari app, click on Set up single sign on
Then select SAML as the SSO method.
5. In the Basic SAML Configuration section, click Edit
6. For the next step, you need to copy some information from your Calamari account.
Log in to Calamari as Admin and go to Configuration → SAML → Configure
You should see the Service Provider Information table:
Copy the Assertion Consumer Service (ACS) URL and paste it into the Reply URL (Assertion Consumer Service URL) field in Azure
Copy the Entity ID / Audience URI and paste it into the Identifier (Entity ID) field in Azure
7. In the next step, you need to assign the users or groups that will be able to use Azure to log into Calamari. Note that the email addresses of the users in Calamari need to match the Unique User Identifier in Azure.
Select Users and groups from the menu on the left
Click Add user/group and select the users or groups that will log in to Calamari via Azure AD. Once it’s done, click Assign.
8. To complete the integration setup, click on Single Sign-On again and scroll down to sections 3 and 4 (‘SAML Certificates’ and ‘Set up Calamari integration’). Here, you can find the details you need to enter in the Calamari configuration.
9. Go back to your Calamari App and go to Configuration → SAML → Configure and click the switch to enable the integration. You should see 3 empty fields that need to be filled in.
In the SAML SSO URL paste the Login URL value from Azure AD
In Issuer Entity ID paste the Azure AD Identifier value
For Public certificate, click the Download link next to Certificate (Base64). Open the downloaded file in a text editor. Copy all the text and paste it into Calamari in the Public Certificate field
10. We’re all set! Now, you may want to set up additional features:
you can turn on forcing the authentication - this feature requires users to re-enter their login credentials
you can customize the sign-in button label (custom button name that will be displayed on the Calamari login page)
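
A check for the certificate text copied in step 9, added here as an example (it is not part of Calamari's or Azure's own tooling): it confirms that the pasted text is one complete CERTIFICATE block with no private key and no truncation, and returns fingerprints to compare with the value shown in Azure's SAML Certificates section. The function name, the constructed sample, and the assumption that Azure's Thumbprint is the uppercase hex SHA-1 of the DER bytes are assumptions of this example.

```python
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Constructed sample: a tiny DER SEQUENCE standing in for a real certificate.
SAMPLE_DER = bytes([0x30, 0x10]) + b"constructed-data"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def check_pasted_certificate(pem_text):
    """Validate pasted PEM text; return its fingerprints or raise ValueError."""
    if "PRIVATE KEY" in pem_text:
        raise ValueError("private key material found; paste only the public certificate")
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1 or blocks[0][0] != "CERTIFICATE":
        raise ValueError("expected exactly one complete CERTIFICATE block")
    try:
        der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid Base64") from exc
    # A DER certificate is one ASN.1 SEQUENCE (tag 0x30) whose declared
    # length must cover the remaining bytes exactly; a partial copy will not.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    return {
        # Assumption: the IdP's "Thumbprint" is uppercase hex SHA-1 of the DER bytes.
        "sha1_thumbprint": hashlib.sha1(der).hexdigest().upper(),
        "sha256_fingerprint": hashlib.sha256(der).hexdigest().upper(),
    }


if __name__ == "__main__":
    print(check_pasted_certificate(SAMPLE_PEM))
```

This only checks the outer structure and computes digests; it does not validate the certificate's signature or expiry date.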