Identity Provider: Microsoft Entra ID (formerly Azure Active Directory (AAD))
AAD user permission: one of the following roles in Azure:
- Global Administrator
- Cloud Application Administrator
- Application Administrator
Prerequisites
1. Appropriate roles/permissions in Microsoft Entra ID to create applications and assign users to those applications.
2. Create an EDB Account if you don't have one, and log in to the EDB Postgres AI Console (switch to the correct organization if needed).
3. Verify a domain. This may require engaging the customer's IT team to add a TXT record. For detailed steps, refer to the doc: Add a domain.
Steps
0. Log in to the EDB Postgres AI Console with your EDB Account, then click Profile (upper right corner) and go to 'Settings' -> 'Identity Provider'
1. Log into the Azure Active Directory Admin Center, go to Enterprise Applications > New application
2. Create your own application, enter a name for your application, then select Integrate any other application you don’t find in the gallery (Non-gallery)
3. After the application is created, select Single sign-on from the left panel, then select SAML
4. Edit Basic SAML Configuration: copy the Audience URI from the Connection Info section of the BigAnimal 'Identity Provider' page into Identifier (Entity ID), and copy the Assertion Consumer Service URL into Reply URL
5. In Attributes & Claims, configure the attributes as below
6. Download the Certificate in Base64 format from the SAML Certificates section
7. Copy the Login URL from section 4, Set up <Your application name>
8. Click Properties in the left pane and select if Assignment is Required or not
9. Log in to the EDB Postgres AI Console, go to 'Settings' -> 'Identity Provider', and scroll down to 3 SAML Settings
- Single Sign-On URL -> the Login URL copied in step 7
- Identity Provider Signature Certificate -> the certificate downloaded in step 6
- Request Binding -> HTTP-POST
- Response Signature Algorithm -> sha256 or rsa-sha1
10. Click 'Test Connection' and log in with your Azure account.
11. If Test Connection is successful, you can click 'Sign into EDB Postgres AI'.
12. After the domain is verified (Add a domain), enter your email address in the box shown in the screenshot below. (Azure Marketplace users: don't click Sign in)
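The values copied in steps 4 and 9 are exactly what the SAML assertion from Entra ID must carry. The following added example (not part of this guide or of EDB's or Microsoft's code) decodes a base64 SAMLResponse as delivered by the HTTP-POST binding and checks that its Audience and Recipient match the Audience URI and Assertion Consumer Service URL, that it has not expired, and that it is signed with rsa-sha256 rather than the weaker rsa-sha1. The example.invalid URLs and the sample response are constructed placeholders; it does not verify the signature cryptographically.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def check_saml_response(b64_response, expected_audience, expected_acs, now=None):
    """Decode a base64 SAMLResponse (HTTP-POST binding) and return boolean
    findings: does the assertion name our Audience URI and ACS URL, is it
    still valid, and is it signed with rsa-sha256 rather than rsa-sha1?"""
    root = ET.fromstring(base64.b64decode(b64_response))
    now = now or datetime.now(timezone.utc)
    assertion = root.find("saml:Assertion", NS)
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    conf = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    # Entra ID emits UTC timestamps with a trailing Z; fromisoformat wants +00:00
    expiry = datetime.fromisoformat(conf.get("NotOnOrAfter").replace("Z", "+00:00"))
    sig = root.find(".//ds:SignatureMethod", NS)
    return {
        "audience_ok": audience == expected_audience,
        "recipient_ok": conf.get("Recipient") == expected_acs,
        "not_expired": now < expiry,
        "signed": sig is not None,
        "rsa_sha256": sig is not None and sig.get("Algorithm") == RSA_SHA256,
    }


# Constructed sample response; the two example.invalid URLs stand in for the
# Audience URI and Assertion Consumer Service URL shown in Connection Info.
AUDIENCE = "https://example.invalid/saml/audience"
ACS_URL = "https://example.invalid/saml/acs"
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2030-01-01T00:00:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

Running check_saml_response(SAMPLE_B64, AUDIENCE, ACS_URL) returns all findings True; a mismatch in either URL copied in step 4 shows up as audience_ok or recipient_ok being False.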
Possible error 1
If you get the block error AADSTS50105 shown below, it is caused by Assignment Required being set to Yes in step 8 while you/the users are not assigned to the application.
To resolve the error, go to Users and Groups in the left pane and click Add user/group.
Add the specific users or groups, click 'Assign', and then run 'Test Connection' from step 10 again.
Possible error 2
If you get the error AADSTS50020, such as "the user does not exist in tenant", it is caused by the browser cache: a different user was already logged in to the Azure portal.
To resolve this, open a Private window or clear your browser cache, then try 'Test Connection' from step 10 again.