Skip to main content
Version: QB11

Single Sign-On with Azure AD (SAML)

Purpose

This tutorial demonstrates how to set up QuickBuild to authenticate via Azure AD using SAML protocol

Assumptions

  1. QuickBuild is accessed via https://build.example.com

Steps

  1. Create an application in Azure AD:

  2. Assign users/groups to created application

  3. Open SAML SSO setup page:

  4. Edit basic SAML configuration, change Identifier as https://build.example.com/saml_, and _Reply URL as _https://build.example.com/sso-login_, and then save the setting:

  5. Edit user attributes and claims to add group claim:

  6. Download and save the Idp meta data:

  7. Login to QuickBuild, navigate to page Administration/Security Setting and select SSO via SAML2 as SSO Provider . Paste content of downloaded metadata from above step into field IdP Metadata

  8. Run below commands to generate SP private key and self-signed SP certificate:

    openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout sp-key.pem -out sp-cert.crt
    openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in sp-key.pem -out sp-key-pkcs8.pem

    Copy content of file sp-key-pkcs8.pem into field SP Private Key , and content of file sp-cert.crt into field SP Cert

  9. Continue to specify below fields in SAML setting:

  10. Specify a default group if necessary and save the setting

  11. Navigate to Group Management page and define groups with same name as we've defined in Azure AD, and assign appropriate permissions

  12. Navigate to page Administration/System Setting , and make sure property Url to Access QuickBuild is specified as _https://build.example.com_

  13. Now logout and visit _https://build.example.com_ (make sure to visit the url specified in system setting), the sign in page should display a SSO login button

  14. Click this button and you will be taken to Azure AD for authentication. If authenticated successfully, you will be logged into QuickBuild.

    warning

    You can still login to QuickBuild with normal user/password without clicking the SSO button