Configuring a SAML Provider with Azure Active Directory (AD)

This page provides details about SSO configuration on Checkmarx One when using Azure Active Directory.

Instructions

  1. Log in to Checkmarx One using your Tenant, Username and Password.

  2. Click on the Identity and Access Management icon.

  3. In the Identity and Access Management screen click on 6235525678.png icon

  4. Select SAML v2.0

  5. Copy the redirect URI

    Redirect_URI.png
  6. On the Azure webapp, set Identifier and Reply URL fields according to the copied Redirect URI.

    • Identifier = A portion of the Redirect URI (until the tenant name).

    • Reply URL = Redirect URI.

      Note

      To create a new Azure webapp go to Enterprise Applications → Create your own application → Integrate any other application you don't find in the gallery (Non-gallery).

  7. On Azure, copy the App Federation Metadata Url

  8. On Checkmarx One, use the copied link to import the metadata.

    Perform the following:

    1. Copy the URL into the Import from URL field.

    2. Click Import

    3. Click Save

  9. Check the Checkmarx One SAML configuration.

    This is how the SAML settings should look:

    SAML_Settings2.png
  10. On Azure, check that the claims are correctly configured.

  11. In Checkmarx One, create a mapper for the Username

    1. Click on Mappers tab.

    2. Click Create

    3. Fill in the information and click Save

      Username_Mapper2.png
  12. Create a FirstName Mapper.

    Firstname_Mapper.png
  13. Create a Surname Mapper.

    Surname_Mapper.png
  14. Create an Email Mapper.

    Email_Mapper.png
  15. Create a Role Mapper.

    Role_Mapper.png

Warning

For this example, the Role claim configured on Azure is a constant “ast-viewer”.

This will map all users to assume the ast-viewer role.

Azure can send other values on this claim.

You will need to add a mapper for each value to convert the Azure claim value into a Checkmarx One role.

Explore other Mapper Types for other ways to map roles.

Importing Groups

Checkmarx One can also import groups from Azure AD.

Create the GroupMapper.

On Azure, add a group claim.

Warning

This Azure configuration example will return the group IDs. Check the Azure AD documentation on how to provide a friendly name.

Related article: How To Work Around The Azure SAML Group Claim Limitations

If the integration uses the Entra ID group name for groups that are not created within Checkmarx One, users can use sAMAccountName as the source attribute instead of the Group ID and configure the Entra ID group name.

Troubleshooting

A good way to troubleshoot issues with the configuration is to only configure one mapper, for example a Given Name.

When the information is incomplete, the user will be prompted to enter the missing data.

SAML_Login.png

In the image above, we can see that Checkmarx One is able to retrieve the First Name correctly.

This form is only shown when the user logs in for the first time.
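
The following Python script is an added example, not part of the Checkmarx documentation. It lists the claims in a decoded SAML response from a test login and reports the three conditions this page warns about: a claim a mapper needs is missing, a Role value has no mapper, or a group arrives as an ID instead of a name. The claim names are Azure's default claim URIs and are an assumption; the sample response, the `AppSec.Reviewer` role value and the group ID are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Assumption: Azure's default claim URIs; use the names your mappers actually reference.
WS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
MS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/"
REQUIRED = [WS + "name", WS + "givenname", WS + "surname", WS + "emailaddress"]
ROLE, GROUPS = MS + "role", MS + "groups"

def parse_attributes(xml_text):
    """Return {claim name: [values]} for every saml:Attribute in the document.
    Inspection only: the assertion signature is not verified here."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_claims(attrs, mapped_roles):
    """List the problems that would leave a mapper without a usable value."""
    findings = []
    for name in REQUIRED:
        if not any(attrs.get(name, [])):
            findings.append("missing or empty claim: " + name)
    for role in attrs.get(ROLE, []):
        if role not in mapped_roles:
            findings.append("role value without a mapper: " + role)
    for group in attrs.get(GROUPS, []):
        if GUID.match(group):
            findings.append("group sent as object ID, not a name: " + group)
    return findings

# Constructed sample: the AttributeStatement of a decoded SAML response (test login).
SAMPLE = f"""<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
 <Attribute Name="{WS}name"><AttributeValue>alice@example.com</AttributeValue></Attribute>
 <Attribute Name="{WS}givenname"><AttributeValue>Alice</AttributeValue></Attribute>
 <Attribute Name="{WS}emailaddress"><AttributeValue>alice@example.com</AttributeValue></Attribute>
 <Attribute Name="{MS}role"><AttributeValue>ast-viewer</AttributeValue>
  <AttributeValue>AppSec.Reviewer</AttributeValue></Attribute>
 <Attribute Name="{MS}groups">
  <AttributeValue>11111111-2222-3333-4444-555555555555</AttributeValue></Attribute>
</AttributeStatement>"""

if __name__ == "__main__":
    # mapped_roles: the claim values for which a Role mapper exists in Checkmarx One.
    for finding in check_claims(parse_attributes(SAMPLE), mapped_roles={"ast-viewer"}):
        print(finding)
```

Pass in `mapped_roles` the set of claim values that already have a Role mapper; any other value Azure sends appears as a finding.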