SAML with Entra ID

Before you configure Entra ID SAML for yourself, ensure that you have the Identifier and Reply URL for your erwin Mart Portal instance. If you do not have these, reach out to your Quest Support representative.

To configure Entra ID SAML for erwin Mart Portal on-cloud authentication, follow these steps:

1. Log in to the Microsoft Entra admin center.

2. Click Enterprise apps.

   

3. Click New application and create your non-gallery application with an appropriate name.

4. Open your newly created application.

   

5. Click Set up single sign on.

   

6. Under single sign-on method, click SAML.

   

7. In the Basic SAML Configuration section, click Edit.

   The Basic SAML COnfiguration page opens.

   

8. Enter the Identifier and Reply URL that you received from Quest Support in the respective fields and click Save.

   For example, your Identity and Reply URL would follow the https://<fqdn>:<portnumber>.myerwin.com/MartPortal format.

   

9. In the Attributes & Claims section, click Edit.

   The Attributes & Claims page opens.

10. Click Add a group claim. In the Group Claims pane, click Groups assigned to the application and in the Source attribute list, select Group ID.

    

11. Click Save.

    This configures the group attribute name (user.groups [ApplicationGroup]). This is a necessary property.

    Apart from this, you can configure email (user.mail) and display name (user.givenname) values here. However, they are optional.

    

12. Go back to the Set up Single Sign-On with SAML page.

    Under Attributes & Claims, the user.groups claim is available now.

    

13. Copy the App Federation Metadata URL and save it for use later, in step 16.

14. Click Users and groups > Add user/group. Initially, under Users, it displays None Selected.

    

15. Click the None Selected link.

    Select the required users or groups and click Select. Then, click Assign.

    

    Your SAML SSO setup for the required users is complete.

16. Finally, share the following information with your Quest Support representative along with the detailed questionnaire that you receive at the beginning of the engagement:

    • App Federation Metadata URL (copied in step 14)

    • Group Attribute Name (Available under Attributes & Claims. For example, user.groups http://schemas.microsoft.com/ws/2008/06/identity/claims/groups)

      Group Attribute Name is case-sensitive.

    • Optional-User Email Attribute Name (Available under Attributes & Claims, For example, user.mail http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)

    • Optional-User Display Name Attribute Name (Available under Attributes & Claims, For example, user.givename http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname)

    Once the support team authenticates erwin Mart Portal for you, you can move to adding groups in erwin Mart Portal at https://<your_instance>.myerwin.com/MartPortal.

To configure Entra ID SAML for erwin Mart Portal authentication, follow these steps:

1. Log in to the Microsoft Entra admin center.

2. Click Enterprise apps.

   

3. Click New application and create your non-gallery application with an appropriate name.

4. Open your newly created application.

   

5. Click Set up single sign on.

   

6. Under single sign-on method, click SAML.

   

7. Click Upload metadata file.

   

8. Select the SP Metadata file (mart-sp-metadata.xml) that you downloaded (erwin Mart Portal Configuration > Authentication tab > Download SP Metadata) during erwin Mart Portal configuration.

   Then, click Add.

   Doing this retrieves the Identifier, Reply URL, and Logout URL.

   

9. Click Save.

   The necessary metadata is saved under the Basic SAML Configuration section.

   

10. In the Attributes & Claims section, click Edit.

    The Attributes & Claims page opens.

11. Click Add a group claim. In the Group Claims pane, click Groups assigned to the application and in the Source attribute list, select Group ID.

    

12. Click Save.

    This configures the group attribute name (user.groups [ApplicationGroup]). This is a necessary property.

    Apart from this, you can configure email (user.mail) and display name (user.givenname) values here. However, they are optional.

    

13. Go back to the Set up Single Sign-On with SAML page.

    Under Attributes & Claims, the user.groups claim is available now.

    

14. Copy the App Federation Metadata URL.

15. Click Users and groups > Add user/group. Initially, under Users, it displays None Selected.

    

16. Click the None Selected link.

    Select the required users or groups and click Select. Then, click Assign.

    

    Your SAML SSO setup for the required users is complete.

17. On the erwin Mart Portal Configuration screen, click the Authentication tab, and then follow these steps:

    1. In the MetaData XML field, paste the App Federation Metadata URL copied in step 14.

    2. In the Group Attribute Name, User Email Attribute Name, and User Display Name Attribute Name fields, configure values as follows:

       • Group Attribute Name (Available under Attributes & Claims. For example, user.groups http://schemas.microsoft.com/ws/2008/06/identity/claims/groups)

       • Optional-User Email Attribute Name (Available under Attributes & Claims, For example, user.mail http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)

       • Optional-User Display Name Attribute Name (Available under Attributes & Claims, For example, user.givename http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname)

       

18. Click Configure.

    Your erwin Mart Portal is now authenticated via SAML EntraID.