Azure AD SAML SSO

Learn how to configure Single Sign-On for Doppler using an Azure Active Directory SAML application.

This guide will show you how to create and configure an Azure Active Directory SAML application to enable Single Sign-On for Doppler.

Requirements

  • Domain Verified (Settings page)
  • Azure role with permissions to create enterprise applications: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

🚧

Make sure you maintain at least one window or tab where you're logged into your Doppler account. This will allow you to disable SAML SSO in the event something goes wrong during the configuration process and will prevent you from locking yourself out of your account.

1. Create Custom SAML App

Go to the Azure Active Directory console

Select Enterprise applications from the left menu.

In the Enterprise applications pane, select New application.

From the Browse Azure AD Gallery page, click Create your own application.

Give the application a name of your choosing such as Doppler SAML. Then click Create.

Click on Properties from the left menu. Set the logo for the application by uploading the image below, then click Save.

2. Initial Doppler SAML SSO Configuration

Go to the Doppler dashboard and from the menu click Team, then select the Settings tab from the top menu. Choose the Default Roles for users who log in via SSO.

📘

The Role controls the initial permissions a user will receive when their account is created. We recommend keeping it at Collaborator access to follow the principle of least privilege. Users with the Owner role can adjust this after the user has logged in once. If you scroll down further on the Settings page, you'll see a breakdown of what permissions each Role has.

After setting the Default Roles, we need to enable SAML SSO in Doppler to get access to the URLs needed to configure the Azure SAML SSO application.

Select the SSO tab from the top menu and scroll down to the SAML Single Sign-On section. Click the + button in the corner, choose a verified domain from the Domain dropdown menu, and then click Save.

Copy the ACS URL and Entity ID URLs to use when configuring the Azure SAML SSO application.

3. Azure SAML Configuration

Next, we'll begin configuring the Azure SAML application. Switch back to the Azure Console window. Click Overview from the left menu, then select Get started from the 2. Set up single sign on section.

Select SAML as the single sign-on method.

Click Edit from the Basic SAML Configuration section.

Then populate the form with the URLs obtained from the Doppler SAML Single Sign-On setup page in Step 2 above. They will look similar to the following:

❗️

These are example URLs only and will not work in your setup. You need to use the URLs obtained from the Doppler SAML Single Sign-On setup page referenced in Step 2 above.

The form should then look similar to the following. Then click Save.

If a Test single sign-on prompt appears, click No, I'll test later as we're not yet ready to test.

Scroll down to the SAML Signing Certificate section and click the Download link for the Federation Metadata XML which we'll then upload into Doppler.

4. Update Doppler SAML SSO Configuration

Next, we need to update the Doppler SAML SSO configuration with the contents of the downloaded Federation Metadata XML file we got from Azure. Paste the contents into the IDP XML field and then click Save.

5. Azure SAML Attributes and Claims

Now we need to configure the data sent to Doppler by the Azure SAML application.

From the Setup Single Sign-On page, click Edit from the User Attributes & Claims section.

Delete the user.mail claim.

Next, delete the user.givenname claim.

Next, delete the user.surname claim.

Next, click on the user.userprincipalname claim to edit it.

Delete the value for Namespace and change the Source attribute to user.displayname.

If the Name (user.displayname) field for your users is not set because only First Name and Last Name are populated, you'll need to create a Transform to join these two fields together.

Click the Save button to apply the changes for the name claim.

The completed result should look like the following.
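
To confirm that only the intended claim reaches Doppler (and that the mail, given name and surname claims really are gone), you can inspect the attribute statement of a decoded assertion from a test login. The script below is an added example, not Doppler's or Azure's code. It assumes the edited claim is named "name" once its namespace is removed (the page does not state the claim's name), and it works on an assertion that has already been base64-decoded and signature-checked; it does not verify signatures itself. Both sample assertions are constructed.

```python
"""Inspect the attribute statement of a decoded SAML assertion to confirm that
only the claims configured in Step 5 are being sent.  Added example: not
Doppler's or Azure's code.  Assumes the edited claim is named "name" after its
namespace is removed, and that the assertion was already signature-checked;
this code does not verify signatures.  Both sample assertions are constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: an assertion as it might look before the extra claims are
# deleted (givenname still sent, still carrying its namespace).
ASSERTION_BEFORE = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <Subject><NameID>alice@example.com</NameID></Subject>
  <AttributeStatement>
    <Attribute Name="name"><AttributeValue>Alice Example</AttributeValue></Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <AttributeValue>Alice</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

# Constructed: the same assertion after Step 5, with a single namespace-free claim.
ASSERTION_AFTER = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <Subject><NameID>alice@example.com</NameID></Subject>
  <AttributeStatement>
    <Attribute Name="name"><AttributeValue>Alice Example</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""


def check_assertion_claims(assertion_xml: str, expected: set) -> dict:
    """Compare the claims actually sent against the set we expect.

    Flags extra claims (data leaving the tenant that Doppler does not need),
    missing claims, claims that still carry a namespace, and empty values
    (the symptom when user.displayname is not populated).
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name", "")] = values

    problems = []
    if not name_id.strip():
        problems.append("missing NameID")
    for name in sorted(set(claims) - expected):
        problems.append(f"unexpected claim still sent: {name}")
    for name in sorted(expected - set(claims)):
        problems.append(f"expected claim missing: {name}")
    for name, values in claims.items():
        if "/" in name:
            problems.append(f"claim still carries a namespace: {name}")
        if not any(values):
            problems.append(f"claim has no value (display name not populated?): {name}")
    return {"name_id": name_id.strip(), "claims": claims, "problems": problems}


if __name__ == "__main__":
    for label, xml_text in (("before", ASSERTION_BEFORE), ("after", ASSERTION_AFTER)):
        print(label, check_assertion_claims(xml_text, {"name"})["problems"])
```

Run against the "before" sample it reports the leftover givenname claim twice (as unexpected and as still namespaced); against the "after" sample it reports nothing, which is the state you want before enabling SSO in Step 6.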

6. Enable Doppler SAML SSO

You can now enable SAML SSO in Doppler. Check the Enable checkbox and then click Save.

With the app configured and SAML SSO enabled, you can now proceed with testing!

7. Testing

🚧

We highly recommend testing with a different account in case an error is encountered which could lock you out of Doppler.

Once a test user has been created and assigned to the Doppler SAML application, click the Test this application button to bring up the testing panel.

Then click Sign in as someone else.

🚧

This functionality requires a Microsoft browser extension to be installed. You'll see a banner prompt for it and the Sign in as someone else option will be disabled until you have the extension installed.

Once you've signed into Azure as the test user, the test will be performed.

If an error occurs, contact us using our in-product support or email [email protected]ppler.com, pasting into the email the error response, as well as the contents of the Download the SAML request link (don't attach the XML file as Intercom prevents the viewing of XML files).

If during testing you are presented with a Doppler error page, also paste in the Request Id shown on that page so we can look up the error on our end.

If the test was successful, great job! You're now ready to start assigning users to the Doppler SAML application.

📘

We recommend further testing your SAML configuration by attempting to log in to Doppler in an Incognito Window. To do that, open an Incognito tab at https://dashboard.doppler.com and enter the email address of the test user, then follow the login flow. If SAML is configured properly, you should be able to log in successfully.

Doppler SAML User Assignment

Assigning users to the Doppler SAML application and adjusting Self-Service options such as the ability to request access and whether approval is required is the next step but is beyond the scope of this tutorial as each organization will handle things differently.

Check out Azure's guide on application user assignment.

Doppler Project Access

Now that your Active Directory users can sign into Doppler via SAML SSO, the final step is to assign access to Projects in Doppler.

Navigate to a Doppler project and click on Members.

Then search for and select the user(s) and click Add.

Once the user has been added to the project, select which environments they can access.

👍

Awesome Work!

You've successfully created an Azure Active Directory SAML application for signing into Doppler using SSO and assigned users access to a Doppler project.
