azure-ad-sso-config.html.md.erb
---
title: Configuring Azure Active Directory as a SAML Identity Provider
owner: Identity
---
This topic describes how to configure single sign-on (SSO) between Microsoft Azure Active Directory (Azure AD) and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).
## <a id='prerequisites'></a> Prerequisites
To configure Azure AD to designate Tanzu Kubernetes Grid Integrated Edition as a service provider,
you must have an Azure AD Global Administrator account.
## <a id='configure-saml'></a> Configure SAML in Azure AD
To configure Azure AD as a SAML identity provider for Tanzu Kubernetes Grid Integrated Edition, do the following:
1. Log in to Azure AD as a Global Administrator.
1. Navigate to **Azure Active Directory**.
1. Under **Create**, click **Enterprise application**.
![Enterprise application button](images/azure-ad-add-app.png)
1. Under **Add your own app**, select **Non-gallery application**. Enter a **Name** and click **Add**.
1. Navigate to **Azure Active Directory** > **Enterprise applications**.
![Enterprise applications tab](images/azure-ad-app-tab.png)
1. Click your app and then click **Single sign-on**.
![Single sign-on tab](images/azure-ad-sso-button.png)
1. Under **Select a single sign-on method**, select **SAML**.
![Single sign-on pane](images/azure-ad-saml.png)
1. Under **Set up Single Sign-On with SAML**, click the pencil icon for **Basic SAML Configuration**.
![Basic SAML Configuration button](images/azure-ad-basic-saml-edit.png)
1. Configure the following fields:
<table>
<tr>
<th>Field</th>
<th>Instructions</th>
</tr>
<tr>
<td><strong>Identifier (Entity ID)</strong></td>
<td>Enter <code>TKGI-API:8443</code>, where <code>TKGI-API</code> is the fully qualified domain name of your Tanzu Kubernetes Grid Integrated Edition API.<br>
For example: <code>api.tkgi.example.com:8443</code></td>
</tr>
<tr>
<td><strong>Reply URL</strong></td>
<td>Enter <code><span>https</span>://TKGI-API:8443/saml/SSO/alias/TKGI-API:8443</code>.<br>
For example: <code>https://api.tkgi.example.com:8443/saml/SSO/alias/api.tkgi.example.com:8443</code></td>
</tr>
<tr>
<td><strong>Sign on URL</strong></td>
<td>Enter <code><span>https</span>://TKGI-API:8443/saml/SSO/alias/TKGI-API:8443</code>.<br>
For example: <code>https://api.tkgi.example.com:8443/saml/SSO/alias/api.tkgi.example.com:8443</code></td>
</tr>
</table>
<p class="note"><strong>Note:</strong> <%= vars.recommended_by %> recommends that you use the default settings for the fields that are not referenced in the above table.</p>
1. Click the pencil icon for **User Attributes & Claims**.
![User Attributes & Claims button](images/azure-ad-user-claims.png)
1. Configure your user attributes and claims by doing the procedures in [How to: Customize claims issued in the SAML token for enterprise applications](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization) in the Microsoft Azure documentation. By default, Tanzu Kubernetes Grid Integrated Edition uses the <code>EmailAddress</code> name identifier format.
1. Configure your group attributes and claims by doing the procedures in the [Configure group claims for SAML applications using SSO configuration](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims#configure-group-claims-for-saml-applications-using-sso-configuration) section of _Configure group claims for applications with Azure Active Directory (Public Preview)_ in the Microsoft Azure documentation.
1. Under **SAML Signing Certificate**, copy and save the link address for **App Federation Metadata Url** or download **Federation Metadata XML**. You use the Azure AD metadata to configure SAML in the Tanzu Kubernetes Grid Integrated Edition tile.
For more information, see [Connecting Tanzu Kubernetes Grid Integrated Edition to a SAML Identity Provider](configuring-saml.html).
![SAML Signing Certificate pane](images/azure-ad-metadata.png)
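As an added example (not part of this topic or the TKGI product), the script below derives the three Basic SAML Configuration values from a TKGI API hostname using the `TKGI-API:8443` pattern in the table above, and sanity-checks an Azure AD Federation Metadata XML before it goes into the tile: it confirms the file is identity-provider metadata, carries a signing certificate, exposes an HTTP-POST SSO endpoint, and advertises the `EmailAddress` name identifier format. The embedded metadata is a constructed stand-in with placeholder tenant id and certificate.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the Federation Metadata XML downloaded in the last step;
# the tenant id and certificate body are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def sp_settings(tkgi_api_host: str, port: int = 8443) -> dict:
    """Entity ID, Reply URL and Sign on URL derived from the TKGI API FQDN."""
    entity_id = f"{tkgi_api_host}:{port}"
    acs = f"https://{entity_id}/saml/SSO/alias/{entity_id}"
    return {"entity_id": entity_id, "reply_url": acs, "sign_on_url": acs}


def check_idp_metadata(metadata_xml: str) -> dict:
    """Extract what the tile needs and reject metadata that would leave SSO
    unverifiable: SP metadata pasted by mistake, or no signing certificate."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    # KeyDescriptor without a 'use' attribute may be used for signing as well.
    certs = [k for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"
             and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    if not certs:
        raise ValueError("no signing X509Certificate: assertions cannot be verified")
    post = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == HTTP_POST]
    formats = [f.text for f in idp.findall("md:NameIDFormat", NS)]
    return {"idp_entity_id": root.get("entityID"),
            "sso_post_url": post[0] if post else None,
            "signing_certs": len(certs),
            "email_nameid": EMAIL_FMT in formats}
```

Run `check_idp_metadata` on the real file you downloaded and compare `sso_post_url` and `idp_entity_id` with what the tile shows after import.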