Overview
This document covers how to configure Infoblox to use Azure AD SAML for authentication. Once a SAML authentication service has been added, Infoblox adds an SSO login box to the login window.
Procedure
- Navigate to Administration, Authentication Server Groups, SAML Authentication Services
- When you click on the + icon to add a Service you will be presented with the Add SAML Authentication Service window
- The SSO metadata URL is: https://login.microsoftonline.com/2e5ff8e7-7397-4041-8d96-876bd26a86a0/federationmetadata/2007-06/federationmetadata.xml?appid=e4c52b8f-9c3e-4076-8856-760a247102d6
- The SSO Redirect IPAddress/FQDN is the fully qualified domain name of the Infoblox appliance. Use the name users actually browse to, because it must also match the URL registered on the Enterprise Application (see below)
- You can find the SSO Metadata URL in the Azure Active Directory service in the Azure Portal
- In the Azure Active Directory console, scroll down and click on Enterprise Applications
- In the Search field, type Infoblox
You will see that we have two definitions - one for Production (DDI) and one for Test. When associating an application/appliance with an Enterprise Application, you must specify the actual URL of the user interface. Since Production is https://ddi.net.nic.edu and Test is https://infoblox.nic.edu, we have a separate Enterprise Application for each.
- Click on the appropriate Enterprise Application - in this case Infoblox - DDI. Click on Single Sign-on in the Manage menu on the right (or click on the Set up single sign on box)
- Scroll down to section 3, SAML Certificates. There you will see the App Federation Metadata URL (the SSO Metadata URL in Infoblox terms). Microsoft conveniently provides a copy icon so you don't have to highlight the whole string. Paste that into the SSO Metadata URL field in Infoblox
Configuring Group Access
There are currently two groups in Active Directory that grant a user access to Infoblox:
- ACL.M365.INFOBLOX.ADMIN - Full administrative access to the Infoblox appliance
- ACL.M365.INFOBLOX.USER - Access to view/update host records and create DHCP fixed address/Reservations
Both of these groups are synchronized with Azure Active Directory on an hourly basis since Azure SSO integration can only leverage groups visible in Azure AD (not all Active Directory groups are synchronized).
This section assumes that the Groups are already synchronized in Azure Active Directory.
- Navigate to the Infoblox Enterprise Application in the Azure Active Directory portal and click on the Single Sign-on menu item
- Edit the Attributes & Claims Section
- Click on Add a group claim
- Select Security Groups and then click on Advanced Options
- Check the Customize the name of the group claim box, enter the word groups in the Name field and click Save. With Security Groups selected, the claim carries each group's Object ID rather than its display name, which is why the Infoblox groups are created with the Object ID as their name (Step 1 below)
- You should see the groups claim name under Additional Claims
- Now add both groups in the Users and groups section (use the breadcrumbs at the top of the screen to go back to the main page of the Enterprise Application)
- Before navigating away from the Azure Portal, click on each group and copy its Object ID to the clipboard/notepad. You will need these Object IDs when adding the groups to Infoblox
- Now Navigate to the Infoblox Console and Open up the SAML Authentication Services entry you created earlier.
- Enter the custom group claim name groups that you created earlier in the IDP Group Attribute field. It must match the claim Name exactly, or Infoblox will not see any group membership in the assertion
- Click on Save and Close
- Now Navigate to Administrators/Groups and click on the + to add the group
- Step 1: Paste the Object ID into the Group Name field and record the "normal" AD group name in the Comment field, then click Next (at least the Comment field is visible in the main Groups list)
- Step 2: Just click Next on Step 2, since access is really controlled at the AD level
- Step 3: Check the Auto Create User box; this is required for SAML authentication to work. Infoblox will temporarily create the user (you will see it in Administrators -> Admins) when the user logs in. Also check Persist Auto Create user after logout so that the account stays in the Admins list; that speeds up subsequent logins for the user. Infoblox updates the group membership of a persisted account at login if necessary (for example, if the user is moved from the ADMIN group to the USER group in AD)
- Step 4: Just click Next to skip past Step 4
- Step 5: This is where you assign the access this group will have. If the group is to have full access to the Infoblox appliance, check the Superusers box. Otherwise, click on the + sign and add the assigned role. If you want to assign a custom role that you created, click on Custom Roles to list those
As for Allowed Interfaces, Superusers are granted all three (GUI, API, CLI). Everyone else needs only GUI access
- Click on Save & Close
Direct Access
- When using SSO, Infoblox auto-creates an account on the appliance as a member of saml-group for any user who is NOT a member of one of the groups mentioned above. This can only happen if the user was granted access to the Enterprise Application directly in Azure AD rather than through one of those groups
- You can add a user directly into the Enterprise Application under Users and groups
When such a user logs in using SSO, Infoblox auto-creates the account on the appliance with whatever permissions saml-group carries. You can then change the SAML group membership of that user so that access is restricted, or create the SAML account ahead of time so that the user has only limited access from the initial login.
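The mapping from the groups claim to Infoblox groups, including the saml-group fallback described under Direct Access, as an added Python example that is not Infoblox's code and not part of the original page. It decodes a SAMLResponse form field as captured by a browser SAML tracer (a constructed sample here, with a fictitious user, an all-zero tenant ID and placeholder Object IDs), lists the values of the attribute whose Name matches the IDP Group Attribute field, and shows which Infoblox group the user would land in. It does no signature, audience or validity-window checking; that is Infoblox's job, and this script is a troubleshooting aid for confirming that Azure AD really sends a claim named groups containing the expected Object IDs, not something to base an access decision on. One edge case it exercises: if no matching Object ID is present (the claim is missing, the attribute name differs, or the user was assigned directly), the user falls into saml-group. Note also that Azure AD does not emit the groups claim for a user in more than 150 groups and sends a group overage link claim instead, which Infoblox cannot use; such a user ends up in the same fallback path.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Infoblox admin groups as created in Step 1 above: the Infoblox group name is the
# Azure AD group Object ID. These GUIDs are placeholders, not the real Object IDs
# of ACL.M365.INFOBLOX.ADMIN and ACL.M365.INFOBLOX.USER.
INFOBLOX_GROUPS = {
    "11111111-1111-1111-1111-111111111111": "ACL.M365.INFOBLOX.ADMIN",
    "22222222-2222-2222-2222-222222222222": "ACL.M365.INFOBLOX.USER",
}

# Constructed stand-in for an Azure AD SAML Response: the signature, conditions
# and real identifiers are omitted; the user, tenant and group IDs are fictitious.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_response1" Version="2.0">
  <saml:Assertion ID="_assertion1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.edu</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
        <saml:AttributeValue>ABCDEF01-0000-0000-0000-000000000000</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
# What a browser SAML tracer shows as the SAMLResponse form field: base64 of the XML.
SAMPLE_POST_PARAM = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")


def group_claim_values(xml_text, attribute_name="groups"):
    """Values of the SAML attribute whose Name equals the Infoblox IDP Group Attribute.
    Object IDs are lower-cased so the comparison with Infoblox group names is case-insensitive."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter("{%s}Attribute" % SAML):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.findall("{%s}AttributeValue" % SAML):
            if val.text and val.text.strip():
                values.append(val.text.strip().lower())
    return values


def name_id(xml_text):
    """The subject NameID, which becomes the name of the auto-created Infoblox admin."""
    el = ET.fromstring(xml_text).find(".//{%s}NameID" % SAML)
    return el.text.strip() if el is not None and el.text else None


def resolve_infoblox_groups(claim_values, mapping=INFOBLOX_GROUPS, fallback="saml-group"):
    """Model of the placement described above: the user lands in every Infoblox group whose
    name matches an Object ID in the claim; with no match (or no claim at all), in saml-group."""
    matched = [mapping[g] for g in claim_values if g in mapping]
    return matched or [fallback]


def inspect_post_param(saml_response_b64):
    """Decode a captured SAMLResponse field and report what Infoblox would work from."""
    xml_text = base64.b64decode(saml_response_b64).decode("utf-8")
    groups = group_claim_values(xml_text)
    return {
        "name_id": name_id(xml_text),
        "groups": groups,
        "infoblox_groups": resolve_infoblox_groups(groups),
    }


if __name__ == "__main__":
    print(inspect_post_param(SAMPLE_POST_PARAM))
```

Run it against a real capture by passing the SAMLResponse value to inspect_post_param(). If "groups" comes back empty while the user is definitely in one of the AD groups, the usual causes are the claim name not matching the IDP Group Attribute field, the group not yet synchronized to Azure AD, or the group not being assigned to the Enterprise Application under Users and groups.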