Microsoft Entra ID
Microsoft Entra ID only accepts the HTTPS protocol. Follow the steps described in Enabling HTTPS to enable HTTPS on MetaDefender Core before starting.
Entra ID - Using SAML 2.0
Register a new application on Azure
- Access the Azure portal and log in.
- On the Home page, select Microsoft Entra ID under Azure services.
- Select Enterprise applications on the left sidebar.
- On the All applications page, hit New application.
- On the Browse Azure AD Gallery page, search for "Microsoft Entra SAML Toolkit", then hit Microsoft Entra SAML Toolkit in the result panel.
- Fill in Name (MDCore-SAML, for example) and hit Create on the right sidebar.
- Navigate to Single sign-on on the left sidebar and hit SAML.
- Navigate to the SAML Certificates section, hit the copy button at the far right of App Federation Metadata Url, and store the value as metadata_uri.
- Navigate to Users and groups on the left sidebar and hit Add user/group.
- On the Add Assignment screen, hit None Selected, add the users who are allowed to log in to the app, then hit Select on the right panel.
- Finally, hit Assign to complete.
Create SAML directory on MetaDefender Core
- Log in to the MetaDefender Core management console.
- On the dashboard, hit User Management in the sidebar.
- On the User Management page, choose the Directories tab and hit Add directory on the top right.
- On the Add Directory page, choose SAML in Directory Type, fill in Name for the new directory (MDCore-SAML, for example) and hit Fetch URL.
- Paste the URI stored as metadata_uri into the box under Fetch URL, then hit OK so that MetaDefender Core sets Microsoft Entra ID as its IdP.
- Under the Service Provider section, fill in Host or IP with the address where MetaDefender Core is hosted, https://127.0.0.1:8008 in this example. This value is used to build the Login URL that Entra ID sends the browser back to, so it must be an address users can actually reach; 127.0.0.1 only works when testing from the Core host itself.
- Copy the Login URL and store it as reply_uri for the later steps below.

Complete configuration on Entra ID
- Switch back to Microsoft Entra ID. On the SAML-based Sign-on page, navigate to Basic SAML Configuration and hit Edit on the top right.
- Navigate to Identifier (Entity ID) on the right sidebar, hit Add identifier, then fill in a unique ID that identifies MDCore, MDCore-SAML for example. Store this value as identifier.
- Navigate to Reply URL (Assertion Consumer Service URL), hit Add reply URL, fill in the URI stored as reply_uri in the newly created box, then hit Save.
- Navigate to Attributes & Claims, then hit Edit.
- On the Attributes & Claims page, navigate to Additional claims and click any item under Claim name to change its name.
- Change Name, set Namespace to empty and hit Save to complete. In this example the claim name is changed to given_name, which is used later to identify the logged-in user on MetaDefender Core.

If the names of the attributes and claims provided by Azure are already suitable, it is recommended to use them directly to identify the logged-in user in MetaDefender Core. Whichever claim is chosen, prefer one whose value is unique and stable for each user (such as the user principal name or object ID); given_name is used here only as a simple example, since a display name can be shared by several users.
Complete configuration on MetaDefender Core
- Switch back to MDCore. Under Service Provider, select Use custom entity ID and paste in the value stored as identifier, MDCore-SAML in this example.
- Fill in the user identity under User identified by; ${given_name} is used in this example.
  If the namespace was not removed from the claim name in step 6 of the previous section, the full claim name including the namespace must be used here to build the user identification. For example, if the claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name is added to Entra ID, then ${http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name} is what MetaDefender Core uses to build the user identification. The name inside ${...} must match the attribute name in the SAML assertion exactly.
- Select the correct role for the user under User Role.
- Hit Add to complete the settings.
- On the User Management screen of MDCore, toggle the new directory, MDCORE-SAML in this example. A dialog box asks you to confirm the action. Once Enable is hit, all sessions expire immediately.
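The script below is an added example covering the two values in this procedure that are easiest to get wrong: what the Fetch URL step reads from the federation metadata, and how a User identified by template such as ${given_name} resolves against the attribute names in the assertion (including the case where the namespace was left on the claim). It is not MetaDefender Core's code and does not show how Core itself parses these documents. The federation metadata and the assertion are constructed for the example, with a placeholder tenant ID, a placeholder certificate and invented attribute values; signature verification, which a real service provider performs before reading anything else, is left out.

```python
"""Offline check of what a SAML service provider takes from Entra ID.

Added example, not OPSWAT or Microsoft code. Every XML document below is
constructed for the example (placeholder tenant ID and certificate); real
metadata and responses are larger, and a real Response is signed.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID

# Constructed federation metadata, shaped like the document served at the
# App Federation Metadata Url copied from Entra ID.
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sts.windows.net/{TENANT}/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-placeholder-not-a-real-certificate</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion. The first attribute was renamed to given_name with an
# empty namespace (as in the Entra ID steps); the second keeps its namespace,
# so the full URI is the claim name a ${...} placeholder has to use.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>MDCore-SAML</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="given_name">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def parse_idp_metadata(xml_text):
    """Return the IdP entityID, its HTTP-Redirect SSO URL and its signing certs."""
    root = ET.fromstring(xml_text)  # parse untrusted XML with defusedxml instead
    sso = [e.get("Location") for e in root.findall(".//md:SingleSignOnService", NS)
           if e.get("Binding") == HTTP_REDIRECT]
    certs = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no use= means signing and encryption
            certs += [(c.text or "").strip() for c in kd.findall(".//ds:X509Certificate", NS)]
    if not sso or not certs:
        raise ValueError("metadata lacks a redirect SSO endpoint or a signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso[0], "signing_certs": certs}


def resolve_identity(template, attrs):
    """Expand ${claim-name} placeholders; the name must equal the Attribute Name exactly."""
    def expand(m):
        name = m.group(1)
        if name not in attrs:
            raise KeyError(f"claim {name!r} missing; assertion carries {sorted(attrs)}")
        if len(attrs[name]) != 1:
            raise ValueError(f"claim {name!r} must be single-valued, got {attrs[name]}")
        return attrs[name][0]
    return PLACEHOLDER.sub(expand, template)


def identify_user(assertion_xml, idp, sp_entity_id, template):
    """Check issuer and audience against the configured values, then build the identity."""
    # A real SP verifies the Response signature with idp["signing_certs"] first.
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp["entity_id"]:
        raise ValueError(f"issuer {issuer!r} is not the configured IdP {idp['entity_id']!r}")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError(f"assertion is addressed to {audiences}, not to {sp_entity_id!r}")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    return resolve_identity(template, attrs)


if __name__ == "__main__":
    idp = parse_idp_metadata(METADATA)
    print(idp["entity_id"], idp["sso_url"])
    print(identify_user(ASSERTION, idp, "MDCore-SAML", "${given_name}"))
```

Running the script against a real metadata URL is a quick way to confirm that the copied URL belongs to the expected tenant (the tenant ID appears in both the entityID and the SSO location) before enabling the directory, which logs every existing session out.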

Test the integration
- On the home screen of MetaDefender Core, hit Login; the user is redirected to the Microsoft Entra ID login page.
- Log in with an account that was assigned to the app in Entra ID.
- If everything goes right, the MetaDefender Core dashboard is displayed with the user identity at the top right corner.
- Otherwise, go back to the local login page at <mdcore-host>#/public/backuplogin for troubleshooting. Keep a local administrator account available for this purpose, since enabling the directory ends all existing sessions.
Setup pseudo IdP-initiated SSO
Microsoft Entra ID does not support IdP-initiated SSO in the same way as other identity providers. Its User access URL simply sends the browser to the login page of the SP, and the SSO login is initiated from there, so the flow is still SP-initiated (which is also the safer of the two flows, since the SP only accepts responses to requests it issued).
- Log in to the Azure management page.
- Navigate to the Azure services section and hit Microsoft Entra ID.
- On the left sidebar, click Enterprise applications.
- Pick the application created earlier from the Microsoft Entra SAML Toolkit template, MDCore-SAML in this example, in the list of enterprise applications.
- Select Single sign-on on the left sidebar, navigate to the Basic SAML Configuration section and hit Edit on the top right of the section.
- In the Basic SAML Configuration right sidebar, insert the Core login URL into the field under Sign on URL.
- Hit Save to complete.
Test IdP-initiated SSO
- Log in to the Azure management page.
- Navigate to the Azure services section and hit Microsoft Entra ID.
- On the left sidebar, click Enterprise applications.
- Pick the application, MDCore-SAML in this example, in the list of enterprise applications.
- Navigate to the Properties tab.
- Copy the URL next to User access URL.
- Paste the copied URL into a browser and log in.
- If everything goes right, the MDCore dashboard is shown with the user identity set at the top right corner.
- Otherwise, go back to the local login page at <mdcore-host>#/public/backuplogin for troubleshooting.
Entra ID - Using OpenID Connect
Register a new application on Azure
- Access the Azure portal and log in.
- On the Home page, select Microsoft Entra ID under Azure services.
- Select App registrations under the Manage section on the left sidebar, then click New registration on the top menu bar.
- On the Register an application page, fill in Name for the new application, "MDCore-OIDC" in this example, and hit Register to complete.
- Select Token configuration on the left sidebar, hit Add optional claim, choose ID on the right sidebar, enable the claims you need (given_name in this example) and hit Add at the bottom.
- Click Add on the popup to complete.

The enabled claims are used later by MetaDefender Core to identify the logged-in user.
Create OIDC directory on MetaDefender Core
- Log in to MetaDefender Core.
- On the dashboard, hit User Management in the sidebar.
- On the User Management page, choose the Directories tab and hit Add directory on the top right.
- On the Add Directory page, choose OIDC in Directory Type.
- Fill in Name for the new directory, MDCore-OIDC for example.
- Under the Service Provider section, fill in Host or IP with the address where MDCore is hosted, https://127.0.0.1:8008 in this example.
- Copy the Login URL and store it for later use.

Complete configuration on Entra ID
- Back in Entra ID, on the MDCore-OIDC page, pick the Overview section on the left sidebar and hit the Add a Redirect URI link to switch to the Authentication page.
- On the Authentication page, hit Add a platform and choose the Web option on the right sidebar.
- Fill in Redirect URIs with the Login URL copied from MDCore, enable the Access tokens option and hit Configure. The redirect URI must match the Login URL exactly, including scheme, host, port and path; Entra ID rejects the login otherwise.
- Pick Overview on the left sidebar again, copy the string next to Application (client) ID and store it as client_id.
- Hit Endpoints on the top bar, copy the URI under OpenID Connect metadata document on the right sidebar and store it as metadata_uri.
- Pick Certificates & secrets on the left sidebar. In the Client secrets (0) tab, hit New client secret, fill in the secret Description, set Expires, then hit Add to complete.
- A new client secret appears under the Client secrets (1) tab. Copy the string under the Value column and store it as client_secret.

Entra ID hides the client secret value completely once the Certificates & secrets page is left. Store it in a safe place (a secrets manager rather than a ticket or chat message); if it is lost, a new one has to be created. Choose the shortest Expires period your rotation process can support and record the expiry date: logins through this directory stop working when the secret expires, because MetaDefender Core can no longer redeem the authorization code.
Complete configuration on MetaDefender Core
- Switch to MDCore. Under the Identity Provider section, hit Fetch URL, paste the metadata_uri gathered in the Complete configuration on Entra ID steps into the box under Fetch URL and hit OK so that MetaDefender Core sets Microsoft Entra ID as its IdP.
- Under the Service Provider section, paste the client_id and client_secret gathered in the Complete configuration on Entra ID steps into Client ID and Client secret respectively.
- Fill in the user identity under User identified by; ${given_name} is used in this example. As with SAML, the name inside ${...} must match the claim name in the ID token exactly, and a claim that is unique and stable for each user makes a better identity than a display name.
- Pick the Default role option and select the correct role for the user under User Role.
- Hit Add to complete the settings.
- On the User Management screen of MDCore, toggle the new directory, MDCORE-OIDC in this example. A dialog box asks you to confirm the action. Once Enable is hit, all sessions expire immediately.
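The script below is an added example for the OIDC procedure, not MetaDefender Core's or Microsoft's code. It reads the issuer from a constructed copy of the OpenID Connect metadata document fetched in the Fetch URL step, validates a constructed ID token against that issuer and the client_id (signature, iss, aud, exp, nbf), and then resolves a User identified by template such as ${given_name} from the token's claims. Entra ID signs ID tokens with RS256 using the keys published at jwks_uri; to stay self-contained, this example signs its sample token with HS256 and a shared secret instead, which changes only the signature check, not the claim checks. The tenant ID, client ID, subject and claim values are placeholders.

```python
"""Offline check of what an OIDC relying party takes from Entra ID.

Added example, not OPSWAT or Microsoft code. The discovery document and the
ID token below are constructed. Entra ID signs ID tokens with RS256 and
publishes the keys at jwks_uri; this example signs its sample token with HS256
and a shared secret so that it runs offline. The claim checks are the same.
"""
import base64
import hashlib
import hmac
import json
import re

TENANT = "00000000-0000-0000-0000-000000000000"     # placeholder tenant ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder Application (client) ID
SAMPLE_KEY = b"example-shared-secret"               # stands in for the JWKS key

# Constructed discovery document, shaped like the OpenID Connect metadata
# document copied from the Endpoints pane of the app registration.
DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
})

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, key):
    """Build an HS256-signed JWS carrying the given claims (test fixture only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_id_token(token, key, issuer, client_id, now):
    """Check the signature, then iss, aud, exp and nbf; return the claims or raise."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the token never gets to pick the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError(f"issuer {claims.get('iss')!r} is not {issuer!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"token audience {aud!r} is not this client")
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise ValueError("token is not valid at this time")
    return claims


def resolve_identity(template, claims):
    """Expand ${claim} placeholders such as ${given_name} from the ID token claims."""
    def expand(m):
        name = m.group(1)
        if name not in claims:
            raise KeyError(f"claim {name!r} not in token; add it under Token configuration")
        return str(claims[name])
    return PLACEHOLDER.sub(expand, template)


def identify_user(token, key, discovery_json, client_id, template, now):
    """Validate the token against the discovery issuer and client_id, then build the identity."""
    issuer = json.loads(discovery_json)["issuer"]
    return resolve_identity(template, verify_id_token(token, key, issuer, client_id, now))


# Constructed token: given_name is present because it was added as an optional claim.
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "aud": CLIENT_ID,
    "sub": "placeholder-subject",
    "exp": 2_000_000_000,
    "nbf": 1_900_000_000,
    "given_name": "Alice",
    "preferred_username": "alice@example.com",
}
SAMPLE_TOKEN = make_id_token(SAMPLE_CLAIMS, SAMPLE_KEY)

if __name__ == "__main__":
    print(identify_user(SAMPLE_TOKEN, SAMPLE_KEY, DISCOVERY, CLIENT_ID, "${given_name}", 1_950_000_000))
```

The ordering matters: the signature is checked before any claim is read, the issuer comes from the discovery document rather than from the token, and a missing claim is reported as such instead of silently producing an empty identity, which is what a ${...} template that does not match the Token configuration would otherwise give you.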

Test the integration
- On the home screen of MetaDefender Core, hit Login; the user is redirected to the Microsoft login page.
- Log in with the registered account.
- If everything goes right, the MDCore dashboard is shown with the user identity set at the top right corner.
- Otherwise, go back to the local login page at <mdcore-host>#/public/backuplogin for troubleshooting.