Configure SAML SSO for VAST Management GUI using Entra ID


Overview

This article provides a step-by-step guide for configuring Single Sign-On (SSO) for the VAST Management GUI using SAML with Microsoft Entra ID (formerly known as Azure Active Directory). By following these instructions, you will enable users to log in to the VAST Management GUI securely using their existing corporate credentials managed within your Entra ID tenant.

The process involves two main parts: first, configuring a new enterprise application within Microsoft Entra ID, and second, applying the necessary settings within the VAST Management GUI. It covers the specific settings for basic SAML configuration, user attributes, and role claims to ensure a successful and seamless integration.

IdP Configuration

Configuring SAML takes two steps; it’s easiest to start at the Identity Provider. The following steps should be done in Microsoft Entra ID (formerly known as Azure Active Directory).

Pick a name for the integration. This can reference the identity provider, such as “Entra”, or it can be the name of your domain or business, such as “acme.com”.

Basic SAML Configuration

Create an “Enterprise Application” with the following configuration:

The image displays the basic SAML configuration settings required to integrate with an identity provider, including fields such as Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), Sign on URL, Relay State, and Logout URL, each populated with specific URLs starting with "https://10.14".

SAML Config

Configuration                                  Value
Identifier (Entity ID)                         https://vmsip/api/saml2/metadata/
Reply URL (Assertion Consumer Service URL)     https://vmsip/api/saml2/acs/?id_name=entra
Sign on URL                                    https://vmsip/api/saml2/login/?id_name=entra
Relay State (Optional)                         empty, not important for our config
Logout Url (Optional)                          empty, not supported at this time

Replace vmsip with the actual VMS IP address.

ℹ️ Note

This must be the VMS VIP. A DNS name will not work at this time.

Note that the string format is exact: you must provide the values as shown above, including the trailing slash before the ? that begins the HTTP query string parameters. SAML uses many of these values to ensure that its requests and responses are being sent to the correct endpoint.

Attributes & Claims

These are necessary to fit the SAML Response into a format that the VAST Management GUI will understand.

The screenshot displays an "Attributes & Claims" configuration, with email mapped to `user.mail`, username to `user.onpremisessamaccountname`, roles set to the literal `"administrators"`, and the Unique User Identifier to `user.userprincipalname`.

Attributes & Claims

The following is an example of the Edit page for the Attributes & Claims section:

The image displays an Attributes & Claims configuration page, where required and additional claims are being defined using SAML types. The unique user identifier (Name ID) is set to "user.userprincipalname," while other attributes like email, first name, last name, roles, and username are also configured accordingly.

Required claim

Unique User Identifier

The Unique User Identifier (Name ID) claim should be configured as follows:

The screenshot displays the "Manage claim" section in which the 'nameidentifier' claim is configured within Azure AD, with its source attribute set to 'user.userprincipalname'. The name identifier format chosen is 'Email address', and the source is 'Attribute' rather than a transformation or a directory schema extension.

Manage Claim

This is the only value with a Name and Namespace that you cannot change.

Other claims

For the remainder of the claims, ensure there is no value in the Namespace field:

The image shows the "Manage claim" interface configuring a claim named `email`, with the Namespace field left empty and the source attribute set to `user.mail`.

Manage Claim contact info

Required claims are:

  • username - This can be any string value from the user’s directory entry that is unique.

  • email - This should be an e-mail address, whether taken from the On Premises SAM account or from “Other Email”.

ℹ️ Info

At this time, “First Name” and “Last Name” are not updated upon login.

The “roles” claim is optional, but highly recommended. If the “roles” claim is not defined, VMS will assign the “read-only” role to the user upon login.

For role mapping in this simple example, it’s possible to hard-code a “role” into the SAML login, and then control access to the application (and therefore VMS) within Entra ID.

The screenshot displays the "Manage claim" configuration page, with a claim named 'roles' whose source attribute is the literal string 'administrators' rather than a directory attribute.

Claim roles

The “Source attribute” field will allow you to type a free-form text string. When you press enter, it wraps the text you wrote in quotation marks (“administrators”), which signifies that Entra’s SAML response will send this string verbatim, rather than taking something unique about the user.

VMS will compare that string against all the roles it knows about and apply the role to the user upon login.
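To confirm that Entra ID is sending exactly the claim layout described above (bare names, an emailAddress-format NameID, the Destination equal to the Reply URL, and a roles claim), the following added example checks a decoded SAML Response; it is not VAST's or Microsoft's code, and the sample response is constructed to show two common slips: the email claim still carries its default namespace, and no roles claim is sent, so VMS would fall back to read-only.

```python
# Added example (not from the VAST article): sanity-check a decoded SAML Response
# against the claim layout this article asks Entra ID to emit for VMS.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
VMS_ACS = "https://vmsip/api/saml2/acs/?id_name=entra"  # vmsip placeholder, as in the article
DEFAULT_ROLE = "read-only"  # what VMS assigns when no "roles" claim is present

def check_response(xml_text, acs_url=VMS_ACS):
    """Return (problems, claims): problems is a list of strings, claims maps bare names to values."""
    root = ET.fromstring(xml_text)
    problems = []
    # The Destination must match the Reply URL exactly, query string included.
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"], {}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID missing or not in emailAddress format")
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        if "/" in name or ":" in name:  # Namespace field was not left empty in Entra
            problems.append(f"claim {name!r} carries a namespace; VMS expects a bare name")
        claims[name] = values[0] if len(values) == 1 else values
    for required in ("username", "email"):
        if required not in claims:
            problems.append(f"required claim {required!r} missing")
    claims.setdefault("roles", DEFAULT_ROLE)
    return problems, claims

# Constructed response (not captured from a real tenant) showing two common slips:
# the email claim still carries its default namespace and no "roles" claim is sent.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://vmsip/api/saml2/acs/?id_name=entra"><saml:Assertion>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 >jdoe@acme.com</saml:NameID></saml:Subject><saml:AttributeStatement>
 <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
 <saml:AttributeValue>jdoe@acme.com</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Feed it the base64-decoded SAMLResponse form value captured from the browser during a failed login; each returned problem maps to one of the Entra settings above.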

The screenshot displays the "Administrators" section in an identity and access management tool, listing users with their corresponding roles such as 'administrators', 'csi', or 'debug_metrics'. The user interface includes tabs like Managers, Roles, Realms, and SAML which indicate different administrative functionalities available within this system.

VMS account attribute

VMS Configuration

Within the VAST Management GUI, three pieces of information are required.

  • The name of the integration from the first step of this document. In the examples provided above, “entra” was used.

  • The “App Federation Metadata URL” from Entra ID in section 3, “SAML Certificates”.

    • Alternatively, it is possible to copy the Metadata XML from that URL.

  • The “Microsoft Entra Identifier” from Entra ID in section 4, “Set up (application name)”.

The image displays configuration details for SAML certificates and Microsoft Entra ID integration, including token signing certificate information such as status, expiration date, and download links for the metadata XML and the certificate in both Base64 and raw formats. It also shows the "Set up (application name)" section for Microsoft Entra ID, listing the URL endpoints required to link the application.

SAML certificate

General

These values will be entered into a new SAML configuration within VMS. In “Identity Provider name” enter the value as shown.

In “Identity Provider entity ID” enter the “Microsoft Entra Identifier”.

Choose “Force Authenticate” if you want your users to always go to the Identity Provider, even if they are already signed in.

The screenshot shows the General section of the VMS SAML configuration form, with Identity Provider name set to "entra" and Identity Provider entity ID set to https://sts.windows.net/0a3e86d0-e648-4933-b4bb-93bb0f4bed63/.

API Access Key

Metadata

If the VAST VMS node is able to reach the URL shown in Entra’s “App Federation Metadata URL” field, that URL can be entered directly in the “Metadata URL” field.

The Metadata section of the form accepts either a metadata URL or locally pasted metadata; one of the two must be provided in order to proceed.

Metadata URL

If the VAST VMS node is air gapped or otherwise cannot reach the URL, open the URL in a browser that can reach it, and copy the XML contents into the large text field provided.
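Before pasting metadata into an air-gapped VMS, it is worth confirming that the copied XML is intact and that its entityID matches the “Microsoft Entra Identifier” entered in the General section (trailing slash included). The check below is an added example, not VAST's or Microsoft's code; the metadata fragment is constructed, reusing the tenant id from the screenshot above with a placeholder certificate body.

```python
# Added example (not from the VAST article): pre-flight an Entra ID federation
# metadata document before entering it in the VMS Metadata section.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def check_metadata(xml_text, expected_entity_id):
    """Return a list of problems; an empty list means the XML is usable by VMS."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML (truncated paste?): {exc}"]
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, not md:EntityDescriptor"]
    problems = []
    # entityID must equal the "Microsoft Entra Identifier" typed into VMS, trailing slash included.
    if root.get("entityID") != expected_entity_id:
        problems.append(f"entityID {root.get('entityID')!r} != configured {expected_entity_id!r}")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not identity-provider metadata"]
    # VMS needs at least one signing certificate to verify assertion signatures...
    signing = [c for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
               if kd.get("use", "signing") == "signing"
               for c in kd.iter(f"{{{DS}}}X509Certificate") if (c.text or "").strip()]
    if not signing:
        problems.append("no signing certificate in KeyDescriptor")
    # ...and an HTTP-Redirect SSO endpoint to send the browser to.
    if not any(s.get("Binding") == REDIRECT for s in idp.findall(f"{{{MD}}}SingleSignOnService")):
        problems.append("no HTTP-Redirect SingleSignOnService endpoint")
    return problems

# Constructed fragment (not real Entra output): the tenant id is the one shown in the
# article's screenshot; the certificate body is a placeholder.
TENANT_ENTITY_ID = "https://sts.windows.net/0a3e86d0-e648-4933-b4bb-93bb0f4bed63/"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="{TENANT_ENTITY_ID}">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
   <X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER...</X509Certificate></X509Data></KeyInfo>
  </KeyDescriptor>
  <SingleSignOnService Binding="{REDIRECT}"
   Location="https://login.microsoftonline.com/0a3e86d0-e648-4933-b4bb-93bb0f4bed63/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""
```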

The image shows the "Set local metadata" field of the VMS form, into which the metadata XML is pasted.

Paste here

Press the “Set” button at the bottom of the form to finish the process. A new button should be present in the login page, allowing for SSO Login with your provider, as named above.

The login screen depicted in the image is part of the VAST application, featuring fields to enter username and password, along with an option for Single Sign-On (SSO) authentication using the "entra" provider.

VMS login screen

ℹ️ Info

If you want to change the name of the provider displayed, you will need to delete and re-create the SAML integration, as well as update the values in the URLs within Entra ID.