Chariot Single Sign-On (SSO) with Azure

Chariot offers Single Sign-On integration with Azure to streamline user access management. This guide walks you through the complete setup process, which requires configuring both your Azure environment and Chariot. Before beginning the integration, you will need to gather three essential pieces of information:

  • Client ID 
  • Client Secret 
  • Issuer URL 

Domain Verification

The first step is to verify ownership of your domain by adding a DNS TXT record. Open your domain's DNS settings or management interface, where you will add a TXT record. The record must follow the format "chariot=<email>", where <email> is your primary Chariot account email address. You can find your primary email on the Users page.

In your DNS management interface, set the TXT record on your root domain. For example, if your domain is YourDomain.com and the record is set at the root level (@), you would add a TXT record with the value "chariot=YourPrimaryEmail@email.com". Within the Chariot setup pop-up, you can copy and paste this value:

Once set, your DNS TXT record might look something like this:

  YourDomain.com   Record type   Value
  @                TXT           "chariot=YourPrimaryEmail@email.com"

To verify that your record has been published, run dig +short TXT YourDomain.com (macOS) or nslookup -type=TXT YourDomain.com (Windows) and look for your record in the output. Newly added records can take a while to propagate, so re-run the check if the record is not yet visible.

Creating the Azure Application Registration

Start by visiting the Azure Portal and creating a new Single Tenant App Registration.

On the App registrations page, follow these steps:

  1. Supply the name of the application to Azure, such as "Chariot SSO".
  2. Decide which accounts will be able to access Chariot SSO through Azure, and configure the registration accordingly.
  3. Configure a "Web" Redirect URI with this URI:
https://praetorian-chariot.auth.us-east-2.amazoncognito.com/oauth2/idpresponse


Generate the Client Secret and Application ID

Navigate to the newly created application's Overview page and note the Application (client) ID and the Directory (tenant) ID. Copy both. The Application (client) ID will be used as the Client ID, and the Directory (tenant) ID will be used in the Issuer URL in the Chariot application.

Click on Certificates and Secrets on the menu to the left. 

On the Certificates and secrets page, click New client secret. Generate the secret and copy its value immediately: it is displayed only once, right after creation, and cannot be retrieved afterwards.

The newly generated secret value appears in the table below Description. Again, copy the secret value now, as you will need it as the Client Secret in the Chariot SSO setup. The Secret ID (distinct from the Application (client) ID above) is not needed for the Chariot - Azure integration.


Get the issuer URL

Your issuer URL will be:

 https://login.microsoftonline.com/<tenant-id>/v2.0

...where <tenant-id> is the Directory (tenant) ID listed on the application overview page.

Chariot Integration Configuration

To complete the integration, log into Chariot with your existing credentials. Click Settings on the bottom left menu and navigate to the Settings page. Look for the "Setup Single Sign-On" button.

Provide the following information:

The domain field should be your email domain (for example, "praetorian.com" if your email is "john.doe@praetorian.com"). The Client ID is your Azure Application (client) ID, and the Client Secret is the value you generated in the Certificates and secrets section. For the Issuer URL, use the URL containing your tenant ID as described above.
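The following pre-flight script is an added example, not part of the Chariot documentation or product: it checks the values gathered in the Domain Verification and Get the issuer URL sections before they are entered into the form above. It parses constructed `dig +short TXT` output (real DNS is not queried), confirms the chariot=<email> record is present, checks that the domain field matches the primary email's domain, and builds the Issuer URL only from a GUID-shaped tenant ID; the sample email, domain and all-zero tenant ID are placeholders.

```python
import re

# Constructed sample of `dig +short TXT YourDomain.com` output (not real DNS data).
SAMPLE_DIG_OUTPUT = '''"v=spf1 -all"
"chariot=YourPrimaryEmail@email.com"
'''

# Shape of an Azure Directory (tenant) ID.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def parse_txt_records(dig_output: str) -> list:
    """Turn `dig +short TXT` output into plain record strings.

    dig prints one record per line; a record longer than 255 bytes is shown
    as several space-separated quoted chunks, which are joined back together.
    """
    records = []
    for line in dig_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(chunks).replace('\\"', '"'))
    return records


def has_chariot_record(records, primary_email: str) -> bool:
    """True if some record is exactly chariot=<primary_email> (case-insensitive)."""
    wanted = f"chariot={primary_email}".lower()
    return any(r.strip().lower() == wanted for r in records)


def issuer_url(tenant_id: str) -> str:
    """Build the Issuer URL from the Directory (tenant) ID, rejecting non-GUID input."""
    if not GUID_RE.match(tenant_id):
        raise ValueError("tenant_id must be the Directory (tenant) ID GUID, not a client ID or name")
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def preflight(dig_output: str, primary_email: str, chariot_domain: str, tenant_id: str) -> dict:
    """Run the checks an admin should pass before clicking 'Setup Single Sign-On'."""
    email_domain = primary_email.rsplit("@", 1)[-1].lower()
    results = {
        "txt_record_published": has_chariot_record(parse_txt_records(dig_output), primary_email),
        "domain_matches_email": chariot_domain.lower() == email_domain,
    }
    try:
        results["issuer_url"] = issuer_url(tenant_id)
    except ValueError:
        results["issuer_url"] = None  # tenant ID was not a GUID; fix before continuing
    return results


if __name__ == "__main__":
    # Placeholder tenant ID; substitute your real Directory (tenant) ID.
    print(preflight(SAMPLE_DIG_OUTPUT, "YourPrimaryEmail@email.com", "email.com",
                    "00000000-0000-0000-0000-000000000000"))
```

In practice, replace SAMPLE_DIG_OUTPUT with the actual output of the dig command from the Domain Verification section.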

Managing Access Permissions

Access to your Chariot account will be granted to users based on the account group specified in your Azure tenant. For detailed information about configuring these access permissions, consult the Azure Documentation.

Once the setup is complete, users can access Chariot through the Corporate ID portal on the login page.

It's worth noting that while you can remove the DNS TXT record after completing the SSO setup, you'll need to temporarily reinstate it if you make any changes to the SSO configuration, such as rotating secrets.

Should you encounter any difficulties during this process or need assistance, don't hesitate to reach out to support@praetorian.com for help. Our support team is ready to assist you in ensuring a smooth integration between Azure and Chariot.