Azure Active Directory SSO (SAML)

TL;DR

To have ngrok enforce Single Sign-On using SAML with Azure Active Directory (Azure AD):

This article details how to configure Azure AD as an Identity Provider for your ngrok Edge. By integrating Azure AD with ngrok, you can:

Requirements

To configure ngrok tunnels with Azure AD, you must have:

an ngrok Enterprise Account with an authtoken or admin access to configure edges with SAML
a Microsoft Azure account with access to an Azure AD tenant

Go to the ngrok dashboard
Click Cloud Edge > Edges
Create an Edge:
1. Click New Edge
2. Click HTTPS Edge
3. Click the Pencil Icon next to "no description". Enter Edge With Azure Active Directory SSO as the Edge name and click Save
Configure the SAML module for this Edge:
1. On the Routes section, click SAML
2. Click Begin setup
3. In the Identity Provider section, copy the following XML as a placeholder into the input box
```
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"></EntityDescriptor>
```
1. Click Save
2. Note that ngrok has now generated values for the fields in the Service Provider section. You will need to configure Azure AD with these values later

Go to your Azure AD tenant in Azure
Create an enterprise application
1. Starting from the sidebar, in the Manage section, click Enterprise Applications > New application
2. Give your application a name (eg www for a website client). Click Create
To assign users/groups for this application, in the Getting Started section, click 1. Assign users and groups > Add user/group
Set up single sign on with SAML
1. In the Getting Started section, click on the box titled 2. Set up single sign on > SAML
2. Configure SAML. In the Basic SAML Configuration box click Edit
1. Add Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) values using the previously the ngrok generated Entity ID and ACS URL
1. Click Save
2. Download the Metadata XML. In the SAML Certificates box > Token signing certificate section > click Download for the Federation Metadata XML

Back in the ngrok dashboard for your Edge's SAML configuration, upload the XML file generated by Azure AD
Click Save

Note

For this step, we assume you have an app running locally (i.e. on localhost:3000) with the ngrok client installed.

Launch a tunnel connected to your configured Edge
On your Edge's page, in the Routes section, click Start a tunnel
Copy the tunnel command
Launch a terminal and paste the command, replacing http://localhost:80 with your local web app address (e.g., http://localhost:3000)
Hit Enter to launch the tunnel
Confirm that the tunnel is connected to your edge
1. Return to the ngrok dashboard
2. Close the Start a tunnel and the Tunnel group drawers
3. Refresh the Edge page
4. In the Routes section > Traffic section you will see the message You have 1 tunnel online. Start additional tunnels to begin load balancing.
Copy the ngrok url on the Endpoints section
Access your Edge application
1. In your browser, launch an incognito window
2. Access your ngrok tunnel via your copied URL
3. You should be prompted to log in with your Microsoft credentials
4. After login, you should be able to see the application

In Azure, configure the SAML response to include group claims. In the Attributes & Claims box click Edit
Click Add a group claim > Advanced options > Customize the name of the group claim
Set the name of the group claim to groups. This specific value is required for ngrok
Click Save
Go to your group page and copy the object Id (Azure AD returns group object Ids in the group claim)
Configure ngrok to enforce group authorization. In ngrok on your Edge's page, in the Authorization section, update the groups input with your Azure group object Id (NOT group name) values
Access your Edge application
1. In your browser, launch an incognito window
2. Access your ngrok tunnel via your copied URL
3. You should be prompted to log in with your Microsoft credentials
4. Only users assigned to the authorized groups will have access to the application