Using Microsoft Entra ID as your Identity Provider (IdP)
  • 08 Nov 2023


Article Summary

This article provides instructions on how to set up Microsoft Entra ID (Entra) as an Identity Provider (IdP) for federated authentication.

Set up an enterprise application

  1. Sign in to the Azure Portal with an administrator account and from the Entra services list on the homepage select Enterprise applications > New application.

  2. You must select Create your own application because Mambu is not one of the gallery applications. In the Create your own application dialog, provide a name for your new application and select Create.

  3. Go to Set up single sign on > SAML.

  4. In the Set up Single Sign-On with SAML screen, you must fill in the information for the Basic SAML Configuration section. The Identifier and Reply URL fields are required.

Basic SAML Configuration information

  5. Go to the Attributes & Claims section. You must edit each of the claims to remove the Namespace value, edit the Name, and in some cases edit the source attribute value. Refer to the table below for the correct values. The RoleID claim does not exist by default; you must select Add new claim to create it.

     Claim name                Source attribute (value)
     Email                     user.mail
     First Name                user.givenname
     Last Name                 user.surname
     Language                  user.preferredlanguage
     RoleID                    user.assignedroles
     Unique User Identifier    user.mail


You must also make sure that the Unique User Identifier is set to Persistent.


After you are done making the edits to the Attributes & Claims section, the section should look like the image below.

Attributes and Claims section

  6. Go to the SAML Certificates section and select Edit.

SAML Certificates section

In the SAML Signing Certificate dialog, select the edit option and then select PEM certificate download.


  7. Create a SHA-256 certificate fingerprint from the PEM certificate, using the following command:
openssl x509 -noout -fingerprint -sha256 -inform pem -in {/path/to/certificate-file.pem}

Replace the placeholder in curly braces with the actual path to your certificate file.

Please Note

You must have OpenSSL installed in order for the command to work.

Enable federated authentication in Mambu UI

To enable federated authentication in Mambu UI, go to Administration > Access > Federated Authentication and select the Enable Single Sign-On check box. For more information, see Enabling Federated Authentication with Mambu.

Setting up federated authentication in Mambu UI

You must:

  • Enter the Name you would like to use for your IdP. You may choose whatever name you like.
  • Enter the SHA-256 certificate fingerprint you created while setting up your enterprise application in Entra into the Certificate Fingerprint field.
  • Enter the Single Sign-On Endpoint; this is the Login URL shown on the Set Up Single Sign-On with SAML page.
  • Enter the Issuer ID; this is the Azure AD Identifier shown on the Set Up Single Sign-On with SAML page.


User assignment

Once you have created an enterprise application in Entra, you must also assign users to the application.

To assign the first user to your application:

  1. On the Entra homepage, go to Enterprise applications > Choose your enterprise application > Users and Groups > Add user/group.
  2. Under the Users list, select None Selected. In the Users dialog, select the user you would like to assign.

Role assignment

In order for your users to be able to log in to Mambu UI using Entra as the IdP, you must have assigned a Mambu role to them.

To carry out proper role assignment:

  1. Create a role in Mambu and make sure to select Mambu under Access Rights to grant access to the Mambu UI to this role. For more information, see Creating a role.

  2. Create an app role in Entra. On the Entra homepage, go to Azure Active Directory > Choose your directory (for example, Default Directory) > App Registrations > Choose your enterprise application > App Roles > Create app role.

In the Create app role dialog, enter all the required information. The Value field must be the exact name of the role you created in Mambu.

Create app role dialog in Azure AD

Please Note

You may also create an app role by editing the Manifest. To do so, go to Azure Active Directory > Choose your directory (for example, Default Directory) > App Registrations > Choose your enterprise application > Manifest > edit the JSON accordingly.

Create app role with application manifest

  3. Assign the Entra app role to a user. To do so, navigate from the Entra homepage to Enterprise applications > Choose your enterprise application > Assign Users and Groups > Select the checkbox next to the user's name > Edit Assignment.

Editing assignment of users and groups

In the Edit assignment dialog, select the app role you created and select Assign to assign it to the user.

Edit assignment dialog in Azure AD

Please Note

For more information about enabling single logout, see Enabling Single Logout.

Branch assignment

For each of your users, you must also define the branch they are assigned to in Entra. For more information, see Managing Users under Federated Authentication - Branch assignment.

The following are the main steps to perform branch assignment using Entra as your IdP:

  1. Create a custom attribute in the Attributes & Claims section of your IdP configuration called BranchID.

  2. For branch definition, in Entra you can either define the same branch ID for all the users assigned to a specific application or define a different branch ID for each user.

If you want all the users of a specific application to be assigned the same branch ID, then you may set the value of the BranchID attribute to a specific branch ID. In the example, we have set the value to EMEA.


If you want to define different branch IDs for each user, then you may set the value of the BranchID attribute to user.department. Next, in the Department field for each user you may define the branch ID you want to assign the user to.

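The claims table, the Persistent Unique User Identifier, the SHA-256 fingerprint command, the app role Value rule and the BranchID attribute above all have to line up before a login succeeds. The following script, added here as an example and not part of Mambu's or Microsoft's own tooling, checks a decoded SAML assertion from your own test login against those rules and reproduces the openssl fingerprint value in Python. The assertion below is a constructed sample, and the Mambu role names passed in are whatever you created under Creating a role.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Claim names Mambu expects, with the default Entra namespace removed (see the table above).
REQUIRED_CLAIMS = {"Email", "First Name", "Last Name", "Language", "RoleID"}

def pem_sha256_fingerprint(pem: str) -> str:
    """Same value as `openssl x509 -noout -fingerprint -sha256`: SHA-256 over the DER bytes."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S).group(1)
    digest = hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_assertion(xml_text: str, mambu_roles: set) -> list:
    """Return the configuration problems found in an Entra SAML assertion (empty list = OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("Unique User Identifier (NameID) is not Persistent")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for name in attrs:
        if name.startswith("http://"):  # Namespace was left on the claim in Attributes & Claims
            problems.append(f"claim still carries a namespace: {name}")
    for name in sorted(REQUIRED_CLAIMS - set(attrs)):
        problems.append(f"missing claim: {name}")
    for role in attrs.get("RoleID", []):
        if role not in mambu_roles:  # App role Value must equal the Mambu role name exactly
            problems.append(f"RoleID {role!r} matches no Mambu role")
    if not attrs.get("BranchID"):
        problems.append("missing BranchID claim (branch assignment)")
    return problems

# Constructed sample assertion (not a real Entra token): every check above passes for it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="First Name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Last Name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Language"><saml:AttributeValue>en</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="RoleID"><saml:AttributeValue>Teller</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="BranchID"><saml:AttributeValue>EMEA</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Run `check_assertion(SAMPLE_ASSERTION, {"Teller"})` to get an empty list; a claim whose namespace was not removed, a role whose Value differs from the Mambu role name, or a non-Persistent NameID each show up as a separate message.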
