Start Azure AD SAML docs

backend/src/utils/auth.ts

@@ -135,24 +135,24 @@ const initializePassport = async () => {
     {
       passReqToCallback: true,
       getSamlOptions: async (req: any, done: any) => {
-          const { ssoIdentifier } = req.params;
-          
-          const ssoConfig = await getSSOConfigHelper({
-            ssoConfigId: new Types.ObjectId(ssoIdentifier)
-          });
-          
-          const samlConfig = ({
-            path: "/api/v1/auth/callback/saml",
-            callbackURL: `${await getSiteURL()}/api/v1/auth/callback/saml`,
-            entryPoint: ssoConfig.entryPoint,
-            issuer: ssoConfig.issuer,
-            cert: ssoConfig.cert,
-            audience: ssoConfig.audience
-          });
-          
-          req.ssoConfig = ssoConfig;
+        const { ssoIdentifier } = req.params;
+        
+        const ssoConfig = await getSSOConfigHelper({
+          ssoConfigId: new Types.ObjectId(ssoIdentifier)
+        });
+        
+        const samlConfig = ({
+          path: `/api/v1/sso/saml2/${ssoIdentifier}`,
+          callbackURL: `${await getSiteURL()}/api/v1/sso/saml2${ssoIdentifier}`,
+          entryPoint: ssoConfig.entryPoint,
+          issuer: ssoConfig.issuer,
+          cert: ssoConfig.cert,
+          audience: ssoConfig.audience
+        });
+        
+        req.ssoConfig = ssoConfig;
 
-          done(null, samlConfig);
+        done(null, samlConfig);
       },
     },
     async (req: any, profile: any, done: any) => {
@@ -161,7 +161,7 @@ const initializePassport = async () => {
       const organization = await Organization.findById(req.ssoConfig.organization);
       
       if (!organization) return done(OrganizationNotFoundError());
-      
+
       const email = profile.email;
       const firstName = profile.firstName;
       const lastName = profile.lastName;

docs/documentation/platform/saml.mdx

@@ -5,15 +5,15 @@ description: "Log in to Infisical via SSO protocols"
 
 <Warning>
   Infisical currently only supports SAML SSO authentication with [Okta as the
-  identity provider (IDP)](https://www.okta.com/). We're expanding support for
-  other IDPs in the coming months, so stay tuned with this issue
+  identity provider (IdP)](https://www.okta.com/). We're expanding support for
+  other IdPs in the coming months, so stay tuned with this issue
   [here](https://github.com/Infisical/infisical/issues/442).
 </Warning>
 
 You can configure your organization in Infisical to have members authenticate with the platform via protocols like [SAML 2.0](https://en.wikipedia.org/wiki/SAML_2.0).
 
 To note, configuring SSO retains the end-to-end encrypted architecture of Infisical because we decouple the **authentication** and **decryption** steps. In all login with SSO implementations,
-your IDP cannot and will not have access to the decryption key needed to decrypt your secrets.
+your IdP cannot and will not have access to the decryption key needed to decrypt your secrets.
 
 ## Configuration
 
@@ -28,7 +28,7 @@ below to configure SSO for your identity provider:
 </Note>
 
 <AccordionGroup>
-  <Accordion title="Okta SAML 2.0">
+  <Accordion title="Okta SAML">
     1. In the Okta Admin Portal, select Applications > Applications from the
     navigation. On the Applications screen, select the Create App Integration
     button.
@@ -46,7 +46,7 @@ below to configure SSO for your identity provider:
     - Single sign on URL: `https://app.infisical.com/api/v1/sso/saml2/:identifier`; we'll update the `:identifier` part later in step 6.
     - Audience URI (SP Entity ID): `https://app.infisical.com`
 
-    ![SAML Okta configure IDP fields](../../images/saml-okta-3.png)
+    ![SAML Okta configure IdP fields](../../images/saml-okta-3.png)
 
     <Note>
         If you're self-hosting Infisical, then you will want to replace `https://app.infisical.com` with your own domain.
@@ -63,18 +63,18 @@ below to configure SSO for your identity provider:
 
     Once configured, select the Next button to proceed to the Feedback screen and select Finish.
 
-    5. Get IDP values
+    5. Get IdP values
 
     Once your application is created, select the Sign On tab for the app and select the View Setup Instructions button located on the right side of the screen:
 
     Copy the Identity Provider Single Sign-On URL, the Identity Provider Issuer, and the X.509 Certificate to be pasted into your Infisical SAML SSO configuration details with the following map:
 
-    - `Audience -> Okta Audience URI (SP Entity ID)`
-    - `Entrypoint -> Okta Identity Provider Single Sign-On URL`
-    - `Issuer -> Identity Provider Issuer`
-    - `Certificate -> X.509 Certificate`.
+    - `Audience -> Audience URI (SP Entity ID) from Okta`
+    - `Entrypoint -> Identity Provider Single Sign-On URL from Okta`
+    - `Issuer -> Identity Provider Issuer from Okta`
+    - `Certificate -> X.509 Certificate from Okta`
 
-    ![SAML Okta IDP values](../../images/saml-okta-5.png)
+    ![SAML Okta IdP values](../../images/saml-okta-5.png)
 
     ![SAML Okta paste values into Infisical](../../images/saml-okta-6.png)
 
@@ -97,4 +97,51 @@ below to configure SSO for your identity provider:
     Enabling SAML SSO enforces all members in your organization to only be able to log into Infisical via Okta.
 
   </Accordion>
+  <Accordion title="Azure SAML">
+  
+  1. In the Azure Portal, navigate to the Azure Active Directory and select Enterprise applications. On this screen, select
+  the **+ New application** button.
+  
+  TODO: insert  image.
+  
+  2. On the next screen, press the **+ Create your own application** button.
+  Give the application a unique, Infisical-specific name; choose the "Integrate any other application you don't find in the gallery (Non-gallery)"
+  option and hit the **Create** button.
+  
+  TODO: insert image
+  
+  3. On the application overview screen, select **Single sign-on** from the left sidebar. From there,
+  select the **SAML** single sign-on method.
+
+4. Next, press the **Edit** button in the **Basic SAML Configuration** section and configure the following fields:
+
+- Identifier (Entity ID): https://app.infisical.com
+- Reply URL (Assertion Consumer Service URL): `https://app.infisical.com/api/v1/sso/saml2/:identifier`
+
+<Note>
+  If you're self-hosting Infisical, then you will want to replace
+  `https://app.infisical.com` with your own domain.
+</Note>
+
+5. Next, press the **Edit** button in the **Attributes & Claims** section.
+
+In the **Attributes && Claims** section, configure the following claims to map:
+
+- `email -> user.userprinciplename`
+- `firstName -> user.firstName`
+- `lastName -> user.lastName`
+
+Once you've done that, head back to the **Set up Single Sign-On with SAML** screen.
+
+6. Get IdP values:
+
+Back in Infisical > Organization settings > Authentication, select **Set up SAML SSO** and paste your Infisical SAML SSO configuration details
+with the following map from the **Set up Single Sign-On with SAML** screen in Azure:
+
+- `Audience -> Azure `
+- `Entrypoint -> X`
+- `Issuer -> X`
+- `Certificate -> X.509 Certificate from Azure`
+
+</Accordion>
 </AccordionGroup>