
Integrating Microsoft Entra ID with Security Cloud Sign On

This guide explains how to integrate Microsoft Entra ID with Security Cloud Control.

Before you begin

Before you begin, read the Integrating Identity Providers guide to understand the overall process. These instructions supplement that guide with details specific to Microsoft Entra ID SAML integrations, specifically Step 2: Provide Security Cloud SAML metadata to your identity provider and Step 3: Provide SAML metadata from your IdP to Security Cloud.

Procedure

1. Sign in to Security Cloud Control with the organization you want to integrate with Microsoft Entra ID.

  1. Create a new identity provider and decide whether to opt out of Duo MFA, as explained in Step 1: Initial setup.

  2. On Step 2: Provide Security Cloud SAML metadata to your identity provider, download the Public certificate, and copy the values for Entity ID and Single Sign-On Service URL for use in the next steps.

2. In a new browser tab, sign in to https://portal.azure.com as an administrator. Keep the Security Cloud Control tab open as you'll return to it shortly.

If your account gives you access to more than one tenant, select your account in the upper right corner. Set your portal session to the Microsoft Entra ID tenant that you want.

  1. Click Azure Active Directory.

  2. Click Enterprise Applications in the left sidebar.

  3. Click + New Application and search for Microsoft Entra SAML Toolkit.

  4. Click Microsoft Entra SAML Toolkit.

  5. In the Name field, enter Security Cloud Sign On or another value, then click Create.

  6. On the Overview page, click Single Sign On under Manage in the left sidebar.

  7. Under Select a single sign-on method, select SAML.

  8. In the Basic SAML Configuration panel, click Edit, and do the following:

    • Under Identifier (Entity ID), click Add Identifier and enter the Entity ID URL provided by Security Cloud Control.

    • Under Reply URL (Assertion Consumer Service URL), click Add reply URL and enter the Single Sign-On Service URL from Security Cloud Control.

    • In the Sign on URL field, enter https://security.cisco.com/.

    • Click Save and close the Basic SAML Configuration panel.

  9. In the Attributes & Claims panel, click Edit.

    • Under Required claim, click the Unique User Identifier (Name ID) claim to edit it.

    • Set the Source attribute field to user.userprincipalname. This assumes that the value of user.userprincipalname represents a valid email address. If not, set Source to user.primaryauthoritativeemail.

  10. In the Additional claims panel, click Edit and create the following mappings between Microsoft Entra ID user properties and SAML attributes:

    Name        Namespace   Source attribute
    email       No value    user.userprincipalname
    firstName   No value    user.givenname
    lastName    No value    user.surname

    Be sure to clear the Namespace field for each claim.

  11. In the SAML Certificates panel, click Download for the Certificate (Base64) certificate.

  12. In the Set up Single Sign-On with SAML section, copy the value of Login URL and Microsoft Entra Identifier for use later in this procedure.

3. Return to Security Cloud Control and click Next. You should be on Step 3: Provide SAML metadata from your IdP to Security Cloud.

  1. Select the Manual Configuration option.

  2. In the Single Sign-on Service URL (Assertion Consumer Service URL) field, enter the Login URL value that is provided by Azure.

  3. In the Entity ID (Audience URI) field, enter the Microsoft Entra Identifier value that is provided by Microsoft Entra ID.

  4. Upload the Signing Certificate provided by Azure.

    The signing certificate file that is provided by Azure has a .cer extension. However, for Security Cloud Control to accept the certificate, change the file extension to .cert and then upload it.

4. Click Next in Security Cloud Control.
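Before testing the integration, it is useful to confirm that an assertion issued by Entra ID actually carries the values configured above (Reply URL, Entity ID, Microsoft Entra Identifier, an email-shaped Name ID, and the three claims with no namespace). The following checker is an added example and not part of this guide or of Security Cloud Control; the URLs, tenant identifier and the sample response are constructed placeholders, and it checks the decoded XML only, not the signature.

```python
import xml.etree.ElementTree as ET

# Values copied from the Security Cloud Control and Entra ID screens in the procedure
# above; these are constructed placeholders, not real endpoints or tenant IDs.
EXPECTED_ACS_URL = "https://sso.example.invalid/acs"      # Single Sign-On Service URL (step 1.2)
EXPECTED_AUDIENCE = "https://sso.example.invalid/entity"  # Entity ID (step 1.2)
EXPECTED_ISSUER = "https://sts.windows.net/PLACEHOLDER-TENANT-ID/"  # Microsoft Entra Identifier (step 2.12)
REQUIRED_ATTRIBUTES = {"email", "firstName", "lastName"}  # Additional claims (step 2.10)
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(response_xml: str) -> list:
    """Return the configuration problems in a decoded SAMLResponse (empty list: all good).
    Signature verification is out of scope: run this only on an already verified response."""
    problems = []
    root = ET.fromstring(response_xml)
    destination = root.get("Destination")
    if destination != EXPECTED_ACS_URL:
        problems.append(f"Destination {destination!r} is not the Reply URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no Assertion"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        problems.append(f"Issuer {issuer!r} is not the Microsoft Entra Identifier")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != EXPECTED_AUDIENCE:
        problems.append(f"Audience {audience!r} is not the Entity ID")
    # Step 2.9 assumes the Name ID source attribute resolves to an email address.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if "@" not in name_id:
        problems.append(f"NameID {name_id!r} is not an email address")
    names = {a.get("Name") for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for missing in sorted(REQUIRED_ATTRIBUTES - names):
        problems.append(f"attribute {missing!r} missing")
    # Entra ID emits a claim that has a Namespace set as "<namespace>/<name>", which is
    # why the guide says to clear the Namespace field for each claim.
    for name in names:
        if "/" in name and name.rsplit("/", 1)[-1] in REQUIRED_ATTRIBUTES:
            problems.append(f"attribute {name!r} still carries a namespace")
    return problems

# Constructed sample of a decoded SAMLResponse that matches this guide's mappings.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{EXPECTED_ACS_URL}">
  <saml:Assertion><saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Paste the base64-decoded SAMLResponse captured during Step 4 into `check_saml_response`; any non-empty result points at the panel in step 2 that still needs correcting.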

What to do next

Test and activate your integration by following Step 4: Test your SAML integration and Step 5: Activate the integration.