SSO Azure Security Permissions
Minimum Security
-
TLS 1.2+ on all endpoints.
-
Signed assertions (RSA 2048+).
-
Store PEM securely. Limit access.
Role & Group Mapping
-
Provide group-to-role CSV or JSON.
-
Map least-privilege groups to
Admin,Developer,Viewer. -
Test mapping with non-admin accounts.
Certificate Rotation
-
Generate new certificate on Azure
Generate the new certificate/keys in Azure.
-
Upload metadata/PEM to SailPoint Entro staging
Upload the new metadata and PEM to the SailPoint Entro staging environment.
-
Test with a test user
Verify authentication and assertions using a test user account.
-
Schedule cutover and revoke old cert after validation
Perform cutover once validation succeeds, then revoke the old certificate.
Diagnostics & Logs
-
Check Azure Sign-in logs and SailPoint Entro SSO logs.
-
Capture assertion_id, issuer, email, and timestamps.
Capture the following fields when reviewing diagnostics and logs:
-
assertion_id
-
issuer
-
email
-
timestamps
Recovery
-
Keep an emergency local admin not bound to SSO.
-
Document rollback steps and test quarterly.