
Single Sign-On (SSO)

Overview


SSO (Single Sign-On) unifies IAM (Identity and Access Management) across multiple applications and systems. Users get a simpler authentication flow, and the administration team gets a single place, Entra ID, from which the IAM controls it already manages are enforced on every connected application.

With the M365 integration and the Wireguard capabilities within Crystal Eye, you can now deploy Wireguard with SSO user authentication.

This lets you roll out Wireguard VPN access to endpoints without bundling a per-device configuration file: the tunnel configuration is managed on the Crystal Eye, and users authenticate through Entra ID.

Installation


The SSO application is not available by default. It can be installed from Marketplace found near the bottom of the left-hand navigation panel.


Once installed, SSO can be located under the System Configuration menu on the left hand side.

Configuring MS Entra ID SSO in Crystal Eye


Step 1: Create application in Entra ID

Sign in to your Entra Admin Center as a global administrator or Application Administrator.

Under Applications click Enterprise Applications.

Entra ID Create Enterprise Application Step 1

Under Enterprise Application, click New Application.

Entra ID Create Enterprise Application Step 2

You will then need to click Create your own application.

Entra ID Create Enterprise Application Step 3

Step 2. Name and Create Application

Give a name related to the app you’re creating and hit Create.

Note

You will need sufficient permissions to create an enterprise application.

Entra ID name and create Application

Step 3. Configure App For Deployment

Click “Set up single sign on” and select “SAML” as the single sign-on method.

From this page you will need to copy the App Federation Metadata Url and Microsoft Entra Identifier that will be used to configure SSO in the Crystal Eye.

entra id configure app for deployment step 1

Step 4: Create application in Crystal Eye

Log in to the Crystal Eye admin interface, go to Marketplace and install the SSO app (if it is not installed already).

Refresh the Crystal Eye UI. Click on Single Sign-On (SSO) menu under “System Configuration”.

You are now going to add a new profile in Crystal Eye for SAML authentication using Microsoft Entra ID enterprise application.

Step 5: Exchange Metadata Between IdP and SP

In Crystal Eye, under “Single Sign-On (SSO) Profiles”, click “Add+”. Give the Application Profile a descriptive name, choose SAML under Federated, and paste the App Federation Metadata Url and Microsoft Entra Identifier copied in Step 3 into the SSO Profile.

entra id exchange metadata between idp and sp

Before you can Test Sign-In, copy the Identifier (Entity ID) and Reply URL from the Crystal Eye profile and enter them in the Enterprise Application.

entra id exchange metadata between idp and sp step 2

Step 6: Copy Metadata back to Entra ID

Go to Entra ID. Click Edit on Basic SAML Configuration.

Entra ID copy metadata basic SAML configuration

Copy the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) from the Crystal Eye profile into the matching fields in Entra ID, as shown in the screenshot below, and click Save.

entra ID copy metadata basic SAML configuration identifier

The Crystal Eye to Entra ID metadata exchange is done. This completes the two-way exchange between the Identity Provider (Microsoft Entra ID) and the Service Provider (Crystal Eye).

The IdP metadata changed as a result of the previous step. Refresh it by clicking the “Synchronize IdP Metadata” button under the profile you created in Crystal Eye.

Step 7: App Permissions

In Entra ID, add the users and groups from your tenant that should be allowed to sign in to the application created in Step 1.

Entra ID users and groups add

You can now click the Test Sign-in button to confirm SSO is working.

Entra ID users and groups test sign in Crystal Eye

Important!
Any change to the settings under “Set up Single Sign-On with SAML” in Microsoft Entra ID, including a rotation of the SAML signing certificate, must be followed by refreshing the IdP metadata in Crystal Eye; otherwise assertions signed with the new certificate will fail validation on the Crystal Eye.
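What “Synchronize IdP Metadata” has to pick up is visible in the App Federation Metadata document itself: the entityID (the Microsoft Entra Identifier you pasted in Step 5), the sign-on and logout endpoints, and the signing certificate. The following Python is an added example, not Crystal Eye or Microsoft code; it parses a constructed metadata document in the shape Entra publishes, extracts those values, and diffs two snapshots so that a certificate rotation on the IdP side shows up as drift. The tenant id, certificate bytes and function names (`parse_idp_metadata`, `metadata_drift`) are this example's own.

```python
"""Inspect Microsoft Entra ID SAML federation metadata.

Added example (not Crystal Eye or Microsoft code). It does offline what the
"Synchronize IdP Metadata" step does: parse the App Federation Metadata
document, extract the entityID, sign-on/logout endpoints and signing
certificate fingerprints, and diff two snapshots so a certificate rotation
on the IdP side is visible.
"""
import base64
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Hypothetical tenant id used in the constructed samples below.
TENANT = "00000000-0000-0000-0000-000000000000"


def build_sample(cert_der: bytes) -> str:
    """Constructed metadata in the shape Entra publishes (real documents also
    carry an XML signature and a WS-Fed RoleDescriptor, omitted here)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{cert_b64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


# Placeholder bytes stand in for DER certificates; they are not real X.509 data.
SAMPLE_METADATA = build_sample(b"constructed placeholder for the current signing cert")
ROTATED_METADATA = build_sample(b"constructed placeholder for a rotated signing cert")


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the values an SP needs from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")

    fingerprints = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means any use
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())

    def location(tag: str, binding: str):
        for svc in idp.findall(f"{{{MD}}}{tag}"):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        return None

    return {
        "entity_id": root.get("entityID"),
        "sso_redirect_url": location("SingleSignOnService", REDIRECT),
        "sso_post_url": location("SingleSignOnService", POST),
        "slo_url": location("SingleLogoutService", REDIRECT),
        "signing_cert_sha256": sorted(fingerprints),
    }


def metadata_drift(old: dict, new: dict) -> list:
    """Names of fields that changed between two snapshots; any entry means the
    SP's copy must be re-synchronised."""
    return [k for k in old if old[k] != new.get(k)]


def fetch_idp_metadata(url: str) -> dict:
    """Live fetch of the App Federation Metadata Url (not exercised offline)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return parse_idp_metadata(resp.read().decode("utf-8"))


if __name__ == "__main__":
    before, after = parse_idp_metadata(SAMPLE_METADATA), parse_idp_metadata(ROTATED_METADATA)
    print("entityID:", before["entity_id"])
    print("changed fields after rotation:", metadata_drift(before, after))
```

Pointing `fetch_idp_metadata` at the real App Federation Metadata Url and comparing `entity_id` with the Microsoft Entra Identifier entered in the SSO Profile is a quick check that the two values pasted in Step 5 belong to the same enterprise application; storing the parsed snapshot and running `metadata_drift` on a schedule tells you when the Important note above applies.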

Configuring MS Entra ID SSO in Crystal Eye completed – Continue to Configure & Register API.

Configure & Register API Permissions


Step 1: Add API permissions to application

In the Entra admin center select “App registrations”, then “All applications”, and search for the application you just created, as shown below.

Entra ID add api permissions app registration 1
Entra ID add api permissions app registration 2

Open the application and select “API permissions” from the blade, as shown below.

Entra ID app api permissions app registration 3

Click Add a permission and add the following:

Entra ID app api permissions app registration 4

Microsoft Graph

Application.Read.All

CrossTenantInformation.ReadBasic.All

Directory.Read.All

EntitlementManagement.ReadWrite.All

Group.ReadWrite.All

GroupMember.ReadWrite.All

Policy.Read.All

Policy.ReadWrite.ConditionalAccess

Policy.ReadWrite.SecurityDefaults

User.ReadWrite.All

Office 365 Management APIs

ActivityFeed.Read

ActivityFeed.ReadDlp

ServiceHealth.Read

Once all API permissions have been added, click Grant admin consent for [Your Tenant].
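Whether admin consent actually took effect is visible in the `roles` claim of an app-only access token issued to the application: application permissions that were granted appear there, delegated permissions do not (they appear in `scp`). The following Python is an added example, not Crystal Eye or Microsoft tooling. It requests such a token with the client-credentials grant, using the same three values (Tenant ID, Application ID, client secret) that the M365 Policy Manager asks for later on this page, and compares the claim against the permissions listed above. The decode is a diagnostic only and does not verify the signature; that is the resource API's job. The function names are this example's own, and the offline sample tokens are constructed, unsigned and would be rejected by any real API.

```python
"""Check that an Entra app-only token carries the application permissions this
page lists.  Added example; not Crystal Eye or Microsoft code."""
import base64
import json
import urllib.parse
import urllib.request

# Permissions from this page, grouped by the resource whose tokens carry them.
GRAPH = "https://graph.microsoft.com"
O365_MGMT = "https://manage.office.com"
REQUIRED_ROLES = {
    GRAPH: {
        "Application.Read.All", "CrossTenantInformation.ReadBasic.All",
        "Directory.Read.All", "EntitlementManagement.ReadWrite.All",
        "Group.ReadWrite.All", "GroupMember.ReadWrite.All", "Policy.Read.All",
        "Policy.ReadWrite.ConditionalAccess", "Policy.ReadWrite.SecurityDefaults",
        "User.ReadWrite.All",
    },
    O365_MGMT: {"ActivityFeed.Read", "ActivityFeed.ReadDlp", "ServiceHealth.Read"},
}
# Graph tokens may name the resource by its well-known application id instead of the URL.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(token: str) -> list:
    """Required application permissions absent from the token's roles claim."""
    claims = decode_claims(token)
    aud = GRAPH if claims.get("aud") == GRAPH_APP_ID else claims.get("aud")
    if aud not in REQUIRED_ROLES:
        raise ValueError(f"token audience {aud!r} is not a resource this page configures")
    granted = set(claims.get("roles", []))  # delegated grants land in 'scp', not here
    return sorted(REQUIRED_ROLES[aud] - granted)


def request_app_token(tenant: str, client_id: str, client_secret: str, resource: str) -> str:
    """Client-credentials grant at the v2.0 token endpoint (network; not run offline)."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": resource + "/.default",
        "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    with urllib.request.urlopen(url, data=body, timeout=10) as resp:
        return json.load(resp)["access_token"]


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token: header and payload with an empty signature.
    No real API accepts this; it only exercises the claim check offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed samples: one tenant consented to everything except one permission,
# the other to all of them.
PARTIAL_CONSENT_TOKEN = make_unsigned_token({
    "aud": GRAPH,
    "roles": sorted(REQUIRED_ROLES[GRAPH] - {"Policy.ReadWrite.ConditionalAccess"}),
})
FULL_CONSENT_TOKEN = make_unsigned_token({
    "aud": GRAPH_APP_ID,
    "roles": sorted(REQUIRED_ROLES[GRAPH]),
})

if __name__ == "__main__":
    print("missing after partial consent:", missing_roles(PARTIAL_CONSENT_TOKEN))
    print("missing after full consent:", missing_roles(FULL_CONSENT_TOKEN))
```

In live use, call `request_app_token` once per resource (`GRAPH` and `O365_MGMT`) and pass each token to `missing_roles`; an empty list for both means the grant-consent step is complete, while a token whose payload has `scp` but no `roles` means the permissions were added as delegated rather than application permissions.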

Entra ID api permissions grant admin consent 1

Step 2: Create New Client Secret

In App registrations Click Certificates & Secrets.

Entra ID app registration certificates and secrets 1

Then click New client secret.

Enter a Description related to the App and select an Expiration.

Entra ID app registration certificates and secrets 2

Note

It is recommended to set the expiry to 6 months; client secret rotation will then need to be worked into your maintenance routine. Because this secret, combined with the permissions granted above, gives read/write access to users, groups and Conditional Access policies across the tenant, treat it as a highly privileged credential.

Keep this page open as the Value will need to be copied into the Crystal Eye.

Entra ID app registration certificates and secrets 3

Note

Once you navigate away from this page in Entra ID the secret Value can no longer be viewed; if it was not copied, a new secret will need to be created. (The Secret ID stays visible, but it is not the credential.)

Step 3: Add settings to M365 policy manager in Crystal Eye

Open your Crystal Eye admin panel and browse to “Compliance Control” > “Microsoft 365” > M365 Policy Manager.

Entra ID crystal eye m365 policy manager 1

Click Add to create a new profile.

Entra ID crystal eye m365 policy manager 2

Fill in all fields as they appear in the Entra portal.

Entra ID crystal eye m365 policy manager 3

The Client Secret is the Value copied from the Certificates & secrets page in the previous step.

Application ID and Tenant ID can be found in the Overview section of the App Registration.

Entra ID application id tenant id overview

Once all the Information has been entered Click Enable Tenant.

Entra ID crystal eye m365 policy manager enable tenant 1

To test that the Crystal Eye can connect to Entra ID, click the Identity Management tab.

If policies, users and groups load, the Crystal Eye is configured correctly.

Entra ID crystal eye m365 policy manager enable tenant 2

Configure & Register API completed - Continue to Configure Wireguard in Crystal Eye

Configure Wireguard in Crystal Eye


When configuring Wireguard for remote users it is best to create a new security zone, which lets you write access policies specific to those users.

Step 1: Create Security Zone for Wireguard (Optional)

Under Security Configuration > Advanced Firewall click on Security Zones.

Click Add.

Entra ID Crystal Eye m365 advanced firewall security zones 1

Give the zone a name relating to Wireguard and leave all other settings as they are.

Step 2: Configure Wireguard Tunnel

Under Network Control > SD-WAN click Wireguard.

Click Add.

Give the Tunnel a Name and select the Zone you created in the step above.

The Address (the tunnel subnet) and Server Port can be any values that do not conflict with other VPN configurations or existing networks; the port must also be reachable from the clients' networks through any upstream firewall.

Select the Boxes for Full Tunnel Mode and SSO Authentication.

It is recommended to set Last Handshake Timeout to 60 minutes; this is the duration for which Wireguard will keep the session alive after a client has stopped handshaking, for example after it disconnects.

Entra ID Crystal Eye m365 wireguard settings

Note

If you want a split tunnel, do not select Full Tunnel Mode; instead manually select the Allowed Local IP/Subnets that should be routed through the VPN.
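The two settings above map onto things you can observe on any WireGuard host: Full Tunnel Mode versus Allowed Local IP/Subnets is the client-side AllowedIPs list, and Last Handshake Timeout is a threshold on the latest-handshake field that `wg show <interface> dump` reports per peer. The following Python is an added example, not Crystal Eye code; it parses a constructed `wg show` dump, lists peers whose last handshake is older than the recommended 60 minutes, and builds the AllowedIPs string for each tunnel mode. The key strings and addresses in the sample are placeholders, and `parse_wg_dump`, `stale_peers` and `client_allowed_ips` are this example's own names.

```python
"""Report Wireguard peers that fall outside a last-handshake window.

Added example (not Crystal Eye code). It parses the machine-readable output of
`wg show <interface> dump`, flags peers whose most recent handshake is older
than the page's recommended 60-minute Last Handshake Timeout, and shows the
client-side AllowedIPs that full-tunnel and split-tunnel mode correspond to.
"""
import subprocess
from dataclasses import dataclass

TIMEOUT_SECONDS = 60 * 60  # the page's recommended Last Handshake Timeout


@dataclass
class Peer:
    public_key: str
    endpoint: str          # "(none)" until the client has connected
    allowed_ips: list      # addresses the server routes to this peer
    latest_handshake: int  # Unix epoch seconds; 0 means never


def parse_wg_dump(dump: str) -> list:
    """Parse `wg show <iface> dump`: one tab-separated interface line, then one
    8-field line per peer (public key, preshared key, endpoint, allowed-ips,
    latest-handshake, rx bytes, tx bytes, persistent-keepalive)."""
    peers = []
    for lineno, line in enumerate(dump.strip().splitlines()):
        fields = line.split("\t")
        if lineno == 0 and len(fields) == 4:
            continue  # interface line: private key, public key, listen port, fwmark
        if len(fields) != 8:
            raise ValueError(f"unexpected wg dump line: {line!r}")
        pub, _psk, endpoint, allowed, handshake, _rx, _tx, _keepalive = fields
        peers.append(Peer(pub, endpoint, [a for a in allowed.split(",") if a], int(handshake)))
    return peers


def stale_peers(peers: list, now: int, timeout: int = TIMEOUT_SECONDS) -> list:
    """Peers whose last handshake is older than the timeout (or that never handshook)."""
    return [p for p in peers if p.latest_handshake == 0 or now - p.latest_handshake > timeout]


def client_allowed_ips(full_tunnel: bool, local_subnets: list) -> str:
    """Client-side AllowedIPs: everything for full tunnel, only the selected
    local subnets for split tunnel."""
    return "0.0.0.0/0, ::/0" if full_tunnel else ", ".join(local_subnets)


def live_peers(interface: str) -> list:
    """Read the running interface (needs root; not exercised offline)."""
    out = subprocess.run(["wg", "show", interface, "dump"],
                         capture_output=True, text=True, check=True).stdout
    return parse_wg_dump(out)


# Constructed sample dump: the keys are placeholder strings, not real WireGuard keys.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join("\t".join(f) for f in [
    ["SERVER_PRIVATE_KEY_PLACEHOLDER=", "SERVER_PUBLIC_KEY_PLACEHOLDER=", "51820", "off"],
    ["PEER_A_PUBLIC_KEY_PLACEHOLDER=", "(none)", "203.0.113.10:40000", "10.8.0.2/32",
     str(NOW - 120), "1048576", "524288", "off"],
    ["PEER_B_PUBLIC_KEY_PLACEHOLDER=", "(none)", "198.51.100.7:51000", "10.8.0.3/32",
     str(NOW - 2 * 3600), "4096", "2048", "off"],
    ["PEER_C_PUBLIC_KEY_PLACEHOLDER=", "(none)", "(none)", "10.8.0.4/32", "0", "0", "0", "off"],
])

if __name__ == "__main__":
    for p in stale_peers(parse_wg_dump(SAMPLE_DUMP), NOW):
        print("stale:", p.public_key, p.allowed_ips, p.latest_handshake)
    print("full tunnel:", client_allowed_ips(True, ["192.168.10.0/24"]))
    print("split tunnel:", client_allowed_ips(False, ["192.168.10.0/24"]))
```

Running `live_peers` on the Crystal Eye's Wireguard interface (or any WireGuard host) and feeding the result to `stale_peers` with the current time shows which sessions the 60-minute timeout would be holding open for clients that have gone away, which is the information you need to decide whether a shorter or longer value suits your users.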

Crystal Eye Wireguard Entra Setup Complete