Before you begin configuring Microsoft Entra ID, make sure of the following:

  • You are logged on to the Deep Discovery Inspector (DDI) management console as a DDI administrator.
  • You have downloaded the DDI service provider metadata file.
    In the Deep Discovery Inspector management console, go to Administration > Integrated Products/Services > SAML Authentication, open the Service Provider tab, and click Download Metadata. Microsoft Entra ID reads the DDI Identifier (Entity ID) and Reply URL from this file.

Follow the instructions below to configure Microsoft Entra ID.

  1. Create a new application for DDI.
    1. Log on to the Microsoft Entra ID portal and go to Home > Microsoft Entra ID.

      [Screenshot: Azure Directory]

    2. In the left navigation, click Enterprise applications.

      [Screenshot: Enterprise Applications]

    3. Click Create your own application to create a new application.

      [Screenshot: Azure AD Gallery]

    4. Specify a display name for Deep Discovery Inspector, for example, “Deep Discovery Inspector”.
    5. Select Integrate any other application you don't find in the gallery (Non-gallery), then click Create.

      [Screenshot: Create Your Own Application]

  2. Upload the DDI metadata file.
    1. Once the application is created, its overview page opens. Click Single sign-on in the left navigation.

      [Screenshot: SSO]

    2. Select SAML as the single sign-on method.

      [Screenshot: SSO2]

    3. In the Basic SAML Configuration section, click Upload metadata file, select the Deep Discovery Inspector metadata file, and click Save.

      [Screenshot: Upload Metadata file]

    4. Once the metadata file is uploaded, the Identifier (Entity ID) and Reply URL fields in the Basic SAML Configuration section are populated automatically from it. Verify that they match the entityID and AssertionConsumerService location in the DDI metadata before continuing.
  3. Configure a group claim called DDI_GROUP.
    1. In the Attributes & Claims section, click Edit, then select Add a group claim.

      [Screenshot: Attributes and Claims]

    2. For the groups associated with the user that should be returned in the claim, select Groups assigned to the application. This limits the claim to the groups you assign to this application in step 4 rather than every group the user belongs to, which restricts what DDI can see and keeps the claim well under the size at which Microsoft Entra ID replaces the group list with a groups overage link.
    3. For Source attribute, choose sAMAccountName for groups synchronized from on-premises Active Directory, or Cloud-only group display names for groups created in Microsoft Entra ID. Note the exact value this emits: the group name you later enter on the DDI SAML account must match it.

      [Screenshot: Source Attribute]

       
      Note: Microsoft Entra ID may not emit the names of nested groups in a group claim, so assign the group whose members should sign in directly to the application rather than relying on nested membership.

    4. Under Advanced options, select Customize the name of the group claim, enter DDI_GROUP as the name, and click Save.

      [Screenshot: Group Claims]

    5. Confirm that an additional claim named DDI_GROUP now appears in the Attributes & Claims section.

      [Screenshot: DDI Group User Group]

  4. Assign a group to the application.

    Under Users and groups in the left navigation, add the group whose members are authorized to sign on to Deep Discovery Inspector. Because the claim returns only groups assigned to the application, a group that is not assigned here does not appear in DDI_GROUP even for its members. Also check, under Properties, that Assignment required? is set to Yes, so that users outside the assigned group cannot obtain an assertion for DDI at all.

    [Screenshot: Users and Groups]

  5. The application is now configured. Export the identity provider metadata: in the SAML Certificates section, click Download next to Federation Metadata XML. This file carries the token-signing certificate, so repeat this export and the import in the next step whenever that certificate is rotated in Microsoft Entra ID.

    [Screenshot: SAML Certificates]

  6. Import the identity provider information into DDI.
    1. Log in to the DDI management console.
    2. Navigate to Administration > Integrated Products/Services > SAML Authentication.

      [Screenshot: SAML Authentication]

    3. On the Identity Provider tab, click Add.
    4. In the dialog that opens, upload the Federation Metadata XML downloaded from Microsoft Entra ID.

      [Screenshot: Identity Provider]

    5. Specify a name for this identity provider, then click Save.
  7. Add a SAML account.
    SAML single sign-on is now set up on DDI.

    Add a SAML account by following the Deep Discovery Inspector Administrator's Guide > Chapter 6: Administration > Accounts > Adding a SAML Account. The group name entered for the account must match the value emitted in the DDI_GROUP claim.
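The procedure above exchanges three artefacts that are easy to get subtly wrong: the DDI metadata from the prerequisites (the source of the Identifier and Reply URL in step 2), the Federation Metadata XML from step 5 (the source of the issuer and signing certificate DDI imports in step 6), and the assertion DDI receives once a user in the assigned group signs in, which must carry the DDI_GROUP claim from step 3. The following Python script is an added example, not code from this article or from Trend Micro or Microsoft; it reads those three XML documents offline and reports the values and the common claim misconfigurations. Every XML document in it is constructed sample data: the tenant ID, the DDI hostname and paths, the certificate placeholder and the group names are placeholders, not values from any real tenant or appliance.

```python
"""Offline sanity checks for the Entra ID -> Deep Discovery Inspector SAML setup above.
All XML below is constructed sample data; tenant ID, hostnames and group names are placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Name Entra ID gives the group claim when "Customize the name of the group claim" is not set
DEFAULT_GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Claim Entra ID emits in place of the group list when the user is in too many groups
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID

# Constructed stand-in for the DDI metadata downloaded from the Service Provider tab.
SP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://ddi.example.com/saml/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="{POST}" Location="https://ddi.example.com/saml/acs" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed stand-in for the Federation Metadata XML downloaded in step 5.
IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>PLACEHOLDER_BASE64_CERT</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed assertion as DDI would receive it once a user in the assigned group signs in
# (signature and timestamps omitted; this script inspects claims, it does not validate them).
ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_1">
  <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://ddi.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="DDI_GROUP"><saml:AttributeValue>DDI-Admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_sp_metadata(xml_text):
    """Identifier and Reply URL that Entra ID auto-populates in step 2.4 come from these fields."""
    root = ET.fromstring(xml_text)
    acs = root.find(f"md:SPSSODescriptor/md:AssertionConsumerService[@Binding='{POST}']", NS)
    return {"entity_id": root.get("entityID"), "acs_url": None if acs is None else acs.get("Location")}


def parse_idp_metadata(xml_text):
    """Values DDI takes from the imported metadata; raise if the file cannot work as an IdP."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        raise ValueError("no signing certificate: DDI could not verify assertions")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{POST}']", NS)
    return {"entity_id": root.get("entityID"),
            "sso_post_url": None if sso is None else sso.get("Location"),
            "signing_cert_count": len(certs)}


def attribute_values(assertion_xml, name):
    """All AttributeValue texts of the attribute called `name` (empty list if absent)."""
    root = ET.fromstring(assertion_xml)
    return [v.text or "" for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
            if a.get("Name") == name for v in a.findall("saml:AttributeValue", NS)]


def diagnose_group_claim(assertion_xml, claim_name="DDI_GROUP"):
    """Explain why DDI would or would not see the group claim configured in step 3."""
    if attribute_values(assertion_xml, claim_name):
        return "ok"
    if attribute_values(assertion_xml, OVERAGE_CLAIM):
        return "overage"       # group list replaced by a link; use "Groups assigned to the application"
    if attribute_values(assertion_xml, DEFAULT_GROUP_CLAIM):
        return "default-name"  # step 3.4 skipped: the claim was emitted under Entra ID's default name
    return "missing"           # no group claim at all, e.g. the user is in no group assigned in step 4


def user_may_sign_in(assertion_xml, allowed_group, claim_name="DDI_GROUP"):
    """Case-sensitive exact match: the group name given to the DDI SAML account must equal the claim value."""
    return allowed_group in attribute_values(assertion_xml, claim_name)


def assertion_matches_metadata(assertion_xml, idp, sp):
    """Issuer must equal the imported IdP entityID and Audience must equal DDI's own entityID."""
    root = ET.fromstring(assertion_xml)
    issuer_ok = root.findtext("saml:Issuer", namespaces=NS) == idp["entity_id"]
    audience_ok = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) == sp["entity_id"]
    return issuer_ok and audience_ok


if __name__ == "__main__":
    sp, idp = parse_sp_metadata(SP_METADATA), parse_idp_metadata(IDP_METADATA)
    print("Identifier Entra ID should show:", sp["entity_id"], "| Reply URL:", sp["acs_url"])
    print("IdP entityID DDI imports:", idp["entity_id"], "| SSO URL:", idp["sso_post_url"])
    print("Group claim:", diagnose_group_claim(ASSERTION),
          "| alice may sign in as DDI-Admins:", user_may_sign_in(ASSERTION, "DDI-Admins"))
```

To run this against a real deployment, pass the contents of the downloaded DDI metadata file and of FederationMetadata.xml to the two parse functions, and pass the `<saml:Assertion>` element taken from a base64-decoded SAMLResponse (for example, captured with a browser SAML tracer during a test sign-in) to the claim checks. The "default-name" and "overage" outcomes are the two failure modes the procedure guards against: forgetting to rename the claim in step 3.4, and returning all of a user's groups instead of only the groups assigned to the application.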