How to configure Single Sign On (SSO) for an Illumina Enterprise domain using Azure

Follow the steps below to configure the IDP (Azure) and SP (Illumina) for SSO on an Illumina Enterprise domain.

Note: Illumina supports SP-initiated login only; users must sign in via an illumina.com URL (eg, https://{domain}.login.illumina.com or https://{domain}.basespace.illumina.com).

Create an Enterprise application within the Azure portal and select the "Integrate any other application you don't find in the gallery (Non-gallery)" option. Here the application name is "PlatformAuthTest."
From the Overview page for the application created in Step 1, select "Set up single sign on."
Select the SAML option.
Under "basic SAML Configuration" select Edit:
Enter the following URLs in the appropriate fields and select Save.

Identifier (Entity ID): https://login.illumina.com/saml-service/saml/metadata
Reply URL: https://login.illumina.com/saml-service/saml/SSO
Logout URL: https://login.illumina.com/saml-service/saml/SingleLogout

Download the IDP metadata XML file, called "Federation Metadata XML" on Azure:
Sign into the Illumina Enterprise account and navigate to the DOMAIN tab within the IAM Console.
Select AUTHENTICATION from the left side navigation and select the SAML button.
Under "Select SAML configuration file" select the Choose File button and navigate to the metadata XML file downloaded in Step 6.
Select the Upload button and, when prompted, select Save Changes.
Select Download under "Metadata XML file (SP)" to download the Illumina SP metadata XML file to be uploaded to the IDP account.
From the Single sign-on configuration page in the Azure portal, select Upload metadata file.
Select Select a file and navigate to the file downloaded in Step 11 (illumina_sp.xml) and select Add.
Make sure the Entity ID, Reply URL, and Logout URL fields are still populated correctly. If they are not, refer to Step 5 to correct them. For example, the Reply URL may not be populated correctly, as shown below.
Select Save under the Basic SAML Configuration heading to save settings on the Azure IDP side.
Obtain the SAML Attribute Mapping values for EmailId, Last name, and First name from the IDP and enter them into the relevant fields in the Authentication Configuration page within the Illumina IAM console:

For Azure, these values can be found by selecting the "Edit" button on the User Attributes & Claims card:

The values needed are highlighted below under Additional Claims:

The above shows the default claims created by Azure. Claims can be modified, added, and deleted. However, at a minimum, the values provided in the SAML Authentication Configuration in the Illumina IAM console for the fields EmailId, First name, and Last name must map to the Azure attributes: user.email, user.givenname, user.surname, respectively.

Once settings have been saved on both the IDP and SP ends, it will take some time for everything to sync on the Illumina side. Wait at least 15 min, and be aware that settings can sometimes take over an hour to sync.

Last updated 2 months ago