Azure Active Directory Integration With CloudSuite
To help integrate your cloud-enabled software as a service (SaaS) applications with Azure Active Directory, we
have developed a collection of tutorials that walk you through configuration.
For a list of all SaaS apps that have been pre-integrated into Azure AD, see the Active Directory Marketplace.
Use the application network portal to request a SCIM enabled application to be added to the gallery for
automatic provisioning or a SAML / OIDC enabled application to be added to the gallery for SSO.
Quick links
Columns: application logo, tutorial for single sign-on, tutorial for user provisioning
SuccessFactors
Cloud Integrations
Tutorial for single sign-on: Amazon Web Services (AWS) Console
Tutorial for user provisioning: Amazon Web Services (AWS) Console - Role Provisioning
OneClick SSO
Columns: application logo, tutorial for single sign-on
AcquireIO
Aha!
AlertOps
Amplitude
Appraisd
ArcGIS Enterprise
Atlassian Cloud
CakeHR
Deskradar
Displayr
dmarcian
DocuSign
Dome9 Arc
Drift
Elium
Envoy
Evernote
ExpenseIn
Foodee
Freedcamp
Freshservice
Harness
Help Scout
Hightail
Jamf Pro
Kanbanize
monday.com
MyWorkDrive
Nuclino
People
PurelyHR
RingCentral
ScaleX Enterprise
Soloinsight-CloudGate SSO
TargetProcess
Teamphoria
TextMagic
Velpic SAML
Wandera
Watch by Colors
Way We Do
Workplace by Facebook
Workteam
XaitPorter
Yodeck
Zendesk
Zscaler
Zscaler Beta
Zscaler One
Zscaler Three
Zscaler Two
Zscaler ZSCloud
Next steps
To learn more about application management, see What is application management.
Tutorial: Azure Active Directory integration with
10,000ft Plans
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate 10,000ft Plans with Azure Active Directory (Azure AD). Integrating
10,000ft Plans with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to 10,000ft Plans.
You can enable your users to be automatically signed-in to 10,000ft Plans (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with 10,000ft Plans, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.
10,000ft Plans single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
10,000ft Plans supports SP initiated SSO
10,000ft Plans supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type 10,000ft Plans, select 10,000ft Plans from the result panel then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value for Identifier is different if you have a custom domain. Contact 10,000ft Plans Client support team to get
this value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
6. On the Set up 10,000ft Plans section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure 10,000ft Plans Single Sign-On
To configure single sign-on on the 10,000ft Plans side, you need to send the downloaded Certificate (Raw) and the
appropriate copied URLs from the Azure portal to the 10,000ft Plans support team. The support team applies these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create 10,000ft Plans test user
In this section, a user called Britta Simon is created in 10,000ft Plans. 10,000ft Plans supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in 10,000ft Plans, a new one is created after authentication.
NOTE
If you need to create a user manually, you need to contact the 10,000ft Plans Client support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
123ContactForm
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate 123ContactForm with Azure Active Directory (Azure AD). Integrating
123ContactForm with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to 123ContactForm.
You can enable your users to be automatically signed-in to 123ContactForm (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with 123ContactForm, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
123ContactForm single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
123ContactForm supports SP and IDP initiated SSO
123ContactForm supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type 123ContactForm, select 123ContactForm from the result panel, then click the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://www.123contactform.com/saml/azure_ad/<tenant_id>/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://www.123contactform.com/saml/azure_ad/<tenant_id>/acs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://www.123contactform.com/saml/azure_ad/<tenant_id>/sso
NOTE
These values are not real. You'll need to update these values with the actual URLs and Identifier, which is
explained later in the tutorial.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up 123ContactForm section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure 123ContactForm Single Sign-On
1. To configure single sign-on on the 123ContactForm side, go to https://www.123contactform.com/form-2709121/
and perform the following steps:
a. In the Email textbox, type the email of the user, like BrittaSimon@Contoso.com.
b. Click Upload and browse to the Metadata XML file that you downloaded from the Azure portal.
c. Click SUBMIT FORM.
2. On the Microsoft Azure AD - Single sign-on - Configure App Settings perform the following steps:
a. If you wish to configure the application in IDP initiated mode, copy the IDENTIFIER value for your
instance and paste it in the Identifier textbox in the Basic SAML Configuration section on the Azure portal.
b. If you wish to configure the application in IDP initiated mode, copy the REPLY URL value for your
instance and paste it in the Reply URL textbox in the Basic SAML Configuration section on the Azure portal.
c. If you wish to configure the application in SP initiated mode, copy the SIGN ON URL value for your
instance and paste it in the Sign On URL textbox in the Basic SAML Configuration section on the Azure portal.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create 123ContactForm test user
In this section, a user called Britta Simon is created in 123ContactForm. 123ContactForm supports just-in-time
user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't
already exist in 123ContactForm, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the 123ContactForm tile in the Access Panel, you should be automatically signed in to the
123ContactForm for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
15Five
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate 15Five with Azure Active Directory (Azure AD). Integrating 15Five with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to 15Five.
You can enable your users to be automatically signed-in to 15Five (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with 15Five, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
15Five single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
15Five supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type 15Five, select 15Five from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.15five.com/saml2/metadata/
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact 15Five Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up 15Five section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure 15Five Single Sign-On
To configure single sign-on on the 15Five side, you need to send the downloaded Federation Metadata XML and the
appropriate copied URLs from the Azure portal to the 15Five support team. The support team applies these settings
so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create 15Five test user
To enable Azure AD users to log in to 15Five, they must be provisioned into 15Five. With 15Five, provisioning is a
manual task.
To configure user provisioning, perform the following steps:
1. Log in to your 15Five company site as administrator.
2. Go to Manage Company.
NOTE
The Azure AD account holder receives an email including a link to confirm the account before it becomes active.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate 23 Video with Azure Active
Directory
8/8/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate 23 Video with Azure Active Directory (Azure AD). When you integrate
23 Video with Azure AD, you can:
Control in Azure AD who has access to 23 Video.
Enable your users to be automatically signed-in to 23 Video with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
23 Video single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
23 Video supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern: https://<subdomain>.23video.com
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://www.23video.com/saml/trust/<uniqueid>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact 23 Video Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up 23 Video section, copy the appropriate URL(s) based on your requirement.
Configure 23 Video SSO
To configure single sign-on on the 23 Video side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the 23 Video support team. The support team applies these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to 23 Video.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select 23 Video.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create 23 Video test user
The objective of this section is to create a user called B.Simon in 23 Video.
To create a user called B.Simon in 23 Video, perform the following steps:
1. Sign on to your 23 Video company site as administrator.
2. Go to Settings.
3. In Users section, click Configure.
5. In the Invite someone to join this site section, perform the following steps:
a. In the E-mail addresses textbox, type the email address of a user like B.Simon@contoso.com.
b. Click Add the user...
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the 23 Video tile in the Access Panel, you should be automatically signed in to the 23 Video for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with 360
Online
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate 360 Online with Azure Active Directory (Azure AD). Integrating 360
Online with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to 360 Online.
You can enable your users to be automatically signed-in to 360 Online (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with 360 Online, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
360 Online single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
360 Online supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type 360 Online, select 360 Online from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact 360 Online Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up 360 Online section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure 360 Online Single Sign-On
To configure single sign-on on the 360 Online side, you need to send the downloaded Metadata XML and the
appropriate copied URLs from the Azure portal to the 360 Online support team. The support team applies these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create 360 Online test user
In this section, you create a user called Britta Simon in 360 Online. Work with 360 Online support team to add the
users in the 360 Online platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the 360 Online tile in the Access Panel, you should be automatically signed in to the 360 Online for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with 4me
10/18/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate 4me with Azure Active Directory (Azure AD). When you integrate 4me
with Azure AD, you can:
Control in Azure AD who has access to 4me.
Enable your users to be automatically signed-in to 4me with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
4me single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
4me supports SP initiated SSO
4me supports Just In Time user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
Production: https://<SUBDOMAIN>.4me.com
QA: https://<SUBDOMAIN>.4me.qa
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
Production: https://<SUBDOMAIN>.4me.com
QA: https://<SUBDOMAIN>.4me.qa
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact 4me Client support
team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. The 4me application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
6. In addition to the above, the 4me application expects a few more attributes to be passed back in the SAML
response, which are shown below as attribute name and source attribute. These attributes are also pre-populated,
but you can review them as per your requirements.
first_name: user.givenname
last_name: user.surname
7. In the SAML Signing Certificate section, click the Edit button to open the SAML Signing Certificate dialog.
8. In the SAML Signing Certificate section, copy the THUMBPRINT and save it on your computer.
9. On the Set up 4me section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
If you need to create a user manually, contact 4me support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the 4me tile in the Access Panel, you should be automatically signed in to the 4me for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try 4me with Azure AD
Tutorial: Azure Active Directory integration with 8x8
Virtual Office
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate 8x8 Virtual Office with Azure Active Directory (Azure AD). Integrating
8x8 Virtual Office with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to 8x8 Virtual Office.
You can enable your users to be automatically signed-in to 8x8 Virtual Office (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with 8x8 Virtual Office, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
8x8 Virtual Office single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
8x8 Virtual Office supports IDP initiated SSO
8x8 Virtual Office supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type 8x8 Virtual Office, select 8x8 Virtual Office from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Reply URL text box, type a URL using the following pattern: https://sso.8x8.com/saml2
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
6. On the Set up 8x8 Virtual Office section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure 8x8 Virtual Office Single Sign-On
1. Sign on to your 8x8 Virtual Office tenant as an administrator.
2. Select Virtual Office Account Mgr on the Application Panel.
3. Select Business account to manage and click the Sign In button.
a. In the Sign In URL textbox, paste the Login URL value that you copied from the Azure portal.
b. In the Sign Out URL textbox, paste the Logout URL value that you copied from the Azure portal.
c. In the Issuer URL textbox, paste the Azure AD Identifier value that you copied from the Azure
portal.
d. Click the Browse button to upload the certificate that you downloaded from the Azure portal.
e. Click the Save button.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create 8x8 Virtual Office test user
In this section, a user called Britta Simon is created in 8x8 Virtual Office. 8x8 Virtual Office supports just-in-time
user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't
already exist in 8x8 Virtual Office, a new one is created after authentication.
NOTE
If you need to create a user manually, you need to contact the 8x8 Virtual Office support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the 8x8 Virtual Office tile in the Access Panel, you should be automatically signed in to the 8x8
Virtual Office for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Abintegro
9/6/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate Abintegro with Azure Active Directory (Azure AD). When you integrate
Abintegro with Azure AD, you can:
Control in Azure AD who has access to Abintegro.
Enable your users to be automatically signed-in to Abintegro with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Abintegro single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Abintegro supports SP initiated SSO
Abintegro supports Just In Time user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL using the following pattern:
https://www.abintegro.com/Shibboleth.sso/Login?entityID=<Issuer>&target=https://www.abintegro.com/secure/
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Abintegro Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up Abintegro section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Abintegro.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Abintegro.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Abintegro tile in the Access Panel, you should be automatically signed in to the Abintegro for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Abintegro with Azure AD
Tutorial: Azure Active Directory integration with
Absorb LMS
6/13/2019
In this tutorial, you learn how to integrate Absorb LMS with Azure Active Directory (Azure AD). Integrating Absorb
LMS with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Absorb LMS.
You can enable your users to be automatically signed-in to Absorb LMS (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Absorb LMS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Absorb LMS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Absorb LMS supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Absorb LMS, select Absorb LMS from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, click the Edit button to open the Basic SAML Configuration
dialog.
If you are using Absorb 5 - UI use the following configuration:
a. In the Identifier text box, type a URL using the following pattern:
https://company.myabsorb.com/account/saml
b. In the Reply URL text box, type a URL using the following pattern:
https://company.myabsorb.com/account/saml
If you are using Absorb 5 - New Learner Experience use the following configuration:
a. In the Identifier text box, type a URL using the following pattern:
https://company.myabsorb.com/api/rest/v2/authentication/saml
b. In the Reply URL text box, type a URL using the following pattern:
https://company.myabsorb.com/api/rest/v2/authentication/saml
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Absorb LMS Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The following screenshot shows the list of default attributes, where nameidentifier is mapped to
user.userprincipalname.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Absorb LMS section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Absorb LMS Single Sign-On
1. In a new web browser window, sign in to your Absorb LMS company site as an administrator.
2. Select the Account button at the top right.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Absorb LMS test user
For Azure AD users to sign in to Absorb LMS, they must be set up in Absorb LMS. In the case of Absorb LMS,
provisioning is a manual task.
To configure user provisioning, perform the following steps:
1. Sign in to your Absorb LMS company site as an administrator.
2. In the Users pane, select Users.
a. In the First Name box, type the first name, such as Britta.
b. In the Last Name box, type the last name, such as Simon.
c. In the Username box, type a full name, such as Britta Simon.
d. In the Password box, type the user password.
e. In the Confirm Password box, retype the password.
f. Set the Is Active toggle to Active.
5. Select Save.
NOTE
By default, user provisioning is not enabled in SSO. If the customer wants to enable this feature, they have to set it
up as mentioned in this documentation. Also note that user provisioning is only available on Absorb 5 - New
Learner Experience with the ACS URL https://company.myabsorb.com/api/rest/v2/authentication/saml
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Abstract with Azure Active
Directory
7/17/2019
In this tutorial, you'll learn how to integrate Abstract with Azure Active Directory (Azure AD). When you integrate
Abstract with Azure AD, you can:
Control in Azure AD who has access to Abstract.
Enable your users to be automatically signed-in to Abstract with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Abstract single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Abstract supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section the application is pre-configured in IDP initiated mode and the
necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking
the Save button.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://app.abstract.com/signin
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
NOTE
You’ll need to use primary email addresses in the manual exceptions list. SSO activation will fail if the email you list is a user’s
secondary email. If that happens, you’ll see an error message with the primary email for the failing account. Add that primary
email to the manual exceptions list after you’ve verified you know the user.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Abstract test user
To test SSO on Abstract:
1. Open the Abstract web app.
2. Go to the Permissions page in the left side bar.
3. Click Test with my Account. If the test fails, please contact our support team.
NOTE
You will need to authenticate with an organization Admin account to access the SSO settings on Abstract. This organization
Admin account will need to be assigned to Abstract on the Azure portal.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Abstract tile in the Access Panel, you should be automatically signed in to the Abstract for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Academy Attendance
11/14/2019
In this tutorial, you'll learn how to integrate Academy Attendance with Azure Active Directory (Azure AD). When
you integrate Academy Attendance with Azure AD, you can:
Control in Azure AD who has access to Academy Attendance.
Enable your users to be automatically signed-in to Academy Attendance with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Academy Attendance single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Academy Attendance supports SP initiated SSO
Academy Attendance supports Just In Time user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.aattendance.com/sso/saml2/login?idp=<IDP_NAME>
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SUBDOMAIN>.aattendance.com/sso/saml2/metadata?idp=<IDP_NAME>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Academy
Attendance Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. Your Academy Attendance application expects the SAML assertions in a specific format, which requires you
to add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes.
NOTE
Academy Attendance supports two roles for users: Lecturer and Student. Set up these roles in Azure AD so that
users can be assigned the appropriate roles. Please refer to this doc which explains how to create custom roles in
Azure AD.
6. In addition to the above, the Academy Attendance application expects a few more attributes to be passed back in
the SAML response, which are shown below. These attributes are also pre-populated, but you can review them as
per your requirement.
NAME    SOURCE ATTRIBUTE
role    user.assignedroles
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
8. On the Set up Academy Attendance section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Academy Attendance tile in the Access Panel, you should be automatically signed in to the
Academy Attendance for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Academy Attendance with Azure AD
Tutorial: Azure Active Directory integration with
Acadia
10/30/2019
In this tutorial, you learn how to integrate Acadia with Azure Active Directory (Azure AD). Integrating Acadia with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Acadia.
You can enable your users to be automatically signed-in to Acadia (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Acadia, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Acadia single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Acadia supports SP and IDP initiated SSO
Acadia supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Acadia, select Acadia from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<CUSTOMER>.acadia.sysalli.com/shibboleth
b. In the Reply URL text box, type a URL using the following pattern:
https://<CUSTOMER>.acadia.sysalli.com/Shibboleth.sso/SAML2/POST
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<CUSTOMER>.acadia.sysalli.com/Shibboleth.sso/Login
NOTE
The values for steps 4 and 5 will be provided in a metadata file by the Acadia team which can be imported by clicking
Upload metadata file on the Basic SAML Configuration section. Update these values with the actual Identifier,
Reply URL and Sign-on URL. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal to confirm that the metadata values are correct. Contact Acadia Client support team if the provided
values are incorrect.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Acadia section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Acadia Single Sign-On
To configure single sign-on on the Acadia side, you need to send the downloaded Metadata XML, the App
Federation Metadata URL, and appropriate copied URLs from Azure portal to Acadia support team. They
configure this setting to have the SAML SSO connection set properly on both sides.
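The metadata file handed to the vendor in this step defines what their side will trust, so it is worth summarizing before it is sent. The following is an added example, not part of the original tutorial: it reads a Federation Metadata XML document and reports the entity ID, endpoints and signing-certificate fingerprint. The sample document, tenant ID and certificate bytes are constructed placeholders, and treating Azure AD Identifier as the entityID and Login URL as a SingleSignOnService location is an assumption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders: an all-zero tenant ID and filler bytes standing in
# for the DER certificate. Neither comes from the tutorial or a real tenant.
TENANT = "00000000-0000-0000-0000-000000000000"
FAKE_CERT_B64 = base64.b64encode(b"constructed-sample-cert").decode()

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def summarize_metadata(xml_text):
    """Return the values a relying party will trust from IdP metadata."""
    # Federation metadata never needs a DTD; refuse one rather than expand it.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata contains a DTD or entity declaration")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not identity provider metadata")

    # SHA-256 over the decoded certificate bytes, for out-of-band comparison.
    fingerprints = []
    for key in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a use attribute also applies to signing.
        if key.get("use", "signing") != "signing":
            continue
        for node in key.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((node.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())

    def locations(tag):
        return sorted({e.get("Location", "") for e in idp.findall(f"md:{tag}", NS)})

    summary = {
        "entity_id": root.get("entityID", ""),
        "sign_on": locations("SingleSignOnService"),
        "logout": locations("SingleLogoutService"),
        "signing_cert_sha256": fingerprints,
    }
    findings = []
    if not summary["entity_id"]:
        findings.append("entityID is empty")
    if not fingerprints:
        findings.append("no signing certificate present")
    for url in summary["sign_on"] + summary["logout"]:
        if not url.startswith("https://"):
            findings.append(f"endpoint is not HTTPS: {url}")
    summary["findings"] = findings
    return summary


def mismatches(summary, azure_ad_identifier, login_url):
    """Name the portal values that disagree with the metadata.

    Assumption: Azure AD Identifier corresponds to entityID and Login URL to a
    SingleSignOnService location.
    """
    differing = []
    if summary["entity_id"] != azure_ad_identifier:
        differing.append("Azure AD Identifier")
    if login_url not in summary["sign_on"]:
        differing.append("Login URL")
    return differing


if __name__ == "__main__":
    for field, value in summarize_metadata(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

Reading the fingerprint to the vendor over a separate channel lets both sides confirm that the certificate they imported is the one you downloaded.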
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Acadia test user
In this section, a user called Britta Simon is created in Acadia. Acadia supports just-in-time user provisioning, which
is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Acadia, a new
one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Acadia tile in the Access Panel, you should be automatically signed in to the Acadia for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Accredible
10/30/2019
In this tutorial, you learn how to integrate Accredible with Azure Active Directory (Azure AD). Integrating
Accredible with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Accredible.
You can enable your users to be automatically signed-in to Accredible (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Accredible, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Accredible single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Accredible supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Accredible, select Accredible from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://api.accredible.com/sp/admin/accredible
https://api.accredible.com/sp/user/accredible
b. In the Reply URL text box, type a URL using the following pattern:
https://api.accredible.com/v1/saml/admin/<Unique id>/consume
NOTE
The Reply URL value is not real. Use the Identifier value that corresponds to the user's role. Each customer has a
unique Reply URL depending on their ID. Contact the Accredible support team to get these values.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Accredible section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Accredible Single Sign-On
To configure single sign-on on the Accredible side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the Accredible support team. They configure this setting
so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Accredible test user
In this section, you create a user called Britta Simon in Accredible. You need to send the user's email ID
to the Accredible support team; they verify the email and send you an invitation email so that you can add the user
to the Accredible platform.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Accredible tile in the Access Panel, you should be automatically signed in to the Accredible for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Achieve3000
10/17/2019
In this tutorial, you'll learn how to integrate Achieve3000 with Azure Active Directory (Azure AD). When you
integrate Achieve3000 with Azure AD, you can:
Control in Azure AD who has access to Achieve3000.
Enable your users to be automatically signed-in to Achieve3000 with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Achieve3000 single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Achieve3000 supports SP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://saml.achieve3000.com/district/<District Identifier>
NOTE
The Sign-On URL value is not real. Update the value with the actual Sign-On URL. Contact Achieve3000 Client
support team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
5. The Achieve3000 application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes.
6. In addition to the above, the Achieve3000 application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you can review them as per
your requirement.
NAME         SOURCE ATTRIBUTE
studentID    user.mail
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
8. On the Set up Achieve3000 section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
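Both the Academy Attendance tutorial (the role claim, limited to Lecturer and Student) and this one (studentID sourced from user.mail) depend on specific claims arriving in the SAML response. The following is an added example, not part of the original tutorials: it checks the attribute statement of an assertion captured from your own test sign-in. The sample assertions are constructed, and matching a claim by the last path segment of its Name attribute is an assumption.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def is_allowed_role(value):
    # The two roles the Academy Attendance tutorial names.
    return value in {"Lecturer", "Student"}


def looks_like_mail(value):
    # studentID is sourced from user.mail, so expect local@domain.
    local, _, domain = value.partition("@")
    return bool(local) and "." in domain and " " not in value


# Claim name -> validator, taken from the attribute lists in the two tutorials.
EXPECTED_CLAIMS = {
    "Academy Attendance": {"role": is_allowed_role},
    "Achieve3000": {"studentID": looks_like_mail},
}


def read_attributes(assertion_xml):
    """Map each claim's short name to the list of values it carries.

    This only reads attributes. It does not verify the XML signature, so it is
    a configuration check, not a replacement for the service provider's
    validation of the response.
    """
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        raise ValueError("assertion contains a DTD or entity declaration")
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        # Assumption: a URI-style Name ends with the claim's short name.
        name = attr.get("Name", "").rsplit("/", 1)[-1]
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        attributes.setdefault(name, []).extend(values)
    return attributes


def check_claims(app, assertion_xml):
    """Return a list of problems; an empty list means the claims look right."""
    attributes = read_attributes(assertion_xml)
    problems = []
    for claim, is_valid in EXPECTED_CLAIMS[app].items():
        values = [v for v in attributes.get(claim, []) if v]
        if not values:
            problems.append(f"{claim}: not present in the assertion")
            continue
        for value in values:
            if not is_valid(value):
                problems.append(f"{claim}: unexpected value {value!r}")
    return problems


def build_sample_assertion(attributes):
    """Build a constructed, unsigned assertion fragment for the demo."""
    root = ET.Element(f"{{{SAML}}}Assertion")
    statement = ET.SubElement(root, f"{{{SAML}}}AttributeStatement")
    for name, values in attributes.items():
        attr = ET.SubElement(statement, f"{{{SAML}}}Attribute", Name=name)
        for value in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    samples = [
        ("Academy Attendance", {"role": ["Lecturer"]}),
        ("Academy Attendance", {"role": ["User"]}),   # role never assigned
        ("Achieve3000", {"studentID": ["B.Simon@contoso.com"]}),
        ("Achieve3000", {}),                          # user without a mail value
    ]
    for app, attrs in samples:
        print(app, attrs, "->", check_claims(app, build_sample_assertion(attrs)) or "ok")
```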
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Achieve3000 tile in the Access Panel, you should be automatically signed in to the Achieve3000
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Achieve3000 with Azure AD
Tutorial: Azure Active Directory integration with ACLP
6/17/2019
In this tutorial, you learn how to integrate ACLP with Azure Active Directory (Azure AD). Integrating ACLP with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to ACLP.
You can enable your users to be automatically signed-in to ACLP (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ACLP, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
ACLP single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ACLP supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type ACLP, select ACLP from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact ACLP Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create ACLP test user
In this section, you create a user called Britta Simon in ACLP. Work with ACLP support team to add the users in the
ACLP platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ACLP tile in the Access Panel, you should be automatically signed in to the ACLP for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with AcquireIO
10/18/2019
In this tutorial, you'll learn how to integrate AcquireIO with Azure Active Directory (Azure AD). When you
integrate AcquireIO with Azure AD, you can:
Control in Azure AD who has access to AcquireIO.
Enable your users to be automatically signed-in to AcquireIO with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
AcquireIO single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
AcquireIO supports IDP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Reply URL text box, type a URL using the following pattern:
https://app.acquire.io/ad/<acquire_account_uid>
NOTE
This value is not real. You get the actual Reply URL later, in the Configure AcquireIO section of
the tutorial. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up AcquireIO section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to AcquireIO.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select AcquireIO.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, click Set up AcquireIO, which directs you to the AcquireIO
application. From there, provide the admin credentials to sign in to AcquireIO. The browser extension will
automatically configure the application for you and automate steps 3-6.
3. If you want to set up AcquireIO manually, in a different web browser window, sign in to AcquireIO as an
Administrator.
4. From the menu on the left side, click App Store.
5. Scroll down to Active Directory and click Install.
a. Click Copy to copy the Reply URL for your instance and paste it into the Reply URL text box in the Basic SAML
Configuration section in the Azure portal.
b. In the Login URL text box, paste the Login URL value that you copied from the Azure portal.
c. Open the Base64 encoded certificate in Notepad, copy its content and paste it in the X.509 Certificate
text box.
d. Click Connect Now.
Create AcquireIO test user
To enable Azure AD users to sign in to AcquireIO, they must be provisioned into AcquireIO. In AcquireIO,
provisioning is a manual task.
To provision a user account, perform the following steps:
1. In a different web browser window, sign in to AcquireIO as an Administrator.
2. From the menu on the left side, click Profiles and navigate to Add Profile.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try AcquireIO with Azure AD
Tutorial: Integrate Adaptive Insights with Azure Active
Directory
11/19/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Adaptive Insights with Azure Active Directory (Azure AD). When you
integrate Adaptive Insights with Azure AD, you can:
Control in Azure AD who has access to Adaptive Insights.
Enable your users to be automatically signed-in to Adaptive Insights with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Adaptive Insights single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Adaptive Insights supports IDP initiated SSO
b. In the Reply URL text box, type a URL using the following pattern:
https://login.adaptiveinsights.com:443/samlsso/<unique-id>
NOTE
You can get the Identifier (Entity ID) and Reply URL values from the Adaptive Insights SAML SSO Settings page.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up Adaptive Insights section, copy the appropriate URL(s) based on your requirement.
Configure Adaptive Insights SSO
1. In a different web browser window, sign in to your Adaptive Insights company site as an administrator.
2. Go to Administration.
a. In the Identity provider name textbox, type a name for your configuration.
b. Paste the Azure AD Identifier value copied from Azure portal into the Identity provider Entity ID
textbox.
c. Paste the Login URL value copied from Azure portal into the Identity provider SSO URL textbox.
d. Paste the Logout URL value copied from Azure portal into the Custom logout URL textbox.
e. To upload your downloaded certificate, click Choose file.
f. Make the following selections:
For SAML user id, select User’s Adaptive Insights user name.
For SAML user id location, select User id in NameID of Subject.
For SAML NameID format, select Email address.
For Enable SAML, select Allow SAML SSO and direct Adaptive Insights login.
g. Copy the Adaptive Insights SSO URL and paste it into the Identifier (Entity ID) and Reply URL text boxes
in the Basic SAML Configuration section in the Azure portal.
h. Click Save.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Adaptive Insights.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Adaptive Insights.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Adaptive Insights test user
To enable Azure AD users to sign in to Adaptive Insights, they must be provisioned into Adaptive Insights. In the
case of Adaptive Insights, provisioning is a manual task.
To configure user provisioning, perform the following steps:
1. Sign in to your Adaptive Insights company site as an administrator.
2. Go to Administration.
a. Type the Name, Username, Email, and Password of a valid Azure Active Directory user that you want to
provision into the related text boxes.
b. Select a Role.
c. Click Submit.
NOTE
You can use any other Adaptive Insights user account creation tools or APIs provided by Adaptive Insights to provision Azure
AD user accounts.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Adaptive Insights tile in the Access Panel, you should be automatically signed in to the Adaptive
Insights for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Adobe Captivate Prime
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Adobe Captivate Prime with Azure Active Directory (Azure AD).
Integrating Adobe Captivate Prime with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Adobe Captivate Prime.
You can enable your users to be automatically signed-in to Adobe Captivate Prime (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Adobe Captivate Prime, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Adobe Captivate Prime single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Adobe Captivate Prime supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Adobe Captivate Prime, select Adobe Captivate Prime from the result panel, then
click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL: https://captivateprime.adobe.com
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Adobe Captivate Prime section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
7. Go to the Properties tab, copy the User access URL and paste it in Notepad.
Configure Adobe Captivate Prime Single Sign-On
To configure single sign-on on the Adobe Captivate Prime side, you need to send the downloaded Federation
Metadata XML, the copied User access URL, and the appropriate copied URLs from the Azure portal to the Adobe Captivate
Prime support team. They apply these settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Adobe Captivate Prime test user
In this section, you create a user called Britta Simon in Adobe Captivate Prime. Work with Adobe Captivate Prime
support team to add the users in the Adobe Captivate Prime platform. Users must be created and activated before
you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Adobe Captivate Prime tile in the Access Panel, you should be automatically signed in to the
Adobe Captivate Prime for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Adobe Creative Cloud
11/14/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Adobe Creative Cloud with Azure Active Directory (Azure AD). When
you integrate Adobe Creative Cloud with Azure AD, you can:
Control in Azure AD who has access to Adobe Creative Cloud.
Enable your users to be automatically signed-in to Adobe Creative Cloud with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Adobe Creative Cloud single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Adobe Creative Cloud supports SP initiated SSO
Configure and test Azure AD single sign-on for Adobe Creative Cloud
Configure and test Azure AD SSO with Adobe Creative Cloud using a test user called B.Simon. For SSO to work,
you need to establish a link relationship between an Azure AD user and the related user in Adobe Creative Cloud.
To configure and test Azure AD SSO with Adobe Creative Cloud, complete the following building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure Adobe Creative Cloud SSO - to configure the single sign-on settings on application side.
a. Create Adobe Creative Cloud test user - to have a counterpart of B.Simon in Adobe Creative Cloud
that is linked to the Azure AD representation of user.
3. Test SSO - to verify whether the configuration works.
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL: https://adobe.com
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://www.okta.com/saml2/service-provider/<token>
NOTE
The Identifier value is not real. Update this value with the actual Identifier. Contact Adobe Creative Cloud Client
support team to get this value. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
5. The Adobe Creative Cloud application expects the SAML assertions in a specific format, which requires you to
add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes.
6. In addition to the above, the Adobe Creative Cloud application expects a few more attributes to be passed back in
the SAML response, which are shown below. These attributes are also pre-populated, but you can review them as
per your requirement.
NAME        SOURCE ATTRIBUTE
FirstName   user.givenname
LastName    user.surname
Email       user.mail
NOTE
Users need to have a valid Office 365 ExO license for email claim value to be populated in the SAML response.
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
8. On the Set up Adobe Creative Cloud section, copy the appropriate URL(s) based on your requirement.
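The claim table and the Office 365 ExO license note above can be checked against a test sign-in before users are rolled out. The following Python is an added example, not part of the original tutorial or of any Microsoft or Adobe tooling: it decodes a base64 SAMLResponse form field and reports missing or empty FirstName, LastName and Email claims, an empty NameID, and an audience that differs from the configured Identifier. The function names, the EXAMPLETOKEN identifier and the sample response are constructed for illustration, and the check does not validate the signature, which remains the service provider's job.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Claim names from the attribute table in this tutorial.
REQUIRED_CLAIMS = ("FirstName", "LastName", "Email")
# Constructed placeholder for the Identifier (Entity ID) obtained from Adobe.
EXAMPLE_IDENTIFIER = "https://www.okta.com/saml2/service-provider/EXAMPLETOKEN"


def parse_assertion(saml_response_b64):
    """Decode the base64 SAMLResponse form field and return its Assertion element."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no unencrypted saml:Assertion")
    return assertion


def check_claims(saml_response_b64, expected_audience):
    """Return a list of findings; an empty list means every check passed."""
    assertion = parse_assertion(saml_response_b64)
    findings = []

    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not (name_id or "").strip():
        findings.append("NameID is missing or empty")

    # Collect non-empty values per claim name.
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = [v for v in values if v]
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            findings.append(f"claim '{name}' is missing or empty")

    # The assertion must be addressed to this service provider's Identifier.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"audience {audiences} does not include {expected_audience}")
    return findings


def build_sample(audience, email="b.simon@contoso.com"):
    """Constructed, unsigned SAML response for illustration (not captured traffic).

    Pass email=None to omit the Email claim, as for a user without a mailbox.
    """
    email_attr = (
        f'<saml:Attribute Name="Email"><saml:AttributeValue>{email}'
        "</saml:AttributeValue></saml:Attribute>"
        if email is not None else ""
    )
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion>"
        "<saml:Subject><saml:NameID>b.simon@contoso.com</saml:NameID></saml:Subject>"
        "<saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        "<saml:AttributeStatement>"
        '<saml:Attribute Name="FirstName"><saml:AttributeValue>B.'
        "</saml:AttributeValue></saml:Attribute>"
        '<saml:Attribute Name="LastName"><saml:AttributeValue>Simon'
        "</saml:AttributeValue></saml:Attribute>"
        f"{email_attr}"
        "</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # A user without a populated mail attribute: the Email claim is absent.
    for finding in check_claims(build_sample(EXAMPLE_IDENTIFIER, email=None),
                                EXAMPLE_IDENTIFIER):
        print("FINDING:", finding)
```

Run it only on a SAMLResponse captured from your own test sign-in; an encrypted assertion is reported as an error rather than parsed.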
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Adobe Creative Cloud tile in the Access Panel, you should be automatically signed in to the
Adobe Creative Cloud for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Adobe Creative Cloud with Azure AD
Set up a domain (adobe.com)
Configure Azure for use with Adobe SSO (adobe.com)
Tutorial: Azure Active Directory integration with
Adobe Experience Manager
10/30/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Adobe Experience Manager with Azure Active Directory (Azure AD).
Integrating Adobe Experience Manager with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Adobe Experience Manager.
You can enable your users to be automatically signed-in to Adobe Experience Manager (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Adobe Experience Manager, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Adobe Experience Manager single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Adobe Experience Manager supports SP and IDP initiated SSO
Adobe Experience Manager supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Adobe Experience Manager, select Adobe Experience Manager from the result
panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a unique value that you define on your AEM server as well.
b. In the Reply URL text box, type a URL using the following pattern: https://<AEM Server Url>/saml_login
NOTE
The Reply URL value is not real. Update the Reply URL value with the actual reply URL. To get this value, contact the
Adobe Experience Manager Client support team. You can also refer to the patterns shown in the
Basic SAML Configuration section in the Azure portal.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type your Adobe Experience Manager server URL.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up Adobe Experience Manager section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Adobe Experience Manager Single Sign-On
1. In another browser window, open the Adobe Experience Manager admin portal.
2. Select Settings > Security > Users.
6. The certificate is added to the TrustStore. Note the alias of the certificate.
8. Select Account settings > Create/Manage KeyStore. Create KeyStore by supplying a password.
9. Go back to the admin screen. Then select Settings > Operations > Web Console.
This opens the configuration page.
10. Find Adobe Granite SAML 2.0 Authentication Handler. Then select the Add icon.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Adobe Experience Manager test user
In this section, you create a user called Britta Simon in Adobe Experience Manager. If you selected the Autocreate
CRX Users option, users are created automatically after successful authentication.
If you want to create users manually, work with the Adobe Experience Manager support team to add the users in
the Adobe Experience Manager platform.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Adobe Experience Manager tile in the Access Panel, you should be automatically signed in to
the Adobe Experience Manager for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Adobe Identity Management
10/9/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Adobe Identity Management with Azure Active Directory (Azure AD).
When you integrate Adobe Identity Management with Azure AD, you can:
Control in Azure AD who has access to Adobe Identity Management.
Enable your users to be automatically signed-in to Adobe Identity Management with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Adobe Identity Management single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Adobe Identity Management supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL: https://adobe.com
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://federatedid-na1.services.adobe.com/federated/saml/metadata/alias/<CUSTOM_ID>
NOTE
The Identifier value is not real. Update the value with the actual Identifier. Contact Adobe Identity Management Client
support team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up Adobe Identity Management section, copy the appropriate URL(s) based on your
requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Adobe Identity Management tile in the Access Panel, you should be automatically signed in to
the Adobe Identity Management for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Adobe Identity Management with Azure AD
Tutorial: Azure Active Directory integration with
Adobe Sign
10/30/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Adobe Sign with Azure Active Directory (Azure AD). Integrating Adobe
Sign with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Adobe Sign.
You can enable your users to be automatically signed-in to Adobe Sign (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Adobe Sign, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Adobe Sign single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Adobe Sign supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Adobe Sign, select Adobe Sign from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.echosign.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Adobe Sign Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Adobe Sign section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Adobe Sign Single Sign-On
1. Before configuration, contact the Adobe Sign Client support team to add your domain in the Adobe Sign
allow list. Here's how to add the domain:
a. The Adobe Sign Client support team sends you a randomly generated token. For your domain, the token
will be like the following: adobe-sign-verification= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
b. Publish the verification token in a DNS text record, and notify the Adobe Sign Client support team.
NOTE
This can take a few days, or longer. Note that DNS propagation delays mean that a value published in DNS might not
be visible for an hour or more. Your IT administrator should be knowledgeable about how to publish this token in a
DNS text record.
c. When you notify the Adobe Sign Client support team through the support ticket, after the token is
published, they validate the domain and add it to your account.
d. Generally, here's how to publish the token on a DNS record:
Sign in to your domain account.
Find the page for updating the DNS record. This page might be called DNS Management, Name Server
Management, or Advanced Settings.
Find the TXT records for your domain.
Add a TXT record with the full token value supplied by Adobe.
Save your changes.
2. In a different web browser window, sign in to your Adobe Sign company site as an administrator.
3. In the SAML menu, select Account Settings > SAML Settings.
4. In the SAML Settings section, perform the following steps:
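For step 1 of this section (publishing the verification token in a DNS TXT record), it helps to confirm that the record is visible before notifying the support team. The following Python is an added example, not part of the original tutorial or of any Adobe tooling: it parses the output of `dig +short TXT <your-domain>` and reports whether exactly one adobe-sign-verification record with the expected token is published. The function names, the sample token and the sample dig output are constructed for illustration.

```python
import re

TOKEN_PREFIX = "adobe-sign-verification="  # prefix shown in the tutorial

# Constructed placeholder token and constructed `dig +short TXT` output.
SAMPLE_TOKEN = "EXAMPLE0000TOKEN0000PLACEHOLDER"
SAMPLE_DIG_OUTPUT = (
    '"v=spf1 -all"\n'
    '"adobe-sign-verification=EXAMPLE0000TOKEN0000PLACEHOLDER"\n'
)


def parse_dig_txt(dig_short_output):
    """Turn `dig +short TXT` output into one string per TXT record.

    A long record is printed as several quoted chunks on one line;
    the chunks are concatenated with no separator.
    """
    records = []
    for line in dig_short_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(chunks))
    return records


def check_verification_record(dig_short_output, expected_token):
    """Return (status, detail); status is ok, missing, mismatch or duplicate."""
    published = [
        record[len(TOKEN_PREFIX):].strip()
        for record in parse_dig_txt(dig_short_output)
        if record.startswith(TOKEN_PREFIX)
    ]
    if not published:
        # Either not published yet or not propagated to this resolver.
        return ("missing", "no adobe-sign-verification TXT record visible")
    if len(published) > 1:
        # A stale token left beside the new one makes validation ambiguous.
        return ("duplicate", f"{len(published)} verification records published")
    if published[0] != expected_token:
        return ("mismatch", "published token differs from the one supplied")
    return ("ok", "token is visible in DNS")


if __name__ == "__main__":
    print(check_verification_record(SAMPLE_DIG_OUTPUT, SAMPLE_TOKEN))
```

Because of the propagation delay the tutorial mentions, a "missing" result from one resolver is worth rechecking against the domain's authoritative name server before treating it as an error.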
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Adobe Sign test user
To enable Azure AD users to sign in to Adobe Sign, they must be provisioned into Adobe Sign. This is a manual
task.
NOTE
You can use any other Adobe Sign user account creation tools or APIs provided by Adobe Sign to provision Azure AD user
accounts.
a. Type the Email Address, First Name, and Last Name of a valid Azure AD account you want to provision
into the related text boxes.
b. Select Create User.
NOTE
The Azure Active Directory account holder receives an email that includes a link to confirm the account, before it becomes
active.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Adobe Sign tile in the Access Panel, you should be automatically signed in to the Adobe Sign
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Adoddle cSaas Platform
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Adoddle cSaas Platform with Azure Active Directory (Azure AD).
Integrating Adoddle cSaas Platform with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Adoddle cSaas Platform.
You can enable your users to be automatically signed-in to Adoddle cSaas Platform (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Adoddle cSaas Platform, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Adoddle cSaas Platform single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Adoddle cSaas Platform supports IDP initiated SSO
Adoddle cSaas Platform supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Adoddle cSaas Platform, select Adoddle cSaas Platform from the result panel, then
click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Adoddle cSaas Platform section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Adoddle cSaas Platform Single Sign-On
To configure single sign-on on the Adoddle cSaas Platform side, you need to send the downloaded Federation
Metadata XML and the appropriate copied URLs from the Azure portal to the Adoddle cSaas Platform support team.
They apply these settings so that the SAML SSO connection is configured properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Adoddle cSaas Platform test user
In this section, a user called Britta Simon is created in Adoddle cSaas Platform. Adoddle cSaas Platform supports
just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user
doesn't already exist in Adoddle cSaas Platform, a new one is created when you attempt to access Adoddle cSaas
Platform.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Adoddle cSaas Platform tile in the Access Panel, you should be automatically signed in to the
Adoddle cSaas Platform for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with ADP
8/29/2019 • 7 minutes to read
In this tutorial, you'll learn how to integrate ADP with Azure Active Directory (Azure AD). When you integrate ADP
with Azure AD, you can:
Control in Azure AD who has access to ADP.
Enable your users to be automatically signed-in to ADP with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
ADP single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
ADP supports IDP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. On the Set up ADP section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
This process may take a few days.
IMPORTANT
Your employees who require federated access to your ADP services must be assigned to the ADP service app and
subsequently, users must be reassigned to the specific ADP service. Upon receipt of confirmation from your ADP
representative, configure your ADP service(s) and assign/manage users to control user access to the specific ADP service.
1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
2. On the left navigation pane, select the Azure Active Directory service.
3. Navigate to Enterprise Applications and then select All Applications.
4. To add a new application, select New application.
5. In the Add from the gallery section, type ADP in the search box.
6. Select ADP from results panel and then add the app. Wait a few seconds while the app is added to your
tenant.
7. In the Azure portal, on your ADP application integration page, click the Properties tab and perform the
following steps:
a. Paste the User access URL, which you copied from the Properties tab above (from the main ADP app).
b. The following 5 apps support different Relay State URLs. You have to manually append the appropriate
Relay State URL value for the particular application to the User access URL.
ADP Workforce Now
<User access URL>&relaystate=https://fed.adp.com/saml/fedlanding.html?WFN
ADP Enterprise HR
<User access URL>&relaystate=https://fed.adp.com/saml/fedlanding.html?PORTAL
MyADP
<User access URL>&relaystate=https://fed.adp.com/saml/fedlanding.html?REDBOX
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ADP tile in the Access Panel, you should be automatically signed in to the ADP for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try ADP with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with ADP Globalview
10/10/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate ADP Globalview with Azure Active Directory (Azure AD). When you
integrate ADP Globalview with Azure AD, you can:
Control in Azure AD who has access to ADP Globalview.
Enable your users to be automatically signed-in to ADP Globalview with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
ADP Globalview single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
ADP Globalview supports IDP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Identifier text box, type a URL using the following pattern:
https://<subdomain>.globalview.adp.com/federate
https://<subdomain>.globalview.adp.com/federate2
NOTE
This value is not real. Update the value with the actual Identifier. Contact ADP Globalview Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up ADP Globalview section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ADP Globalview tile in the Access Panel, you should be automatically signed in to the ADP
Globalview for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try ADP Globalview with Azure AD
Tutorial: Azure Active Directory integration with
Agiloft
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Agiloft with Azure Active Directory (Azure AD). Integrating Agiloft with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Agiloft.
You can enable your users to be automatically signed-in to Agiloft (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Agiloft, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Agiloft single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Agiloft supports SP and IDP initiated SSO
Agiloft supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Agiloft, select Agiloft from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<subdomain>.saas.enterprisewizard.com/project/<KB_NAME>
https://<subdomain>.agiloft.com/project/<KB_NAME>
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.saas.enterprisewizard.com:443/gui2/spsamlsso?project=<KB_NAME>
https://<subdomain>.agiloft.com:443/gui2/spsamlsso?project=<KB_NAME>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<subdomain>.saas.enterprisewizard.com/gui2/samlssologin.jsp?project=<KB_NAME>
https://<subdomain>.agiloft.com/gui2/samlssologin.jsp?project=<KB_NAME>
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact Agiloft
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up Agiloft section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
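Added example, not part of the original tutorial: a pre-flight check for the Identifier, Reply URL and Sign-on URL described in steps 4 and 5, confirming each one is HTTPS, sits under one of the two Agiloft host patterns, and that all of them name the same subdomain and KB. The `contoso` and `Demo` values used to exercise it are constructed, and accepting only port 443 or no port is an assumption of this example.

```python
from urllib.parse import parse_qs, urlsplit

# The two host patterns the tutorial lists for Agiloft.
AGILOFT_DOMAINS = ("saas.enterprisewizard.com", "agiloft.com")
# Expected path per URL kind, and whether <KB_NAME> is the trailing path
# segment or the "project" query parameter.
SHAPES = {
    "identifier": ("/project/", "path"),
    "reply": ("/gui2/spsamlsso", "query"),
    "sign-on": ("/gui2/samlssologin.jsp", "query"),
}


def parse_agiloft_url(kind, url):
    """Return (subdomain, domain, kb_name) for one URL, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"{kind} URL must use https: {url}")
    if parts.username or parts.password or parts.fragment:
        raise ValueError(f"{kind} URL carries credentials or a fragment: {url}")
    if parts.port not in (None, 443):  # assumption: only the default TLS port
        raise ValueError(f"{kind} URL uses unexpected port {parts.port}")
    host = (parts.hostname or "").lower()
    # Suffix match on a leading dot so look-alike hosts such as
    # "x.agiloft.com.example.invalid" are rejected.
    domain = next((d for d in AGILOFT_DOMAINS if host.endswith("." + d)), None)
    if domain is None:
        raise ValueError(f"{kind} URL host {host!r} is not under an Agiloft domain")
    subdomain = host[: -(len(domain) + 1)]
    if not subdomain:
        raise ValueError(f"{kind} URL has no subdomain")

    expected, where = SHAPES[kind]
    if where == "path":
        if not parts.path.startswith(expected) or parts.query:
            raise ValueError(f"{kind} URL should look like {expected}<KB_NAME>")
        kb_name = parts.path[len(expected):]
    else:
        query = parse_qs(parts.query)
        if parts.path != expected or set(query) != {"project"} or len(query["project"]) != 1:
            raise ValueError(f"{kind} URL should look like {expected}?project=<KB_NAME>")
        kb_name = query["project"][0]
    if not kb_name or "/" in kb_name:
        raise ValueError(f"{kind} URL has a missing or malformed KB name")
    return subdomain, domain, kb_name


def check_agiloft_config(identifier, reply_url, sign_on_url=None):
    """Return a list of problems; an empty list means the URLs are consistent."""
    given = {"identifier": identifier, "reply": reply_url}
    if sign_on_url is not None:  # only configured for SP initiated mode
        given["sign-on"] = sign_on_url
    problems, parsed = [], {}
    for kind, url in given.items():
        try:
            parsed[kind] = parse_agiloft_url(kind, url)
        except ValueError as exc:
            problems.append(str(exc))
    if len(set(parsed.values())) > 1:
        problems.append(f"URLs disagree on subdomain, domain or KB name: {parsed}")
    return problems


if __name__ == "__main__":
    # Constructed values following the tutorial's patterns.
    print(check_agiloft_config(
        "https://contoso.agiloft.com/project/Demo",
        "https://contoso.agiloft.com:443/gui2/spsamlsso?project=Demo",
        "https://contoso.agiloft.com/gui2/samlssologin.jsp?project=Demo"))
```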
Configure Agiloft Single Sign-On
1. In a different web browser window, log in to your Agiloft company site as an administrator.
2. Click on Setup (on the Left Pane) and then select Access.
3. Click on the button Configure SAML 2.0 Single Sign-On.
4. A wizard dialog appears. On the dialog, click on the Identity Provider Details and fill in the following
fields:
a. In IdP Entity Id / Issuer textbox, paste the value of Azure Ad Identifier, which you have copied from
Azure portal.
b. In IdP Login URL textbox, paste the value of Login URL, which you have copied from Azure portal.
c. In IdP Logout URL textbox, paste the value of Logout URL, which you have copied from Azure portal.
d. In Notepad, open the Base64-encoded certificate that you downloaded from the Azure portal, copy its content
to your clipboard, and then paste it into the IdP Provided X.509 certificate contents textbox.
e. Click Finish.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Agiloft test user
In this section, a user called Britta Simon is created in Agiloft. Agiloft supports just-in-time user provisioning, which
is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Agiloft, a new
one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Agiloft tile in the Access Panel, you should be automatically signed in to the Agiloft for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Aha! with Azure Active Directory
8/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Aha! with Azure Active Directory (Azure AD). When you integrate Aha!
with Azure AD, you can:
Control in Azure AD who has access to Aha!.
Enable your users to be automatically signed-in to Aha! with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Aha! single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Aha! supports SP initiated SSO
Aha! supports Just In Time user provisioning
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.aha.io
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Aha! Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up Aha! section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Aha!.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Aha!.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, click Setup Aha! to go to the Aha! application. From
there, provide the admin credentials to sign in to Aha!. The browser extension will automatically configure
the application for you and automate steps 3-8.
3. If you want to set up Aha! manually, open a new web browser window, sign in to your Aha! company site
as an administrator, and perform the following steps:
4. In the menu on the top, click Settings.
5. Click Account.
6. Click Security and single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Aha! tile in the Access Panel, you should be automatically signed in to the Aha! for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Integrate Airstack with Azure Active
Directory
10/30/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate Airstack with Azure Active Directory (Azure AD). When you integrate
Airstack with Azure AD, you can:
Control in Azure AD who has access to Airstack.
Enable your users to be automatically signed-in to Airstack with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
Airstack single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Airstack supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://airstack.lenovosoftware.com
NOTE
The value is not real. Update the value with the actual Sign-on URL. Contact Airstack Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
6. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
Configure Airstack SSO
To configure single sign-on on the Airstack side, you need to send the App Federation Metadata Url to the Airstack
support team. They apply this setting so that the SAML SSO connection is configured properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Airstack.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Airstack.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Airstack test user
In this section, you create a user called B.Simon in Airstack. Work with Airstack support team to add the users in
the Airstack platform. Users must be created and activated before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Airstack tile in the Access Panel, you should be automatically signed in to the Airstack for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Airtable
11/19/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate Airtable with Azure Active Directory (Azure AD). When you integrate
Airtable with Azure AD, you can:
Control in Azure AD who has access to Airtable.
Enable your users to be automatically signed-in to Airtable with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Airtable single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Airtable supports SP and IDP initiated SSO
Airtable supports Just In Time user provisioning
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://airtable.com/sso/login
6. Click Save.
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
8. On the Set up Airtable section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Airtable tile in the Access Panel, you should be automatically signed in to the Airtable for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Airtable with Azure AD
Tutorial: Integrate AirWatch with Azure Active
Directory
11/19/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate AirWatch with Azure Active Directory (Azure AD). When you integrate
AirWatch with Azure AD, you can:
Control in Azure AD who has access to AirWatch.
Enable your users to be automatically signed-in to AirWatch with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
AirWatch single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. AirWatch supports SP initiated SSO.
4. On the Basic SAML Configuration page, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<subdomain>.awmdm.com/AirWatch/Login?gid=companycode
b. In the Identifier (Entity ID) text box, type the value as: AirWatch
NOTE
This value is not real. Update this value with the actual Sign-on URL. Contact AirWatch Client support team to get
this value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. AirWatch application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on
application integration page. On the Set up Single Sign-On with SAML page, click Edit button to open
User Attributes dialog.
6. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
NAME    SOURCE ATTRIBUTE
UID     user.userprincipalname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the Metadata XML and save it on your
computer.
8. On the Set up AirWatch section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create AirWatch test user
To enable Azure AD users to sign in to AirWatch, they must be provisioned into AirWatch. In the case of AirWatch,
provisioning is a manual task.
To configure user provisioning, perform the following steps:
1. Sign in to your AirWatch company site as administrator.
2. In the navigation pane on the left side, click Accounts, and then click Users.
3. In the Users menu, click List View, and then click Add > Add User.
4. On the Add / Edit User dialog, perform the following steps:
a. Type the Username, Password, Confirm Password, First Name, Last Name, Email Address of a valid
Azure Active Directory account you want to provision into the related textboxes.
b. Click Save.
NOTE
You can use any other AirWatch user account creation tools or APIs provided by AirWatch to provision Azure AD user
accounts.
Test SSO
When you select the AirWatch tile in the Access Panel, you should be automatically signed in to the AirWatch for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
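Added example, not part of the original tutorial: a check to run on a SAMLResponse captured from your own test sign-in, confirming that the UID claim from the claims table arrives with a blank namespace and a userPrincipalName-shaped value. The response XML and the namespace-qualified failure case are constructed for illustration; the script only inspects the assertion and does not verify its signature.

```python
import base64
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_CLAIM = "UID"  # claim name from the tutorial; source user.userprincipalname


def build_sample_response(claim_name, value):
    """Constructed, unsigned SAMLResponse, base64-encoded as in the HTTP-POST form field."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="{claim_name}">
        <saml:AttributeValue>{value}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def read_claims(saml_response_b64):
    """Map each attribute name in the assertion to its list of values."""
    xml_bytes = base64.b64decode(saml_response_b64)
    # A SAML response never needs a DTD; refuse one rather than expand entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("response contains a DTD; refusing to parse")
    root = ET.fromstring(xml_bytes)
    claims = {}
    path = ".//saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, SAML):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def check_uid_claim(saml_response_b64):
    """Return a list of problems with the UID claim; empty means it looks right."""
    claims = read_claims(saml_response_b64)
    if EXPECTED_CLAIM not in claims:
        # The tutorial says to leave Namespace blank. If it was filled in, the
        # claim shows up under a longer, namespace-qualified name instead.
        qualified = [n for n in claims
                     if n and n.rsplit("/", 1)[-1] == EXPECTED_CLAIM]
        if qualified:
            return [f"claim is named {qualified[0]!r}; Namespace was not left blank"]
        return ["assertion carries no UID claim"]
    values = claims[EXPECTED_CLAIM]
    if len(values) != 1:
        return [f"expected one UID value, found {len(values)}"]
    local, at, domain = values[0].partition("@")
    if not (local and at and domain) or "@" in domain:
        return [f"UID value {values[0]!r} does not look like a userPrincipalName"]
    return []


if __name__ == "__main__":
    good = build_sample_response("UID", "B.Simon@contoso.com")
    bad = build_sample_response(
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UID",
        "B.Simon@contoso.com")
    print(check_uid_claim(good))
    print(check_uid_claim(bad))
```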
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Alcumus Info Exchange
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Alcumus Info Exchange with Azure Active Directory (Azure AD).
Integrating Alcumus Info Exchange with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Alcumus Info Exchange.
You can enable your users to be automatically signed-in to Alcumus Info Exchange (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Alcumus Info Exchange, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Alcumus Info Exchange single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Alcumus Info Exchange supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Alcumus Info Exchange, select Alcumus Info Exchange from the result panel, then
click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<subdomain>.info-exchange.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.info-exchange.com/Auth/
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Alcumus Info
Exchange Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Alcumus Info Exchange section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Alcumus Info Exchange Single Sign-On
To configure single sign-on on the Alcumus Info Exchange side, you need to send the downloaded Federation
Metadata XML and the appropriate copied URLs from the Azure portal to the Alcumus Info Exchange support team. They
apply this configuration so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Alcumus Info Exchange test user
In this section, you create a user called Britta Simon in Alcumus Info Exchange. Work with Alcumus Info Exchange
support team to add the users in the Alcumus Info Exchange platform. Users must be created and activated before
you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Alcumus Info Exchange tile in the Access Panel, you should be automatically signed in to the
Alcumus Info Exchange for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate AlertOps with Azure Active
Directory
6/13/2019
In this tutorial, you'll learn how to integrate AlertOps with Azure Active Directory (Azure AD). When you integrate
AlertOps with Azure AD, you can:
Control in Azure AD who has access to AlertOps.
Enable your users to be automatically signed-in to AlertOps with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
AlertOps single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. AlertOps supports SP and IDP
initiated SSO.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<SUBDOMAIN>.alertops.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.alertops.com/login.aspx
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.alertops.com/login.aspx
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
AlertOps Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. On the Set up AlertOps section, copy the appropriate URL(s) based on your requirement.
Configure AlertOps
1. To automate the configuration within AlertOps, you need to install My Apps Secure Sign-in browser
extension by clicking Install the extension.
2. After adding the extension to the browser, click Setup AlertOps, which directs you to the AlertOps application.
From there, provide the admin credentials to sign in to AlertOps. The browser extension will automatically
configure the application for you and automate steps 3-5.
3. If you want to set up AlertOps manually, open a new web browser window and sign in to your AlertOps
company site as an administrator and perform the following steps:
4. Click on the Account settings from the left navigation panel.
5. On the Subscription Settings page select SSO and perform the following steps:
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create AlertOps test user
1. In a different browser window, sign in to your AlertOps company site as administrator.
2. Click on the Users from the left navigation panel.
a. In the Login User Name textbox, enter the user name of the user like Brittasimon.
b. In the Official Email textbox, enter the email address of the user like Brittasimon@contoso.com.
c. In the First Name textbox, enter the first name of user like Britta.
d. In the Last Name textbox, enter the last name of the user, like Simon.
e. Select the Type value from the dropdown as per your organization.
f. Select the Role of the user from the dropdown as per your organization.
g. Select Add.
Test SSO
When you select the AlertOps tile in the Access Panel, you should be automatically signed in to the AlertOps for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Alibaba Cloud Service (Role-based
SSO)
9/19/2019
In this tutorial, you'll learn how to integrate Alibaba Cloud Service (Role-based SSO) with Azure Active Directory
(Azure AD). When you integrate Alibaba Cloud Service (Role-based SSO) with Azure AD, you can:
Control in Azure AD who has access to Alibaba Cloud Service (Role-based SSO).
Enable your users to be automatically signed-in to Alibaba Cloud Service (Role-based SSO) with their Azure
AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Alibaba Cloud Service (Role-based SSO) single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Alibaba Cloud Service (Role-based SSO) supports IDP initiated SSO
4. On the Basic SAML Configuration section, if you have Service Provider metadata file, perform the
following steps:
NOTE
You will get the Service Provider metadata from this URL
NOTE
If the Identifier and Reply URL values do not get auto populated, then fill in the values manually according to your
requirement.
5. Alibaba Cloud Service (Role-based SSO) requires roles to be configured in Azure AD. The role claim is
pre-configured so you don't have to configure it, but you still need to create the roles in Azure AD using this article.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. On the Set up Alibaba Cloud Service (Role-based SSO) section, copy the appropriate URL(s) based on
your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Alibaba Cloud Service
(Role-based SSO).
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Alibaba Cloud Service (Role-based SSO).
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. On the Users and groups tab, select u2 from the user list, and click Select. Then, click Assign.
6. View the assigned role and test Alibaba Cloud Service (Role-based SSO).
NOTE
After you assign the user (u2), the created role is automatically attached to the user. If you have created multiple
roles, you need to attach the appropriate role to the user as needed. If you want to implement role-based SSO from
Azure AD to multiple Alibaba Cloud accounts, repeat the preceding steps.
NOTE
You can grant permission to the role as needed. After creating the IdP and the corresponding role, we recommend
that you save the ARNs of the IdP and the role for subsequent use. You can obtain the ARNs on the IdP information
page and the role information page.
7. Associate the Alibaba Cloud RAM role (AADrole) with the Azure AD user (u2): To associate the RAM role
with the Azure AD user, you must create a role in Azure AD by following these steps:
a. Sign on to the Azure AD Graph Explorer.
b. Click modify permissions to obtain required permissions for creating a role.
c. Select the following permissions from the list and click Modify Permissions, as shown in the following
figure.
NOTE
After permissions are granted, log on to the Graph Explorer again.
d. On the Graph Explorer page, select GET from the first drop-down list and beta from the second drop-
down list. Then enter https://graph.microsoft.com/beta/servicePrincipals in the field next to the drop-down
lists, and click Run Query.
NOTE
If you are using multiple directories, you can enter
https://graph.microsoft.com/beta/contoso.com/servicePrincipals in the field of the query.
e. In the Response Preview section, extract the appRoles property from the 'Service Principal' for
subsequent use.
NOTE
You can locate the appRoles property by entering
https://graph.microsoft.com/beta/servicePrincipals/<objectID> in the field of the query. Note that the
objectID is the object ID you have copied from the Azure AD Properties page.
f. Go back to the Graph Explorer, change the method from GET to PATCH, paste the following content into
the Request Body section, and click Run Query:
{
  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "msiam_access",
      "displayName": "msiam_access",
      "id": "41be2db8-48d9-4277-8e86-f6d22d35****",
      "isEnabled": true,
      "origin": "Application",
      "value": null
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "Admin,AzureADProd",
      "displayName": "Admin,AzureADProd",
      "id": "68adae10-8b6b-47e6-9142-6476078cdbce",
      "isEnabled": true,
      "origin": "ServicePrincipal",
      "value": "acs:ram::187125022722****:role/aadrole,acs:ram::187125022722****:saml-provider/AAD"
    }
  ]
}
NOTE
The value is the ARNs of the IdP and the role you created in the RAM console. Here, you can add multiple roles as
needed. Azure AD will send the value of these roles as the claim value in SAML response. However, you can only add
new roles after the msiam_access part for the patch operation. To smooth the creation process, we recommend
that you use an ID generator, such as GUID Generator, to generate IDs in real time.
g. After the 'Service Principal' is patched with the required role, attach the role with the Azure AD user (u2)
by following the steps of Assign the Azure AD test user section of the tutorial.
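The request body from step f can be generated rather than hand-edited. The following is an added example, not part of the original tutorial: it appends one RAM role to the appRoles list read in step e, keeps msiam_access first, and rejects malformed or swapped ARNs before anything is pasted into Graph Explorer. The function name, the sample account ID and the GUIDs are constructed for illustration.

```python
import json
import re
import uuid

# ARN shapes as they appear in the tutorial's sample "value":
#   acs:ram::<account-id>:role/<role-name>,acs:ram::<account-id>:saml-provider/<idp-name>
# A name may not contain a comma, slash or whitespace here, because the comma
# is the separator between the two ARNs inside the claim value.
ROLE_ARN = re.compile(r"acs:ram::\d+:role/[^,/\s]+")
IDP_ARN = re.compile(r"acs:ram::\d+:saml-provider/[^,/\s]+")

# Constructed stand-in for the appRoles list returned by the GET in step e.
SAMPLE_EXISTING = [{
    "allowedMemberTypes": ["User"],
    "description": "msiam_access",
    "displayName": "msiam_access",
    "id": "00000000-0000-0000-0000-000000000001",  # constructed GUID
    "isEnabled": True,
    "origin": "Application",
    "value": None,
}]


def build_approles_patch(existing_roles, display_name, role_arn, idp_arn, new_id=None):
    """Return the PATCH body: the existing appRoles plus one new RAM role."""
    # The tutorial's note says new roles may only follow the msiam_access entry.
    if not existing_roles or existing_roles[0].get("displayName") != "msiam_access":
        raise ValueError("first appRole must be msiam_access; re-read appRoles with GET")
    # Order matters: role ARN first, then IdP ARN, as in the tutorial's sample.
    if not ROLE_ARN.fullmatch(role_arn):
        raise ValueError(f"not a RAM role ARN: {role_arn!r}")
    if not IDP_ARN.fullmatch(idp_arn):
        raise ValueError(f"not a RAM saml-provider ARN: {idp_arn!r}")

    value = f"{role_arn},{idp_arn}"
    new_id = new_id or str(uuid.uuid4())  # fresh GUID per role, as the note recommends
    for role in existing_roles:
        if role.get("value") == value:
            raise ValueError("this role/IdP pair is already present in appRoles")
        if role.get("id") == new_id:
            raise ValueError("appRole id collides with an existing role")

    new_role = {
        "allowedMemberTypes": ["User"],
        "description": display_name,
        "displayName": display_name,
        "id": new_id,
        "isEnabled": True,
        "origin": "ServicePrincipal",
        "value": value,
    }
    # The body carries the full list, existing roles first, like the sample body.
    return {"appRoles": list(existing_roles) + [new_role]}


if __name__ == "__main__":
    body = build_approles_patch(
        SAMPLE_EXISTING,
        "Admin,AzureADProd",
        "acs:ram::1234567890123456:role/aadrole",       # constructed account ID
        "acs:ram::1234567890123456:saml-provider/AAD",  # constructed account ID
    )
    print(json.dumps(body, indent=2))
```
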
Configure Alibaba Cloud Service (Role-based SSO) SSO
To configure single sign-on on the Alibaba Cloud Service (Role-based SSO) side, you need to send the
downloaded Federation Metadata XML and the appropriate copied URLs from the Azure portal to the Alibaba Cloud
Service (Role-based SSO) support team. They apply this configuration so that the SAML SSO connection is set
properly on both sides.
Create Alibaba Cloud Service (Role-based SSO) test user
In this section, you create a user called Britta Simon in Alibaba Cloud Service (Role-based SSO). Work with the
Alibaba Cloud Service (Role-based SSO) support team to add the users in the Alibaba Cloud Service (Role-based
SSO) platform. Users must be created and activated before you use single sign-on.
Test SSO
After the preceding configurations are completed, test Alibaba Cloud Service (Role-based SSO) by following these
steps:
1. In the Azure portal, go to the Alibaba Cloud Service (Role-based SSO) page, select Single sign-on, and
click Test.
2. Click Sign in as current user.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Alibaba Cloud Service (Role-based SSO) with Azure AD
Tutorial: Azure Active Directory integration with
Allbound SSO
10/30/2019
In this tutorial, you learn how to integrate Allbound SSO with Azure Active Directory (Azure AD). Integrating
Allbound SSO with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Allbound SSO.
You can enable your users to be automatically signed-in to Allbound SSO (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Allbound SSO, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Allbound SSO single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Allbound SSO supports SP and IDP initiated SSO
Allbound SSO supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Allbound SSO, select Allbound SSO from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<SUBDOMAIN>.allbound.com/
b. In the Reply URL text box, type a URL using the following pattern: https://<SUBDOMAIN>.allbound.com/acs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<SUBDOMAIN>.allbound.com/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
Allbound SSO Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Allbound SSO section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Allbound SSO Single Sign-On
To configure single sign-on on the Allbound SSO side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the Allbound SSO support team. They apply this
configuration so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Allbound SSO test user
In this section, a user called Britta Simon is created in Allbound SSO. Allbound SSO supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Allbound SSO, a new one is created after authentication.
NOTE
If you need to create a user manually, contact Allbound SSO support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Allbound SSO tile in the Access Panel, you should be automatically signed in to the Allbound
SSO for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Allocadia
10/30/2019
In this tutorial, you learn how to integrate Allocadia with Azure Active Directory (Azure AD). Integrating Allocadia
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Allocadia.
You can enable your users to be automatically signed-in to Allocadia (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Allocadia, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Allocadia single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Allocadia supports IDP initiated SSO
Allocadia supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Allocadia, select Allocadia from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
For test environment - https://na2standby.allocadia.com
b. In the Reply URL text box, type a URL using the following pattern:
For test environment - https://na2standby.allocadia.com/allocadia/saml/SSO
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Allocadia Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The Allocadia application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on the
application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the
User Attributes dialog.
6. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
NAME        SOURCE ATTRIBUTE
firstname   user.givenname
lastname    user.surname
email       user.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. On the Set up Allocadia section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Allocadia Single Sign-On
To configure single sign-on on the Allocadia side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the Allocadia support team. They apply this configuration so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Allocadia test user
In this section, a user called Britta Simon is created in Allocadia. Allocadia supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in
Allocadia, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Allocadia tile in the Access Panel, you should be automatically signed in to the Allocadia for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Amazon Business with Azure Active
Directory
7/25/2019
In this tutorial, you'll learn how to integrate Amazon Business with Azure Active Directory (Azure AD). When you
integrate Amazon Business with Azure AD, you can:
Control in Azure AD who has access to Amazon Business.
Enable your users to be automatically signed-in to Amazon Business with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
An Amazon Business single sign-on (SSO) enabled subscription. Go to the Amazon Business page to create an
Amazon Business account.
Scenario description
In this tutorial, you configure and test Azure AD SSO in an existing Amazon Business account.
Amazon Business supports SP and IDP initiated SSO
Amazon Business supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure in IDP initiated mode, perform the
following steps:
a. In the Identifier (Entity ID) text box, type a URL using one of the following patterns:
https://www.amazon.com
https://www.amazon.co.jp
https://www.amazon.de
b. In the Reply URL text box, type a URL using one of the following patterns:
https://www.amazon.com/bb/feature/sso/action/3p_redirect?idpid={idpid}
https://www.amazon.co.jp/bb/feature/sso/action/3p_redirect?idpid={idpid}
https://www.amazon.de/bb/feature/sso/action/3p_redirect?idpid={idpid}
NOTE
The Reply URL value is not real. Update this value with the actual Reply URL. You will get the <idpid> value
from the Amazon Business SSO configuration section, which is explained later in the tutorial. You can also refer
to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://www.amazon.com/
6. The following screenshot shows the list of default attributes. Edit the attributes by clicking on the Edit icon
in the User Attributes & Claims section.
7. Edit Attributes and copy Namespace value of these attributes into the Notepad.
8. In addition to the above, the Amazon Business application expects a few more attributes to be passed back in the
SAML response. In the User Attributes & Claims section on the Group Claims dialog, perform the following
steps:
a. Click the pen next to Groups returned in claim.
b. Select All Groups from the radio list.
c. Select Group ID as Source attribute.
d. Check Customize the name of the group claim checkbox and enter the group name according to your
Organization requirement.
e. Click Save.
9. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Metadata XML and select Download to download the certificate and save it on your computer.
10. On the Set up Amazon Business section, copy the appropriate URL(s) based on your requirement.
Configure Amazon Business SSO
1. In a different web browser window, sign in to your Amazon Business company site as an administrator.
2. Click on the User Profile and select Business Settings.
4. On the Set up SSO wizard, select the provider according to your Organizational requirements and click
Next.
5. On the New user account defaults wizard, select the Default Group and then select Default Buying
Role according to user role in your Organization and click Next.
6. On the Upload your metadata file wizard, click Browse to upload the Metadata XML file, which you
have downloaded from the Azure portal and click Upload.
7. After uploading the downloaded metadata file, the fields in the Connection data section will populate
automatically. After that click Next.
9. On the Attribute mapping wizard, add the required fields by clicking the + Add a field option. Add
the attribute values, including the namespace, which you copied from the User Attributes & Claims
section of the Azure portal, into the SAML AttributeName field, and click Next.
10. On the Amazon connection data wizard, click Next.
11. Please check the Status of the steps which have been configured and click Start testing.
12. On the Test SSO Connection wizard, click Test.
13. On the IDP initiated URL wizard, before you click Activate, copy the value which is assigned to idpid and
paste into the idpid parameter in the Reply URL in the Basic SAML Configuration section in the Azure
portal.
14. On the Are you ready to switch to active SSO? wizard, check I have fully tested SSO and am ready to
go live checkbox and click on Switch to active.
15. Finally in the SSO Connection details section the Status is shown as Active.
NOTE
Administrators need to create the test users in their tenant if needed. The following steps show how to create a test user.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Create an Azure AD Security Group in the Azure portal
1. Click on Azure Active Directory > All Groups.
3. Fill in Group type, Group name, Group description, Membership type. Click on the arrow to select
members, then search for or click on the member you would like to add to the group. Click on Select to add
the selected members, then click on Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Amazon Business.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Amazon Business.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
If you do not assign the users in the Azure AD, you get the following error.
5. Search for the Security Group you want to use, then click on the group to add it to the Select members
section. Click Select, then click Assign.
NOTE
Check the notifications in the menu bar to be notified that the Group was successfully assigned to the Enterprise
application in the Azure portal.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Amazon Web Services (AWS)
11/13/2019 • 10 minutes to read
In this tutorial, you'll learn how to integrate Amazon Web Services (AWS) with Azure Active Directory (Azure AD).
When you integrate Amazon Web Services (AWS) with Azure AD, you can:
Control in Azure AD who has access to Amazon Web Services (AWS).
Enable your users to be automatically signed-in to Amazon Web Services (AWS) with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
You can configure multiple identifiers for multiple instances. For example:
https://signin.aws.amazon.com/saml#1
https://signin.aws.amazon.com/saml#2
With these values, Azure AD removes the value of #, and sends the correct value
https://signin.aws.amazon.com/saml as the audience URL in the SAML token.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
An AWS single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Amazon Web Services (AWS) supports SP and IDP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
Configure and test Azure AD single sign-on for Amazon Web Services
(AWS)
Configure and test Azure AD SSO with Amazon Web Services (AWS) using a test user called B.Simon. For SSO to
work, you need to establish a link relationship between an Azure AD user and the related user in Amazon Web
Services (AWS).
To configure and test Azure AD SSO with Amazon Web Services (AWS), complete the following building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure Amazon Web Services (AWS) SSO - to configure the single sign-on settings on application side.
a. Create Amazon Web Services (AWS) test user - to have a counterpart of B.Simon in Amazon Web
Services (AWS) that is linked to the Azure AD representation of user.
b. How to configure role provisioning in Amazon Web Services (AWS)
3. Test SSO - to verify whether the configuration works.
Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the Amazon Web Services (AWS) application integration page, find the Manage
section and select single sign-on.
2. On the Select a single sign-on method page, select SAML.
3. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to
edit the settings.
4. On the Basic SAML Configuration section, the application is pre-configured, and the necessary URLs are
already pre-populated with Azure. The user needs to save the configuration by selecting Save.
5. When you are configuring more than one instance, provide an identifier value. From the second instance
onwards, use the following format, including a # sign to specify a unique SPN value.
https://signin.aws.amazon.com/saml#2
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. On the Set up Amazon Web Services (AWS) section, copy the appropriate URL(s) based on your
requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
14. Create a new policy by selecting Create policy for fetching the roles from the AWS account in Azure AD
user provisioning.
15. Create your own policy to fetch all the roles from AWS accounts.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}
a. Review the user name, access type, and policy mapped to the user.
b. Select Create user.
20. Download the user credentials of a user.
2. Enter the access key and secret in the clientsecret and Secret Token fields, respectively.
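Added example (not part of the original tutorial): the access key of this IAM user is stored in the Azure AD provisioning settings, so the attached policy should grant iam:ListRoles and nothing more. The check below audits a policy document against that scope; the function names and the broad sample policy are constructed for this example.

```python
import json
from fnmatch import fnmatchcase

# The single action granted by the tutorial's policy (IAM action names are case-insensitive).
REQUIRED_ACTION = "iam:listroles"

# Policy from the tutorial above.
TUTORIAL_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:ListRoles"], "Resource": "*"}
  ]
}"""

# Constructed sample: a policy that grants far more than the role import needs.
CONSTRUCTED_BROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:ListRoles", "sts:AssumeRole"], "Resource": "*"},
    {"Effect": "Allow", "NotAction": "s3:*", "Resource": "*"}
  ]
}"""


def _as_list(value):
    """IAM accepts a single string or object where a list is also allowed."""
    return value if isinstance(value, list) else [value]


def audit_provisioning_policy(policy_json):
    """Return a list of findings; an empty list means the policy grants
    iam:ListRoles and nothing else."""
    policy = json.loads(policy_json)
    findings = []
    grants_list_roles = False
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in statement:
            findings.append(
                f"statement {index}: Allow with NotAction grants every action except those listed")
            continue
        for action in _as_list(statement.get("Action", [])):
            pattern = action.lower()
            # A wildcard such as iam:* also covers iam:ListRoles.
            if fnmatchcase(REQUIRED_ACTION, pattern):
                grants_list_roles = True
            if pattern != REQUIRED_ACTION:
                kind = "wildcard" if ("*" in pattern or "?" in pattern) else "extra"
                findings.append(f"statement {index}: {kind} action {action!r}")
    if not grants_list_roles:
        findings.append("policy does not allow iam:ListRoles, which the role import needs")
    return findings


if __name__ == "__main__":
    for name, doc in (("tutorial", TUTORIAL_POLICY), ("broad", CONSTRUCTED_BROAD_POLICY)):
        print(name, audit_provisioning_policy(doc) or "OK")
```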
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Amazon Web Services (AWS) tile in the Access Panel, you should be automatically signed in to
the Amazon Web Services (AWS) for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Known issues
In the Provisioning section, the Mappings subsection shows a "Loading..." message, and never displays the
attribute mappings. The only provisioning workflow supported today is the import of roles from AWS into
Azure AD for selection during a user or group assignment. The attribute mappings for this are
predetermined, and aren't configurable.
The Provisioning section only supports entering one set of credentials for one AWS tenant at a time. All
imported roles are written to the appRoles property of the Azure AD servicePrincipal object for the AWS
tenant.
Multiple AWS tenants (represented by servicePrincipals) can be added to Azure AD from the gallery for
provisioning. There's a known issue, however, with not being able to automatically write all of the imported
roles from the multiple AWS servicePrincipals used for provisioning into the single servicePrincipal used
for SSO.
As a workaround, you can use the Microsoft Graph API to extract all of the appRoles imported into each
AWS servicePrincipal where provisioning is configured. You can subsequently add these role strings to the
AWS servicePrincipal where SSO is configured.
Roles must meet the following requirements to be eligible to be imported from AWS into Azure AD:
Roles must have exactly one saml-provider defined in AWS
The combined length of the role ARN and the saml-provider ARN for a role being imported must be
119 characters or less
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Amazon Web Services (AWS) with Azure AD
Tutorial: Azure Active Directory integration with
multiple Amazon Web Services (AWS) accounts
11/19/2019 • 10 minutes to read
In this tutorial, you learn how to integrate Azure Active Directory (Azure AD) with multiple accounts of Amazon
Web Services (AWS).
Integrating Amazon Web Services (AWS) with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Amazon Web Services (AWS).
You can enable your users to automatically get signed-on to Amazon Web Services (AWS) (Single Sign-On)
with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see what is application access and
single sign-on with Azure Active Directory.
NOTE
Connecting one AWS app to all your AWS accounts is not our recommended approach. Instead, we recommend
that you use this approach to configure multiple instances of AWS accounts to multiple instances of AWS apps in Azure AD.
We do not recommend connecting one AWS app to all your AWS accounts for the following reasons:
You have to use the Graph Explorer approach to patch all the roles to the app. We don't recommend using
the manifest file approach.
Customers have reported that after adding ~1200 app roles for a single AWS app, any operation
on the app started throwing errors related to size. There is a hard size limit on the application object.
You have to manually update the roles as roles get added in any of the accounts, and unfortunately this is a
Replace approach, not Append. Also, if your accounts are growing, this becomes an n x n
relationship between accounts and roles.
All the AWS accounts use the same Federation Metadata XML file, and at the time of certificate
rollover you have to drive a massive exercise to update the certificate on all the AWS accounts at the
same time.
Prerequisites
To configure Azure AD integration with Amazon Web Services (AWS), you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Amazon Web Services (AWS) single sign-on enabled subscription
NOTE
To test the steps in this tutorial, we do not recommend using a production environment.
To test the steps in this tutorial, you should follow these recommendations:
Do not use your production environment, unless it is necessary.
If you don't have an Azure AD trial environment, you can get a one-month trial.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Amazon Web Services (AWS) supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Amazon Web Services (AWS), select Amazon Web Services (AWS) from the result
panel, then click the Add button to add the application.
5. Once the application is added, go to the Properties page and copy the Object ID.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. Amazon Web Services (AWS) application expects the SAML assertions in a specific format. Configure the
following claims for this application. You can manage the values of these attributes from the User
Attributes & Claims section on application integration page. On the Set up Single Sign-On with SAML
page, click Edit button to open User Attributes & Claims dialog.
6. In the User Claims section on the User Attributes dialog, configure SAML token attribute as shown in the
image above and perform the following steps:
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. In the Namespace textbox, type the Namespace value shown for that row.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML and save it on your computer.
14. We need to capture all the Role ARN and Trusted Entities for all the roles across all the accounts, which we
need to map manually with Azure AD application.
15. Click on the roles to copy Role ARN and Trusted Entities values. You need these values for all the roles
that you need to create in Azure AD.
16. Perform the above step for all the roles in all the accounts and store all of them in format Role
ARN,Trusted entities in a notepad.
17. Open Azure AD Graph Explorer in another window.
a. Sign in to the Graph Explorer site using the Global Admin/Co-admin credentials for your tenant.
b. You need to have sufficient permissions to create the roles. Click on modify permissions to get the
required permissions.
c. Select following permissions from the list (if you don't have these already) and click "Modify Permissions"
d. This will ask you to login again and accept the consent. After accepting the consent, you are logged into
the Graph Explorer again.
e. Change the version dropdown to beta. To fetch all the Service Principals from your tenant, use the
following query:
https://graph.microsoft.com/beta/servicePrincipals
If you are using multiple directories, you can use the following pattern, which has your primary domain in
it:
https://graph.microsoft.com/beta/contoso.com/servicePrincipals
f. From the list of Service Principals fetched, get the one you need to modify. You can also use Ctrl+F to
search for the application among all the listed ServicePrincipals. You can use the following query, with the
Object ID that you copied from the Azure AD Properties page, to get to the respective Service Principal:
https://graph.microsoft.com/beta/servicePrincipals/<objectID>
g. Extract the appRoles property from the service principal object.
NOTE
You can only add new roles after the msiam_access for the patch operation. Also, you can add as many roles as
your organization needs. Azure AD will send the value of these roles as the claim value in the SAML response.
j. Go back to your Graph Explorer and change the method from GET to PATCH. Patch the Service Principal
object to have desired roles by updating appRoles property similar to the one shown above in the example.
Click Run Query to execute the patch operation. A success message confirms the creation of the role for
your Amazon Web Services application.
18. After the Service Principal is patched with more roles, you can assign Users/Groups to the respective roles.
This can be done by going to portal and navigating to the Amazon Web Services application. Click on the
Users and Groups tab on the top.
19. We recommend that you create a new group for every AWS role so that you can assign that particular role to
that group. Note that this is a one-to-one mapping of one group to one role. You can then add the members
who belong to that group.
20. Once the Groups are created, select the group and assign to the application.
NOTE
Nested groups are not supported when assigning groups.
21. To assign the role to the group, select the role and click the Assign button at the bottom of the page.
NOTE
Please note that you need to refresh your session in Azure portal to see new roles.
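Added example (not part of the original tutorial): because the PATCH replaces the whole appRoles collection, the request body has to carry every existing role plus the new ones placed after msiam_access. The sketch below builds that body from the "Role ARN,Trusted entities" lines of step 16 and applies the 119-character limit from the Known issues list of the single-account tutorial, which describes the same Graph workaround. The sample data, the display names, matching msiam_access by displayName, and the same-account check are assumptions of this example.

```python
import json
import re
import uuid

# From the Known issues list: role ARN + saml-provider ARN must total 119 characters or less.
MAX_COMBINED_ARN_LENGTH = 119

ROLE_ARN = re.compile(r"arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+", re.ASCII)
PROVIDER_ARN = re.compile(r"arn:aws:iam::(\d{12}):saml-provider/[\w.-]+", re.ASCII)

# Constructed sample: appRoles as read from the SSO service principal (step g).
EXISTING_APP_ROLES = [
    {"allowedMemberTypes": ["User"], "description": "msiam_access",
     "displayName": "msiam_access", "id": "00000000-0000-0000-0000-000000000001",
     "isEnabled": True, "value": None},
    {"allowedMemberTypes": ["User"], "description": "111111111111 ReadOnly",
     "displayName": "111111111111 ReadOnly", "id": "00000000-0000-0000-0000-000000000002",
     "isEnabled": True,
     "value": "arn:aws:iam::111111111111:role/ReadOnly,"
              "arn:aws:iam::111111111111:saml-provider/AzureAD"},
]

# Constructed sample: notepad lines in the "Role ARN,Trusted entities" format.
PAIR_LINES = [
    "arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/AzureAD",
    "arn:aws:iam::222222222222:role/Admin,arn:aws:iam::222222222222:saml-provider/AzureAD",
    "arn:aws:iam::222222222222:role/Audit,arn:aws:iam::111111111111:saml-provider/AzureAD",
    "arn:aws:iam::222222222222:role/" + "x" * 80 + ",arn:aws:iam::222222222222:saml-provider/AzureAD",
    "arn:aws:iam::222222222222:role/NoProvider",
]


def parse_pair(line):
    """Split one notepad line into (role ARN, provider ARN) and validate both."""
    # Role names may contain commas, provider names may not, so split on the last comma.
    role_arn, sep, provider_arn = line.strip().rpartition(",")
    if not sep:
        raise ValueError("expected 'Role ARN,Trusted entities'")
    role, provider = ROLE_ARN.fullmatch(role_arn), PROVIDER_ARN.fullmatch(provider_arn)
    if not role or not provider:
        raise ValueError("not a role ARN followed by a saml-provider ARN")
    # Assumption of this example: a pair that spans two accounts is a copy-paste error.
    if role.group(1) != provider.group(1):
        raise ValueError("role and saml-provider belong to different accounts")
    if len(role_arn) + len(provider_arn) > MAX_COMBINED_ARN_LENGTH:
        raise ValueError(f"combined ARN length exceeds {MAX_COMBINED_ARN_LENGTH}")
    return role_arn, provider_arn


def new_app_role(role_arn, provider_arn):
    """Build one appRole entry; the label format is this example's choice."""
    account = ROLE_ARN.fullmatch(role_arn).group(1)
    label = f"{account} {role_arn.split(':role/', 1)[1]}"
    return {"allowedMemberTypes": ["User"], "description": label, "displayName": label,
            "id": str(uuid.uuid4()), "isEnabled": True, "value": f"{role_arn},{provider_arn}"}


def build_patch_body(existing_app_roles, pair_lines):
    """Return (PATCH body, rejected lines). Existing roles are kept because
    the PATCH replaces the collection rather than appending to it."""
    roles = [dict(role) for role in existing_app_roles]
    if not any(role.get("displayName") == "msiam_access" for role in roles):
        raise ValueError("msiam_access missing: re-read appRoles from the service principal")
    seen = {role.get("value") for role in roles}
    rejected = []
    for line in pair_lines:
        if not line.strip():
            continue
        try:
            role_arn, provider_arn = parse_pair(line)
        except ValueError as exc:
            rejected.append((line.strip(), str(exc)))
            continue
        value = f"{role_arn},{provider_arn}"
        if value not in seen:  # skip roles that are already on the app
            seen.add(value)
            roles.append(new_app_role(role_arn, provider_arn))
    return {"appRoles": roles}, rejected


if __name__ == "__main__":
    body, rejected = build_patch_body(EXISTING_APP_ROLES, PAIR_LINES)
    print(json.dumps(body, indent=2))
    for line, reason in rejected:
        print("rejected:", reason, "<-", line)
```

Review the rejected lines before pasting the printed body into the PATCH request in Graph Explorer.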
For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
How to configure provisioning using MS Graph APIs
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
Tutorial: Azure Active Directory integration with
AMMS
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate AMMS with Azure Active Directory (Azure AD). Integrating AMMS with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to AMMS.
You can enable your users to be automatically signed-in to AMMS (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with AMMS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
AMMS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
AMMS supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type AMMS, select AMMS from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
<SUBDOMAIN>.microwestcloud.com/amms
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact AMMS Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create AMMS test user
In this section, you create a user called Britta Simon in AMMS. Work with AMMS support team to add the users in
the AMMS platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the AMMS tile in the Access Panel, you should be automatically signed in to the AMMS for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Amplitude
10/18/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Amplitude with Azure Active Directory (Azure AD). When you
integrate Amplitude with Azure AD, you can:
Control in Azure AD who has access to Amplitude.
Enable your users to be automatically signed-in to Amplitude with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Amplitude single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Amplitude supports SP and IDP initiated SSO
Amplitude supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL: https://amplitude.com/saml/sso/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://analytics.amplitude.com/saml/sso/<uniqueid>
NOTE
The Reply URL value is not real. You will get the Reply URL value later in this tutorial.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://analytics.amplitude.com/sso
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. On the Set up Amplitude section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, clicking Set up Amplitude will direct you to the Amplitude
application. From there, provide the admin credentials to sign into Amplitude. The browser extension will
automatically configure the application for you and automate steps 3-6.
3. If you want to set up Amplitude manually, open a new web browser window and sign into your Amplitude
company site as an administrator and perform the following steps:
4. Click on the Plan Admin from the left navigation bar.
5. Select Microsoft Azure Active Directory Metadata from the SSO Integration.
NOTE
If you need to create a user manually, contact Amplitude support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Amplitude tile in the Access Panel, you should be automatically signed in to the Amplitude for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Amplitude with Azure AD
Tutorial: Azure Active Directory integration with
Anaplan
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Anaplan with Azure Active Directory (Azure AD). Integrating Anaplan
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Anaplan.
You can enable your users to be automatically signed-in to Anaplan (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Anaplan, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Anaplan single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Anaplan supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Anaplan, select Anaplan from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.anaplan.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Anaplan Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Anaplan section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Anaplan Single Sign-On
To configure single sign-on on Anaplan side, you need to send the downloaded Federation Metadata XML and
appropriate copied URLs from Azure portal to Anaplan support team. They set this setting to have the SAML SSO
connection set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Anaplan test user
In this section, you create a user called Britta Simon in Anaplan. Work with Anaplan support team to add the users
in the Anaplan platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Anaplan tile in the Access Panel, you should be automatically signed in to the Anaplan for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate ANAQUA with Azure Active
Directory
6/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate ANAQUA with Azure Active Directory (Azure AD). When you integrate
ANAQUA with Azure AD, you can:
Control in Azure AD who has access to ANAQUA.
Enable your users to be automatically signed-in to ANAQUA with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
ANAQUA single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. ANAQUA supports SP and IDP
initiated SSO and supports Just In Time user provisioning.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<SUBDOMAIN>.anaqua.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.anaqua.com/anaqua/Public/login.aspx
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.anaqua.com/anaqua/Public/login.aspx
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
ANAQUA Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the metadata file and save it on your
computer.
7. On the Set up ANAQUA section, copy the appropriate URL(s) based on your requirement.
Configure ANAQUA
To configure single sign-on on ANAQUA side, you need to send the downloaded Federation Metadata XML
and appropriate copied URLs from Azure portal to ANAQUA support team. They set this setting to have the
SAML SSO connection set properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B. Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B. Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
BrittaSimon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B. Simon to use Azure single sign-on by granting access to ANAQUA.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select ANAQUA.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B. Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create ANAQUA test user
In this section, a user called Britta Simon is created in ANAQUA. ANAQUA supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in ANAQUA, a new one is created after authentication.
Test SSO
When you select the ANAQUA tile in the Access Panel, you should be automatically signed in to the ANAQUA for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
&frankly
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate &frankly with Azure Active Directory (Azure AD). Integrating &frankly
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to &frankly.
You can enable your users to be automatically signed-in to &frankly (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with &frankly, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
&frankly single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
&frankly supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type &frankly, select &frankly from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://andfrankly.com/saml/simplesaml/www/module.php/saml/sp/metadata.php/<tenant id>
b. In the Reply URL text box, type a URL using the following pattern:
https://andfrankly.com/saml/simplesaml/www/module.php/saml/sp/saml2-acs.php/<tenant id>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://andfrankly.com/saml/okta/?saml_sso=<tenant id>
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
&frankly Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. In the Set up &frankly section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure &frankly Single Sign-On
To configure single sign-on on the &frankly side, you need to send the downloaded Federation Metadata XML and the
appropriate copied URLs from the Azure portal to the &frankly support team. They apply this configuration so that the
SAML SSO connection is set up correctly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create &frankly test user
In this section, you create a user called Britta Simon in &frankly. Work with &frankly support team to add the users
in the &frankly platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the &frankly tile in the Access Panel, you should be automatically signed in to the &frankly instance for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Andromeda
6/13/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Andromeda with Azure Active Directory (Azure AD). Integrating
Andromeda with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Andromeda.
You can enable your users to be automatically signed-in to Andromeda (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Andromeda, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Andromeda single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Andromeda supports SP and IDP initiated SSO
Andromeda supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Andromeda, select Andromeda from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<tenantURL>.ngcxpress.com/
b. In the Reply URL text box, type a URL using the following pattern:
https://<tenantURL>.ngcxpress.com/SAMLConsumer.aspx
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<tenantURL>.ngcxpress.com/SAMLLogon.aspx
NOTE
These values are not real. You will update these values with the actual Identifier, Reply URL, and Sign-On URL, as
explained later in the tutorial.
6. The Andromeda application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on the
application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the
User Attributes dialog.
IMPORTANT
Clear out the NameSpace definitions while setting these up.
7. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
company CompanyName
NOTE
These are not real values. They are for demonstration purposes only; use your organization's roles.
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
9. In the Set up Andromeda section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Andromeda Single Sign-On
1. Sign in to your Andromeda company site as an administrator.
2. At the top of the menu bar, click Admin and navigate to Administration.
3. On the left side of tool bar under Interfaces section, click SAML Configuration.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Andromeda test user
In this section, a user called Britta Simon is created in Andromeda. Andromeda supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Andromeda, a new one is created after authentication. If you need to create a user manually, contact
Andromeda Client support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Andromeda tile in the Access Panel, you should be automatically signed in to the Andromeda
instance for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with AnswerHub
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate AnswerHub with Azure Active Directory (Azure AD). Integrating
AnswerHub with Azure AD provides these benefits:
You can use Azure AD to control who has access to AnswerHub.
You can let your users automatically sign in to AnswerHub with their Azure AD accounts (single sign-on).
You can manage your accounts from a central location: the Azure portal.
To learn more about SaaS app integration with Azure AD, see Single sign-on to applications in Azure Active
Directory. If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
To configure Azure AD integration with AnswerHub, you need the following:
An Azure AD subscription. If you don't have an Azure AD environment, you can begin a one-month trial.
An AnswerHub subscription that has single sign-on enabled.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
AnswerHub supports SP-initiated SSO.
4. In the search box, enter AnswerHub. Select AnswerHub in the results list, and then select Add.
3. On the Set up Single Sign-On with SAML page, select the edit icon to open the Basic SAML
Configuration dialog box.
b. In the Identifier (Entity ID) box, enter a URL that has this pattern: https://<company>.answerhub.com
NOTE
These values aren't real. Update these values with the actual sign-on URL and identifier. Contact the AnswerHub
support team to get the values. You can also refer to the patterns shown in the Basic SAML Configuration section
in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select the
Download link next to Certificate (Base64), per your requirements, and save the certificate on your
computer.
6. In the Set up AnswerHub section, copy the appropriate URL or URLs, based on your requirements.
NOTE
If you need help configuring AnswerHub, contact the AnswerHub support team.
2. Go to Administration.
3. On the User and Groups tab, in the left pane, in the Social Settings section, select SAML Setup.
4. On the IDP Config tab, complete these steps:
a. In the IDP Login URL box, paste the Login URL that you copied from the Azure portal.
b. In the IDP Logout URL box, paste the Logout URL that you copied from the Azure portal.
c. In the IDP Name Identifier Format box, enter the Identifier value selected in the User Attributes
section on the Azure portal.
d. Select Keys and Certificates.
5. In the Keys and Certificates section, complete these steps:
a. Open the Base64-encoded certificate that you downloaded from the Azure portal in Notepad, copy its
contents, and then paste the contents into the IDP Public Key (x509 Format) box.
b. Select Save.
6. On the IDP Config tab, select Save again.
Create an Azure AD test user
In this section, you create a test user named Britta Simon in the Azure portal.
To create an Azure AD test user:
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Select Add user, and then select Users and groups in the Add Assignment dialog box.
5. In the Users and groups dialog box, select Britta Simon in the Users list, and then select the Select button
at the bottom of the screen.
6. If you're expecting a role value in the SAML assertion, in the Select Role dialog box, select the appropriate
role for the user from the list.
7. Select the Select button at the bottom of the screen.
8. In the Add Assignment dialog box, select Assign.
Create an AnswerHub test user
To enable Azure AD users to sign in to AnswerHub, you need to add them in AnswerHub. In AnswerHub, this task
is done manually.
To set up a user account:
1. Sign in to your AnswerHub company site as an admin.
2. Go to Administration.
3. Select the Users & Groups tab.
4. In the left pane, in the Manage Users section, select Create or import users, and then select Users &
Groups.
5. In the appropriate boxes, enter the Email address, Username, and Password of a valid Azure AD account
that you want to add, and then select Save.
NOTE
You can use any other user account creation tool or API provided by AnswerHub to set up Azure AD user accounts.
Additional resources
Tutorials for integrating SaaS apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Apex Portal
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Apex Portal with Azure Active Directory (Azure AD). Integrating Apex
Portal with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Apex Portal.
You can enable your users to be automatically signed-in to Apex Portal (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Apex Portal, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Apex Portal single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Apex Portal supports IDP initiated SSO
Apex Portal supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Apex Portal, select Apex Portal from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<customer name>.apexportal.net/saml/sso.aspx
b. In the Reply URL text box, type a URL using the following pattern:
https://<customer name>.apexportal.net/saml/sso.aspx
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Apex Portal Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The Apex Portal application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on the
application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the
User Attributes dialog.
6. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
FIRSTNAME user.givenname
LASTNAME user.surname
MAIL user.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. In the Set up Apex Portal section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Apex Portal Single Sign-On
To configure single sign-on on the Apex Portal side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the Apex Portal support team. They apply this configuration
so that the SAML SSO connection is set up correctly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Apex Portal test user
In this section, a user called Britta Simon is created in Apex Portal. Apex Portal supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Apex Portal, a new one is created after authentication.
NOTE
If you need to create a user manually, you need to contact the Apex Portal support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Apex Portal tile in the Access Panel, you should be automatically signed in to the Apex Portal
instance for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with AppBlade
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate AppBlade with Azure Active Directory (Azure AD). Integrating AppBlade
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to AppBlade.
You can enable your users to be automatically signed-in to AppBlade (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with AppBlade, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
AppBlade single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
AppBlade supports SP initiated SSO
AppBlade supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type AppBlade, select AppBlade from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact AppBlade Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up AppBlade section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure AppBlade Single Sign-On
To configure single sign-on on the AppBlade side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the AppBlade support team. Also, ask them to configure the
SSO Issuer URL as https://appblade.com/saml. This setting is required for single sign-on to work.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create AppBlade test user
The objective of this section is to create a user called Britta Simon in AppBlade. AppBlade supports just-in-time
provisioning, which is enabled by default. Make sure that your domain name is configured with AppBlade
for user provisioning. Just-in-time user provisioning works only after that.
If the user has an email address ending with the domain configured by AppBlade for your account, then the user
will automatically join the account as a member with the permission level you specify, which is one of "Basic" (a
basic user who can only install applications), "Team Member" (a user who can upload new app versions and
manage projects), or "Administrator" (full admin privileges to the account). Normally one would choose Basic and
then promote users manually via an Admin login (AppBlade needs to configure either an email-based admin login
in advance or promote a user on behalf of the customer after login).
There is no action item for you in this section. A new user is created during an attempt to access AppBlade if it
doesn't exist yet.
NOTE
If you need to create a user manually, you need to contact the AppBlade support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with AppDynamics
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate AppDynamics with Azure Active Directory (Azure AD). Integrating
AppDynamics with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to AppDynamics.
You can enable your users to be automatically signed-in to AppDynamics (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with AppDynamics, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
AppDynamics single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
AppDynamics supports SP initiated SSO
AppDynamics supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type AppDynamics, select AppDynamics from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.saas.appdynamics.com/controller
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact AppDynamics
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up AppDynamics section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure AppDynamics Single Sign-On
1. In a different web browser window, log in to your AppDynamics company site as an administrator.
2. In the toolbar on the top, click Settings, and then click Administration.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create AppDynamics test user
The objective of this section is to create a user called Britta Simon in AppDynamics. AppDynamics supports just-in-time
provisioning, which is enabled by default. There is no action item for you in this section. A new user is created
during an attempt to access AppDynamics if it doesn't exist yet.
NOTE
If you need to create a user manually, contact AppDynamics Client support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Appinux
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Appinux with Azure Active Directory (Azure AD). Integrating Appinux
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Appinux.
You can enable your users to be automatically signed-in to Appinux (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Appinux, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Appinux single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Appinux supports SP initiated SSO
Appinux supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Appinux, select Appinux from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<Appinux_SUBDOMAIN>.appinux.com/simplesaml/module.php/saml/sp/metadata.php/default-sp
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Appinux Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The Appinux application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on the
application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the
User Attributes dialog.
6. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
NAME | NAMESPACE | SOURCE ATTRIBUTE
givenname | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.givenname
surname | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.surname
emailaddress | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.mail
name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.userprincipalname
Role | http://schemas.microsoft.com/ws/2008/06/identity/claims/role | user.assignedroles
email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email | user.mail
wanshort | http://appinux.com/windowsaccountname2 | extractmailprefix([userprincipalname])
nameidentifier | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.employeeid
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. In the Namespace textbox, type the namespace value shown for that row.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. In the Set up Appinux section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Appinux Single Sign-On
To configure single sign-on on the Appinux side, you need to send the downloaded Federation Metadata XML and the
appropriate copied URLs from the Azure portal to the Appinux support team. They apply this configuration so that the
SAML SSO connection is set up correctly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Appinux test user
In this section, a user called Britta Simon is created in Appinux. Appinux supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Appinux,
a new one is created after authentication.
NOTE
If you need to create a user manually, contact Appinux support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Appinux tile in the Access Panel, you should be automatically signed in to the Appinux for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
AppNeta Performance Monitor
10/30/2019
In this tutorial, you learn how to integrate AppNeta Performance Monitor with Azure Active Directory (Azure AD).
Integrating AppNeta Performance Monitor with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to AppNeta Performance Monitor.
You can enable your users to be automatically signed-in to AppNeta Performance Monitor (Single Sign-On)
with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with AppNeta Performance Monitor, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
AppNeta Performance Monitor single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
AppNeta Performance Monitor supports SP initiated SSO
AppNeta Performance Monitor supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type AppNeta Performance Monitor, select AppNeta Performance Monitor from
result panel then click Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
NOTE
The Sign-on URL value is not real. Update this value with the actual Sign-On URL. Contact AppNeta Performance
Monitor Client support team to get this value. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. AppNeta Performance Monitor application expects the SAML assertions in a specific format. Configure the
following claims for this application. You can manage the values of these attributes from the User
Attributes section on application integration page. On the Set up Single Sign-On with SAML page, click
Edit button to open User Attributes dialog.
6. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
NAME SOURCE ATTRIBUTE
firstName user.givenname
lastName user.surname
email user.userprincipalname
name user.userprincipalname
groups user.assignedroles
phone user.telephonenumber
title user.jobtitle
NOTE
groups refers to the security group in AppNeta which is mapped to a Role in Azure AD. Please refer to this doc which
explains how to create custom roles in Azure AD.
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. On the Set up AppNeta Performance Monitor section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure AppNeta Performance Monitor Single Sign-On
To configure single sign-on on the AppNeta Performance Monitor side, send the downloaded
Federation Metadata XML and the URLs you copied from the Azure portal to the AppNeta Performance Monitor
support team. They apply these settings so that the SAML SSO connection is configured correctly on both sides.
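Before the Federation Metadata XML and the copied URLs go to the support team, it helps to confirm that they agree with each other and to record the signing certificate's fingerprint so the receiving side can compare it. The following Python is an added example, not part of the tutorial or of any Microsoft or AppNeta tooling. The sample metadata, tenant ID and certificate bytes are constructed placeholders, and it assumes the portal's Azure AD Identifier corresponds to the metadata entityID and the Login URL to a SingleSignOnService Location.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: placeholder tenant ID and placeholder bytes standing in
# for the DER certificate. A real download carries the tenant's own values.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def fingerprint(cert_text):
    """SHA-256 of the DER bytes, colon-separated. Accepts bare base64 or PEM."""
    body = "".join(
        line.strip()
        for line in cert_text.strip().splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    der = base64.b64decode(body, validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def summarize_metadata(xml_text):
    """Pull the values an SP operator configures out of IdP federation metadata."""
    # The file is one you downloaded from your own tenant; for XML from an
    # untrusted source, use a hardened parser such as defusedxml instead.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    prints = [
        fingerprint(cert.text)
        for key in idp.iterfind("md:KeyDescriptor", NS)
        if key.get("use", "signing") == "signing"  # no 'use' means signing too
        for cert in key.iterfind(".//ds:X509Certificate", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "sso_urls": [e.get("Location") for e in idp.iterfind("md:SingleSignOnService", NS)],
        "logout_urls": [e.get("Location") for e in idp.iterfind("md:SingleLogoutService", NS)],
        "signing_cert_sha256": prints,
    }


def find_mismatches(summary, login_url, identifier):
    """Names of copied portal values that the metadata does not back up.

    Assumed mapping (not stated in the tutorial): Azure AD Identifier is the
    entityID, Login URL is a SingleSignOnService Location.
    """
    problems = []
    if identifier != summary["entity_id"]:
        problems.append("Azure AD Identifier")
    if login_url not in summary["sso_urls"] or not login_url.startswith("https://"):
        problems.append("Login URL")
    if not summary["signing_cert_sha256"]:
        problems.append("signing certificate")
    return problems


if __name__ == "__main__":
    info = summarize_metadata(SAMPLE_METADATA)
    for key, value in info.items():
        print(key, value)
    print("mismatches:", find_mismatches(info, info["sso_urls"][0], info["entity_id"]))
```

fingerprint() also accepts the contents of a Certificate (Base64) download, so the same fingerprint can be read back by whoever installs the certificate on the application side.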
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create AppNeta Performance Monitor test user
In this section, a user called Britta Simon is created in AppNeta Performance Monitor. AppNeta Performance
Monitor supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this
section. If a user doesn't already exist in AppNeta Performance Monitor, a new one is created after authentication.
NOTE
If you need to create a user manually, contact AppNeta Performance Monitor support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the AppNeta Performance Monitor tile in the Access Panel, you should be automatically signed in
to the AppNeta Performance Monitor for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
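After a test sign-in, the claims configured in step 6 can be checked in the decoded assertion, which matters here because just-in-time provisioning creates the account from those values and groups carries the role mapping. The following Python is an added example, not code from the tutorial. The sample assertion, the role name netops-admin and the allowed_groups parameter are constructed for illustration, and the code inspects claim content only and does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names from the table in step 6. The Namespace field is left blank,
# so each SAML Attribute Name is exactly the claim name.
EXPECTED_CLAIMS = ("firstName", "lastName", "email", "name", "groups", "phone", "title")

# Constructed sample: the AttributeStatement of a decoded test assertion.
# "netops-admin" is a made-up role value; phone is absent and title is empty.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <AttributeValue>00000000-0000-0000-0000-000000000000</AttributeValue>
    </Attribute>
    <Attribute Name="firstName"><AttributeValue>Britta</AttributeValue></Attribute>
    <Attribute Name="lastName"><AttributeValue>Simon</AttributeValue></Attribute>
    <Attribute Name="email"><AttributeValue>britta.simon@contoso.com</AttributeValue></Attribute>
    <Attribute Name="name"><AttributeValue>britta.simon@contoso.com</AttributeValue></Attribute>
    <Attribute Name="groups"><AttributeValue>netops-admin</AttributeValue></Attribute>
    <Attribute Name="title"><AttributeValue/></Attribute>
  </AttributeStatement>
</Assertion>"""


def read_claims(assertion_xml):
    """Map each Attribute Name to the list of its AttributeValue strings."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def check_claims(assertion_xml, expected=EXPECTED_CLAIMS, allowed_groups=None):
    """Compare the claims in an assertion with the configured claim table.

    allowed_groups (hypothetical parameter): the role values that have a
    matching security group on the application side. Any other value in the
    groups claim is reported, since it would not map to a known group.
    """
    claims = read_claims(assertion_xml)
    missing = [name for name in expected if name not in claims]
    empty = [name for name in expected
             if name in claims and not any(claims[name])]
    extra = sorted(name for name in claims if name not in expected)
    unmapped = []
    if allowed_groups is not None:
        unmapped = [g for g in claims.get("groups", [])
                    if g and g not in allowed_groups]
    return {
        "missing": missing,          # configured but not emitted
        "empty": empty,              # emitted with no usable value
        "extra": extra,              # emitted but not in the table
        "unmapped_groups": unmapped,
    }


if __name__ == "__main__":
    report = check_claims(SAMPLE_ASSERTION,
                          allowed_groups={"netops-admin", "netops-viewer"})
    for key, value in report.items():
        print(f"{key}: {value}")
```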
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Appraisd with Azure Active
Directory
7/3/2019
In this tutorial, you'll learn how to integrate Appraisd with Azure Active Directory (Azure AD). When you integrate
Appraisd with Azure AD, you can:
Control in Azure AD who has access to Appraisd.
Enable your users to be automatically signed-in to Appraisd with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Appraisd single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Appraisd supports SP and IDP
initiated SSO.
4. On the Basic SAML Configuration section, the application is pre-configured and the necessary URLs are
already pre-populated with Azure. The user needs to save the configuration by clicking the Save button and
perform the following steps:
a. Click Set additional URLs.
b. In the Relay State text box, type a URL: <TENANTCODE>
c. If you wish to configure the application in SP initiated mode, in the Sign-on URL text box, type a URL
using the following pattern: https://app.appraisd.com/saml/<TENANTCODE>
NOTE
You get the actual Sign-on URL and Relay State value on the Appraisd SSO Configuration page which is explained
later in the tutorial.
5. Appraisd application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes, in which nameidentifier is mapped to user.userprincipalname. Appraisd application
expects nameidentifier to be mapped to user.mail, so you need to edit the attribute mapping by clicking
the Edit icon and changing the attribute mapping.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. On the Set up Appraisd section, copy the appropriate URL(s) based on your requirement.
Configure Appraisd
1. To automate the configuration within Appraisd, you need to install My Apps Secure Sign-in browser
extension by clicking Install the extension.
2. After adding the extension to the browser, click Setup Appraisd, which directs you to the Appraisd application.
From there, provide the admin credentials to sign into Appraisd. The browser extension will automatically
configure the application for you and automate steps 3-7.
3. If you want to setup Appraisd manually, open a new web browser window and sign into your Appraisd
company site as an administrator and perform the following steps:
4. On the top right of the page, click on Settings icon, then navigate to Configuration.
5. From the Left side of menu, click on SAML single sign-on.
6. On the SAML 2.0 Single Sign-On configuration page, perform the following steps:
a. Copy the Default Relay State value and paste it in Relay State textbox in Basic SAML Configuration
on Azure portal.
b. Copy the Service-initiated login URL value and paste it in Sign-on URL textbox in Basic SAML
Configuration on Azure portal.
7. Scroll down the same page under Identifying users, perform the following steps:
a. In the Identity Provider Single Sign-On URL textbox, paste the value of Login URL, which you have
copied from the Azure portal and click Save.
b. In the Identity Provider Issuer URL textbox, paste the value of Azure AD Identifier, which you have
copied from the Azure portal and click Save.
c. In Notepad, open the base-64 encoded certificate that you downloaded from the Azure portal, copy its
content, and then paste it into the X.509 Certificate box and click Save.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B. Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B. Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B. Simon to use Azure single sign-on by granting access to Appraisd.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Appraisd.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B. Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Appraisd test user
To enable Azure AD users to sign in to Appraisd, they must be provisioned into Appraisd. In Appraisd, provisioning is
a manual task.
To provision a user account, perform the following steps:
1. Sign in to Appraisd as a Security Administrator.
2. On the top right of the page, click on Settings icon, then navigate to Administration centre.
3. In the toolbar at the top of the page, click People, then navigate to Add a new user.
a. In First name text box, enter the first name of user like Britta.
b. In Last name text box, enter the last name of user like Simon.
c. In Email text box, enter the email of user like B.Simon@contoso.com.
d. Click Add user.
Test SSO
When you select the Appraisd tile in the Access Panel, you should be automatically signed in to the Appraisd for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Apptio
9/19/2019
In this tutorial, you'll learn how to integrate Apptio with Azure Active Directory (Azure AD). When you integrate
Apptio with Azure AD, you can:
Control in Azure AD who has access to Apptio.
Enable your users to be automatically signed-in to Apptio with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Apptio single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Apptio supports IDP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Identifier text box, type a URL: urn:federation:apptio
5. The role claim is pre-configured, so you don't have to configure it, but you still need to create the roles in Azure
AD using this article.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. On the Set up Apptio section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Apptio.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Apptio.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Apptio tile in the Access Panel, you should be automatically signed in to the Apptio for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Apptio with Azure AD
Tutorial: Azure Active Directory integration with
Aravo
10/30/2019
In this tutorial, you learn how to integrate Aravo with Azure Active Directory (Azure AD). Integrating Aravo with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Aravo.
You can enable your users to be automatically signed-in to Aravo (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Aravo, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Aravo single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Aravo supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Aravo, select Aravo from result panel then click Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<companyname>.aravo.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<companyname>.aravo.com/aems/login.do
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Aravo Client support
team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Aravo section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Aravo Single Sign-On
To configure single sign-on on the Aravo side, send the downloaded Certificate (Base64) and the
URLs you copied from the Azure portal to the Aravo support team. They apply these settings so that the SAML SSO
connection is configured correctly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Aravo test user
In this section, you create a user called Britta Simon in Aravo. Work with Aravo support team to add the users in
the Aravo platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Aravo tile in the Access Panel, you should be automatically signed in to the Aravo for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with ARC Facilities
10/7/2019
In this tutorial, you'll learn how to integrate ARC Facilities with Azure Active Directory (Azure AD). When you
integrate ARC Facilities with Azure AD, you can:
Control in Azure AD who has access to ARC Facilities.
Enable your users to be automatically signed-in to ARC Facilities with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
ARC Facilities single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
ARC Facilities supports IDP initiated SSO
ARC Facilities supports Just In Time user provisioning
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, the application is pre-configured and the necessary URLs are
already pre-populated with Azure. The user needs to save the configuration by clicking the Save button.
5. ARC Facilities application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click Edit icon to open User Attributes dialog.
6. In addition to the above, ARC Facilities application expects a few more attributes to be passed back in the SAML
response. In the User Attributes & Claims section on the Group Claims (Preview) dialog, perform the
following steps:
a. Click the pen next to Groups returned in claim.
b. Select All Groups from the radio list.
c. Select Source Attribute of Group ID.
d. Click Save.
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
8. On the Set up ARC Facilities section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to ARC Facilities.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select ARC Facilities.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ARC Facilities tile in the Access Panel, you should be automatically signed in to the ARC
Facilities for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try ARC Facilities with Azure AD
Tutorial: Azure Active Directory integration with Arc
Publishing - SSO
10/30/2019
In this tutorial, you learn how to integrate Arc Publishing - SSO with Azure Active Directory (Azure AD).
Integrating Arc Publishing - SSO with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Arc Publishing - SSO.
You can enable your users to be automatically signed-in to Arc Publishing - SSO (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Arc Publishing - SSO, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Arc Publishing - SSO single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Arc Publishing - SSO supports SP and IDP initiated SSO
Arc Publishing - SSO supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Arc Publishing - SSO, select Arc Publishing - SSO from result panel then click
Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://www.okta.com/saml2/service-provider/<Unique ID>
b. In the Reply URL text box, type a URL using the following pattern:
https://arcpublishing-<Customer>.okta.com/sso/saml2/<Unique ID>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://arcpublishing-<Customer>.okta.com/sso/saml2/<Unique ID>
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact Arc
Publishing - SSO Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
6. Arc Publishing - SSO application expects the SAML assertions in a specific format. Configure the following
claims for this application. You can manage the values of these attributes from the User Attributes section
on application integration page. On the Set up Single Sign-On with SAML page, click Edit button to
open User Attributes dialog.
7. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
NAME SOURCE ATTRIBUTE
firstName user.givenname
lastName user.surname
email user.mail
groups user.assignedroles
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
NOTE
Here the groups attribute is mapped with user.assignedroles. These are custom roles created in Azure AD to map
the group names back in application. You can find more guidance here on how to create custom roles in Azure AD.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
9. On the Set up Arc Publishing - SSO section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Arc Publishing - SSO Single Sign-On
To configure single sign-on on the Arc Publishing - SSO side, send the downloaded Certificate
(Base64) and the URLs you copied from the Azure portal to the Arc Publishing - SSO support team. They apply these
settings so that the SAML SSO connection is configured correctly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Arc Publishing - SSO test user
In this section, a user called Britta Simon is created in Arc Publishing - SSO. Arc Publishing - SSO supports just-in-
time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't
already exist in Arc Publishing - SSO, a new one is created after authentication.
NOTE
If you need to create a user manually, contact Arc Publishing - SSO support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Arc Publishing - SSO tile in the Access Panel, you should be automatically signed in to the Arc
Publishing - SSO for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with ArcGIS Enterprise
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate ArcGIS Enterprise with Azure Active Directory (Azure AD). Integrating
ArcGIS Enterprise with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to ArcGIS Enterprise.
You can enable your users to be automatically signed-in to ArcGIS Enterprise (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ArcGIS Enterprise, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
ArcGIS Enterprise single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ArcGIS Enterprise supports SP and IDP initiated SSO
ArcGIS Enterprise supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type ArcGIS Enterprise, select ArcGIS Enterprise from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, perform the following steps if you wish to configure the
application in IDP Initiated mode:
a. In the Identifier text box, type a URL using the following pattern: <EXTERNAL_DNS_NAME>.portal
b. In the Reply URL text box, type a URL using the following pattern:
https://<EXTERNAL_DNS_NAME>/portal/sharing/rest/oauth2/saml/signin2
c. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<EXTERNAL_DNS_NAME>/portal/sharing/rest/oauth2/saml/signin
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the ArcGIS
Enterprise Client support team to get these values. You will get the Identifier value from the Set Identity Provider
section, which is explained later in this tutorial.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Scroll down to the Enterprise Logins via SAML section and select SET ENTERPRISE LOGIN.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create ArcGIS Enterprise test user
In this section, a user called Britta Simon is created in ArcGIS Enterprise. ArcGIS Enterprise supports just-in-time
user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't
already exist in ArcGIS Enterprise, a new one is created after authentication.
NOTE
If you need to create a user manually, contact the ArcGIS Enterprise support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with ArcGIS Online
11/19/2019 • 6 minutes to read
In this tutorial, you learn how to integrate ArcGIS Online with Azure Active Directory (Azure AD). Integrating
ArcGIS Online with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to ArcGIS Online.
You can enable your users to be automatically signed-in to ArcGIS Online (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ArcGIS Online, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
ArcGIS Online single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ArcGIS Online supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type ArcGIS Online, select ArcGIS Online from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
<companyname>.maps.arcgis.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the ArcGIS Online
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. To automate the configuration within ArcGIS Online, install the My Apps Secure Sign-in
browser extension by clicking Install the extension.
7. After adding the extension to the browser, click setup ArcGIS Online, which will direct you to the ArcGIS Online
application. From there, provide the admin credentials to sign in to ArcGIS Online. The browser extension
will automatically configure the application for you and automate the steps in the section Configure ArcGIS
Online Single Sign-On.
Configure ArcGIS Online Single Sign-On
1. If you want to set up ArcGIS Online manually, open a new web browser window, log in to your ArcGIS
company site as an administrator, and perform the following steps:
2. Click EDIT SETTINGS.
3. Click Security.
5. On the Set Identity Provider configuration page, perform the following steps:
a. In the Name textbox, type your organization’s name.
b. For Metadata for the Enterprise Identity Provider will be supplied using, select A File.
c. To upload your downloaded metadata file, click Choose file.
d. Click SET IDENTITY PROVIDER.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create ArcGIS Online test user
In order to enable Azure AD users to log into ArcGIS Online, they must be provisioned into ArcGIS Online.
In the case of ArcGIS Online, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to your ArcGIS tenant.
2. Click INVITE MEMBERS.
3. Select Add members automatically without sending an email, and then click NEXT.
a. Enter the Email, First Name, and Last Name of a valid Azure AD account you want to provision.
b. Click ADD AND REVIEW.
5. Review the data you have entered, and then click ADD MEMBERS.
NOTE
The Azure Active Directory account holder will receive an email and follow a link to confirm their account before it
becomes active.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with ARES for Enterprise
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate ARES for Enterprise with Azure Active Directory (Azure AD). Integrating
ARES for Enterprise with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to ARES for Enterprise.
You can enable your users to be automatically signed-in to ARES for Enterprise (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ARES for Enterprise, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
ARES for Enterprise single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ARES for Enterprise supports SP initiated SSO
ARES for Enterprise supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type ARES for Enterprise, select ARES for Enterprise from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create ARES for Enterprise test user
In this section, a user called Britta Simon is created in ARES for Enterprise. ARES for Enterprise supports just-in-
time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't
already exist in ARES for Enterprise, a new one is created when you attempt to access ARES for Enterprise.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ARES for Enterprise tile in the Access Panel, you should be automatically signed in to the ARES
for Enterprise for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Ariba
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Ariba with Azure Active Directory (Azure AD). Integrating Ariba with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Ariba.
You can enable your users to be automatically signed-in to Ariba (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Ariba, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Ariba single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Ariba supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Ariba, select Ariba from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
https://<subdomain>.sourcing.ariba.com
https://<subdomain>.supplier.ariba.com
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
http://<subdomain>.procurement-2.ariba.com
NOTE
These values are not real. Update these values with the actual Sign-On URL and Identifier. We suggest that you
use a unique string value in the Identifier. Contact the Ariba Client support team at 1-866-218-2155 to get these
values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Ariba test user
In this section, you create a user called Britta Simon in Ariba. Work with the Ariba support team at 1-866-218-2155 to
add the users in the Ariba platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Ariba tile in the Access Panel, you should be automatically signed in to the Ariba for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Asana
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Asana with Azure Active Directory (Azure AD). Integrating Asana with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Asana.
You can enable your users to be automatically signed-in to Asana (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Asana, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Asana single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Asana supports SP initiated SSO
Asana supports Automated user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Asana, select Asana from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and
save it on your computer.
6. In the Set up Asana section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Asana Single Sign-On
1. In a different browser window, sign on to your Asana application. To configure SSO in Asana, access the
workspace settings by clicking the workspace name in the top right corner of the screen. Then, click
<your workspace name> Settings.
2. In the Organization settings window, click Administration. Then, click Members must log in via
SAML to enable the SSO configuration. Then perform the following steps:
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Asana test user
The objective of this section is to create a user called Britta Simon in Asana. Asana supports automatic user
provisioning, which is enabled by default. You can find more details here on how to configure automatic user
provisioning.
If you need to create a user manually, perform the following steps:
In this section, you create a user called Britta Simon in Asana.
1. On Asana, go to the Teams section on the left panel. Click the plus sign button.
2. Type the email of the user, such as britta.simon@contoso.com, in the text box and then select Invite.
3. Click Send Invite. The new user will receive an email in their email account. The user will need to create and
validate the account.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Asana tile in the Access Panel, you should be automatically signed in to the Asana for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Configure User Provisioning
Tutorial: Azure Active Directory integration with ASC Contracts
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate ASC Contracts with Azure Active Directory (Azure AD). Integrating ASC
Contracts with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to ASC Contracts.
You can enable your users to be automatically signed-in to ASC Contracts (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ASC Contracts, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
ASC Contracts single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ASC Contracts supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type ASC Contracts, select ASC Contracts from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<subdomain>.asccontracts.com/shibboleth
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.asccontracts.com/shibboleth.sso/login
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact the ASC Networks Inc.
(ASC) team at 613.599.6178 to get these values.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up ASC Contracts section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
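The Reply URL is where Azure AD posts the signed assertion, so a value that still contains a placeholder, uses plain http, or names a look-alike host should be caught before it is saved. The following check is an added example, not part of the original tutorial: it validates values against the ASC Contracts patterns from step 4 and works for any other `<placeholder>` pattern quoted in these tutorials. The function names and the sample values in the comments are hypothetical.

```python
import re
from urllib.parse import urlsplit

# One DNS label or opaque ID: letters, digits, hyphens. No dots or slashes, so a
# placeholder can never absorb extra host components or path segments.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
PLACEHOLDER = re.compile(r"<[^<>]+>")

# Patterns quoted from the ASC Contracts steps in this tutorial.
ASC_CONTRACTS_PATTERNS = {
    "Identifier": "https://<subdomain>.asccontracts.com/shibboleth",
    "Reply URL": "https://<subdomain>.asccontracts.com/shibboleth.sso/login",
}


def pattern_to_regex(pattern):
    """Compile a documented pattern into a regex in which every <placeholder>
    matches exactly one label and all other characters match literally."""
    out, pos = [], 0
    for m in PLACEHOLDER.finditer(pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        out.append(LABEL)
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("".join(out))


def check_value(pattern, value):
    """Return the problems found in one field; an empty list means it passes."""
    value = value.strip()
    problems = []
    if PLACEHOLDER.search(value):
        problems.append("placeholder left unreplaced")
    if pattern.startswith("https://") and not value.startswith("https://"):
        problems.append("scheme is not https")
    # fullmatch anchors both ends, so look-alike hosts and trailing paths fail.
    if not pattern_to_regex(pattern).fullmatch(value):
        problems.append("does not match the documented pattern")
    return problems


def host_of(value):
    """Host part of a URL, lower-cased, or None when it cannot be parsed."""
    try:
        return urlsplit(value.strip()).hostname
    except ValueError:
        return None


def check_basic_saml(patterns, values):
    """Check every field, then confirm that all fields name the same host
    (for example, the same tenant subdomain in Identifier and Reply URL)."""
    report = {f: check_value(p, values.get(f, "")) for f, p in patterns.items()}
    hosts = {host_of(values.get(f, "")) for f in patterns}
    report["cross-field"] = [] if len(hosts) == 1 else ["fields name different hosts"]
    return report


if __name__ == "__main__":
    # Constructed sample values; "contoso" is a stand-in tenant name.
    sample = {
        "Identifier": "https://contoso.asccontracts.com/shibboleth",
        "Reply URL": "https://contoso.asccontracts.com.example.net/shibboleth.sso/login",
    }
    for field, problems in check_basic_saml(ASC_CONTRACTS_PATTERNS, sample).items():
        print(field, "->", problems or "ok")
```

The fixed parts of each pattern are matched case-sensitively, so enter host names in lower case as the patterns show them.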
Configure ASC Contracts Single Sign-On
To configure single sign-on on the ASC Contracts side, call ASC Networks Inc. (ASC) support at 613.599.6178 and
provide them with the downloaded Federation Metadata XML. They set this application up so that the SAML
SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create ASC Contracts test user
Work with the ASC Networks Inc. (ASC) support team at 613.599.6178 to get the users added in the ASC Contracts
platform.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ASC Contracts tile in the Access Panel, you should be automatically signed in to the ASC
Contracts for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Ascentis with Azure Active Directory
9/19/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Ascentis with Azure Active Directory (Azure AD). When you integrate
Ascentis with Azure AD, you can:
Control in Azure AD who has access to Ascentis.
Enable your users to be automatically signed-in to Ascentis with their Azure AD accounts.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Ascentis single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Ascentis supports SP and IDP initiated SSO
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
In the Reply URL text box, type a URL using the following pattern:
https://services.ascentis.com/iam/samlsso?spEntityID=<clientname>.ascentis.com
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using any one of the following patterns:
https://selfservice.ascentis.com/<clientname>/STS/signin.aspx?SAMLResponse=true
https://selfservice2.ascentis.com/<clientname>/STS/signin.aspx?SAMLResponse=true
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact the Ascentis Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. In the Set up Ascentis section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Ascentis test user
In this section, you create a user called Britta Simon in Ascentis. Work with the Ascentis support team to add the users
in the Ascentis platform. Users must be created and activated before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Ascentis tile in the Access Panel, you should be automatically signed in to the Ascentis for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Asset Bank
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Asset Bank with Azure Active Directory (Azure AD). Integrating Asset
Bank with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Asset Bank.
You can enable your users to be automatically signed-in to Asset Bank (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Asset Bank, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Asset Bank single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Asset Bank supports SP initiated SSO
Asset Bank supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Asset Bank, select Asset Bank from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.assetbank-server.com/shibboleth
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Asset Bank Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Asset Bank section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Asset Bank Single Sign-On
To configure single sign-on on the Asset Bank side, send the downloaded Federation Metadata XML
and the URLs you copied from the Azure portal to the Asset Bank support team. They apply these settings so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Asset Bank test user
In this section, a user called Britta Simon is created in Asset Bank. Asset Bank supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Asset Bank, a new one is created after authentication.
NOTE
If you need to create a user manually, you need to contact the Asset Bank support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Atlassian Cloud with Azure Active Directory
10/27/2019 • 7 minutes to read
In this tutorial, you'll learn how to integrate Atlassian Cloud with Azure Active Directory (Azure AD). When you
integrate Atlassian Cloud with Azure AD, you can:
Control in Azure AD who has access to Atlassian Cloud.
Enable your users to be automatically signed-in to Atlassian Cloud with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
Atlassian Cloud single sign-on (SSO) enabled subscription.
To enable Security Assertion Markup Language (SAML) single sign-on for Atlassian Cloud products, you need
to set up Atlassian Access. Learn more about Atlassian Access.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Atlassian Cloud supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://auth.atlassian.com/saml/<unique ID>
b. In the Reply URL text box, type a URL using the following pattern:
https://auth.atlassian.com/login/callback?connection=saml-<unique ID>
NOTE
The preceding values are not real. Update these values with the actual identifier and reply URL. You will get these real
values from the Atlassian Cloud SAML Configuration screen, which is explained later in the Configure Atlassian
Cloud Single Sign-On section of the tutorial.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<instancename>.atlassian.net
NOTE
The Sign on URL value is not real. Paste the value from the instance which you use to sign in to the Atlassian Cloud
admin portal.
6. Your Atlassian Cloud application expects the SAML assertions in a specific format, which requires you to
add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes, in which nameidentifier is mapped to user.userprincipalname.
The Atlassian Cloud application expects nameidentifier to be mapped to user.mail, so you need to edit the
attribute mapping by clicking the Edit icon and changing the mapping.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
8. On the Set up Atlassian Cloud section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
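Steps 4 and 6 above can be verified against an assertion captured from a test sign-in. The following is an added example, not part of the original tutorial or of any Microsoft or Atlassian tooling: it checks that Audience and Recipient equal the configured Identifier and Reply URL, and that NameID carries user.mail. It assumes the assertion still includes Azure AD's default emailaddress claim; the unique ID, user names and domains are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: the default Azure AD claim that carries user.mail is still emitted.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# URL patterns quoted in step 4; <unique ID> comes from the Atlassian SAML screen.
IDENTIFIER_RE = re.compile(r"https://auth\.atlassian\.com/saml/[^/?#\s]+")
REPLY_URL_RE = re.compile(
    r"https://auth\.atlassian\.com/login/callback\?connection=saml-[^&#\s]+")

# Constructed placeholder values, not a real Atlassian connection.
IDENTIFIER = "https://auth.atlassian.com/saml/EXAMPLE-UNIQUE-ID"
REPLY_URL = ("https://auth.atlassian.com/login/callback"
             "?connection=saml-EXAMPLE-UNIQUE-ID")


def build_assertion(name_id, mail, audience, recipient):
    """Constructed, unsigned assertion shaped like one issued to a test user."""
    return (
        '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<Subject><NameID>%s</NameID><SubjectConfirmation>"
        '<SubjectConfirmationData Recipient="%s"/></SubjectConfirmation></Subject>'
        "<Conditions><AudienceRestriction><Audience>%s</Audience>"
        "</AudienceRestriction></Conditions>"
        '<AttributeStatement><Attribute Name="%s"><AttributeValue>%s'
        "</AttributeValue></Attribute></AttributeStatement></Assertion>"
        % (name_id, recipient, audience, EMAIL_CLAIM, mail)
    )


def check_assertion(xml_text, identifier, reply_url):
    """Return configuration findings; an empty list means the mapping looks right.

    This inspects values only. It does not verify the XML signature, so use it
    on assertions captured from your own test sign-in.
    """
    findings = []
    if not IDENTIFIER_RE.fullmatch(identifier):
        findings.append("Identifier does not fit the documented pattern")
    if not REPLY_URL_RE.fullmatch(reply_url):
        findings.append("Reply URL does not fit the documented pattern")

    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else None

    name_id = text(".//saml:Subject/saml:NameID")
    audience = text(".//saml:Audience")
    conf = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = conf.get("Recipient") if conf is not None else None

    mail = None
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        if attr.get("Name") == EMAIL_CLAIM:
            mail = (attr.findtext("saml:AttributeValue", "", NS) or "").strip()

    if audience != identifier:
        findings.append("Audience %r != configured Identifier" % audience)
    if recipient != reply_url:
        findings.append("Recipient %r != configured Reply URL" % recipient)
    if mail is None:
        findings.append("no emailaddress claim to compare NameID against")
    elif (name_id or "").lower() != mail.lower():
        findings.append(
            "NameID %r is not user.mail (%r); nameidentifier mapping not changed"
            % (name_id, mail))
    return findings


if __name__ == "__main__":
    # NameID still carries the UPN here, which differs from the mail address.
    upn_mapped = build_assertion("B.Simon@contoso.onmicrosoft.com",
                                 "B.Simon@contoso.com", IDENTIFIER, REPLY_URL)
    for finding in check_assertion(upn_mapped, IDENTIFIER, REPLY_URL):
        print(finding)
```
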
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Atlassian Cloud.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Atlassian Cloud.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Configure Atlassian Cloud SSO
1. To automate the configuration within Atlassian Cloud, you need to install the My Apps Secure Sign-in
browser extension by clicking Install the extension.
2. After adding the extension to the browser, click Setup Atlassian Cloud, which directs you to the Atlassian
Cloud application. From there, provide the admin credentials to sign in to Atlassian Cloud. The browser
extension will automatically configure the application for you and automate steps 3-7.
3. If you want to set up Atlassian Cloud manually, open a new web browser window, sign in to your
Atlassian Cloud company site as an administrator, and perform the following steps:
4. You need to verify your domain before going to configure single sign-on. For more information, see
Atlassian domain verification document.
5. In the left pane, select Security > SAML single sign-on. If you haven't already done so, subscribe to
Atlassian Identity Manager.
NOTE
If you're an existing customer, after you update the SP Identity ID and SP Assertion Consumer Service URL
values in the Azure portal, select Yes, update configuration. If you're a new customer, you can skip this step.
3. In the Email address box, enter the user's email address, and then assign the application access.
4. To send an email invitation to the user, select Invite users. An email invitation is sent to the user and, after
accepting the invitation, the user is active in the system.
NOTE
You can also bulk-create users by selecting the Bulk Create button in the Users section.
Test SSO
When you select the Atlassian Cloud tile in the Access Panel, you should be automatically signed in to the
Atlassian Cloud for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Atlassian Cloud with Azure AD
Atlassian Jira and Confluence admin guide for Azure
Active Directory
10/30/2019 • 7 minutes to read
Overview
The Azure Active Directory (Azure AD) single sign-on (SSO) plug-in enables Microsoft Azure AD customers to use
their work or school account for signing in to Atlassian Jira and Confluence Server-based products. It implements
SAML 2.0-based SSO.
How it works
When users want to sign in to the Atlassian Jira or Confluence application, they see the Login with Azure AD
button on the sign-in page. When they select it, they're required to sign in by using the Azure AD organization
sign-in page (that is, their work or school account).
After the users are authenticated, they should be able to sign in to the application. If they are already authenticated
with the ID and password for their work or school account, then they directly sign in to the application.
Sign-in works across Jira and Confluence. If users are signed in to the Jira application and Confluence is opened in
the same browser window, they don't have to provide the credentials for the other app.
Users can also get to the Atlassian product through My Apps under the work or school account. They should be
signed in without being asked for credentials.
NOTE
User provisioning is not done through the plug-in.
Audience
Jira and Confluence admins can use the plug-in to enable SSO by using Azure AD.
Assumptions
Jira and Confluence instances are HTTPS enabled.
Users are already created in Jira or Confluence.
Users have roles assigned in Jira or Confluence.
Admins have access to information required to configure the plug-in.
Jira or Confluence is available outside the company network as well.
The plug-in works with only the on-premises version of Jira and Confluence.
Prerequisites
Note the following information before you install the plug-in:
Jira and Confluence are installed on a Windows 64-bit version.
Jira and Confluence versions are HTTPS enabled.
Jira and Confluence are available on the internet.
Admin credentials are in place for Jira and Confluence.
Admin credentials are in place for Azure AD.
WebSudo is disabled in Jira and Confluence.
Installation
To install the plug-in, follow these steps:
1. Sign in to your Jira or Confluence instance as an admin.
2. Go to the Jira/Confluence administration console and select Add-ons.
3. From the Microsoft Download Center, download the Microsoft SAML SSO Plugin for Jira / Microsoft SAML
SSO Plugin for Confluence.
The appropriate version of the plug-in appears in the search results.
4. Select the plug-in, and the Universal Plug-in Manager (UPM) installs it.
After the plug-in is installed, it appears in the User Installed Add-ons section of Manage Add-ons.
Plug-in configuration
Before you start using the plug-in, you must configure it. Select the plug-in, select the Configure button, and
provide the configuration details.
The following image shows the configuration screen in both Jira and Confluence:
Metadata URL: The URL to get federation metadata from Azure AD.
Identifiers: The URL that Azure AD uses to validate the source of the request. It maps to the Identifier
element in Azure AD. The plug-in automatically derives this URL as https://<domain:port>/.
Reply URL: The reply URL in your identity provider (IdP) that initiates the SAML sign-in. It maps to the
Reply URL element in Azure AD. The plug-in automatically derives this URL as
https://<domain:port>/plugins/servlet/saml/auth.
Sign On URL: The sign-on URL in your IdP that initiates the SAML sign-in. It maps to the Sign On
element in Azure AD. The plug-in automatically derives this URL as
https://<domain:port>/plugins/servlet/saml/auth.
IdP Entity ID: The entity ID that your IdP uses. This box is populated when the metadata URL is resolved.
Login URL: The sign-in URL from your IdP. This box is populated from Azure AD when the metadata URL
is resolved.
Logout URL: The logout URL from your IdP. This box is populated from Azure AD when the metadata URL
is resolved.
X.509 Certificate: Your IdP’s X.509 certificate. This box is populated from Azure AD when the metadata
URL is resolved.
Login Button Name: The name of the sign-in button that your organization wants users to see on the sign-
in page.
SAML User ID Locations: The location where the Jira or Confluence user ID is expected in the SAML
response. It can be in NameID or in a custom attribute name.
Attribute Name: The name of the attribute where the user ID is expected.
Enable Home Realm Discovery: The selection to make if the company is using Active Directory
Federation Services (AD FS)-based sign-in.
Domain Name: The domain name if sign-in is AD FS based.
Enable Single Signout: The selection to make if you want to sign out from Azure AD when a user signs
out from Jira or Confluence.
Troubleshooting
You're getting multiple certificate errors: Sign in to Azure AD and remove the multiple certificates that
are available against the app. Ensure that only one certificate is present.
A certificate is about to expire in Azure AD: Add-ons take care of automatic rollover of the certificate.
When a certificate is about to expire, a new certificate should be marked active and unused certificates
should be deleted. When a user tries to sign in to Jira in this scenario, the plug-in fetches and saves the new
certificate.
You want to disable WebSudo (disable the secure administrator session):
For Jira, secure administrator sessions (that is, password confirmation before accessing
administration functions) are enabled by default. If you want to remove this ability in your Jira
instance, specify the following line in your jira-config.properties file:
jira.websudo.is.disabled = true
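The plug-in configuration list says that IdP Entity ID, Login URL, Logout URL and X.509 Certificate are filled in once the metadata URL resolves, and the troubleshooting list says only one certificate should be present. The following is an added example, not the plug-in's own code: it parses SAML 2.0 IdP metadata, extracts those fields, and flags non-HTTPS endpoints or more than one published signing certificate. The tenant ID and certificate bytes are constructed placeholders, and all function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed values: an all-zero placeholder tenant ID and placeholder bytes
# standing in for certificates (not real X.509 data).
TENANT = "00000000-0000-0000-0000-000000000000"
LOGIN = "https://login.microsoftonline.com/" + TENANT + "/saml2"


def build_sample(cert_labels):
    """Build constructed IdP metadata with one signing KeyDescriptor per label."""
    keys = "".join(
        '<KeyDescriptor use="signing"><KeyInfo xmlns="%s"><X509Data>'
        "<X509Certificate>%s</X509Certificate></X509Data></KeyInfo>"
        "</KeyDescriptor>"
        % (NS["ds"], base64.b64encode(("constructed-" + label).encode()).decode())
        for label in cert_labels
    )
    return (
        '<EntityDescriptor xmlns="%s" entityID="https://sts.windows.net/%s/">'
        "<IDPSSODescriptor protocolSupportEnumeration="
        '"urn:oasis:names:tc:SAML:2.0:protocol">%s'
        '<SingleLogoutService Binding="%s" Location="%s"/>'
        '<SingleSignOnService Binding="%s" Location="%s"/>'
        "</IDPSSODescriptor></EntityDescriptor>"
        % (MD, TENANT, keys, REDIRECT, LOGIN, REDIRECT, LOGIN)
    )


def parse_idp_metadata(xml_text):
    """Extract the fields the page says are populated from the metadata URL."""
    # SAML metadata never needs a DTD; refusing one avoids entity-expansion input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % MD or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata")

    def location(tag):
        for el in idp.findall("md:" + tag, NS):
            if el.get("Binding") == REDIRECT:
                return el.get("Location")
        return None

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # skip encryption-only keys
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {
        "idp_entity_id": root.get("entityID"),
        "login_url": location("SingleSignOnService"),
        "logout_url": location("SingleLogoutService"),
        "signing_cert_sha256": fingerprints,
    }


def review(config):
    """Return findings for the conditions the troubleshooting list describes."""
    findings = []
    for field in ("login_url", "logout_url"):
        url = config[field]
        if not url:
            findings.append(field + ": missing")
        elif urlparse(url).scheme != "https":
            findings.append(field + ": not HTTPS")
    distinct = len(set(config["signing_cert_sha256"]))
    if distinct == 0:
        findings.append("no signing certificate published")
    elif distinct > 1:
        findings.append("%d signing certificates published; expected one" % distinct)
    return findings


if __name__ == "__main__":
    cfg = parse_idp_metadata(build_sample(["old", "new"]))
    print(cfg["idp_entity_id"], cfg["login_url"])
    print(review(cfg))
```

Comparing the SHA-256 fingerprints between runs also shows when the active certificate has rolled over.
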
Plug-in FAQ
Refer to the following FAQs if you have any questions about this plug-in.
What does the plug-in do?
The plug-in provides single sign-on (SSO) capability for Atlassian Jira (including Jira Core, Jira Software, Jira
Service Desk) and Confluence on-premises software. The plug-in works with Azure Active Directory (Azure AD) as
an identity provider (IdP).
Which Atlassian products does the plug-in work with?
The plug-in works with on-premises versions of Jira and Confluence.
Does the plug-in work on cloud versions?
No. The plug-in supports only on-premises versions of Jira and Confluence.
Which versions of Jira and Confluence does the plug-in support?
The plug-in supports these versions:
Jira Core and Software: 6.0 to 7.12
Jira Service Desk: 3.0.0 to 3.5.0
JIRA also supports 5.2. For more details, click Microsoft Azure Active Directory single sign-on for JIRA 5.2
Confluence: 5.0 to 5.10
Confluence: 6.0.1
Confluence: 6.1.1
Confluence: 6.2.1
Confluence: 6.3.4
Confluence: 6.4.0
Confluence: 6.5.0
Confluence: 6.6.2
Confluence: 6.7.0
Confluence: 6.8.1
Confluence: 6.9.0
Confluence: 6.10.0
Confluence: 6.11.0
Confluence: 6.12.0
Is the plug-in free or paid?
It's a free add-on.
Do I need to restart Jira or Confluence after I deploy the plug-in?
A restart is not required. You can start using the plug-in immediately.
How do I get support for the plug-in?
You can reach out to the Azure AD SSO Integration Team for any support needed for this plug-in. The team
responds in 24-48 business hours.
You can also raise a support ticket with Microsoft through the Azure portal channel.
Would the plug-in work on a Mac or Ubuntu installation of Jira and Confluence?
We have tested the plug-in only on 64-bit Windows Server installations of Jira and Confluence.
Does the plug-in work with IdPs other than Azure AD?
No. It works only with Azure AD.
What version of SAML does the plug-in work with?
It works with SAML 2.0.
Does the plug-in do user provisioning?
No. The plug-in provides only SAML 2.0-based SSO. The user has to be provisioned in the application before the
SSO sign-in.
Does the plug-in support cluster versions of Jira and Confluence?
No. The plug-in works with on-premises versions of Jira and Confluence.
Does the plug-in work with HTTP versions of Jira and Confluence?
No. The plug-in works with HTTPS-enabled installations only.
Tutorial: Azure Active Directory integration with Atomic Learning
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Atomic Learning with Azure Active Directory (Azure AD). Integrating
Atomic Learning with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Atomic Learning.
You can enable your users to be automatically signed-in to Atomic Learning (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Atomic Learning, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Atomic Learning single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Atomic Learning supports SP initiated SSO
Atomic Learning supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Atomic Learning, select Atomic Learning from result panel then click Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Atomic Learning Client support team to
get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Atomic Learning section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Atomic Learning Single Sign-On
To configure single sign-on on the Atomic Learning side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the Atomic Learning support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Atomic Learning test user
In this section, a user called Britta Simon is created in Atomic Learning. Atomic Learning supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Atomic Learning, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Atomic Learning tile in the Access Panel, you should be automatically signed in to the Atomic
Learning for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Attendance Management Services
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Attendance Management Services with Azure Active Directory (Azure
AD). Integrating Attendance Management Services with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Attendance Management Services.
You can enable your users to be automatically signed-in to Attendance Management Services (Single Sign-On)
with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Attendance Management Services, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Attendance Management Services single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Attendance Management Services supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Attendance Management Services, select Attendance Management Services
from result panel then click Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://id.obc.jp/<tenant information >/
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Attendance
Management Services Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Attendance Management Services section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Attendance Management Services Single Sign-On
1. In a different browser window, sign on to your Attendance Management Services company site as an
administrator.
2. Click on SAML authentication under the Security management section.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Attendance Management Services test user
To enable Azure AD users to sign in to Attendance Management Services, they must be provisioned into
Attendance Management Services. In the case of Attendance Management Services, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Attendance Management Services company site as an administrator.
2. Click on User management under the Security management section.
3. Click New rules login.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with AuditBoard
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate AuditBoard with Azure Active Directory (Azure AD). Integrating
AuditBoard with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to AuditBoard.
You can enable your users to be automatically signed-in to AuditBoard (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with AuditBoard, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
AuditBoard single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
AuditBoard supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type AuditBoard, select AuditBoard from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<SUBDOMAIN>.auditboardapp.com/api/v1/sso/saml/metadata.xml
b. In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.auditboardapp.com/api/v1/sso/saml/assert
c. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
d. In the Sign-on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.auditboardapp.com/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
AuditBoard Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create AuditBoard test user
In this section, you create a user called Britta Simon in AuditBoard. Work with AuditBoard support team to add the
users in the AuditBoard platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the AuditBoard tile in the Access Panel, you should be automatically signed in to the AuditBoard
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Autotask Endpoint Backup
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Autotask Endpoint Backup with Azure Active Directory (Azure AD).
Integrating Autotask Endpoint Backup with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Autotask Endpoint Backup.
You can enable your users to be automatically signed-in to Autotask Endpoint Backup (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Autotask Endpoint Backup, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Autotask Endpoint Backup single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Autotask Endpoint Backup supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Autotask Endpoint Backup, select Autotask Endpoint Backup from result panel
then click Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<subdomain>.backup.autotask.net/singlesignon/saml/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.backup.autotask.net/singlesignon/saml/SSO
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Autotask Endpoint
Backup Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Autotask Endpoint Backup section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Autotask Endpoint Backup Single Sign-On
To configure single sign-on on the Autotask Endpoint Backup side, you need to send the downloaded Federation
Metadata XML and the appropriate copied URLs from the Azure portal to the Autotask Endpoint Backup support team.
They apply these settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Autotask Endpoint Backup test user
In this section, you create a user called Britta Simon in Autotask Endpoint Backup. Work with Autotask Endpoint
Backup support team to add the users in the Autotask Endpoint Backup platform. Users must be created and
activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Autotask Endpoint Backup tile in the Access Panel, you should be automatically signed in to the
Autotask Endpoint Backup for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Autotask Workplace
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Autotask Workplace with Azure Active Directory (Azure AD). Integrating
Autotask Workplace with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Autotask Workplace.
You can enable your users to be automatically signed-in to Autotask Workplace (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Autotask Workplace, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Autotask Workplace single sign-on enabled subscription
You must be an administrator or super administrator in Workplace.
You must have an administrator account in the Azure AD.
The users that will utilize this feature must have accounts within Workplace and the Azure AD, and their email
addresses for both must match.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Autotask Workplace supports SP and IDP initiated SSO
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Autotask Workplace, select Autotask Workplace from the result panel, then click the Add
button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<subdomain>.awp.autotask.net/singlesignon/saml/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.awp.autotask.net/singlesignon/saml/SSO
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<subdomain>.awp.autotask.net/loginsso
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the
Autotask Workplace Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. In the Set up Autotask Workplace section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Autotask Workplace Single Sign-On
1. In a different web browser window, log in to Workplace Online using the administrator credentials.
NOTE
When configuring the IdP, a subdomain will need to be specified. To confirm the correct subdomain, log in to
Workplace Online. Once logged in, make a note of the subdomain in the URL. The subdomain is the part between
"https://" and ".awp.autotask.net/" and should be us, eu, ca, or au.
a. Select the XML Metadata File option, and then upload the downloaded Federation Metadata XML
from the Azure portal.
b. Click ENABLE SSO.
c. Select the I confirm this information is correct and I trust this IdP check box.
d. Click APPROVE.
NOTE
If you require assistance with configuring Autotask Workplace, please see this page to get assistance with your Workplace
account.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Autotask Workplace test user
In this section, you create a user called Britta Simon in Autotask Workplace. Please work with the Autotask Workplace
support team to add the users to the Autotask Workplace platform.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Autotask Workplace tile in the Access Panel, you should be automatically signed in to the
Autotask Workplace application for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
AwardSpring
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate AwardSpring with Azure Active Directory (Azure AD). Integrating
AwardSpring with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to AwardSpring.
You can enable your users to be automatically signed in to AwardSpring (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with AwardSpring, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
An AwardSpring single sign-on enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
AwardSpring supports SP and IDP initiated SSO
AwardSpring supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type AwardSpring, select AwardSpring from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<subdomain>.awardspring.com/SignIn/SamlMetaData
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.awardspring.com/SignIn/SamlAcs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<subdomain>.awardspring.com/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the
AwardSpring Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. The AwardSpring application expects the SAML assertions in a specific format. Configure the following claims
for this application. You can manage the values of these attributes from the User Attributes section on the
application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the
User Attributes dialog.
7. In the User Claims section on the User Attributes dialog, edit the claims by using the Edit icon or add the
claims by using Add new claim to configure the SAML token attributes as shown in the image above and
perform the following steps:
NAME        SOURCE ATTRIBUTE
Email       user.mail
Username    user.userprincipalname
NOTE
The StudentID attribute is mapped with the actual Student ID which needs to be passed back in claims. Contact the
AwardSpring Client support team to get this value.
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
9. In the Set up AwardSpring section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure AwardSpring Single Sign-On
To configure single sign-on on the AwardSpring side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the AwardSpring support team. They apply this
configuration so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create AwardSpring test user
In this section, a user called Britta Simon is created in AwardSpring. AwardSpring supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in AwardSpring, a new one is created after authentication.
NOTE
If you need to create a user manually, contact the AwardSpring support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the AwardSpring tile in the Access Panel, you should be automatically signed in to the
AwardSpring application for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
BambooHR
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate BambooHR with Azure Active Directory (Azure AD). Integrating
BambooHR with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to BambooHR.
You can enable your users to be automatically signed in to BambooHR (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with BambooHR, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
A BambooHR single sign-on enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
BambooHR supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type BambooHR, select BambooHR from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern: BambooHR-SAML
NOTE
The Sign on URL value is not real. Update the value with the actual sign-on URL. Contact the BambooHR Client
support team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section
in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up BambooHR section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure BambooHR Single Sign-On
1. In a new window, sign in to your BambooHR company site as an administrator.
2. On the home page, do the following:
a. Select Apps.
b. In the Apps pane, select Single Sign-On.
c. Select SAML Single Sign-On.
3. In the SAML Single Sign-On pane, do the following:
a. In the SSO Login Url box, paste the Login URL that you copied from the Azure portal in step 6.
b. In Notepad, open the base-64 encoded certificate that you downloaded from the Azure portal, copy its
content, and then paste it into the X.509 Certificate box.
c. Select Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create BambooHR test user
To enable Azure AD users to sign in to BambooHR, set them up manually in BambooHR by doing the following:
1. Sign in to your BambooHR site as an administrator.
2. In the toolbar at the top, select Settings.
3. Select Overview.
4. In the left pane, select Security > Users.
5. Type the username, password, and email address of the valid Azure AD account that you want to set up.
6. Select Save.
NOTE
To set up Azure AD user accounts, you can also use BambooHR user account-creation tools or APIs.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Bambu by Sprout Social
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Bambu by Sprout Social with Azure Active Directory (Azure AD).
Integrating Bambu by Sprout Social with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Bambu by Sprout Social.
You can enable your users to be automatically signed in to Bambu by Sprout Social (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Bambu by Sprout Social, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
A Bambu by Sprout Social single sign-on enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Bambu by Sprout Social supports IDP initiated SSO
Bambu by Sprout Social supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Bambu by Sprout Social, select Bambu by Sprout Social from the result panel, then
click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Bambu by Sprout Social section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Bambu by Sprout Social Single Sign-On
To configure single sign-on on the Bambu by Sprout Social side, you need to send the downloaded Federation
Metadata XML and the appropriate copied URLs from the Azure portal to the Bambu by Sprout Social support team.
They apply this configuration so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Bambu by Sprout Social test user
In this section, a user called Britta Simon is created in Bambu by Sprout Social. Bambu by Sprout Social supports
just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user
doesn't already exist in Bambu by Sprout Social, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Bambu by Sprout Social tile in the Access Panel, you should be automatically signed in to the
Bambu by Sprout Social application for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with BC in
the Cloud
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate BC in the Cloud with Azure Active Directory (Azure AD). Integrating BC
in the Cloud with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to BC in the Cloud.
You can enable your users to be automatically signed in to BC in the Cloud (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with BC in the Cloud, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
A BC in the Cloud single sign-on enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
BC in the Cloud supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type BC in the Cloud, select BC in the Cloud from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
This value is not real. Update this value with the actual Sign-On URL. Contact the BC in the Cloud Client support
team to get this value.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up BC in the Cloud section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure BC in the Cloud Single Sign-On
To configure single sign-on on the BC in the Cloud side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the BC in the Cloud support team. They apply this
configuration so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create BC in the Cloud test user
In this section, you create a user called Britta Simon in BC in the Cloud. Work with the BC in the Cloud support team
to add the users to the BC in the Cloud platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the BC in the Cloud tile in the Access Panel, you should be automatically signed in to the BC in the
Cloud application for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
BeeLine
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate BeeLine with Azure Active Directory (Azure AD). Integrating BeeLine
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to BeeLine.
You can enable your users to be automatically signed in to BeeLine (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with BeeLine, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
A BeeLine single sign-on enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
BeeLine supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type BeeLine, select BeeLine from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://projects.beeline.net/<instancename>
b. In the Reply URL text box, type a URL using the following pattern:
https://projects.beeline.net/<instancename>/SSO_External.ashx
https://projects.beeline.net/<companyname>/SSO_External.ashx
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact the BeeLine Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The BeeLine application expects the SAML assertions in a specific format. Work with the BeeLine support
team first to identify the correct user identifier to be mapped into the application, and follow their
guidance about which attribute to use for this mapping. You can manage the value of this attribute from the
User Attributes tab of the application. The following screenshot shows an example. Here we have mapped the
User Identifier claim to the userprincipalname attribute, which provides a unique user ID that is sent to the
BeeLine application in every successful SAML response.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. In the Set up BeeLine section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure BeeLine Single Sign-On
To configure single sign-on on the BeeLine side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the BeeLine support team. They apply this configuration so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create BeeLine test user
In this section, you create a user called Britta Simon in BeeLine. The BeeLine application needs all users to be
provisioned in the application before they use single sign-on, so work with the BeeLine support team to provision
all these users into the application.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the BeeLine tile in the Access Panel, you should be automatically signed in to the BeeLine
application for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Benchling
8/6/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Benchling with Azure Active Directory (Azure AD). Integrating Benchling
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Benchling.
You can enable your users to be automatically signed in to Benchling (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Benchling, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
A Benchling single sign-on enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Benchling supports SP and IDP initiated SSO
Benchling supports Just in Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Benchling, select Benchling from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<SUBDOMAIN>.benchling.com/ext/saml/metadata.xml
b. In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.benchling.com/ext/saml/signin:finish
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<SUBDOMAIN>.benchling.com
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the
Benchling Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. The Benchling application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes. Click the Edit icon to open the User Attributes dialog.
7. In addition to the above, the Benchling application expects a few more attributes to be passed back in the SAML
response. In the User Claims section on the User Attributes dialog, perform the following steps to add the
SAML token attributes shown in the table below:
NAME         SOURCE ATTRIBUTE
FirstName    user.givenname
LastName     user.surname
Email        user.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
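Both AwardSpring and Benchling create accounts just in time from the claims configured above, so a claim that is missing, empty, or emitted under a namespace-qualified name is worth catching during the test sign-in. The following is an added example, not code from the tutorials or from either vendor: it reads the attributes of a SAML assertion and compares them with the two claim tables. The function names, status labels and the assertion fragment are assumptions, and the check covers attribute shape only, not signature validation.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Claim names from the two tables in the tutorials (Namespace left blank).
EXPECTED_CLAIMS = {
    "AwardSpring": ["Email", "Username"],
    "Benchling": ["FirstName", "LastName", "Email"],
}

# Constructed assertion fragment (signature and conditions omitted).
# LastName has an empty value, and Email was added with a namespace, so its
# Name is a URI instead of the bare "Email" the application looks for.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Subject><NameID>britta.simon@contoso.example</NameID></Subject>
  <AttributeStatement>
    <Attribute Name="FirstName"><AttributeValue>Britta</AttributeValue></Attribute>
    <Attribute Name="LastName"><AttributeValue></AttributeValue></Attribute>
    <Attribute Name="http://schemas.example.org/claims/Email">
      <AttributeValue>britta.simon@contoso.example</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""


def extract_attributes(saml_xml):
    """Map each Attribute Name to its list of values (whitespace stripped)."""
    if "<!DOCTYPE" in saml_xml or "<!ENTITY" in saml_xml:
        raise ValueError("SAML documents must not contain a DTD")
    root = ET.fromstring(saml_xml)
    attrs = {}
    # iter() finds attributes whether the root is a Response or an Assertion.
    for attr in root.iter("{%s}Attribute" % ASSERTION_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("{%s}AttributeValue" % ASSERTION_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_claims(app, attrs):
    """Classify every claim the app expects as ok, empty, namespaced or missing."""
    result = {}
    for name in EXPECTED_CLAIMS[app]:
        if name in attrs:
            result[name] = "ok" if any(attrs[name]) else "empty"
        elif any(found.rsplit("/", 1)[-1] == name for found in attrs if "/" in found):
            # Present, but under a URI: the Namespace field was not left blank.
            result[name] = "namespaced"
        else:
            result[name] = "missing"
    return result


if __name__ == "__main__":
    found = extract_attributes(SAMPLE_ASSERTION)
    for app in EXPECTED_CLAIMS:
        print(app, check_claims(app, found))
```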
Configure Benchling Single Sign-On
To configure single sign-on on the Benchling side, you need to send the App Federation Metadata Url to the Benchling
support team. They apply this configuration so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Benchling test user
In this section, a user called Britta Simon is created in Benchling. Benchling supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in
Benchling, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Benchling tile in the Access Panel, you should be automatically signed in to the Benchling instance for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with BenefitHub
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate BenefitHub with Azure Active Directory (Azure AD). Integrating
BenefitHub with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to BenefitHub.
You can enable your users to be automatically signed-in to BenefitHub (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with BenefitHub, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
BenefitHub single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
BenefitHub supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type BenefitHub, select BenefitHub from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type the value: urn:benefithub:passport
5. The BenefitHub application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on the
application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the
User Attributes dialog.
6. In the User Claims section of the User Attributes dialog, edit the claims by using the Edit icon or add
claims by using Add new claim to configure the SAML token attributes as shown in the image above, and
perform the following steps:
NOTE
This attribute value is not real. Update this value with actual organizationid. Contact BenefitHub support team to get
the actual organizationid.
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
NOTE
Before you can configure the SAML assertion, you need to contact your BenefitHub support and request the value of
the unique identifier attribute for your tenant. You need this value to configure the custom claim for your application.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. In the Set up BenefitHub section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure BenefitHub Single Sign-On
To configure single sign-on on the BenefitHub side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the BenefitHub support team. They apply this setting so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create BenefitHub test user
In this section, you create a user called Britta Simon in BenefitHub. Work with BenefitHub support team to add the
users in the BenefitHub platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the BenefitHub tile in the Access Panel, you should be automatically signed in to the BenefitHub instance for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Benefitsolver
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Benefitsolver with Azure Active Directory (Azure AD). Integrating
Benefitsolver with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Benefitsolver.
You can enable your users to be automatically signed-in to Benefitsolver (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Benefitsolver, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Benefitsolver single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Benefitsolver supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Benefitsolver, select Benefitsolver from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
c. In the Reply URL text box, type the URL using the following pattern:
https://www.benefitsolver.com/benefits/BenefitSolverView?page_name=single_signon_saml
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact
Benefitsolver Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. The Benefitsolver application expects the SAML assertions in a specific format. Configure the following claims
for this application. You can manage the values of these attributes from the User Attributes section on the
application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the
User Attributes dialog.
6. In the User Claims section of the User Attributes dialog, edit the claims by using the Edit icon or add
claims by using Add new claim to configure the SAML token attributes as shown in the image above, and
perform the following steps:
NAME | SOURCE ATTRIBUTE
ClientID | You need to get this value from your Benefitsolver Client support team.
ClientKey | You need to get this value from your Benefitsolver Client support team.
LogoutURL | You need to get this value from your Benefitsolver Client support team.
EmployeeID | You need to get this value from your Benefitsolver Client support team.
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. In the Set up Benefitsolver section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Benefitsolver Single Sign-On
To configure single sign-on on the Benefitsolver side, you need to send the downloaded Metadata XML and the
appropriate copied URLs from the Azure portal to the Benefitsolver support team. They apply this setting so that the SAML
SSO connection is set properly on both sides.
NOTE
Your Benefitsolver support team has to do the actual SSO configuration. You will get a notification when SSO has been
enabled for your subscription.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Benefitsolver test user
In this section, you create a user called Britta Simon in Benefitsolver. Work with Benefitsolver support team to add
the users in the Benefitsolver platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Benefitsolver tile in the Access Panel, you should be automatically signed in to the Benefitsolver instance
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate BenSelect with Azure Active Directory
8/8/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate BenSelect with Azure Active Directory (Azure AD). When you integrate
BenSelect with Azure AD, you can:
Control in Azure AD who has access to BenSelect.
Enable your users to be automatically signed-in to BenSelect with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
BenSelect single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
BenSelect supports IDP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Reply URL text box, type a URL using the following pattern:
https://www.benselect.com/enroll/login.aspx?Path=<tenant name>
NOTE
The value is not real. Update the value with the actual Reply URL. Contact BenSelect Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. The BenSelect application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on the
application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the
User Attributes dialog.
NOTE
You need to mention that this integration requires the SHA256 algorithm (SHA1 is not supported) so that SSO can be set up on the
appropriate server, such as app2101.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create BenSelect test user
In this section, you create a user called Britta Simon in BenSelect. Work with BenSelect support team to add the
users in the BenSelect platform. Users must be created and activated before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the BenSelect tile in the Access Panel, you should be automatically signed in to the BenSelect instance for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Bersin
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Bersin with Azure Active Directory (Azure AD). Integrating Bersin with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Bersin.
You can enable your users to be automatically signed-in to Bersin (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Bersin, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Bersin single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Bersin supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Bersin, select Bersin from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
do the following step:
a. In the Identifier text box, type a URL using the following pattern: https://www.bersin.com/shibboleth
5. Click Set additional URLs and do the following steps if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://www.bersin.com/Login.aspx
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. In the Set up Bersin section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Bersin Single Sign-On
To configure single sign-on on the Bersin side, send the downloaded Federation Metadata XML and the appropriate
copied URLs from the Azure portal to the Bersin support team. They apply this setting so that the SAML SSO connection
is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list. Click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Bersin test user
In this section, you create a user called Britta Simon in Bersin. Work with the Bersin support team to add the users
in the Bersin platform or the domain that must be added to an allow list for the Bersin platform. If the domain is
added by the team, users will get automatically provisioned to the Bersin platform. Users must be created and
activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Bersin tile in the Access Panel, you should be automatically signed in to the Bersin instance for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with BetterWorks
8/29/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate BetterWorks with Azure Active Directory (Azure AD). When you
integrate BetterWorks with Azure AD, you can:
Control in Azure AD who has access to BetterWorks.
Enable your users to be automatically signed-in to BetterWorks with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
BetterWorks single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
BetterWorks supports SP and IDP initiated SSO
NOTE
The identifier of this application is a fixed string value, so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL: https://app.betterworks.com/saml2/metadata/
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://app.betterworks.com
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. In the Set up BetterWorks section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the BetterWorks tile in the Access Panel, you should be automatically signed in to the BetterWorks instance
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try BetterWorks with Azure AD
Tutorial: Azure Active Directory integration with BGS Online
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate BGS Online with Azure Active Directory (Azure AD). Integrating BGS
Online with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to BGS Online.
You can enable your users to be automatically signed-in to BGS Online (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with BGS Online, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
BGS Online single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
BGS Online supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type BGS Online, select BGS Online from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier textbox, type a URL using the following pattern:
For the production environment, use this pattern: https://<company name>.millwardbrown.report
b. In the Reply URL textbox, type a URL using the following pattern:
For the production environment, use this pattern:
https://<company name>.millwardbrown.report/sso/saml/AssertionConsumerService.aspx
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact BGS Online support
team to get these values.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up BGS Online section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure BGS Online Single Sign-On
To configure single sign-on on the BGS Online side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the BGS Online support team. They apply this setting so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create BGS Online test user
In this section, you create a user called Britta Simon in BGS Online. Work with BGS Online support team to add
the users in the BGS Online platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the BGS Online tile in the Access Panel, you should be automatically signed in to the BGS Online instance
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Bime
11/19/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Bime with Azure Active Directory (Azure AD). Integrating Bime with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Bime.
You can enable your users to be automatically signed-in to Bime (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Bime, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Bime single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Bime supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Bime, select Bime from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<tenant-name>.Bimeapp.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Bime Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. In the SAML Signing Certificate section, click the Edit button to open the SAML Signing Certificate dialog.
6. In the SAML Signing Certificate section, copy the THUMBPRINT and save it on your computer.
7. In the Set up Bime section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
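The thumbprint copied in step 6 can be compared with the signing certificate published in the application's Federation Metadata XML before either value is handed to a vendor. The following is an added example, not part of the original tutorial or of Microsoft's or Bime's code; it assumes the thumbprint is the SHA-1 hash of the DER-encoded certificate (the usual meaning of a certificate thumbprint), and the sample metadata, entityID, endpoint and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import string
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata. "YWJj" is placeholder bytes, not a real
# certificate; the entityID and Location are made-up values.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.test/constructed-tenant/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          YWJj
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/constructed-tenant/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_thumbprint(b64_cert):
    """SHA-1 thumbprint (upper-case hex) of a Base64 or PEM certificate."""
    # Drop PEM armor lines, then all whitespace, before decoding to DER.
    body = "".join(line for line in b64_cert.splitlines() if "-----" not in line)
    der = base64.b64decode("".join(body.split()), validate=True)
    return hashlib.sha1(der).hexdigest().upper()


def normalize(thumbprint):
    """Strip colons, spaces and other separators; keep hex digits only."""
    return "".join(ch for ch in thumbprint if ch in string.hexdigits).upper()


def signing_thumbprints(metadata_xml):
    """Thumbprints of every signing certificate in the IdP descriptor."""
    root = ET.fromstring(metadata_xml)
    found = []
    for key in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute applies to signing too.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.iterfind(".//ds:X509Certificate", NS):
            found.append(cert_thumbprint(cert.text or ""))
    return found


def portal_thumbprint_in_metadata(portal_value, metadata_xml):
    """True when the copied thumbprint matches a signing certificate."""
    return normalize(portal_value) in signing_thumbprints(metadata_xml)


if __name__ == "__main__":
    print(signing_thumbprints(SAMPLE_METADATA))
```

A mismatch usually means the metadata file and the copied thumbprint come from different applications or from before and after a certificate rollover.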
Configure Bime Single Sign-On
1. In a different web browser window, log into your Bime company site as an administrator.
2. In the toolbar, click Admin, and then Account.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Bime test user
In order to enable Azure AD users to log in to Bime, they must be provisioned into Bime. In the case of Bime,
provisioning is a manual task.
To configure user provisioning, perform the following steps:
1. Log in to your Bime tenant.
2. In the toolbar, click Admin, and then Users.
a. In the First name textbox, enter the first name of the user, such as Britta.
b. In the Last name textbox, enter the last name of the user, such as Simon.
c. In the Email textbox, enter the email of the user, such as brittasimon@contoso.com.
d. Click Save.
NOTE
You can use any other Bime user account creation tools or APIs provided by Bime to provision Azure AD user accounts.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Bime tile in the Access Panel, you should be automatically signed in to the Bime instance for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Birst Agile Business Analytics
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Birst Agile Business Analytics with Azure Active Directory (Azure AD).
Integrating Birst Agile Business Analytics with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Birst Agile Business Analytics.
You can enable your users to be automatically signed-in to Birst Agile Business Analytics (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Birst Agile Business Analytics, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Birst Agile Business Analytics single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Birst Agile Business Analytics supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Birst Agile Business Analytics, select Birst Agile Business Analytics from the result
panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
The URL depends on the datacenter in which your Birst account is located:
For the US datacenter, use the following pattern:
https://login.bws.birst.com/SAMLSSO/Services.aspx?birst.idpid=TENANTIDPID
NOTE
This value is not real. Update the value with the actual Sign-On URL. Contact Birst Agile Business Analytics
Client support team to get the value.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Birst Agile Business Analytics section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Birst Agile Business Analytics Single Sign-On
To configure single sign-on on the Birst Agile Business Analytics side, you need to send the downloaded Certificate
(Base64) and the appropriate copied URLs from the Azure portal to the Birst Agile Business Analytics support team.
The support team applies these settings so that the SAML SSO connection is configured properly on both sides.
NOTE
Tell the Birst team that this integration needs the SHA256 algorithm (SHA1 will not be supported) so that they can
set up SSO on the appropriate server, such as app2101.
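To confirm the SHA256 requirement from the identity-provider side before handing material to Birst, you can inspect the algorithms declared in a captured SAML response. The following is an added example, not part of the Microsoft tutorial or any Birst tooling; the function names and the sample message are constructed for illustration, and the check reads declared algorithms only, it does not verify the signature itself.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Algorithm URIs defined by XML Signature / RFC 4051.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"


def audit_signature_algorithms(xml_text):
    """Return findings for every ds:Signature that is not SHA-256 based.

    An empty list means each signature declares rsa-sha256 with sha256
    digests. Declared algorithms only; no cryptographic verification.
    """
    # SAML messages never need a DTD; refuse one instead of parsing it.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE is not allowed in a SAML message")
    root = ET.fromstring(xml_text)

    # ElementTree has no parent pointers, so build a child -> parent map
    # to report whether the Response or the Assertion carries the signature.
    parent_of = {child: parent for parent in root.iter() for child in parent}

    signatures = list(root.iter("{%s}Signature" % NS["ds"]))
    if not signatures:
        return ["unsigned: no ds:Signature element found"]

    findings = []
    for sig in signatures:
        owner = parent_of.get(sig)
        where = owner.tag.split("}")[-1] if owner is not None else "root"

        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg != RSA_SHA256:
            findings.append(f"{where}: SignatureMethod is {alg}")

        digests = sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
        if not digests:
            findings.append(f"{where}: no DigestMethod declared")
        for digest in digests:
            digest_alg = digest.get("Algorithm")
            if digest_alg != SHA256:
                findings.append(f"{where}: DigestMethod is {digest_alg}")
    return findings


def constructed_response(signature_alg, digest_alg):
    """Build a constructed, truncated SAML response (not a real capture)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed1" Version="2.0">
  <saml:Assertion ID="_constructed2" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="{signature_alg}"/>
        <ds:Reference URI="#_constructed2">
          <ds:DigestMethod Algorithm="{digest_alg}"/>
          <ds:DigestValue>CONSTRUCTED</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>CONSTRUCTED</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for label, sig_alg, dig_alg in (
        ("sha256", RSA_SHA256, SHA256),
        ("sha1", RSA_SHA1, SHA1),
    ):
        result = audit_signature_algorithms(constructed_response(sig_alg, dig_alg))
        print(label, "->", result or "all signatures use SHA-256")
```
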
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Birst Agile Business Analytics test user
In this section, you create a user called Britta Simon in Birst Agile Business Analytics. Work with Birst Agile
Business Analytics support team to add the users in the Birst Agile Business Analytics platform. Users must be
created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Birst Agile Business Analytics tile in the Access Panel, you should be automatically signed in to
the Birst Agile Business Analytics for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with BIS
9/20/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate BIS with Azure Active Directory (Azure AD). When you integrate BIS
with Azure AD, you can:
Control in Azure AD who has access to BIS.
Enable your users to be automatically signed-in to BIS with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
BIS single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
BIS supports SP initiated SSO
BIS supports Just In Time user provisioning
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL: https://www.bistrainer.com/sso/biscr.cfm
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up BIS section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to BIS.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select BIS.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the BIS tile in the Access Panel, you should be automatically signed in to the BIS for which you set
up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try BIS with Azure AD
Tutorial: Azure Active Directory integration with
BitaBIZ
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate BitaBIZ with Azure Active Directory (Azure AD). Integrating BitaBIZ with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to BitaBIZ.
You can enable your users to be automatically signed-in to BitaBIZ (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with BitaBIZ, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
BitaBIZ single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
BitaBIZ supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type BitaBIZ, select BitaBIZ from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Identifier text box, type a URL using the following pattern: https://www.bitabiz.com/<instanceId>
NOTE
The value in the above URL is for demonstration only. Update the value with the actual identifier, which is explained
later in the tutorial.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and
save it on your computer.
7. On the Set up BitaBIZ section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure BitaBIZ Single Sign-On
1. In a different web browser window, sign in to your BitaBIZ tenant as an administrator.
2. Click on SETUP ADMIN.
4. Scroll down to the section Microsoft Azure AD (Enable single sign on) and perform the following steps:
a. Copy the value from the Entity ID ("Identifier" in Azure AD) textbox and paste it into the Identifier
textbox on the Basic SAML Configuration section in the Azure portal.
b. In the Azure AD Single Sign-On Service URL textbox, paste Login URL, which you have copied from
Azure portal.
c. In the Azure AD SAML Entity ID textbox, paste Azure Ad Identifier, which you have copied from
Azure portal.
d. Open your downloaded Certificate (Base64) file in Notepad, copy its content to your clipboard,
and then paste it into the Azure AD Signing Certificate (Base64 encoded) textbox.
e. Add your business e-mail domain name, for example mycompany.com, in the Domain name textbox to assign
SSO to the users in your company with this email domain (NOT MANDATORY).
f. Mark SSO enabled for the BitaBIZ account.
g. Click Save Azure AD configuration to save and activate the SSO configuration.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create BitaBIZ test user
To enable Azure AD users to log in to BitaBIZ, they must be provisioned into BitaBIZ.
In the case of BitaBIZ, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to your BitaBIZ company site as an administrator.
2. Click on SETUP ADMIN.
3. Click on Add users under Organization section.
5. On the Add new employee dialog page, perform the following steps:
a. In the First Name textbox, type the first name of user like Britta.
b. In the Last Name textbox, type the last name of user like Simon.
c. In the Email textbox, type the email address of user like Brittasimon@contoso.com.
d. Select a date in Date of employment.
e. There are other non-mandatory user attributes that can be set up for the user. Refer to the
Employee Setup Doc for more details.
f. Click Save employee.
NOTE
The Azure Active Directory account holder receives an email and follows a link to confirm their account before it
becomes active.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Bitly
11/14/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Bitly with Azure Active Directory (Azure AD). When you integrate Bitly
with Azure AD, you can:
Control in Azure AD who has access to Bitly.
Enable your users to be automatically signed-in to Bitly with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Bitly single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Bitly supports SP and IDP initiated SSO
Bitly supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://bitly.com/sso/<subdomain>/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://bitly.com/sso/<subdomain>?acs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://bitly.com/sso/<subdomain>
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact Bitly
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Bitly.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Bitly.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Bitly tile in the Access Panel, you should be automatically signed in to the Bitly for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Bitly with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Blackboard Learn
8/30/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Blackboard Learn with Azure Active Directory (Azure AD). When you
integrate Blackboard Learn with Azure AD, you can:
Control in Azure AD who has access to Blackboard Learn.
Enable your users to be automatically signed-in to Blackboard Learn with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Blackboard Learn single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Blackboard Learn supports SP initiated SSO
Blackboard Learn supports Just In Time user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<subdomain>.blackboard.com/
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.blackboard.com/auth-saml/saml/SSO/entity-id/SAML_AD
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Blackboard Learn
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up Blackboard Learn section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Blackboard Learn tile in the Access Panel, you should be automatically signed in to the
Blackboard Learn for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Blackboard Learn with Azure AD
Tutorial: Azure Active Directory integration with
Blackboard Learn - Shibboleth
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Blackboard Learn - Shibboleth with Azure Active Directory (Azure AD).
Integrating Blackboard Learn - Shibboleth with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Blackboard Learn - Shibboleth.
You can enable your users to be automatically signed-in to Blackboard Learn - Shibboleth (Single Sign-On)
with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Blackboard Learn - Shibboleth, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Blackboard Learn - Shibboleth single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Blackboard Learn - Shibboleth supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Blackboard Learn - Shibboleth, select Blackboard Learn - Shibboleth from the
result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
c. In the Reply URL text box, type a URL using the following pattern:
https://<yourblackoardlearnserver>.blackboardlearn.com/Shibboleth.sso/SAML2/POST
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact
Blackboard Learn - Shibboleth Client support team to get these values. You can also refer to the patterns shown in
the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Blackboard Learn - Shibboleth section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Blackboard Learn - Shibboleth Single Sign-On
To configure single sign-on on the Blackboard Learn - Shibboleth side, you need to send the downloaded
Federation Metadata XML and the appropriate copied URLs from the Azure portal to the Blackboard Learn - Shibboleth
support team. The support team applies these settings so that the SAML SSO connection is configured properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Blackboard Learn - Shibboleth test user
In this section, you create a user called Britta Simon in Blackboard Learn - Shibboleth. Work with Blackboard Learn
- Shibboleth support team to add the users in the Blackboard Learn - Shibboleth platform. Users must be created
and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Blackboard Learn - Shibboleth tile in the Access Panel, you should be automatically signed in to
the Blackboard Learn - Shibboleth for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Blink
8/19/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Blink with Azure Active Directory (Azure AD). When you integrate
Blink with Azure AD, you can:
Control in Azure AD who has access to Blink.
Enable your users to be automatically signed-in to Blink with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Blink single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Blink supports SP initiated SSO
Blink supports Just In Time user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using one of the following patterns:
https://app.joinblink.com
https://<SUBDOMAIN>.joinblink.com
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://api.joinblink.com/saml/o-<TENANTID>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Blink Client support
team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. Blink Meetings application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click Edit icon to open User Attributes dialog.
6. In addition to the above, the Blink Meetings application expects a few more attributes to be passed back in
the SAML response. In the User Claims section on the User Attributes dialog, perform the following steps to add
each SAML token attribute shown in the table below:
NAME          SOURCE ATTRIBUTE
first_name    user.givenname
second_name   user.surname
email         user.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
8. On the Set up Blink section, copy the appropriate URL(s) based on your requirement.
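After adding the three claims from step 6, a test sign-in's assertion can be checked for them before the service provider rejects it. The following is an added example, not part of the Microsoft tutorial or Blink's software; the function name and the sample assertion are constructed, and the "namespaced" case assumes that a claim saved with a non-blank Namespace is issued with the namespace URI prefixed to its Name.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names from the tutorial's table; Namespace must be left blank.
BLINK_CLAIMS = ("first_name", "second_name", "email")


def check_claims(assertion_xml, required=BLINK_CLAIMS):
    """Map each required claim to 'ok', 'empty', 'namespaced' or 'missing'.

    ok         - attribute present under the bare name with a non-empty value
    empty      - attribute present but carries no value (for example, the
                 source attribute is not populated for this user)
    namespaced - only a URI-prefixed variant exists (Namespace not blank)
    missing    - no attribute with that name in any form
    """
    # SAML messages never need a DTD; refuse one instead of parsing it.
    if "<!DOCTYPE" in assertion_xml:
        raise ValueError("DOCTYPE is not allowed in a SAML message")
    root = ET.fromstring(assertion_xml)

    # Collect every attribute's non-empty values, keyed by its Name.
    values = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        texts = [
            (value.text or "").strip()
            for value in attr.findall("saml:AttributeValue", SAML_NS)
        ]
        values[attr.get("Name", "")] = [text for text in texts if text]

    report = {}
    for name in required:
        if name in values:
            report[name] = "ok" if values[name] else "empty"
        elif any(n.rsplit("/", 1)[-1] == name for n in values if "/" in n):
            report[name] = "namespaced"
        else:
            report[name] = "missing"
    return report


# Constructed sample (not a real capture): first_name is correct,
# second_name was saved with a namespace, email has no value.
CONSTRUCTED_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name">
      <saml:AttributeValue>B</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute
        Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/second_name">
      <saml:AttributeValue>Simon</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    for claim, status in check_claims(CONSTRUCTED_ASSERTION).items():
        print(f"{claim}: {status}")
```
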
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Blink.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Blink.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Blink tile in the Access Panel, you should be automatically signed in to the Blink for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Slack with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Blue Access for Members (BAM)
11/14/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Blue Access for Members (BAM) with Azure Active Directory (Azure
AD). When you integrate Blue Access for Members (BAM) with Azure AD, you can:
Control in Azure AD who has access to Blue Access for Members (BAM).
Enable your users to be automatically signed-in to Blue Access for Members (BAM) with their Azure AD
accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Blue Access for Members (BAM) single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Blue Access for Members (BAM) supports IDP initiated SSO
Configure and test Azure AD single sign-on for Blue Access for
Members (BAM)
Configure and test Azure AD SSO with Blue Access for Members (BAM) using a test user called B.Simon. For
SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Blue
Access for Members (BAM).
To configure and test Azure AD SSO with Blue Access for Members (BAM), complete the following building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure Blue Access for Members (BAM) SSO - to configure the single sign-on settings on application
side.
Create Blue Access for Members (BAM) test user - to have a counterpart of B.Simon in Blue Access
for Members (BAM) that is linked to the Azure AD representation of user.
3. Test SSO - to verify whether the configuration works.
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern: <Custom Domain Value>
b. In the Reply URL text box, type a URL using the following pattern:
https://<CUSTOMURL>/affwebservices/public/saml2assertionconsumer
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Relay State. Contact Blue
Access for Members (BAM) Client support team to get these values. You can also refer to the patterns shown in the
Basic SAML Configuration section in the Azure portal.
5. The Blue Access for Members (BAM) application expects the SAML assertions in a specific format, which
requires you to add custom attribute mappings to your SAML token attributes configuration. The following
screenshot shows the list of default attributes.
6. In addition to the above, the Blue Access for Members (BAM) application expects a few more attributes to be
passed back in the SAML response, which are shown below. These attributes are also pre-populated, but you can
review them as per your requirements.
ClientID <ClientID>
UID <UID>
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
8. On the Set up Blue Access for Members (BAM) section, copy the appropriate URL(s) based on your
requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Blue Access for Members (BAM) tile in the Access Panel, you should be automatically signed in
to the Blue Access for Members (BAM) for which you set up SSO. For more information about the Access Panel,
see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Blue Access for Members (BAM) with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with BlueJeans for Azure AD
10/18/2019 • 7 minutes to read
In this tutorial, you'll learn how to integrate BlueJeans for Azure AD with Azure Active Directory (Azure AD). When
you integrate BlueJeans for Azure AD with Azure AD, you can:
Control in Azure AD who has access to BlueJeans for Azure AD.
Enable your users to be automatically signed-in to BlueJeans for Azure AD with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
BlueJeans for Azure AD single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
BlueJeans for Azure AD supports SP initiated SSO
BlueJeans for Azure AD supports Automated user provisioning
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
Configure and test Azure AD single sign-on for BlueJeans for Azure AD
Configure and test Azure AD SSO with BlueJeans for Azure AD using a test user called B.Simon. For SSO to
work, you need to establish a link relationship between an Azure AD user and the related user in BlueJeans for
Azure AD.
To configure and test Azure AD SSO with BlueJeans for Azure AD, complete the following building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure BlueJeans for Azure AD SSO - to configure the single sign-on settings on application side.
a. Create BlueJeans for Azure AD test user - to have a counterpart of B.Simon in BlueJeans for Azure
AD that is linked to the Azure AD representation of user.
3. Test SSO - to verify whether the configuration works.
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL using the following pattern: https://<companyname>.bluejeans.com
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact BlueJeans for Azure AD Client support
team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up BlueJeans for Azure AD section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
a. Click Choose File, to upload the base-64 encoded certificate that you have downloaded from the Azure
portal.
b. In the Login URL textbox, paste the value of Login URL which you have copied from Azure portal.
c. In the Password Change URL textbox, paste the value of Change Password URL which you have
copied from Azure portal.
d. In the Logout URL textbox, paste the value of Logout URL which you have copied from Azure portal.
5. Move on with the following steps:
a. In the User Id textbox, type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name .
b. In the Email textbox, type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name .
c. Click SAVE CHANGES.
Create BlueJeans for Azure AD test user
The objective of this section is to create a user called B.Simon in BlueJeans for Azure AD. BlueJeans for Azure AD
supports automatic user provisioning, which is by default enabled. You can find more details here on how to
configure automatic user provisioning.
If you need to create a user manually, perform the following steps:
1. Sign in to your BlueJeans for Azure AD company site as an administrator.
2. Go to ADMIN > MANAGE USERS > ADD USER.
IMPORTANT
The ADD USER tab is only available if, in the SECURITY tab, Enable automatic provisioning is unchecked.
NOTE
You can use any other BlueJeans for Azure AD user account creation tools or APIs provided by BlueJeans for Azure AD to
provision Azure AD user accounts.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the BlueJeans for Azure AD tile in the Access Panel, you should be automatically signed in to the
BlueJeans for Azure AD for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try BlueJeans for Azure AD with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with BeyondTrust Remote Support
11/14/2019 • 7 minutes to read
In this tutorial, you'll learn how to integrate BeyondTrust Remote Support with Azure Active Directory (Azure AD).
When you integrate BeyondTrust Remote Support with Azure AD, you can:
Control in Azure AD who has access to BeyondTrust Remote Support.
Enable your users to be automatically signed-in to BeyondTrust Remote Support with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
BeyondTrust Remote Support single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
BeyondTrust Remote Support supports SP initiated SSO
BeyondTrust Remote Support supports Just In Time user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign-on URL text box, type a URL using the following pattern: https://<HOSTNAME>.bomgar.com/saml
b. In the Identifier box, type a URL using the following pattern: https://<HOSTNAME>.bomgar.com
c. In the Reply URL text box, type a URL using the following pattern:
https://<HOSTNAME>.bomgar.com/saml/sso
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. You will get
these values explained later in the tutorial.
5. The BeyondTrust Remote Support application expects the SAML assertions in a specific format, which requires
you to add custom attribute mappings to your SAML token attributes configuration. The following
screenshot shows the list of default attributes.
6. In addition to the above, the BeyondTrust Remote Support application expects a few more attributes to be passed
back in the SAML response, which are shown below. These attributes are also pre-populated, but you can review
them as per your requirements.
Givenname user.givenname
Emailaddress user.mail
Name user.userprincipalname
Username user.userprincipalname
Groups user.groups
NOTE
When assigning Azure AD Groups for the BeyondTrust Remote Support application, the ‘Groups returned in claim’
option will need to be modified from None to SecurityGroup. The Groups will be imported into the application as their
Object IDs. The Object ID of the Azure AD Group can be found by checking the Properties in the Azure Active
Directory interface. This will be required to reference and assign Azure AD Groups to the correct group policies.
7. When setting the Unique User Identifier, this value must be set to NameID-Format: Persistent. We require
this to be a Persistent identifier to correctly identify and associate the user into the correct group policies for
permissions. Click on the edit icon to open the User Attributes & Claims dialog to edit the Unique User
Identifier value.
8. On the Manage Claim section, click on the Choose name identifier format and set the value to
Persistent and click Save.
9. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
10. On the Set up BeyondTrust Remote Support section, copy the appropriate URL(s) based on your
requirement.
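The claim settings in steps 6 to 8 can be checked against a decoded test assertion before users are assigned. The following Python sketch is an added example, not code from Microsoft or BeyondTrust; it assumes the attribute names appear in the assertion exactly as listed in the table above, uses constructed sample assertions, and inspects structure only (it does not verify the XML signature).

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Assumption: attribute names appear in the assertion exactly as in the tutorial's table.
# Emailaddress and Groups are optional per the tutorial's note, so only these are required.
REQUIRED = ("Givenname", "Name", "Username")
# Azure AD object IDs are GUIDs; a group display name would not match a group policy entry.
GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def build_sample(name_id_format, attributes):
    """Build a constructed, unsigned sample assertion (not captured from a real tenant)."""
    attrs = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>"
        for name, values in attributes.items()
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:Subject><saml:NameID Format="{name_id_format}">constructed-id</saml:NameID>'
        "</saml:Subject>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


# Constructed sample that follows the tutorial: persistent NameID, groups as object IDs.
SAMPLE_OK = build_sample(PERSISTENT, {
    "Givenname": ["B"],
    "Emailaddress": ["b.simon@contoso.example"],
    "Name": ["b.simon@contoso.example"],
    "Username": ["b.simon@contoso.example"],
    "Groups": ["00000000-0000-0000-0000-000000000001"],
})

# Constructed sample with three deviations: e-mail NameID format, no Username,
# and a group sent as a display name instead of an object ID.
SAMPLE_BAD = build_sample("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", {
    "Givenname": ["B"],
    "Name": ["b.simon@contoso.example"],
    "Groups": ["Support Admins"],
})


def check_assertion(xml_text):
    """Return a list of findings; an empty list means the claims match the tutorial."""
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or one wrapped in a samlp:Response.
    assertion = next(root.iter(f"{{{NS['saml']}}}Assertion"), None)
    if assertion is None:
        return ["no saml:Assertion element found"]

    findings = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("Subject/NameID missing or empty")
    elif name_id.get("Format") != PERSISTENT:
        fmt = name_id.get("Format")
        findings.append(f"NameID Format is {fmt!r}, expected {PERSISTENT}")

    # Collect attribute values by name; an attribute may carry several values.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)

    for name in REQUIRED:
        if not any(attrs.get(name, [])):
            findings.append(f"attribute {name} missing or empty")
    for group in attrs.get("Groups", []):
        if not GUID.fullmatch(group):
            findings.append(f"Groups value {group!r} is not an object ID")
    return findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_assertion(sample) or "no findings")
```
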
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
The groups and e-mail attribute are not necessary for this implementation. If utilizing Azure AD groups and assigning them
to BeyondTrust Remote Support Group Policies for permissions, the Object ID of the group will need to be referenced via its
properties in the Azure portal and placed in the ‘Available Groups’ section. Once this has been completed, the Object ID/AD
Group will now be available for assignment to a group policy for permissions.
NOTE
Alternatively, a default group policy can be set on the SAML2 Security Provider. Defining this option assigns all
users who authenticate through SAML the permissions specified within the group policy. The General Members policy is
included within BeyondTrust Remote Support/Privileged Remote Access with limited permissions, which can be used to test
authentication and assign users to the correct policies. Users will not populate into the SAML2 Users list via /login > Users &
Security until the first successful authentication attempt. Additional information on Group policies can be found at the
following link: https://www.beyondtrust.com/docs/remote-support/getting-started/admin/group-policies.htm
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the BeyondTrust Remote Support tile in the Access Panel, you should be automatically signed in to
the BeyondTrust Remote Support for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try BeyondTrust Remote Support with Azure AD
Tutorial: Azure Active Directory integration with
Bonusly
11/19/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Bonusly with Azure Active Directory (Azure AD). Integrating Bonusly
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Bonusly.
You can enable your users to be automatically signed-in to Bonusly (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Bonusly, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Bonusly single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Bonusly supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Bonusly, select Bonusly from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Reply URL. Contact Bonusly Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. In the SAML Signing Certificate section, click the Edit button to open the SAML Signing Certificate dialog.
6. In the SAML Signing Certificate section, copy the THUMBPRINT and save it on your computer.
7. On the Set up Bonusly section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Bonusly Single Sign-On
1. In a different browser window, sign in to your Bonusly tenant.
2. In the toolbar on the top, click Settings and then select Integrations and apps.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Bonusly test user
In order to enable Azure AD users to sign in to Bonusly, they must be provisioned into Bonusly. In the case of
Bonusly, provisioning is a manual task.
NOTE
You can use any other Bonusly user account creation tools or APIs provided by Bonusly to provision Azure AD user accounts.
NOTE
The Azure AD account holder receives an email that includes a link to confirm the account before it becomes active.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Boomi
11/19/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Boomi with Azure Active Directory (Azure AD). When you integrate
Boomi with Azure AD, you can:
Control in Azure AD who has access to Boomi.
Enable your users to be automatically signed-in to Boomi with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Boomi single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Boomi supports IDP initiated SSO
4. On the Set up single sign-on with SAML page, enter the values for the following fields:
a. In the Identifier text box, type a URL: https://platform.boomi.com/
b. In the Reply URL text box, type a URL using the following pattern:
https://platform.boomi.com/sso/<boomi-tenant>/saml
NOTE
The Reply URL value is not real. Update the value with the actual Reply URL. Contact Boomi Client support team to
get this value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
5. The Boomi application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
6. In addition to the above, the Boomi application expects a few more attributes to be passed back in the SAML response,
which are shown below. These attributes are also pre-populated, but you can review them as per your
requirements.
NAME SOURCE ATTRIBUTE
FEDERATION_ID user.mail
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
8. On the Set up Boomi section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
The user will not receive a welcome notification email containing a password that can be used to log in to the
AtomSphere account because their password is managed through the identity provider. You may use any other
Boomi user account creation tools or APIs provided by Boomi to provision Azure AD user accounts.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Boomi tile in the Access Panel, you should be automatically signed in to the Boomi for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Boomi with Azure AD
Tutorial: Azure Active Directory integration with
BorrowBox
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate BorrowBox with Azure Active Directory (Azure AD). Integrating
BorrowBox with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to BorrowBox.
You can enable your users to be automatically signed-in to BorrowBox (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with BorrowBox, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
BorrowBox single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
BorrowBox supports SP and IDP initiated SSO
BorrowBox supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type BorrowBox, select BorrowBox from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://fe.bolindadigital.com/wldcs_bol_fo/b2i/mainPage.html?b2bSite=<ID>
NOTE
The value is not real. Update the value with the actual Sign-on URL. Contact BorrowBox Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
6. Your BorrowBox application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes, where nameidentifier is mapped with user.userprincipalname. The BorrowBox
application expects nameidentifier to be mapped with user.mail, so you need to edit the attribute mapping
by clicking the Edit icon and changing the attribute mapping.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. On the Set up BorrowBox section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure BorrowBox Single Sign-On
To configure single sign-on on the BorrowBox side, send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the BorrowBox support team. They configure this setting so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create BorrowBox test user
In this section, a user called Britta Simon is created in BorrowBox. BorrowBox supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in BorrowBox, a new one is created after authentication.
NOTE
If you need to create a user manually, contact BorrowBox support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Box
8/16/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Box with Azure Active Directory (Azure AD). When you integrate Box
with Azure AD, you can:
Control in Azure AD who has access to Box.
Enable your users to be automatically signed-in to Box with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Box single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Box supports SP initiated SSO
Box supports Just In Time user provisioning
Box supports Automated user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.account.box.com
NOTE
The Sign-on URL value is not real. Update the value with the actual Sign-On URL. Contact Box Client support team to
get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
If you need to create a user manually, contact Box support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Box tile in the Access Panel, you should be automatically signed in to the Box for which you set
up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Box with Azure AD
Tutorial: Azure Active Directory integration with
Boxcryptor
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Boxcryptor with Azure Active Directory (Azure AD). Integrating
Boxcryptor with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Boxcryptor.
You can enable your users to be automatically signed-in to Boxcryptor (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Boxcryptor, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Boxcryptor single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Boxcryptor supports SP initiated SSO
Boxcryptor supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Boxcryptor, select Boxcryptor from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Boxcryptor section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Boxcryptor Single Sign-On
To configure single sign-on on the Boxcryptor side, send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Boxcryptor support team. They configure this setting so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Boxcryptor test user
In this section, you create a user called Britta Simon in Boxcryptor. Work with Boxcryptor support team to add the
users or the domain that must be added to an allow list for the Boxcryptor platform. If the domain is added by the
team, users will get automatically provisioned to the Boxcryptor platform. Users must be created and activated
before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Boxcryptor tile in the Access Panel, you should be automatically signed in to the Boxcryptor for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Bpm’online
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Bpm’online with Azure Active Directory (Azure AD). Integrating
Bpm’online with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Bpm’online.
You can enable your users to be automatically signed-in to Bpm’online (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Bpm’online, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Bpm’online single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Bpm’online supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Bpm’online, select Bpm’online from the result panel then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<client site name>.bpmonline.com/
b. In the Reply URL text box, type a URL using the following pattern:
https://<client site name>.bpmonline.com/ServiceModel/AuthService.svc/SsoLogin
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<client site name>.bpmonline.com/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
Bpm’online Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Bpm’online test user
In this section, you create a user called Britta Simon in Bpm’online. Work with the Bpm’online support team to add
the users to the Bpm’online platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Bpm’online tile in the Access Panel, you should be automatically signed in to the Bpm’online
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Brandfolder
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Brandfolder with Azure Active Directory (Azure AD). Integrating
Brandfolder with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Brandfolder.
You can enable your users to be automatically signed-in to Brandfolder (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Brandfolder, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Brandfolder single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Brandfolder supports IDP initiated SSO
Brandfolder supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Brandfolder, select Brandfolder from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://brandfolder.com/organizations/<ORG_SLUG>/saml/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://brandfolder.com/organizations/<ORG_SLUG>/saml
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Brandfolder Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Brandfolder test user
In this section, a user called Britta Simon is created in Brandfolder. Brandfolder supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Brandfolder, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Brandfolder tile in the Access Panel, you should be automatically signed in to the Brandfolder
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Braze
10/15/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Braze with Azure Active Directory (Azure AD). When you integrate
Braze with Azure AD, you can:
Control in Azure AD who has access to Braze.
Enable your users to be automatically signed-in to Braze with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Braze single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Braze supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.braze.com/auth/saml/callback
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.braze.com/sign_in
NOTE
For the subdomain, use the coordinating subdomain listed in your Braze instance URL. For example, if your instance is
US-01, your URL is https://dashboard-01.braze.com. This means that your subdomain will be dashboard-01.
6. The Braze application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
7. In addition to the above, the Braze application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you can review them as per your
requirements.
email user.userprincipalname
first_name user.givenname
last_name user.surname
8. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
9. On the Set up Braze section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Braze tile in the Access Panel, you should be automatically signed in to the Braze for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Braze with Azure AD
Tutorial: Azure Active Directory integration with
Bridge
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Bridge with Azure Active Directory (Azure AD). Integrating Bridge with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Bridge.
You can enable your users to be automatically signed-in to Bridge (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Bridge, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Bridge single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Bridge supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Bridge, select Bridge from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<company name>.bridgeapp.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Bridge Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
6. On the Set up Bridge section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Bridge Single Sign-On
To configure single sign-on on the Bridge side, you need to send the downloaded Certificate (Raw) and the appropriate
copied URLs from the Azure portal to the Bridge support team. They configure this setting so that the SAML SSO
connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Bridge test user
In this section, you create a user called Britta Simon in Bridge. Work with the Bridge support team to add the users to
the Bridge platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Bridge tile in the Access Panel, you should be automatically signed in to the Bridge for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Bridgeline Unbound
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Bridgeline Unbound with Azure Active Directory (Azure AD). Integrating
Bridgeline Unbound with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Bridgeline Unbound.
You can enable your users to be automatically signed-in to Bridgeline Unbound (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Bridgeline Unbound, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Bridgeline Unbound single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Bridgeline supports SP and IDP initiated SSO
Bridgeline Unbound supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Bridgeline Unbound, select Bridgeline Unbound from the result panel, then click the
Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: iApps_UPSTT_<ENVIRONMENTNAME>
b. In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.iapps.com/SAMLAssertionService.aspx
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.iapps.com/CommonLogin/login?<INSTANCENAME>
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
Bridgeline Unbound Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up Bridgeline Unbound section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Bridgeline Unbound Single Sign-On
To configure single sign-on on the Bridgeline Unbound side, you need to send the downloaded Certificate
(Base64) and the appropriate copied URLs from the Azure portal to the Bridgeline Unbound support team. They
configure this setting so that the SAML SSO connection is set properly on both sides.
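The Reply URL is where Azure AD posts the signed assertion, so the actual value received from a vendor should be checked against the pattern given in the Basic SAML Configuration step before it is entered. The following is an added example, not part of the original tutorials: the function and constant names are hypothetical, the patterns are copied from the tutorials above, and it assumes each `<...>` placeholder stands for a single DNS label (in the host) or a single slug segment (in the path).

```python
import re
from urllib.parse import urlsplit

# Reply URL patterns as printed in the tutorials; <...> marks the tenant-specific part.
REPLY_URL_PATTERNS = {
    "Bpm'online": "https://<client site name>.bpmonline.com/ServiceModel/AuthService.svc/SsoLogin",
    "Brandfolder": "https://brandfolder.com/organizations/<ORG_SLUG>/saml",
    "Braze": "https://<SUBDOMAIN>.braze.com/auth/saml/callback",
    "Bridgeline Unbound": "https://<SUBDOMAIN>.iapps.com/SAMLAssertionService.aspx",
}

PLACEHOLDER = re.compile(r"<[^<>]+>")
# Assumption: a placeholder in the host is exactly one DNS label (no dots) ...
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# ... and a placeholder in the path is one slug segment (no '/', no '.').
SEGMENT = r"[A-Za-z0-9_-]+"


def template_regex(template, fill):
    """Escape the literal parts of a pattern and put `fill` where a placeholder was."""
    return re.compile(fill.join(re.escape(part) for part in PLACEHOLDER.split(template)))


def check_reply_url(app, candidate):
    """Return a list of problems; an empty list means the URL fits the tutorial pattern."""
    host_tpl, _, path_tpl = REPLY_URL_PATTERNS[app][len("https://"):].partition("/")
    try:
        url = urlsplit(candidate)
        port = url.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return [f"unparseable URL: {exc}"]

    problems = []
    if url.scheme != "https":
        problems.append("scheme is not https")
    if url.username is not None or url.password is not None:
        problems.append("userinfo present")
    if port is not None:
        problems.append("explicit port")
    if url.query or url.fragment:
        problems.append("query or fragment present")
    # urlsplit lower-cases the hostname; the whole host must match, not just a prefix.
    if not template_regex(host_tpl, LABEL).fullmatch(url.hostname or ""):
        problems.append("host does not match pattern")
    if not template_regex("/" + path_tpl, SEGMENT).fullmatch(url.path):
        problems.append("path does not match pattern")
    return problems


if __name__ == "__main__":
    # Constructed candidates; dashboard-01 is the subdomain used in the Braze note.
    for app, candidate in [
        ("Braze", "https://dashboard-01.braze.com/auth/saml/callback"),
        ("Braze", "https://dashboard-01.braze.com.example.net/auth/saml/callback"),
        ("Brandfolder", "https://brandfolder.com/organizations/acme/../saml"),
    ]:
        print(app, candidate, check_reply_url(app, candidate) or "OK")
```
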
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Bridgeline Unbound test user
In this section, a user called Britta Simon is created in Bridgeline Unbound. Bridgeline Unbound supports just-in-
time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't
already exist in Bridgeline Unbound, a new one is created after authentication.
NOTE
If you need to create a user manually, contact the Bridgeline Unbound support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Bridgeline Unbound tile in the Access Panel, you should be automatically signed in to the
Bridgeline Unbound for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Bright Pattern Omnichannel Contact
Center
11/14/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Bright Pattern Omnichannel Contact Center with Azure Active
Directory (Azure AD). When you integrate Bright Pattern Omnichannel Contact Center with Azure AD, you can:
Control in Azure AD who has access to Bright Pattern Omnichannel Contact Center.
Enable your users to be automatically signed-in to Bright Pattern Omnichannel Contact Center with their Azure
AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Bright Pattern Omnichannel Contact Center single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Bright Pattern Omnichannel Contact Center supports SP and IDP initiated SSO
Bright Pattern Omnichannel Contact Center supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern: <SUBDOMAIN>_sso
b. In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.brightpattern.com/agentdesktop/sso/redirect
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.brightpattern.com/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact Bright
Pattern Omnichannel Contact Center Client support team to get these values. You can also refer to the patterns
shown in the Basic SAML Configuration section in the Azure portal.
6. The Bright Pattern Omnichannel Contact Center application expects the SAML assertions in a specific format,
which requires you to add custom attribute mappings to your SAML token attributes configuration. The
following screenshot shows the list of default attributes.
7. In addition to the above, the Bright Pattern Omnichannel Contact Center application expects a few more attributes
to be passed back in the SAML response, which are shown below. These attributes are also pre-populated, but you
can review them as per your requirement.
NAME NAMESPACE
firstName user.givenname
lastName user.surname
email user.mail
8. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
9. On the Set up Bright Pattern Omnichannel Contact Center section, copy the appropriate URL(s) based
on your requirement.
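Braze and Bright Pattern expect differently spelled attribute names (first_name versus firstName), so a claim mapping copied from one application to the other fails quietly. The following added example, not part of the original tutorials, checks a captured assertion against the attribute names listed in the two tutorials; the function names and the sample assertion are constructed, and the check reads attribute names only and performs no signature validation.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Attribute names each application expects, as listed in the tutorials above.
EXPECTED = {
    "Braze": ("email", "first_name", "last_name"),
    "Bright Pattern Omnichannel Contact Center": ("firstName", "lastName", "email"),
}

# Constructed sample: an unsigned assertion fragment using the Bright Pattern names.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>b.simon@contoso.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName">
      <saml:AttributeValue>B.</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName">
      <saml:AttributeValue>Simon</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def normalise(name):
    """Fold case and underscores so first_name and firstName compare equal."""
    return (name or "").replace("_", "").lower()


def attribute_gaps(app, assertion_xml):
    """Map each expected attribute that is absent, empty or misnamed to a reason."""
    root = ET.fromstring(assertion_xml)
    seen = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        seen.setdefault(attr.get("Name"), []).extend(values)

    by_normalised = {normalise(name): name for name in seen}
    gaps = {}
    for name in EXPECTED[app]:
        if name in seen:
            if not any(seen[name]):
                gaps[name] = "empty"
        elif normalise(name) in by_normalised:
            # Present, but under the other application's spelling.
            gaps[name] = f"sent as '{by_normalised[normalise(name)]}'"
        else:
            gaps[name] = "missing"
    return gaps


if __name__ == "__main__":
    for app in EXPECTED:
        print(app, attribute_gaps(app, SAMPLE_ASSERTION) or "all expected attributes present")
```
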
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Bright Pattern Omnichannel Contact Center tile in the Access Panel, you should be
automatically signed in to the Bright Pattern Omnichannel Contact Center for which you set up SSO. For more
information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Bright Pattern Omnichannel Contact Center with Azure AD
Tutorial: Azure Active Directory integration with
Brightidea
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Brightidea with Azure Active Directory (Azure AD). Integrating
Brightidea with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Brightidea.
You can enable your users to be automatically signed-in to Brightidea (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Brightidea, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Brightidea single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Brightidea supports SP and IDP initiated SSO
Brightidea supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Brightidea, select Brightidea from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you have a Service Provider metadata file and wish to
configure in IDP initiated mode, perform the following steps:
a. Click Upload metadata file.
b. Click the folder logo to select the metadata file and click Upload.
c. After the metadata file is successfully uploaded, the Identifier and Reply URL values are auto-populated
in the Brightidea section text box:
NOTE
If the Identifier and Reply URL values are not auto-populated, then fill in the values manually according to your
requirement.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<SUBDOMAIN>.brightidea.com
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Brightidea section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Brightidea Single Sign-On
1. In a different web browser window, sign in to Brightidea using the administrator credentials.
2. To get to the SSO feature in your Brightidea system, navigate to Enterprise Setup -> Authentication Tab.
There you will see two sub tabs: Auth Selection & SAML Profiles.
3. Select Auth Selection. By default, it only shows two standard methods: Brightidea Login & Registration.
When an SSO method is added, it will show up in the list.
For Upload Metadata, click choose file and upload the downloaded metadata file from the Azure
portal.
NOTE
After uploading the metadata file, the remaining fields Single Sign-on Service, Identity Provider Issuer,
Upload Public Key will populate automatically.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Brightidea test user
In this section, a user called Britta Simon is created in Brightidea. Brightidea supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Brightidea, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Brightidea tile in the Access Panel, you should be automatically signed in to the Brightidea for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Brightspace by Desire2Learn
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Brightspace by Desire2Learn with Azure Active Directory (Azure AD).
Integrating Brightspace by Desire2Learn with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Brightspace by Desire2Learn.
You can enable your users to be automatically signed-in to Brightspace by Desire2Learn (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Brightspace by Desire2Learn, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Brightspace by Desire2Learn single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Brightspace by Desire2Learn supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Brightspace by Desire2Learn, select Brightspace by Desire2Learn from the result
panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<companyname>.tenants.brightspace.com/samlLogin
https://<companyname>.desire2learn.com/shibboleth-sp
b. In the Reply URL text box, type a URL using the following pattern:
https://<companyname>.desire2learn.com/d2l/lp/auth/login/samlLogin.d2l
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Brightspace by
Desire2Learn Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Brightspace by Desire2Learn section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Brightspace by Desire2Learn Single Sign-On
To configure single sign-on on the Brightspace by Desire2Learn side, you need to send the downloaded Federation
Metadata XML and the appropriate copied URLs from the Azure portal to the Brightspace by Desire2Learn support team.
They configure this setting so that the SAML SSO connection is set properly on both sides.
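When the Federation Metadata XML or a certificate file is handed to a vendor support team, as in the Bridge, Bridgeline Unbound and Brightspace tutorials above, recording the signing certificate's fingerprint first gives both sides a value to compare once the vendor has configured the connection. The following added example, not part of the original tutorials, extracts the entity ID, sign-on endpoints and signing certificate fingerprints from a metadata document and compares them with a Certificate (Base64) or Certificate (Raw) download; the function names, tenant GUID and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
PEM_BODY = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def sha256_fingerprint(der):
    """Upper-case hex SHA-256 over the DER bytes of a certificate."""
    return hashlib.sha256(der).hexdigest().upper()


def certificate_fingerprint(data):
    """Fingerprint a downloaded certificate file: PEM ("Base64") or DER ("Raw") bytes."""
    match = PEM_BODY.search(data)
    der = base64.b64decode(b"".join(match.group(1).split())) if match else data
    return sha256_fingerprint(der)


def metadata_summary(xml_text):
    """Pull the values a reviewer compares out of a single-entity metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("expected a single EntityDescriptor document")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    fingerprints = []
    for key in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without a "use" attribute applies to signing as well.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(sha256_fingerprint(der))

    endpoints = {e.get("Binding"): e.get("Location")
                 for e in idp.findall(f"{{{MD}}}SingleSignOnService")}
    return {"entity_id": root.get("entityID"),
            "signing_fingerprints": fingerprints,
            "sso_endpoints": endpoints}


def certificate_in_metadata(xml_text, cert_data):
    """True when the certificate file matches a signing certificate in the metadata."""
    return certificate_fingerprint(cert_data) in metadata_summary(xml_text)["signing_fingerprints"]


# Constructed inputs: placeholder bytes stand in for the DER certificate, and the
# all-zero GUID stands in for a tenant ID. Only the hashing path is exercised.
SAMPLE_CERT_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_CERT_PEM = (
    f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n".encode()
)
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data>
        <X509Certificate>{SAMPLE_B64}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(metadata_summary(SAMPLE_METADATA))
    print("PEM file matches metadata:", certificate_in_metadata(SAMPLE_METADATA, SAMPLE_CERT_PEM))
```
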
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Brightspace by Desire2Learn test user
In this section, you create a user called Britta Simon in Brightspace by Desire2Learn. Work with the Brightspace by
Desire2Learn support team to add the users to the Brightspace by Desire2Learn platform. Users must be created
and activated before you use single sign-on.
NOTE
You can use any other Brightspace by Desire2Learn user account creation tools or APIs provided by Brightspace by
Desire2Learn to provision Azure Active Directory user accounts.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Brightspace by Desire2Learn tile in the Access Panel, you should be automatically signed in to
the Brightspace by Desire2Learn for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Bugsnag
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Bugsnag with Azure Active Directory (Azure AD). Integrating Bugsnag
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Bugsnag.
You can enable your users to be automatically signed-in to Bugsnag (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Bugsnag, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Bugsnag single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Bugsnag supports SP and IDP initiated SSO
Bugsnag supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Bugsnag, select Bugsnag from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Reply URL text box, type a URL using the following pattern:
https://app.bugsnag.com/user/sign_in/saml/<org_slug>/acs
NOTE
The Reply URL value is not real. Update this value with the actual Reply URL. Contact the Bugsnag Client support team to
get this value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Bugsnag test user
In this section, a user called Britta Simon is created in Bugsnag. Bugsnag supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in
Bugsnag, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Bugsnag tile in the Access Panel, you should be automatically signed in to the Bugsnag for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Bynder with Azure Active Directory
10/30/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Bynder with Azure Active Directory (Azure AD). When you integrate
Bynder with Azure AD, you can:
Control in Azure AD who has access to Bynder.
Enable your users to be automatically signed-in to Bynder with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
Bynder single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Bynder supports SP and IDP initiated SSO
Bynder supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern: https://<company name>.getbynder.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<company name>.getbynder.com/sso/SAML/authenticate/
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<company name>.getbynder.com/login/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the Bynder
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. The Bynder application expects the SAML assertions in a specific format. Configure the following claims for this
application. You can manage the values of these attributes from the User Attributes section on the application
integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the User
Attributes dialog.
7. In the User Claims section on the User Attributes dialog, edit the claims by using the Edit icon or add the
claims by using Add new claim to configure the SAML token attribute as shown in the image above and
perform the following steps:
a. Click the pen next to Groups returned in claim.
b. Select Security groups from the radio list.
c. Select Source Attribute of Group ID.
d. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Metadata XML and select Download to download the certificate and save it on your computer.
9. On the Set up Bynder section, copy the appropriate URL(s) based on your requirement.
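The URL patterns in steps 4 and 5 can be checked mechanically before the values are saved, so that an unreplaced placeholder or a Reply URL on a different host is caught early. This is an added example, not part of the original tutorial or of Bynder's or Microsoft's tooling; the function names, the constructed `contoso` sample values, and the rule that a placeholder stands for a single DNS label are assumptions.

```python
import re

# URL patterns exactly as given in steps 4 and 5 of the tutorial.
BYNDER_PATTERNS = {
    "identifier": "https://<company name>.getbynder.com",
    "reply_url": "https://<company name>.getbynder.com/sso/SAML/authenticate/",
    "sign_on_url": "https://<company name>.getbynder.com/login/",
}

PLACEHOLDER = re.compile(r"<([^<>]+)>")
# Assumption: a placeholder such as <company name> stands for one DNS label.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"


def pattern_to_regex(pattern):
    """Compile a tutorial pattern into an anchored regex, one group per placeholder."""
    parts, pos, seen = [], 0, set()
    for m in PLACEHOLDER.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        name = re.sub(r"\W", "_", m.group(1))
        # A placeholder repeated inside one pattern must repeat the same value.
        parts.append(f"(?P={name})" if name in seen else f"(?P<{name}>{LABEL})")
        seen.add(name)
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts) + r"\Z")


def check_saml_urls(configured, patterns=BYNDER_PATTERNS):
    """Return a list of findings; an empty list means the values are consistent."""
    findings, bound = [], {}
    for field, pattern in patterns.items():
        value = configured.get(field, "")
        if not value:
            findings.append(f"{field}: missing")
            continue
        if PLACEHOLDER.search(value):
            findings.append(f"{field}: placeholder left in value")
            continue
        if not value.startswith("https://"):
            findings.append(f"{field}: not an https:// URL")
            continue
        m = pattern_to_regex(pattern).match(value)
        if not m:
            findings.append(f"{field}: does not match {pattern}")
            continue
        # Every field must resolve the placeholder to the same tenant name.
        for name, got in m.groupdict().items():
            first = bound.setdefault(name, (field, got.lower()))
            if first[1] != got.lower():
                findings.append(
                    f"{field}: {name} is {got!r} but {first[0]} uses {first[1]!r}")
    return findings


# Constructed sample values (not real tenants).
GOOD = {
    "identifier": "https://contoso.getbynder.com",
    "reply_url": "https://contoso.getbynder.com/sso/SAML/authenticate/",
    "sign_on_url": "https://contoso.getbynder.com/login/",
}
BAD = {
    "identifier": "https://contoso.getbynder.com",
    "reply_url": "https://<company name>.getbynder.com/sso/SAML/authenticate/",
    "sign_on_url": "https://contoso-test.getbynder.com/login/",
}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_saml_urls(cfg) or "ok")
```

The same function accepts another tutorial's patterns through the `patterns` argument, for example the CakeHR Sign-on URL and Reply URL patterns.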
Configure Bynder SSO
To configure single sign-on on the Bynder side, you need to send the downloaded Metadata XML and the appropriate
copied URLs from the Azure portal to the Bynder support team. They configure this setting so that the SAML SSO
connection is set properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Bynder.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Bynder.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Bynder test user
In this section, a user called Britta Simon is created in Bynder. Bynder supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Bynder,
a new one is created after authentication.
NOTE
If you need to create a user manually, you need to contact the Bynder support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Bynder tile in the Access Panel, you should be automatically signed in to the Bynder for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with CA PPM
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate CA PPM with Azure Active Directory (Azure AD). Integrating CA PPM
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to CA PPM.
You can enable your users to be automatically signed-in to CA PPM (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with CA PPM, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
CA PPM single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
CA PPM supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type CA PPM, select CA PPM from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://ca.ondemand.saml.20.post.<companyname>
NOTE
This value is not real. Update this value with the actual Identifier. Contact the CA PPM Client support team to get this
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up CA PPM section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure CA PPM Single Sign-On
To configure single sign-on on the CA PPM side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the CA PPM support team. They configure this setting so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create CA PPM test user
In this section, you create a user called Britta Simon in CA PPM. Work with the CA PPM support team to add the users
to the CA PPM platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the CA PPM tile in the Access Panel, you should be automatically signed in to the CA PPM for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with CakeHR
10/18/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate CakeHR with Azure Active Directory (Azure AD). When you integrate
CakeHR with Azure AD, you can:
Control in Azure AD who has access to CakeHR.
Enable your users to be automatically signed-in to CakeHR with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
CakeHR single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
CakeHR supports SP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign-on URL text box, type a URL using the following pattern: https://<yourcakedomain>.cake.hr/
b. In the Reply URL text box, type a URL using the following pattern:
https://<yourcakedomain>.cake.hr/services/saml/consume
NOTE
These values are not real. Update these values with the actual Sign-On URL and Reply URL. Contact the CakeHR Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. In the SAML Signing Certificate section, click the Edit button to open the SAML Signing Certificate dialog.
6. In the SAML Signing Certificate section, copy the THUMBPRINT value and save it in Notepad.
7. On the Set up CakeHR section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, clicking Set up CakeHR directs you to the CakeHR application.
From there, provide the admin credentials to sign in to CakeHR. The browser extension then automatically
configures the application for you and automates steps 3-5.
3. If you want to set up CakeHR manually, open a new web browser window, sign in to your CakeHR
company site as an administrator, and perform the following steps:
4. In the top-right corner of the page, click Profile and then navigate to Settings.
5. From the left side of the menu bar, click INTEGRATIONS > SAML SSO and perform the following
steps:
a. In the Full name text box, enter the name of the user, such as B.Simon.
b. In the Work email text box, enter the email of the user, such as B.Simon@contoso.com.
c. Click CREATE ACCOUNT.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the CakeHR tile in the Access Panel, you should be automatically signed in to the CakeHR for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try CakeHR with Azure AD
Tutorial: Azure Active Directory integration with Canvas
11/19/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Canvas with Azure Active Directory (Azure AD). Integrating Canvas with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Canvas.
You can enable your users to be automatically signed-in to Canvas (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Canvas, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Canvas single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Canvas supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Canvas, select Canvas from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<tenant-name>.instructure.com/saml2
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Canvas Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. In the SAML Signing Certificate section, click the Edit button to open the SAML Signing Certificate dialog.
6. In the SAML Signing Certificate section, copy the THUMBPRINT and save it on your computer.
7. On the Set up Canvas section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Canvas Single Sign-On
1. In a different web browser window, log in to your Canvas company site as an administrator.
2. Go to Courses > Managed Accounts > Microsoft.
3. In the navigation pane on the left, select Authentication, and then click Add New SAML Config.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Canvas test user
To enable Azure AD users to log in to Canvas, they must be provisioned into Canvas. In the case of Canvas, user
provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to your Canvas tenant.
2. Go to Courses > Managed Accounts > Microsoft.
3. Click Users.
5. On the Add a New User dialog page, perform the following steps:
a. In the Full Name textbox, enter the name of the user, such as BrittaSimon.
b. In the Email textbox, enter the email of the user, such as brittasimon@contoso.com.
c. In the Login textbox, enter the user’s Azure AD email address like brittasimon@contoso.com.
d. Select Email the user about this account creation.
e. Click Add User.
NOTE
You can use any other Canvas user account creation tools or APIs provided by Canvas to provision Azure AD user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Capriza Platform
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Capriza Platform with Azure Active Directory (Azure AD). Integrating
Capriza Platform with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Capriza Platform.
You can enable your users to be automatically signed-in to Capriza Platform (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Capriza Platform, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Capriza Platform single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Capriza Platform supports SP initiated SSO
Capriza Platform supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Capriza Platform, select Capriza Platform from the result panel, then click the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact the Capriza Platform Client support team to
get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Capriza Platform section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Capriza Platform Single Sign-On
To configure single sign-on on the Capriza Platform side, you need to send the downloaded Certificate (Base64)
and the appropriate copied URLs from the Azure portal to the Capriza Platform support team. They configure this
setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Capriza Platform test user
The objective of this section is to create a user called Britta Simon in Capriza. Capriza supports just-in-time
provisioning, which is enabled by default. Make sure that your domain name is configured with
Capriza for user provisioning; just-in-time user provisioning works only after that.
There is no action item for you in this section. A new user is created during an attempt to access Capriza if the user
doesn't exist yet.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Capriza Platform tile in the Access Panel, you should be automatically signed in to the Capriza
Platform for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Carbonite Endpoint Backup with Azure Active Directory
8/8/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Carbonite Endpoint Backup with Azure Active Directory (Azure AD).
When you integrate Carbonite Endpoint Backup with Azure AD, you can:
Control in Azure AD who has access to Carbonite Endpoint Backup.
Enable your users to be automatically signed-in to Carbonite Endpoint Backup with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Carbonite Endpoint Backup single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Carbonite Endpoint Backup supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type one of the following URLs:
https://red-us.mysecuredatavault.com
https://red-apac.mysecuredatavault.com
https://red-fr.mysecuredatavault.com
https://red-emea.mysecuredatavault.com
https://kamino.mysecuredatavault.com
b. In the Reply URL text box, type one of the following URLs:
https://red-us.mysecuredatavault.com/AssertionConsumerService.aspx
https://red-apac.mysecuredatavault.com/AssertionConsumerService.aspx
https://red-fr.mysecuredatavault.com/AssertionConsumerService.aspx
https://red-emea.mysecuredatavault.com/AssertionConsumerService.aspx
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type one of the following URLs:
https://red-us.mysecuredatavault.com/
https://red-apac.mysecuredatavault.com/
https://red-fr.mysecuredatavault.com/
https://red-emea.mysecuredatavault.com/
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. On the Set up Carbonite Endpoint Backup section, copy the appropriate URL(s) based on your
requirement.
3. If you want to set up Carbonite Endpoint Backup manually, open a new web browser window, sign in to
your Carbonite Endpoint Backup company site as an administrator, and perform the following steps:
4. Click Company in the left pane.
a. In the Identity provider name textbox, paste the Azure AD Identifier value, which you have
copied from the Azure portal.
b. In the Identity provider URL textbox, paste the Login URL value, which you have copied from the
Azure portal.
c. Click Choose file to upload the downloaded Certificate (Base64) file from the Azure portal.
d. Click Save.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Carbonite Endpoint Backup.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Carbonite Endpoint Backup.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Carbonite Endpoint Backup test user
1. In a different web browser window, sign in to your Carbonite Endpoint Backup company site as an
administrator.
2. Click Users in the left pane and then click Add user.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Carlson Wagonlit Travel
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Carlson Wagonlit Travel with Azure Active Directory (Azure AD).
Integrating Carlson Wagonlit Travel with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Carlson Wagonlit Travel.
You can enable your users to be automatically signed-in to Carlson Wagonlit Travel (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Carlson Wagonlit Travel, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Carlson Wagonlit Travel single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Carlson Wagonlit Travel supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Carlson Wagonlit Travel, select Carlson Wagonlit Travel from the result panel, then
click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Carlson Wagonlit Travel section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Carlson Wagonlit Travel Single Sign-On
To configure single sign-on on the Carlson Wagonlit Travel side, send the downloaded Federation
Metadata XML and the appropriate URLs copied from the Azure portal to the Carlson Wagonlit Travel support team. They
apply these settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Carlson Wagonlit Travel test user
In this section, you create a user called Britta Simon in Carlson Wagonlit Travel. Work with Carlson Wagonlit Travel
support team to add the users in the Carlson Wagonlit Travel platform. Users must be created and activated before
you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Carlson Wagonlit Travel tile in the Access Panel, you should be automatically signed in to the
Carlson Wagonlit Travel for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with CBRE ServiceInsight
9/19/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate CBRE ServiceInsight with Azure Active Directory (Azure AD). When
you integrate CBRE ServiceInsight with Azure AD, you can:
Control in Azure AD who has access to CBRE ServiceInsight.
Enable your users to be automatically signed-in to CBRE ServiceInsight with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
CBRE ServiceInsight single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
CBRE ServiceInsight supports SP initiated SSO
CBRE ServiceInsight supports Just In Time user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL: https://adfs4.mainstreamsasp.com/adfs/ls/
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact CBRE ServiceInsight Client support team
to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try CBRE ServiceInsight with Azure AD
Tutorial: Azure Active Directory integration with
Central Desktop
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Central Desktop with Azure Active Directory (Azure AD). Integrating
Central Desktop with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Central Desktop.
You can enable your users to be automatically signed-in to Central Desktop (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Central Desktop, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Central Desktop single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Central Desktop supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Central Desktop, select Central Desktop from the result panel, then click the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
https://<companyname>.centraldesktop.com/saml2-metadata.php
https://<companyname>.imeetcentral.com/saml2-metadata.php
c. In the Reply URL text box, type a URL using the following pattern:
https://<companyname>.centraldesktop.com/saml2-assertion.php
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact Central
Desktop Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
6. On the Set up Central Desktop section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Central Desktop Single Sign-On
1. Sign in to your Central Desktop tenant.
2. Go to Settings. Select Advanced, and then select Single Sign On.
a. Select Certificate.
b. In the SSO Certificate list, select RSH SHA256.
c. Open your downloaded certificate in Notepad. Then copy the content of certificate and paste it into the
SSO Certificate field.
d. Select Display a link to your SAMLv2 login page.
e. Select Update.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Central Desktop test user
For Azure AD users to be able to sign in, they must be provisioned in the Central Desktop application. This section
describes how to create Azure AD user accounts in Central Desktop.
NOTE
To provision Azure AD user accounts, you can use any other Central Desktop user account creation tools or APIs that are
provided by Central Desktop.
To provision user accounts to Central Desktop:
1. Sign in to your Central Desktop tenant.
2. Select People and then select Add Internal Members.
3. In the Email Address of New Members box, type an Azure AD account that you want to provision, and
then select Next.
NOTE
The users that you add receive an email that includes a confirmation link for activating their accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Ceridian Dayforce HCM
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Ceridian Dayforce HCM with Azure Active Directory (Azure AD).
Integrating Ceridian Dayforce HCM with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Ceridian Dayforce HCM.
You can enable your users to be automatically signed-in to Ceridian Dayforce HCM (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Ceridian Dayforce HCM, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Ceridian Dayforce HCM single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Ceridian Dayforce HCM supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Ceridian Dayforce HCM, select Ceridian Dayforce HCM from the result panel, then
click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
ENVIRONMENT URL
ENVIRONMENT URL
c. In the Reply URL textbox, type the URL used by Azure AD to post the response.
ENVIRONMENT URL
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact
Ceridian Dayforce HCM Client support team to get these values. You can also refer to the patterns shown in the
Basic SAML Configuration section in the Azure portal.
5. The Ceridian Dayforce HCM application expects the SAML assertions in a specific format. Configure the
following claims for this application. You can manage the values of these attributes from the User
Attributes section on the application integration page. On the Set up Single Sign-On with SAML page, click the
Edit button to open the User Attributes dialog.
6. In the User Claims section on the User Attributes dialog, configure the SAML token attribute as shown in the
image above and perform the following steps:
NAME    SOURCE ATTRIBUTE
name    user.extensionattribute2
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, select the user attribute you want to use for your implementation. For
example, if you want to use the EmployeeID as unique user identifier and you have stored the attribute value
in the ExtensionAttribute2, then select user.extensionattribute2.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Metadata XML from the given options as per your requirement and save it on
your computer.
8. On the Set up Ceridian Dayforce HCM section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Ceridian Dayforce HCM Single Sign-On
To configure single sign-on on the Ceridian Dayforce HCM side, send the downloaded Metadata XML
and the appropriate URLs copied from the Azure portal to the Ceridian Dayforce HCM support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Ceridian Dayforce HCM test user
In this section, you create a user called Britta Simon in Ceridian Dayforce HCM. Work with Ceridian Dayforce HCM
support team to add the users in the Ceridian Dayforce HCM platform. Users must be created and activated before
you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Ceridian Dayforce HCM tile in the Access Panel, you should be automatically signed in to the
Ceridian Dayforce HCM for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Cerner Central
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Cerner Central with Azure Active Directory (Azure AD). Integrating
Cerner Central with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Cerner Central.
You can enable your users to be automatically signed-in to Cerner Central (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Cerner Central, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Cerner Central single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Cerner Central supports IDP initiated SSO
Cerner Central supports Automated user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Cerner Central, select Cerner Central from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<instancename>.cernercentral.com/session-api/protocol/saml2/metadata
https://<instancename>.sandboxcernercentral.com/session-api/protocol/saml2/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://<instancename>.cernercentral.com/session-api/protocol/saml2/sso
https://<instancename>.sandboxcernercentral.com/session-api/protocol/saml2/sso
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Cerner Central Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
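The Identifier and Reply URL patterns from step 4 can be checked before they are saved, since the Reply URL is where Azure AD posts the assertion. The following Python is an added example, not part of the original tutorial; the function names and the contoso instance are hypothetical, and instance names are assumed to be single DNS labels.

```python
import re
from urllib.parse import urlsplit

# Host and path patterns taken from the tutorial's Identifier / Reply URL step.
# Assumption: <instancename> is a single DNS label.
HOST_RE = re.compile(
    r"(?P<instance>[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)"
    r"\.(?P<env>cernercentral|sandboxcernercentral)\.com"
)
IDENTIFIER_PATH = "/session-api/protocol/saml2/metadata"
REPLY_PATH = "/session-api/protocol/saml2/sso"


def check_url(url, expected_path, label):
    """Return (host match or None, list of problems) for one configured URL."""
    if "<" in url or ">" in url:
        return None, [f"{label}: placeholder not replaced"]
    parts = urlsplit(url)
    errors = []
    if parts.scheme != "https":
        errors.append(f"{label}: scheme must be https")
    if parts.username is not None or parts.query or parts.fragment:
        errors.append(f"{label}: userinfo, query and fragment are not part of the pattern")
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = -1
    if port not in (None, 443):
        errors.append(f"{label}: unexpected port")
    # Match the parsed hostname in full, never a substring of the raw URL.
    match = HOST_RE.fullmatch(parts.hostname or "")
    if match is None:
        errors.append(f"{label}: host is outside the documented Cerner Central domains")
    if parts.path != expected_path:
        errors.append(f"{label}: path must be {expected_path}")
    return match, errors


def validate_cerner_saml_urls(identifier, reply_url):
    """Check both values and that they point at the same instance and environment."""
    id_match, errors = check_url(identifier, IDENTIFIER_PATH, "Identifier")
    reply_match, reply_errors = check_url(reply_url, REPLY_PATH, "Reply URL")
    errors = errors + reply_errors
    if id_match and reply_match:
        if id_match["env"] != reply_match["env"]:
            errors.append("Identifier and Reply URL mix production and sandbox domains")
        if id_match["instance"] != reply_match["instance"]:
            errors.append("Identifier and Reply URL name different instances")
    return errors


if __name__ == "__main__":
    # Constructed values for a hypothetical "contoso" instance.
    identifier = "https://contoso.cernercentral.com/session-api/protocol/saml2/metadata"
    reply = "https://contoso.sandboxcernercentral.com/session-api/protocol/saml2/sso"
    for problem in validate_cerner_saml_urls(identifier, reply) or ["no problems found"]:
        print(problem)
```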
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Cerner Central test user
Cerner Central application allows authentication from any federated identity provider. If a user is able to sign in to
the application home page, they are federated and have no need for any manual provisioning. You can find more
details here on how to configure automatic user provisioning.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Cerner Central tile in the Access Panel, you should be automatically signed in to the Cerner
Central for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Configure User Provisioning
Tutorial: Azure Active Directory integration with
Certain Admin SSO
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Certain Admin SSO with Azure Active Directory (Azure AD). Integrating
Certain Admin SSO with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Certain Admin SSO.
You can enable your users to be automatically signed-in to Certain Admin SSO (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Certain Admin SSO, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Certain Admin SSO single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Certain Admin SSO supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Certain Admin SSO, select Certain Admin SSO from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SUBDOMAIN>.certain.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Certain Admin SSO
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
6. On the Set up Certain Admin SSO section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Certain Admin SSO Single Sign-On
To configure single sign-on on the Certain Admin SSO side, send the downloaded Certificate (Raw)
and the appropriate URLs copied from the Azure portal to the Certain Admin SSO support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Certain Admin SSO test user
In this section, you create a user called Britta Simon in Certain Admin SSO. Work with Certain Admin SSO
support team to add the users in the Certain Admin SSO platform. Users must be created and activated before you
use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Certain Admin SSO tile in the Access Panel, you should be automatically signed in to the
Certain Admin SSO for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Certent Equity Management
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Certent Equity Management with Azure Active Directory (Azure AD).
Integrating Certent Equity Management with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Certent Equity Management.
You can enable your users to be automatically signed-in to Certent Equity Management (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Certent Equity Management, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Certent Equity Management single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Certent Equity Management supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Certent Equity Management, select Certent Equity Management from the result
panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<SUBDOMAIN>.certent.com/sys/sso/saml/acs.aspx
b. In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.certent.com/sys/sso/saml/acs.aspx
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Certent Integration
Analyst assigned by Customer Success Manager to get these values. You can also refer to the patterns shown in the
Basic SAML Configuration section in the Azure portal.
5. The Certent Equity Management application expects the SAML assertions in a specific format, which requires
you to add custom attribute mappings to your SAML token attributes configuration. The following
screenshot shows the list of default attributes. Click the Edit icon to open the User Attributes dialog.
6. For classic SSO, the Certent Equity Management application expects a few more attributes to be passed back in
the SAML response. In the User Claims section on the User Attributes dialog, perform the following steps to
add the SAML token attributes shown in the table below:
NAME       SOURCE ATTRIBUTE
COMPANY    user.companyname
USER       user.userprincipalname
ROLE       user.assignedroles
NOTE
Please click here to know how to configure Role in Azure AD
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. On the Set up Certent Equity Management section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
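The claim steps above, and the name claim in the Ceridian Dayforce HCM tutorial, can be verified against a SAML response captured while testing sign-on: a claim whose Namespace was not left blank arrives under a different Name and the application will not find it. The following Python is an added example, not part of the original tutorials; the sample responses and the schemas.example.test namespace are constructed, the function names are hypothetical, and the code checks claim names only (it does not validate the signature).

```python
import base64
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Claim names from the tutorials' claim tables (Namespace left blank).
REQUIRED_CLAIMS = {
    "Certent Equity Management": ["COMPANY", "USER", "ROLE"],
    "Ceridian Dayforce HCM": ["name"],
}

# Constructed sample responses: unsigned and trimmed to the attribute statement.
_WRAP = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
    "<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
    "</saml:Assertion></samlp:Response>"
)


def _attr(name, value):
    return (f'<saml:Attribute Name="{name}">'
            f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>")


SAMPLE_OK = _WRAP.format(attrs=_attr("COMPANY", "Contoso")
                         + _attr("USER", "britta.simon@contoso.example")
                         + _attr("ROLE", "Administrator"))
# COMPANY is absent and ROLE was saved with a (constructed) namespace.
SAMPLE_BAD = _WRAP.format(attrs=_attr("USER", "britta.simon@contoso.example")
                          + _attr("http://schemas.example.test/claims/ROLE", "Administrator"))
SAMPLE_BAD_B64 = base64.b64encode(SAMPLE_BAD.encode("utf-8")).decode("ascii")


def decode_post_binding(saml_response_b64):
    """Decode the SAMLResponse form field (HTTP-POST binding is plain base64)."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def collect_attributes(xml_text):
    """Map each Attribute Name to its non-empty AttributeValue strings."""
    # A SAML response never needs a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration found in SAML response")
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(SAML + "Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(SAML + "AttributeValue")]
        attrs.setdefault(attr.get("Name", ""), []).extend(v for v in values if v)
    return attrs


def check_claims(xml_text, app):
    """Return a list of problems with the claims the named application expects."""
    attrs = collect_attributes(xml_text)
    problems = []
    for claim in REQUIRED_CLAIMS[app]:
        if claim in attrs:
            if not attrs[claim]:
                problems.append(f"{claim}: present but has no value")
            continue
        # Azure AD emits "<namespace>/<name>" when the Namespace box is filled in.
        namespaced = [n for n in attrs if n.endswith("/" + claim)]
        if namespaced:
            problems.append(f"{claim}: emitted as {namespaced[0]}; Namespace was not left blank")
        else:
            problems.append(f"{claim}: missing from the assertion")
    return problems


if __name__ == "__main__":
    for problem in check_claims(decode_post_binding(SAMPLE_BAD_B64), "Certent Equity Management"):
        print(problem)
```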
Configure Certent Equity Management Single Sign-On
To configure single sign-on on the Certent Equity Management side, send the downloaded Federation
Metadata XML and the appropriate URLs copied from the Azure portal to the Certent Integration Analyst assigned by
the Customer Success Manager. They apply these settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Certent Equity Management test user
In this section, you create a user called Britta Simon in Certent Equity Management. Work with Certent Integration
Analyst assigned by Customer Success Manager to add the users in the Certent Equity Management platform.
Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Certent Equity Management tile in the Access Panel, you should be automatically signed in to
the Certent Equity Management for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Certify
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Certify with Azure Active Directory (Azure AD). Integrating Certify with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Certify.
You can enable your users to be automatically signed-in to Certify (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Certify, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Certify single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Certify supports IDP initiated SSO
Certify supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Certify, select Certify from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
6. On the Set up Certify section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Certify Single Sign-On
To configure single sign-on on the Certify side, send the downloaded Certificate (Raw) and the appropriate
URLs copied from the Azure portal to the Certify support team. They apply these settings so that the SAML SSO
connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Certify test user
In this section, a user called Britta Simon is created in Certify. Certify supports just-in-time user provisioning, which
is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Certify, a new
one is created after authentication.
NOTE
If you need to create a user manually, you need to contact the Certify support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Certify tile in the Access Panel, you should be automatically signed in to the Certify for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Cezanne HR Software
10/30/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Cezanne HR Software with Azure Active Directory (Azure AD).
Integrating Cezanne HR Software with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Cezanne HR Software.
You can enable your users to be automatically signed-in to Cezanne HR Software (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Cezanne HR Software, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Cezanne HR Software single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Cezanne HR Software supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Cezanne HR Software, select Cezanne HR Software from the result panel, then click the
Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
c. In the Reply URL textbox, type a URL using the following pattern:
https://w3.cezanneondemand.com:443/cezanneondemand/-/<tenantidentifier>/Saml/samlp
NOTE
These values are not real. Update these values with the actual Sign-On URL and Reply URL. Contact the Cezanne HR
Software Client support team to get these values.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Cezanne HR Software section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Cezanne HR Software Single Sign-On
1. In a different web browser window, sign-on to your Cezanne HR Software tenant as an administrator.
2. On the left navigation pane, click System Setup. Go to Security Settings. Then navigate to Single Sign-
On Configuration.
3. In the Allow users to log in using the following Single Sign-On (SSO) Service panel, check the SAML
2.0 box and select the Advanced Configuration option.
4. Click the Add New button.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Cezanne HR Software test user
In order to enable Azure AD users to log into Cezanne HR Software, they must be provisioned into Cezanne HR
Software. In the case of Cezanne HR Software, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log into your Cezanne HR Software company site as an administrator.
2. On the left navigation pane, click System Setup. Go to Manage Users. Then navigate to Add New User.
3. In the PERSON DETAILS section, perform the steps below:
6. Choose your Identity Provider for the Identity Provider field and, in the User Identifier text box, enter the
email address of the Britta Simon account.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Chargebee with Azure Active
Directory
8/9/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Chargebee with Azure Active Directory (Azure AD). When you
integrate Chargebee with Azure AD, you can:
Control in Azure AD who has access to Chargebee.
Enable your users to be automatically signed-in to Chargebee with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Chargebee single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Chargebee supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern: https://<domainname>.chargebee.com
b. In the Reply URL text box, type a URL using the following pattern:
https://app.chargebee.com/saml/<domainname>/acs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<domainname>.chargebee.com
NOTE
<domainname> is the name of the domain that the user creates after claiming the account. In case of any other
information, contact the Chargebee Client support team. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. On the Set up Chargebee section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
3. On the New Customer page, fill in the respective fields shown below and click Create Customer to create
the user.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Chargebee tile in the Access Panel, you should be automatically signed in to the Chargebee instance for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Cherwell
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Cherwell with Azure Active Directory (Azure AD). Integrating Cherwell
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Cherwell.
You can enable your users to be automatically signed-in to Cherwell (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Cherwell, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Cherwell single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Cherwell supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Cherwell, select Cherwell from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact the Cherwell Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Cherwell section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Cherwell Single Sign-On
To configure single sign-on on the Cherwell side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Cherwell support team. They apply these settings so that the SAML SSO
connection is set up properly on both sides.
NOTE
Your Cherwell support team has to do the actual SSO configuration. You will get a notification when SSO has been enabled
for your subscription.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Cherwell test user
To enable Azure AD users to sign in to Cherwell, they must be provisioned into Cherwell. In the case of Cherwell,
the user accounts need to be created by your Cherwell support team.
NOTE
You can use any other Cherwell user account creation tools or APIs provided by Cherwell to provision Azure Active Directory
user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Chromeriver
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Chromeriver with Azure Active Directory (Azure AD). Integrating
Chromeriver with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Chromeriver.
You can enable your users to be automatically signed-in to Chromeriver (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Chromeriver, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Chromeriver single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Chromeriver supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Chromeriver, select Chromeriver from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<subdomain>.chromeriver.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.chromeriver.com/login/sso/saml/consume?customerId=<uniqueid>
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact the Chromeriver Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Chromeriver section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Chromeriver Single Sign-On
To configure single sign-on on the Chromeriver side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the Chromeriver support team. They apply these settings so that the
SAML SSO connection is set up properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Chromeriver test user
To enable Azure AD users to log in to Chromeriver, they must be provisioned into Chromeriver. In the case of
Chromeriver, the user accounts need to be created by your Chromeriver support team.
NOTE
You can use any other Chromeriver user account creation tools or APIs provided by Chromeriver to provision Azure Active
Directory user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
ChronicX®
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate ChronicX® with Azure Active Directory (Azure AD). Integrating
ChronicX® with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to ChronicX®.
You can enable your users to be automatically signed-in to ChronicX® (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ChronicX®, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
ChronicX® single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ChronicX® supports SP initiated SSO
ChronicX® supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type ChronicX®, select ChronicX® from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The Sign-on URL value is not real. Update the value with the actual Sign-On URL. Contact the ChronicX® Client support
team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up ChronicX® section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure ChronicX Single Sign-On
To configure single sign-on on the ChronicX® side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the ChronicX® support team. They apply these settings so that the
SAML SSO connection is set up properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create ChronicX test user
In this section, a user called Britta Simon is created in ChronicX®. ChronicX® supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in ChronicX®, a new one is created after authentication.
NOTE
If you need to create a user manually, contact the ChronicX® support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Cimpl
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Cimpl with Azure Active Directory (Azure AD). Integrating Cimpl with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Cimpl.
You can enable your users to be automatically signed-in to Cimpl (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Cimpl, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Cimpl single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Cimpl supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Cimpl, select Cimpl from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://sso.etelesolv.com/<TENANTNAME>
NOTE
These values are not real. Update these values with the actual Sign-On URL and Identifier. Contact the Cimpl team at
+1 866-982-8250 to get these values.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Cimpl section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Cimpl Single Sign-On
To configure single sign-on on the Cimpl side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to Cimpl support at +1 866-982-8250. They apply these settings so that
the SAML SSO connection is set up properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Cimpl test user
The objective of this section is to create a user called Britta Simon in Cimpl. Work with Cimpl support at
+1 866-982-8250 to add the users in the Cimpl account.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Cimpl tile in the Access Panel, you should be automatically signed in to the Cimpl instance for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Cisco
Cloud
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Cisco Cloud with Azure Active Directory (Azure AD). Integrating Cisco
Cloud with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Cisco Cloud.
You can enable your users to be automatically signed-in to Cisco Cloud (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Cisco Cloud, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Cisco Cloud single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Cisco Cloud supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Cisco Cloud, select Cisco Cloud from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: <subdomain>.cisco.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.cisco.com/sp/ACS.saml2
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<subdomain>.cloudapps.cisco.com
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the Cisco
Cloud Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. Your Cisco Cloud application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click the Edit icon to open the User Attributes dialog.
7. In addition to the above, the Cisco Cloud application expects a few more attributes to be passed back in the SAML
response. In the User Claims section on the User Attributes dialog, perform the following steps to add
the SAML token attributes shown in the table below:
NAME | SOURCE ATTRIBUTE
country | user.country
company | user.companyname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
Configure Cisco Cloud Single Sign-On
To configure single sign-on on the Cisco Cloud side, you need to send the App Federation Metadata Url to the Cisco
Cloud support team. They apply these settings so that the SAML SSO connection is set up properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Cisco Cloud test user
In this section, you create a user called Britta Simon in Cisco Cloud. Work with Cisco Cloud support team to add
the users in the Cisco Cloud platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Cisco Cloud tile in the Access Panel, you should be automatically signed in to the Cisco Cloud instance
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate The Cloud Security Fabric with
Azure Active Directory
9/3/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate The Cloud Security Fabric with Azure Active Directory (Azure AD).
When you integrate The Cloud Security Fabric with Azure AD, you can:
Control in Azure AD who has access to The Cloud Security Fabric.
Enable your users to be automatically signed-in to The Cloud Security Fabric with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
The Cloud Security Fabric single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
The Cloud Security Fabric supports SP initiated SSO
https://platform.cloudlock.com
https://app.cloudlock.com
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://platform.cloudlock.com/gate/saml/sso/<subdomain>
https://app.cloudlock.com/gate/saml/sso/<subdomain>
NOTE
The Identifier value is not real. Update the value with the actual Identifier. Contact The Cloud Security Fabric Client
support team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. To modify the signing options as per your requirement, click the Edit button to open the SAML Signing
Certificate dialog.
a. Select the Sign SAML response and assertion option for Signing Option.
b. Select the SHA-256 option for Signing Algorithm.
c. Click Save.
7. On the Set up The Cloud Security Fabric section, copy the appropriate URL(s) based on your
requirement.
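A structural check for the signing options chosen in step 6, run against a SAML response captured from your own test sign-in. This is an added example, not part of the original tutorial or any vendor tooling; the sample responses are constructed, and the check inspects signature placement and algorithms only, without verifying any signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"


def signature_stub(ref_id, sig_alg, digest_alg):
    """Constructed ds:Signature skeleton (no key material or values)."""
    return (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        "<ds:SignedInfo>"
        f'<ds:SignatureMethod Algorithm="{sig_alg}"/>'
        f'<ds:Reference URI="#{ref_id}">'
        f'<ds:DigestMethod Algorithm="{digest_alg}"/>'
        "</ds:Reference></ds:SignedInfo></ds:Signature>"
    )


def build_sample(response_sig, assertion_sig):
    """Constructed samlp:Response with optional signatures at both levels."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_resp1" Version="2.0">'
        f"{response_sig}"
        f'<saml:Assertion ID="_assert1" Version="2.0">{assertion_sig}'
        "</saml:Assertion></samlp:Response>"
    )


def check_element(label, element, problems):
    """Append a finding for each way this element deviates from step 6."""
    sig = element.find("ds:Signature", NS)  # direct child only
    if sig is None:
        problems.append(f"{label}: not signed")
        return
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    reference = sig.find("ds:SignedInfo/ds:Reference", NS)
    digest = None if reference is None else reference.find("ds:DigestMethod", NS)
    sig_alg = None if method is None else method.get("Algorithm")
    digest_alg = None if digest is None else digest.get("Algorithm")
    if sig_alg != RSA_SHA256:
        problems.append(f"{label}: signature algorithm is {sig_alg}")
    if digest_alg != SHA256:
        problems.append(f"{label}: digest algorithm is {digest_alg}")
    # The signature should reference the element that contains it.
    if reference is None or reference.get("URI") != "#" + element.get("ID", ""):
        problems.append(f"{label}: signature does not reference this element")


def audit_signing(response_xml):
    """Return a list of findings; an empty list matches the step 6 settings."""
    root = ET.fromstring(response_xml)
    problems = []
    check_element("Response", root, problems)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("Assertion: not found (missing or encrypted)")
    else:
        check_element("Assertion", assertion, problems)
    return problems


# Constructed samples: one matching step 6, one signed at the response level
# only and with SHA-1.
GOOD = build_sample(
    signature_stub("_resp1", RSA_SHA256, SHA256),
    signature_stub("_assert1", RSA_SHA256, SHA256),
)
WEAK = build_sample(signature_stub("_resp1", RSA_SHA1, SHA1), "")

if __name__ == "__main__":
    print("GOOD:", audit_signing(GOOD))
    print("WEAK:", audit_signing(WEAK))
```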
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create The Cloud Security Fabric test user
In this section, you create a user called B.Simon in The Cloud Security Fabric. Work with The Cloud Security Fabric
support team to add the users in The Cloud Security Fabric platform. Users must be created and activated
before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click The Cloud Security Fabric tile in the Access Panel, you should be automatically signed in to
The Cloud Security Fabric instance for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory Single sign-on (SSO)
integration with Cisco Webex
9/18/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Cisco Webex with Azure Active Directory (Azure AD). When you
integrate Cisco Webex with Azure AD, you can:
Control in Azure AD who has access to Cisco Webex.
Enable your users to be automatically signed-in to Cisco Webex with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Cisco Webex single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Cisco Webex supports SP initiated
SSO and supports Automated user provisioning.
4. On the Basic SAML Configuration section, upload the downloaded Service Provider metadata file and
configure the application by performing the following steps:
NOTE
You will get the Service Provider Metadata file from the Configure Cisco Webex section, which is explained later in
the tutorial.
6. In addition to the above, the Cisco Webex application expects a few more attributes to be passed back in the SAML
response. In the User Claims section on the User Attributes dialog, perform the following steps to add
the SAML token attribute shown in the table below:
NAME        SOURCE ATTRIBUTE
uid         user.userprincipalname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
8. On the Set up Cisco Webex section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. In the Add Assignment dialog, click the Assign button.
3. Select Integrate a 3rd-party identity provider. (Advanced) and go to the next screen.
4. On the Import Idp Metadata page, either drag and drop the Azure AD metadata file onto the page or use
the file browser option to locate and upload the Azure AD metadata file. Then, select Require certificate
signed by a certificate authority in Metadata (more secure) and click Next.
5. Select Test SSO Connection, and when a new browser tab opens, authenticate with Azure AD by signing
in.
6. Return to the Cisco Cloud Collaboration Management browser tab. If the test was successful, select This
test was successful. Enable Single Sign-On option and click Next.
Create Cisco Webex test user
In this section, you create a user called B.Simon in Cisco Webex.
1. Go to the Cisco Cloud Collaboration Management with your full administrator credentials.
2. Click Users and then Manage Users.
3. In the Manage User window, select Manually add or modify users and click Next.
4. Select Names and Email address. Then, fill out the textbox as follows:
a. In the First Name textbox, type the user's first name, for example B.
b. In the Last Name textbox, type the user's last name, for example Simon.
c. In the Email address textbox, type the user's email address, for example b.simon@contoso.com.
5. Click the plus sign to add B.Simon. Then, click Next.
6. In the Add Services for Users window, click Save and then Finish.
Test SSO
When you select the Cisco Webex tile in the Access Panel, you should be automatically signed in to the Cisco
Webex for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Cisco Webex with Azure AD
Tutorial: Azure Active Directory integration with Cisco
Umbrella
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Cisco Umbrella with Azure Active Directory (Azure AD). Integrating
Cisco Umbrella with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Cisco Umbrella.
You can enable your users to be automatically signed-in to Cisco Umbrella (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Cisco Umbrella, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Cisco Umbrella single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Cisco Umbrella supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Cisco Umbrella, select Cisco Umbrella from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
a. If you wish to configure the application in SP initiated mode, perform the following steps:
b. Click Set additional URLs.
c. In the Sign-on URL textbox, type a URL: https://login.umbrella.com/sso
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Metadata XML from the given options as per your requirement and save it on
your computer.
6. On the Set up Cisco Umbrella section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Cisco Umbrella Single Sign-On
1. In a different browser window, sign on to your Cisco Umbrella company site as administrator.
2. From the menu on the left, click Admin, navigate to Authentication, and then click SAML.
3. Choose Other and click on NEXT.
5. On the Upload Metadata tab, if you had pre-configured SAML, select the Click here to change them option
and follow the steps below.
6. In Option A: Upload XML file, upload the Federation Metadata XML file that you downloaded from
the Azure portal. After the metadata is uploaded, the values below are populated automatically. Then click
NEXT.
7. Under Validate SAML Configuration section, click TEST YOUR SAML CONFIGURATION.
8. Click SAVE.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Cisco Umbrella test user
To enable Azure AD users to log in to Cisco Umbrella, they must be provisioned into Cisco Umbrella.
In the case of Cisco Umbrella, provisioning is a manual task.
To provision a user account, perform the following steps:
1. In a different browser window, sign on to your Cisco Umbrella company site as administrator.
2. From the menu on the left, click Admin and navigate to Accounts.
3. On the Accounts page, click on Add on the top right side of the page and perform the following steps.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Cisco Webex Meetings
10/7/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Cisco Webex Meetings with Azure Active Directory (Azure AD). When
you integrate Cisco Webex Meetings with Azure AD, you can:
Control in Azure AD who has access to Cisco Webex Meetings.
Enable your users to be automatically signed-in to Cisco Webex Meetings with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Cisco Webex Meetings single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Cisco Webex Meetings supports SP and IDP initiated SSO
Cisco Webex Meetings supports Just In Time user provisioning
Configure and test Azure AD single sign-on for Cisco Webex Meetings
Configure and test Azure AD SSO with Cisco Webex Meetings using a test user called B.Simon. For SSO to work,
you need to establish a link relationship between an Azure AD user and the related user in Cisco Webex Meetings.
To configure and test Azure AD SSO with Cisco Webex Meetings, complete the following building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure Cisco Webex Meetings SSO - to configure the single sign-on settings on application side.
a. Create Cisco Webex Meetings test user - to have a counterpart of B.Simon in Cisco Webex Meetings
that is linked to the Azure AD representation of user.
3. Test SSO - to verify whether the configuration works.
NOTE
You will get the Service Provider Metadata file from Configure Cisco Webex Meetings SSO section, which is
explained later in the tutorial.
4. If you wish to configure the application in SP initiated mode, perform the following steps:
a. On the Basic SAML Configuration section, click the edit/pen icon.
b. In the Sign on URL textbox, type the URL using the following pattern:
https://<customername>.my.webex.com
5. The Cisco Webex Meetings application expects the SAML assertions in a specific format, which requires you to
add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes. Click the Edit icon to open the User Attributes dialog.
6. In addition to the above, the Cisco Webex Meetings application expects a few more attributes to be passed back in the
SAML response. In the User Claims section on the User Attributes dialog, perform the following steps to
add the SAML token attributes shown in the table below:
NAME        SOURCE ATTRIBUTE
firstname   user.givenname
lastname    user.surname
email       user.mail
uid         user.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, select the attribute value shown for that row from the drop-down list.
f. Click Save.
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
8. On the Set up Cisco Webex Meetings section, copy the appropriate URL(s) based on your requirement.
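The claim mapping from step 6 can be checked against a decoded assertion captured from a test sign-in. The following is an added example, not part of the original tutorial: it verifies that firstname, lastname, email and uid arrive under their bare names, which is what leaving the Namespace blank in step c produces, and that uid and email carry the same value because both map to user.mail. The sample assertions and the namespace URI in them are constructed, and the check assumes an unencrypted assertion.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"

# Claim names from the table in step 6 of the tutorial.
REQUIRED_CLAIMS = ("firstname", "lastname", "email", "uid")


def build_assertion(attrs):
    """Build a constructed, unsigned assertion for the demonstration below."""
    body = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        f"</saml:AttributeValue></saml:Attribute>"
        for name, value in attrs
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}" ID="_constructed" '
        f'Version="2.0" IssueInstant="2019-10-07T00:00:00Z">'
        f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>"
    )


# Constructed sample: mapping configured as the table describes.
GOOD_ASSERTION = build_assertion([
    ("firstname", "B"), ("lastname", "Simon"),
    ("email", "b.simon@contoso.com"), ("uid", "b.simon@contoso.com"),
])

# Constructed sample: uid was saved with a namespace, lastname was never added.
BAD_ASSERTION = build_assertion([
    ("firstname", "B"), ("email", "b.simon@contoso.com"),
    ("http://schemas.example.test/claims/uid", "b.simon@contoso.com"),
])


def check_webex_claims(xml_text):
    """Return a list of problems with the claims; an empty list means none found.

    Accepts either a bare Assertion or a Response that wraps one. This checks
    claim configuration only and is no substitute for signature validation.
    """
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == ASSERTION_TAG else next(root.iter(ASSERTION_TAG), None)
    if assertion is None:
        raise ValueError("no plaintext Assertion found (missing or encrypted)")

    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        claims[attr.get("Name", "")] = values

    problems = []
    for name in REQUIRED_CLAIMS:
        if name in claims:
            if not any(claims[name]):
                problems.append(f"{name}: present but empty")
            continue
        # Same short name at the end of a longer URI: a namespace was set.
        namespaced = [n for n in claims
                      if n != name and n.rsplit("/", 1)[-1] == name]
        if namespaced:
            problems.append(
                f"{name}: sent as '{namespaced[0]}'; the Namespace field was not left blank")
        else:
            problems.append(
                f"{name}: missing; claim not configured or source attribute empty for this user")

    if "uid" in claims and "email" in claims and claims["uid"] != claims["email"]:
        problems.append("uid and email differ although both map to user.mail")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_webex_claims(sample) or "no problems found")
```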
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
f. Click Save.
NOTE
This configuration is only for the customers that use Webex UserID in email format.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Cisco Webex Meetings tile in the Access Panel, you should be automatically signed in to the
Cisco Webex Meetings for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try ServiceNow with Azure AD
Tutorial: Azure Active Directory integration with Citrix
NetScaler
7/16/2019 • 9 minutes to read
In this tutorial, you learn how to integrate Citrix NetScaler with Azure Active Directory (Azure AD). Integrating
Citrix NetScaler with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Citrix NetScaler.
You can enable your users to be automatically signed-in to Citrix NetScaler (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Citrix NetScaler, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Citrix NetScaler single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Citrix NetScaler supports SP initiated SSO
Citrix NetScaler supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Citrix NetScaler, select Citrix NetScaler from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern: https://<<Your FQDN>>
c. In the Reply URL (Assertion Consumer Service URL) text box, type a URL using the following pattern:
https://<<Your FQDN>>/CitrixAuthService/AuthService.asmx
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Citrix NetScaler
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
NOTE
In order to get SSO working, these URLs should be accessible from public sites. You need to enable the firewall or
other security settings on the NetScaler side to enable Azure AD to post the token to the configured ACS URL.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Citrix NetScaler section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Citrix NetScaler Single Sign-On
1. In a different web browser window, sign on to your Citrix NetScaler tenant as an administrator.
2. Make sure that the NetScaler Firmware Version = NS12.1: Build 48.13.nc.
e. On the Security tab, make the changes as shown in the screenshot below and click OK.
7. Make the ICA Connections connecting on Session Reliability Port 2598 as shown in the below screenshot.
8. On the SAML section, add the Servers as shown in the screenshot below.
9. On the SAML section, add the Policies as shown in the screenshot below.
13. On the Manage Authentication Methods - Corp pop-up, perform the following steps:
a. Select User name and password.
b. Select Pass-through from NetScaler Gateway.
c. Click OK.
14. On the Configure Trusted Domains pop-up, perform the following steps:
a. Select Deployment option as Use Receiver for HTML5 if local Receiver is unavailable.
b. Click OK.
20. On the Manage Beacons pop-up, perform the following steps:
a. Select the Internal beacon as Use the service URL.
b. Click Add to add your URLs in the External beacons textbox.
c. Click OK.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Citrix NetScaler test user
In this section, a user called Britta Simon is created in Citrix NetScaler. Citrix NetScaler supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Citrix NetScaler, a new one is created after authentication.
NOTE
If you need to create a user manually, you need to contact the Citrix NetScaler Client support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Citrix
ShareFile
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Citrix ShareFile with Azure Active Directory (Azure AD). Integrating
Citrix ShareFile with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Citrix ShareFile.
You can enable your users to be automatically signed-in to Citrix ShareFile (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Citrix ShareFile, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Citrix ShareFile single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Citrix ShareFile supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Citrix ShareFile, select Citrix ShareFile from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) textbox, type a URL using the following pattern:
https://<tenant-name>.sharefile.com
https://<tenant-name>.sharefile.com/saml/info
https://<tenant-name>.sharefile1.com/saml/info
https://<tenant-name>.sharefile1.eu/saml/info
https://<tenant-name>.sharefile.eu/saml/info
c. In the Reply URL textbox, type a URL using the following pattern:
https://<tenant-name>.sharefile.com/saml/acs
https://<tenant-name>.sharefile.eu/saml/<URL path>
https://<tenant-name>.sharefile.com/saml/<URL path>
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact Citrix
ShareFile Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Citrix ShareFile section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Citrix ShareFile Single Sign-On
1. In a different web browser window, log into your Citrix ShareFile company site as an administrator.
2. In the toolbar on the top, click Admin.
3. In the left navigation pane, select Configure Single Sign-On.
4. On the Single Sign-On/ SAML 2.0 Configuration dialog page under Basic Settings, perform the
following steps:
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Citrix ShareFile test user
In order to enable Azure AD users to log into Citrix ShareFile, they must be provisioned into Citrix ShareFile. In the
case of Citrix ShareFile, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to your Citrix ShareFile tenant.
2. Click Manage Users > Manage Users Home > + Create Employee.
3. On the Basic Information section, perform the following steps:
a. In the Email Address textbox, type the email address of Britta Simon as brittasimon@contoso.com.
b. In the First Name textbox, type the first name of the user as Britta.
c. In the Last Name textbox, type the last name of the user as Simon.
4. Click Add User.
NOTE
The Azure AD account holder will receive an email and follow a link to confirm their account before it becomes
active. You can use any other Citrix ShareFile user account creation tools or APIs provided by Citrix ShareFile to
provision Azure AD user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Civic Platform with Azure Active
Directory
7/25/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Civic Platform with Azure Active Directory (Azure AD). When you
integrate Civic Platform with Azure AD, you can:
Control in Azure AD who has access to Civic Platform.
Enable your users to be automatically signed-in to Civic Platform with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
Civic Platform single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Civic Platform supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern: https://<SUBDOMAIN>.accela.com
NOTE
The Sign on URL value is not real. Update this value with the actual Sign on URL. Contact Civic Platform Client
support team to get this value. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
6. Navigate to Azure Active Directory > App registrations in Azure AD, select your application.
7. Copy the Directory (tenant) ID and store it into Notepad.
8. Copy the Application ID and store it into Notepad.
9. Navigate to Azure Active Directory > App registrations in Azure AD, select your application. Select
Certificates & secrets.
10. Select Client secrets -> New client secret.
11. Provide a description of the secret, and a duration. When done, select Add.
NOTE
After saving the client secret, the value of the client secret is displayed. Copy this value because you aren't able to
retrieve the key later.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Civic Platform test user
In this section, you create a user called B.Simon in Civic Platform. Work with the Civic Platform Client support team
to add the users in Civic Platform. Users must be created and activated before you use single
sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Civic Platform tile in the Access Panel, you should be automatically signed in to the Civic
Platform for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Clarizen
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Clarizen with Azure Active Directory (Azure AD). Integrating Clarizen
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Clarizen.
You can enable your users to be automatically signed-in to Clarizen (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Clarizen, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Clarizen single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Clarizen supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Clarizen, select Clarizen from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a value: Clarizen
b. In the Reply URL text box, type a URL using the following pattern:
https://.clarizen.com/Clarizen/Pages/Integrations/SAML/SamlResponse.aspx
NOTE
These are not the real values. You have to use the actual identifier and reply URL. Here we suggest that you use the
unique value of a string as the identifier. To get the actual values, contact the Clarizen support team.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Clarizen section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Clarizen Single Sign-On
1. In a different web browser window, sign in to your Clarizen company site as an administrator.
2. Click your username, and then click Settings.
3. Click the Global Settings tab. Then, next to Federated Authentication, click edit.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Clarizen test user
The objective of this section is to create a user called Britta Simon in Clarizen.
If you need to create a user manually, perform the following steps:
To enable Azure AD users to sign in to Clarizen, you must provision user accounts. In the case of Clarizen,
provisioning is a manual task.
1. Sign in to your Clarizen company site as an administrator.
2. Click People.
a. In the Email box, type the email address of the Britta Simon account.
b. Click Invite.
NOTE
The Azure Active Directory account holder will receive an email and follow a link to confirm their account before it
becomes active.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Clear
Review
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Clear Review with Azure Active Directory (Azure AD). Integrating Clear
Review with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Clear Review.
You can enable your users to be automatically signed-in to Clear Review (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Clear Review, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Clear Review single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Clear Review supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Clear Review, select Clear Review from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<customer name>.clearreview.com/sso/metadata/
b. In the Reply URL text box, type a URL using the following pattern:
https://<customer name>.clearreview.com/sso/acs/
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<customer name>.clearreview.com
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact Clear
Review Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. Clear Review application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes, where nameidentifier is mapped with user.userprincipalname. Clear
Review application expects nameidentifier to be mapped with user.mail, so you need to edit the attribute
mapping by clicking the Edit icon and changing the attribute mapping.
7. On the User Attributes & Claims dialog, perform the following steps:
a. Click Edit icon on the right of Name identifier value.
b. From the Source attribute list, select the user.mail attribute value for that row.
c. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
9. On the Set up Clear Review section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Clear Review Single Sign-On
1. To configure single sign-on on Clear Review side, open the Clear Review portal with admin credentials.
2. Select Admin from the left navigation.
3. In the Integrations section at the bottom of the page click the Change button to the right of Single Sign-
On Settings.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Clear Review test user
In this section, you create a user called Britta Simon in Clear Review. Please work with Clear Review support team
to add the users in the Clear Review platform.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Clear Review tile in the Access Panel, you should be automatically signed in to the Clear Review
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with ClearCompany
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate ClearCompany with Azure Active Directory (Azure AD). Integrating
ClearCompany with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to ClearCompany.
You can enable your users to be automatically signed-in to ClearCompany (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ClearCompany, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
ClearCompany single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ClearCompany supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type ClearCompany, select ClearCompany from result panel then click Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Identifier text box, type a URL using the following pattern: https://api.clearcompany.com
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<companyname>.clearcompany.com
NOTE
The Sign-on URL value is not real. Update the value with the actual Sign-on URL. Contact ClearCompany Client
support team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up ClearCompany section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure ClearCompany Single Sign-On
To configure single sign-on on ClearCompany side, you need to send the downloaded Certificate (Base64) and
appropriate copied URLs from Azure portal to ClearCompany support team. They configure this setting so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create ClearCompany test user
In this section, you create a user called Britta Simon in ClearCompany. Work with ClearCompany support team to
add the users in the ClearCompany platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ClearCompany tile in the Access Panel, you should be automatically signed in to the
ClearCompany for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Clever
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Clever with Azure Active Directory (Azure AD). Integrating Clever with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Clever.
You can enable your users to be automatically signed-in to Clever (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Clever, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Clever single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Clever supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Clever, select Clever from result panel then click Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
NOTE
The Sign on URL value is not real. Update the value with the actual Sign on URL. Contact Clever Client support team
to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
5. Clever application expects the SAML assertions in a specific format. Configure the following claims for this
application. You can manage the values of these attributes from the User Attributes section on application
integration page. On the Set up Single Sign-On with SAML page, click Edit button to open User
Attributes dialog.
6. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
NAME                                           SOURCE ATTRIBUTE
clever.teacher.credentials.district_username   user.userprincipalname
clever.student.credentials.district_username   user.userprincipalname
clever.staff.credentials.district_username     user.userprincipalname
Firstname                                      user.givenname
Lastname                                       user.surname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy App Federation Metadata Url and save it on your computer.
Configure Clever Single Sign-On
1. In a different web browser window, log in to your Clever company site as an administrator.
2. In the toolbar, click Instant Login.
NOTE
Before you can test single sign-on, you have to contact Clever Client support team to enable Office 365 SSO in the
back end.
NOTE
The Login URL is a custom value. Contact Clever Client support team to get this value.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Clever test user
To enable Azure AD users to log in to Clever, they must be provisioned into Clever.
In the case of Clever, work with Clever Client support team to add the users in the Clever platform. Users must be
created and activated before you use single sign-on.
NOTE
You can use any other Clever user account creation tools or APIs provided by Clever to provision Azure AD user accounts.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Clever tile in the Access Panel, you should be automatically signed in to the Clever for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Clever Nelly with Azure Active Directory
7/5/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Clever Nelly with Azure Active Directory (Azure AD). When you integrate
Clever Nelly with Azure AD, you can:
Control in Azure AD who has access to Clever Nelly.
Enable your users to be automatically signed-in to Clever Nelly with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with Azure
Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
Clever Nelly single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Clever Nelly supports SP and IDP initiated
SSO.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, enter the
values for the following fields:
a. In the Identifier text box, type a URL:
Test https://test.elephantsdontforget.com/plato
Production https://secure.elephantsdontforget.com/plato
Test https://test.elephantsdontforget.com/plato/callback?client_name=SAML2Client
Production https://secure.elephantsdontforget.com/plato/callback?client_name=SAML2Client
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP initiated
mode:
In the Sign-on URL text box, type a URL:
Test https://test.elephantsdontforget.com/plato/sso/microsoft/index.xhtml
Production https://secure.elephantsdontforget.com/plato/sso/microsoft/index.xhtml
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact Clever Nelly Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy button to
copy App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the bottom of the
screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate role for the
user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Clever Nelly test user
In this section, you create a user called Britta Simon in Clever Nelly. Work with Clever Nelly support team to add the users
in the Clever Nelly platform. Users must be created and activated before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Clever Nelly tile in the Access Panel, you should be automatically signed in to the Clever Nelly for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with ClickTime
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate ClickTime with Azure Active Directory (Azure AD). Integrating ClickTime
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to ClickTime.
You can enable your users to be automatically signed-in to ClickTime (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ClickTime, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
ClickTime single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ClickTime supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type ClickTime, select ClickTime from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL: https://app.clicktime.com/sp/
b. In the Reply URL text box, type a URL using the following pattern:
https://app.clicktime.com/Login/
https://app.clicktime.com/App/Login/Consume.aspx
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up ClickTime section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure ClickTime Single Sign-On
1. In a different web browser window, log into your ClickTime company site as an administrator.
2. In the toolbar on the top, click Preferences, and then click Security Settings.
3. In the Single Sign-On Preferences configuration section, perform the following steps:
a. Select Allow sign-in using Single Sign-On (SSO) with Azure AD.
b. In the Identity Provider Endpoint textbox, paste Login URL which you have copied from Azure portal.
c. Open the base-64 encoded certificate downloaded from Azure portal in Notepad, copy the content,
and then paste it into the X.509 Certificate textbox.
d. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create ClickTime test user
In order to enable Azure AD users to log into ClickTime, they must be provisioned into ClickTime.
In the case of ClickTime, provisioning is a manual task.
NOTE
You can use any other ClickTime user account creation tools or APIs provided by ClickTime to provision Azure AD user
accounts.
To provision a user account, perform the following steps:
1. Log in to your ClickTime tenant.
2. In the toolbar on the top, click Company, and then click People.
a. In the full name textbox, type full name of user like Britta Simon.
b. In the email address textbox, type the email of user like brittasimon@contoso.com.
NOTE
If you want to, you can set additional properties of the new person object.
c. Click Save.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ClickTime tile in the Access Panel, you should be automatically signed in to the ClickTime for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with ClickUp Productivity Platform
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate ClickUp Productivity Platform with Azure Active Directory (Azure AD).
Integrating ClickUp Productivity Platform with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to ClickUp Productivity Platform.
You can enable your users to be automatically signed-in to ClickUp Productivity Platform (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ClickUp Productivity Platform, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
ClickUp Productivity Platform single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ClickUp Productivity Platform supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type ClickUp Productivity Platform, select ClickUp Productivity Platform from
result panel then click Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://api.clickup.com/v1/team/<team_id>/microsoft
NOTE
The Identifier value is not real. Update this value with the actual Identifier, which is explained later in this tutorial.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy App Federation Metadata Url and save it on your computer.
4. On the Configure Microsoft Single Sign On page, perform the following steps:
a. Click Copy to copy the Entity ID value and paste it into the Identifier (Entity ID) textbox in the Basic
SAML Configuration section in the Azure portal.
b. In the Azure Federation Metadata URL textbox, paste the App Federation Metadata Url value, which
you have copied from the Azure portal and then click Save.
5. To complete the setup, click Authenticate With Microsoft and authenticate with a Microsoft account.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create ClickUp Productivity Platform test user
1. In a different web browser window, sign on to your ClickUp Productivity Platform tenant as an
administrator.
2. Click on the User profile and select Users.
3. Enter the email address of the user in the textbox and click Invite.
NOTE
The user will get the notification and they must accept the invitation to activate the account.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Cloud Management Portal for Microsoft Azure
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Cloud Management Portal for Microsoft Azure with Azure Active
Directory (Azure AD). Integrating Cloud Management Portal for Microsoft Azure with Azure AD provides you with
the following benefits:
You can control in Azure AD who has access to Cloud Management Portal for Microsoft Azure.
You can enable your users to be automatically signed-in to Cloud Management Portal for Microsoft Azure
(Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Cloud Management Portal for Microsoft Azure, you need the following
items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Cloud Management Portal for Microsoft Azure single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Cloud Management Portal for Microsoft Azure supports SP initiated SSO
Adding Cloud Management Portal for Microsoft Azure from the gallery
To configure the integration of Cloud Management Portal for Microsoft Azure into Azure AD, you need to add
Cloud Management Portal for Microsoft Azure from the gallery to your list of managed SaaS apps.
To add Cloud Management Portal for Microsoft Azure from the gallery, perform the following steps:
1. In the Azure portal, on the left navigation panel, click Azure Active Directory icon.
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Cloud Management Portal for Microsoft Azure, select Cloud Management
Portal for Microsoft Azure from result panel then click Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
https://portal.newsignature.com/<instancename>
https://portal.igcm.com/<instancename>
https://<subdomain>.igcm.com
https://<subdomain>.newsignature.com
c. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.igcm.com/<instancename>
https://<subdomain>.newsignature.com
https://<subdomain>.newsignature.com/<instancename>
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact Cloud
Management Portal for Microsoft Azure Client support team to get these values. You can also refer to the patterns
shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Cloud Management Portal for Microsoft Azure section, copy the appropriate URL(s) as
per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Cloud Management Portal for Microsoft Azure Single Sign-On
To configure single sign-on on Cloud Management Portal for Microsoft Azure side, you need to send the
downloaded Certificate (Base64) and appropriate copied URLs from Azure portal to Cloud Management Portal
for Microsoft Azure support team. They configure this setting so that the SAML SSO connection is set properly
on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. In the applications list, select Cloud Management Portal for Microsoft Azure.
3. In the menu on the left, select Users and groups.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Cloud Management Portal for Microsoft Azure test user
In this section, you create a user called Britta Simon in Cloud Management Portal for Microsoft Azure. Work
with Cloud Management Portal for Microsoft Azure support team to add the users in the Cloud Management
Portal for Microsoft Azure platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Cloud Management Portal for Microsoft Azure tile in the Access Panel, you should be
automatically signed in to the Cloud Management Portal for Microsoft Azure for which you set up SSO. For more
information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with Cloudmore
10/27/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Cloudmore with Azure Active Directory (Azure AD). When you
integrate Cloudmore with Azure AD, you can:
Control in Azure AD who has access to Cloudmore.
Enable your users to be automatically signed-in to Cloudmore with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Cloudmore single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Cloudmore supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://www.cloudmore.com
6. Click Save.
7. The Cloudmore application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
8. In addition to the above, the Cloudmore application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you can review them as per
your requirements.
NAME SOURCE ATTRIBUTE
Test_name user.companyname
Mail user.userprincipalname
9. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Cloudmore tile in the Access Panel, you should be automatically signed in to the Cloudmore for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Cloudmore with Azure AD
Tutorial: Azure Active Directory integration with
CloudPassage
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate CloudPassage with Azure Active Directory (Azure AD). Integrating
CloudPassage with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to CloudPassage.
You can enable your users to be automatically signed-in to CloudPassage (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with CloudPassage, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
CloudPassage single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
CloudPassage supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type CloudPassage, select CloudPassage from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Reply URL text box, type a URL using the following pattern:
https://portal.cloudpassage.com/saml/consume/accountid . You can get your value for this attribute by clicking
SSO Setup documentation in the Single Sign-on Settings section of your CloudPassage portal.
NOTE
These values are not real. Update these values with the actual Sign-On URL and Reply URL. Contact the CloudPassage
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The CloudPassage application expects the SAML assertions in a specific format. Configure the following claims
for this application. You can manage the values of these attributes from the User Attributes section on the
application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the
User Attributes dialog.
6. In the User Claims section on the User Attributes dialog, edit the claims by using the Edit icon or add the
claims by using Add new claim to configure the SAML token attributes as shown in the image above and
perform the following steps:
NAME SOURCE ATTRIBUTE
firstname user.givenname
lastname user.surname
email user.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
8. On the Set up CloudPassage section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
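The claim names configured in step 6 can be checked against an assertion captured during a test sign-in, which catches the common mistake of leaving a namespace on a claim that the application expects by its short name. The following is an added example, not part of the original tutorial or of CloudPassage's tooling; the sample assertion is constructed and the function names are hypothetical. It inspects attribute names only and does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names from the tutorial's table for CloudPassage (Name -> Source attribute).
CLOUDPASSAGE_CLAIMS = {
    "firstname": "user.givenname",
    "lastname": "user.surname",
    "email": "user.mail",
}

# Constructed sample: the AttributeStatement of an assertion captured during a test
# sign-in (signature, subject and conditions omitted). "lastname" was saved with a
# namespace still filled in, and "email" was never added.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname">
      <saml:AttributeValue>Britta</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname">
      <saml:AttributeValue>Simon</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

HINTS = {
    "ok": "present with a value",
    "empty": "present but empty; check that the user has a value for {source}",
    "namespaced": "sent under a URI-prefixed name; clear the Namespace box for this claim",
    "missing": "not sent; add a claim named '{name}' with source attribute {source}",
}


def read_attributes(assertion_xml):
    """Return {attribute Name: [values]} from every AttributeStatement in the XML."""
    # A SAML assertion never needs a DTD, so refuse one instead of letting the
    # parser expand entity declarations.
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        raise ValueError("DTD or entity declaration found in SAML XML")
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes.setdefault(attr.get("Name", ""), []).extend(values)
    return attributes


def check_claims(assertion_xml, expected=CLOUDPASSAGE_CLAIMS):
    """Classify each expected claim as ok, empty, namespaced or missing."""
    attributes = read_attributes(assertion_xml)
    report = {}
    for name in expected:
        if name in attributes:
            report[name] = "ok" if any(attributes[name]) else "empty"
            continue
        # Same short name behind a URI prefix: the Namespace box was not left blank.
        prefixed = [n for n in attributes if n.endswith("/" + name)]
        report[name] = "namespaced" if prefixed else "missing"
    return report


def format_report(report, expected=CLOUDPASSAGE_CLAIMS):
    """Turn the status of each claim into a line an administrator can act on."""
    return ["%-10s %s" % (name, HINTS[status].format(name=name, source=expected[name]))
            for name, status in report.items()]


if __name__ == "__main__":
    print("\n".join(format_report(check_claims(SAMPLE_ASSERTION))))
```

Passing a different name-to-source mapping as `expected` reuses the same check for the other claim tables in these tutorials.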
Configure CloudPassage Single Sign-On
1. In a different browser window, sign-on to your CloudPassage company site as administrator.
2. In the menu on the top, click Settings, and then click Site Administration.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create CloudPassage test user
The objective of this section is to create a user called Britta Simon in CloudPassage.
To create a user called Britta Simon in CloudPassage, perform the following steps:
1. Sign-on to your CloudPassage company site as an administrator.
2. In the toolbar on the top, click Settings, and then click Site Administration.
3. Click the Users tab, and then click Add New User.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Cloud Service PICCO
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Cloud Service PICCO with Azure Active Directory (Azure AD).
Integrating Cloud Service PICCO with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Cloud Service PICCO.
You can enable your users to be automatically signed-in to Cloud Service PICCO (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Cloud Service PICCO, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Cloud Service PICCO single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Cloud Service PICCO supports SP initiated SSO
Cloud Service PICCO supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Cloud Service PICCO, select Cloud Service PICCO from the result panel, then click the
Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier box, type a URL using the following pattern: <SUB DOMAIN>.cloudservicepicco.com
c. In the Reply URL text box, type a URL using the following pattern:
https://<SUB DOMAIN>.cloudservicepicco.com/app
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact the Cloud
Service PICCO Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Cloud Service PICCO test user
In this section, a user called Britta Simon is created in Cloud Service PICCO. Cloud Service PICCO supports just-in-
time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't
already exist in Cloud Service PICCO, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Cloud Service PICCO tile in the Access Panel, you should be automatically signed in to the
Cloud Service PICCO for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Cobalt
10/17/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Cobalt with Azure Active Directory (Azure AD). When you integrate
Cobalt with Azure AD, you can:
Control in Azure AD who has access to Cobalt.
Enable your users to be automatically signed-in to Cobalt with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Cobalt single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Cobalt supports SP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL using the following pattern:
https://brightside-prod-<INSTANCENAME>.cobaltdl.com
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact the Cobalt Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. The Cobalt application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
6. In addition to the above, the Cobalt application expects a few more attributes to be passed back in the SAML response,
which are shown below. These attributes are also pre-populated, but you can review them as per your
requirement.
NAME SOURCE ATTRIBUTE
Mail user.mail
Othermail user.othermail
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
8. On the Set up Cobalt section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Cobalt tile in the Access Panel, you should be automatically signed in to the Cobalt for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Cobalt with Azure AD
Tutorial: Integrate Cognidox with Azure Active
Directory
7/24/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Cognidox with Azure Active Directory (Azure AD). When you integrate
Cognidox with Azure AD, you can:
Control in Azure AD who has access to Cognidox.
Enable your users to be automatically signed-in to Cognidox with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Cognidox single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Cognidox supports SP and IDP initiated SSO
Cognidox supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern: urn:net.cdox.<YOURCOMPANY>
b. In the Reply URL text box, type a URL using the following pattern:
https://<YOURCOMPANY>.cdox.net/auth/postResponse
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<YOURCOMPANY>.cdox.net/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the
Cognidox Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. The Cognidox application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes. Click the Edit icon to open the User Attributes dialog.
7. In addition to the above, the Cognidox application expects a few more attributes to be passed back in the SAML
response. In the User Claims section on the User Attributes dialog, perform the following steps to add the
SAML token attributes as shown in the table below:
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. In the Namespace textbox, type the namespace shown for that row.
d. Select Source as Transformation.
e. From the Transformation list, type the value shown for that row.
f. From the Parameter 1 list, type the value shown for that row.
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
9. On the Set up Cognidox section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Cognidox test user
In this section, a user called B.Simon is created in Cognidox. Cognidox supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in
Cognidox, a new one is created after authentication.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Cognidox tile in the Access Panel, you should be automatically signed in to the Cognidox for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Collaborative Innovation
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Collaborative Innovation with Azure Active Directory (Azure AD).
Integrating Collaborative Innovation with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Collaborative Innovation.
You can enable your users to be automatically signed-in to Collaborative Innovation (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Collaborative Innovation, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Collaborative Innovation single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Collaborative Innovation supports SP initiated SSO
Collaborative Innovation supports just in time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Collaborative Innovation, select Collaborative Innovation from the result panel,
then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<instancename>.foundry.<companyname>.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Collaborative
Innovation Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. The Collaborative Innovation application expects the SAML assertions in a specific format. Configure the
following claims for this application. You can manage the values of these attributes from the User
Attributes section on the application integration page. On the Set up Single Sign-On with SAML page, click the
Edit button to open the User Attributes dialog.
6. In the User Claims section on the User Attributes dialog, edit the claims by using the Edit icon or add the
claims by using Add new claim to configure the SAML token attributes as shown in the image above and
perform the following steps:
NAME SOURCE ATTRIBUTE
givenname user.givenname
surname user.surname
emailaddress user.userprincipalname
name user.userprincipalname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. On the Set up Collaborative Innovation section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Collaborative Innovation Single Sign-On
To configure single sign-on on the Collaborative Innovation side, you need to send the downloaded Federation
Metadata XML and the appropriate copied URLs from the Azure portal to the Collaborative Innovation support team. They
configure this setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Collaborative Innovation test user
To enable Azure AD users to log in to Collaborative Innovation, they must be provisioned into Collaborative
Innovation.
For this application, provisioning is automatic because the application supports just-in-time user provisioning, so
there is no need to perform any steps here.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Collaborative Innovation tile in the Access Panel, you should be automatically signed in to the
Collaborative Innovation for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Comeet Recruiting Software
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Comeet Recruiting Software with Azure Active Directory (Azure AD).
Integrating Comeet Recruiting Software with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Comeet Recruiting Software.
You can enable your users to be automatically signed-in to Comeet Recruiting Software (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Comeet Recruiting Software, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Comeet Recruiting Software single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Comeet Recruiting Software supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Comeet Recruiting Software, select Comeet Recruiting Software from the result
panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://app.comeet.co/adfs_auth/acs/<UNIQUEID>/
b. In the Reply URL text box, type a URL using the following pattern:
https://app.comeet.co/adfs_auth/acs/<UNIQUEID>/
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact the Comeet Recruiting
Software Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
6. The Comeet Recruiting Software application expects the SAML assertions in a specific format. Configure the
following claims for this application. You can manage the values of these attributes from the User
Attributes section on the application integration page. On the Set up Single Sign-On with SAML page, click the
Edit button to open the User Attributes dialog.
7. In the User Claims section on the User Attributes dialog, edit the claims by using the Edit icon or add the
claims by using Add new claim to configure the SAML token attributes as shown in the image above and
perform the following steps:
NAME SOURCE ATTRIBUTE
nameidentifier user.mail
comeet_id user.userprincipalname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
9. On the Set up Comeet Recruiting Software section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Comeet Recruiting Software Single Sign-On
To configure single sign-on on the Comeet Recruiting Software side, you need to send the downloaded Federation
Metadata XML and the appropriate copied URLs from the Azure portal to the Comeet Recruiting Software support team.
They configure this setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Comeet Recruiting Software test user
In this section, you create a user called Britta Simon in Comeet Recruiting Software. Work with the Comeet Recruiting
Software support team to add the users in the Comeet Recruiting Software platform. Users must be created and
activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Comeet Recruiting Software tile in the Access Panel, you should be automatically signed in to
the Comeet Recruiting Software for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Comm100 Live Chat
10/30/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Comm100 Live Chat with Azure Active Directory (Azure AD). Integrating
Comm100 Live Chat with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Comm100 Live Chat.
You can enable your users to be automatically signed-in to Comm100 Live Chat (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Comm100 Live Chat, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Comm100 Live Chat single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Comm100 Live Chat supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Comm100 Live Chat, select Comm100 Live Chat from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The Sign-on URL value is not real. You will update the Sign-on URL value with the actual Sign-on URL, which is
explained later in the tutorial.
5. Comm100 Live Chat application expects the SAML assertions in a specific format. Configure the following
claims for this application. You can manage the values of these attributes from the User Attributes section
on application integration page. On the Set up Single Sign-On with SAML page, click Edit button to
open User Attributes dialog.
6. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
email user.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
8. On the Set up Comm100 Live Chat section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Comm100 Live Chat Single Sign-On
1. In a different web browser window, log in to Comm100 Live Chat as a Security Administrator.
2. On the top right side of the page, click My Account.
3. From the left side of the menu, click Security and then click Agent Single Sign-On.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Comm100 Live Chat test user
To enable Azure AD users to log in to Comm100 Live Chat, they must be provisioned into Comm100 Live Chat. In
Comm100 Live Chat, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to Comm100 Live Chat as a Security Administrator.
2. On the top right side of the page, click My Account.
3. From the left side of the menu, click Agents and then click New Agent.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Communifire
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Communifire with Azure Active Directory (Azure AD). Integrating
Communifire with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Communifire.
You can enable your users to be automatically signed-in to Communifire (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Communifire, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Communifire single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Communifire supports SP and IDP initiated SSO
Communifire supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Communifire, select Communifire from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<subdomain>.communifire.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.communifire.com/SAML/AssertionConsumerService.aspx
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<subdomain>.communifire.com/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
Communifire Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. In the SAML Signing Certificate section, click Edit button to open SAML Signing Certificate dialog and
perform the following step.
a. Select Sign SAML response and assertion from the Signing Option.
b. Click Save
8. On the Set up Communifire section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Communifire Single Sign-On
To configure single sign-on on the Communifire side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the Communifire support team. They apply this setting so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Communifire test user
The objective of this section is to create a user called Britta Simon in Communifire. Communifire supports just-in-
time provisioning, which is by default enabled. A new user is created after saving the profile details during an
attempt to access Communifire if it doesn't exist yet.
NOTE
If you need to create a user manually, contact the Communifire support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
CompetencyIQ
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate CompetencyIQ with Azure Active Directory (Azure AD). Integrating
CompetencyIQ with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to CompetencyIQ.
You can enable your users to be automatically signed-in to CompetencyIQ (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with CompetencyIQ, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
CompetencyIQ single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
CompetencyIQ supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type CompetencyIQ, select CompetencyIQ from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The Sign on URL value is not real. Update the value with the actual Sign on URL. Contact CompetencyIQ Client
support team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up CompetencyIQ section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure CompetencyIQ Single Sign-On
To configure single sign-on on the CompetencyIQ side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the CompetencyIQ support team. They apply this
setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create CompetencyIQ test user
In this section, you create a user called Britta Simon in CompetencyIQ. Work with CompetencyIQ support team to
add the users in the CompetencyIQ platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the CompetencyIQ tile in the Access Panel, you should be automatically signed in to the
CompetencyIQ for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Compliance ELF
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Compliance ELF with Azure Active Directory (Azure AD). Integrating
Compliance ELF with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Compliance ELF.
You can enable your users to be automatically signed-in to Compliance ELF (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Compliance ELF, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Compliance ELF single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Compliance ELF supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Compliance ELF, select Compliance ELF from the result panel, then click the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Identifier text box, type a URL: https://sso.cordium.com
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<subdomain>.complianceelf.com
NOTE
The Sign on URL value is not real. Update the value with the actual Sign on URL. Contact Compliance ELF Client
support team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Compliance ELF test user
In this section, you create a user called Britta Simon in Compliance ELF. Work with Compliance ELF support team
to add the users in the Compliance ELF platform. Users must be created and activated before you use single sign-
on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Compliance ELF tile in the Access Panel, you should be automatically signed in to the
Compliance ELF for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Concur
8/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Concur with Azure Active Directory (Azure AD). When you integrate
Concur with Azure AD, you can:
Control in Azure AD who has access to Concur.
Enable your users to be automatically signed-in to Concur with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Concur single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Concur supports SP initiated SSO
Concur supports Just In Time user provisioning
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<customer-domain>.concursolutions.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Concur Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up Concur section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
The configuration of your Concur subscription for federated SSO via SAML is a separate task, which you must contact Concur
Client support team to perform.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Concur tile in the Access Panel, you should be automatically signed in to the Concur for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Concur with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Concur Travel and Expense
10/15/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Concur Travel and Expense with Azure Active Directory (Azure AD).
When you integrate Concur Travel and Expense with Azure AD, you can:
Control in Azure AD who has access to Concur Travel and Expense.
Enable your users to be automatically signed-in to Concur Travel and Expense with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Concur Travel and Expense subscription.
A "Company Administrator" role under your Concur user account. You can test if you have the right access by
going to Concur SSO Self-Service Tool. If you do not have the access, please contact Concur support or
implementation project manager.
Scenario description
In this tutorial, you configure and test Azure AD SSO.
Concur Travel and Expense supports IDP and SP initiated SSO
Concur Travel and Expense supports testing SSO in both production and implementation environment
NOTE
Identifier of this application is a fixed string value for each of the three regions: US, EMEA, and China. So only one instance
can be configured for each region in one tenant.
4. On the Basic SAML Configuration section the application is pre-configured in IDP initiated mode and the
necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking
the Save button.
NOTE
Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) are region specific. Please select based on the
datacenter of your Concur entity. If you do not know the datacenter of your Concur entity, please contact Concur
support.
5. On the Set up Single Sign-On with SAML page, click the edit/pen icon for User Attribute to edit the
settings. The Unique User Identifier needs to match Concur user login_id. Usually, you should change
user.userprincipalname to user.mail.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the metadata and save it on your
computer.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
B.Simon's Concur login id needs to match B.Simon's unique identifier at Azure AD. For example, if B.Simon's Azure AD unique
identifier is B.Simon@contoso.com, B.Simon's Concur login id needs to be B.Simon@contoso.com as well.
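A pre-flight check for the login id match required by the User Attribute step and the note above, as an added example that is not part of the original tutorial. The user records and Concur login ids are constructed sample data and the function name is hypothetical; the page does not say whether Concur compares login ids case-sensitively, so case-only differences are reported separately.

```python
from collections import Counter

# Constructed sample data: directory users with the two candidate source
# attributes the tutorial mentions (user.userprincipalname and user.mail).
SAMPLE_USERS = [
    {"userPrincipalName": "B.Simon@contoso.com", "mail": "B.Simon@contoso.com"},
    {"userPrincipalName": "alee@contoso.onmicrosoft.com", "mail": "A.Lee@contoso.com"},
    {"userPrincipalName": "svc-report@contoso.com", "mail": None},
]
# Constructed sample data: login_id values exported from Concur.
SAMPLE_CONCUR_LOGIN_IDS = [
    "B.Simon@contoso.com",
    "a.lee@contoso.com",
    "svc-report@contoso.com",
]


def audit_unique_user_identifier(users, concur_login_ids, attribute):
    """Classify each user by what would happen if `attribute` were used as
    the Unique User Identifier sent to Concur.

    Returns a dict of category -> list of userPrincipalName values.
    """
    exact = set(concur_login_ids)
    folded = {login_id.casefold() for login_id in concur_login_ids}
    values = [
        (user["userPrincipalName"], (user.get(attribute) or "").strip())
        for user in users
    ]
    # Two directory users emitting the same value would land on one Concur account.
    counts = Counter(value.casefold() for _, value in values if value)

    report = {
        "ok": [],
        "missing_value": [],       # attribute empty: no identifier to send
        "duplicate_value": [],     # same value emitted for more than one user
        "case_only_mismatch": [],  # matches a login_id only when case is ignored
        "no_concur_account": [],   # no login_id matches at all
    }
    for upn, value in values:
        if not value:
            report["missing_value"].append(upn)
        elif counts[value.casefold()] > 1:
            report["duplicate_value"].append(upn)
        elif value in exact:
            report["ok"].append(upn)
        elif value.casefold() in folded:
            report["case_only_mismatch"].append(upn)
        else:
            report["no_concur_account"].append(upn)
    return report


if __name__ == "__main__":
    for attr in ("userPrincipalName", "mail"):
        result = audit_unique_user_identifier(SAMPLE_USERS, SAMPLE_CONCUR_LOGIN_IDS, attr)
        print(attr, {k: v for k, v in result.items() if v})
```

Run it against both attributes before changing the claim: every user outside the "ok" list would fail to sign in or would need a Concur-side fix first.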
NOTE
Self-Service option to configure SSO is not available so work with Concur support team to enable mobile SSO.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Concur Travel and Expense tile in the Access Panel, you should be automatically signed in to the
Concur Travel and Expense for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Concur Travel and Expense with Azure AD
Tutorial: Azure Active Directory integration with
Condeco
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Condeco with Azure Active Directory (Azure AD). Integrating Condeco
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Condeco.
You can enable your users to be automatically signed-in to Condeco (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Condeco, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Condeco single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Condeco supports SP initiated SSO
Condeco supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Condeco, select Condeco from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Condeco Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Condeco section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Condeco Single Sign-On
To configure single sign-on on the Condeco side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the Condeco support team. They apply this setting so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Condeco test user
The objective of this section is to create a user called Britta Simon in Condeco. Condeco supports just-in-time
provisioning, which is by default enabled.
There is no action item for you in this section. A new user is created during an attempt to access Condeco if it
doesn't exist yet.
NOTE
If you need to create a user manually, you need to contact the Condeco support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Confirmit Horizons
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Confirmit Horizons with Azure Active Directory (Azure AD). Integrating
Confirmit Horizons with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Confirmit Horizons.
You can enable your users to be automatically signed-in to Confirmit Horizons (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Confirmit Horizons, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Confirmit Horizons single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Confirmit Horizons supports SP and IDP initiated SSO
Confirmit Horizons supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Confirmit Horizons, select Confirmit Horizons from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<SUBDOMAIN>.confirmit.com/identity/AuthServices/<UNIQUEID>
https://<SUBDOMAIN>.confirmit.com.au/identity/AuthServices/<UNIQUEID>
https://<SUBDOMAIN>.confirmit.ca/identity/AuthServices/<UNIQUEID>
https://<SUBDOMAIN>.confirmit.hk/identity/AuthServices/<UNIQUEID>
https://sso.us.confirmit.com/<UNIQUEID>
b. In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.confirmit.com/identity/AuthServices/<UNIQUEID>/acs
https://<SUBDOMAIN>.confirmit.com.au/identity/AuthServices/<UNIQUEID>/acs
https://<SUBDOMAIN>.confirmit.ca/identity/AuthServices/<UNIQUEID>/acs
https://<SUBDOMAIN>.confirmit.hk/identity/AuthServices/<UNIQUEID>/acs
https://sso.us.confirmit.com/<UNIQUEID>/saml/acs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.confirmit.com/identity/<UNIQUEID>
https://<SUBDOMAIN>.confirmit.com.au/identity/<UNIQUEID>
https://<SUBDOMAIN>.confirmit.ca/identity/<UNIQUEID>
https://<SUBDOMAIN>.confirmit.hk/identity/<UNIQUEID>
https://sso.us.confirmit.com/<UNIQUEID>
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
Confirmit Horizons Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
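A consistency check for the Identifier, Reply URL and Sign-on URL patterns listed in the Basic SAML Configuration steps above, as an added example that is not part of the original tutorial. It assumes that <SUBDOMAIN> is a single DNS label and <UNIQUEID> is a single path segment of letters, digits, "_" or "-" (the page does not define either); function names and sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Host suffixes and path shapes copied from the patterns in the tutorial.
REGIONAL_SUFFIXES = ("confirmit.com.au", "confirmit.com", "confirmit.ca", "confirmit.hk")
US_SSO_HOST = "sso.us.confirmit.com"
PATH_TEMPLATES = {
    "regional": {
        "identifier": "/identity/AuthServices/{uid}",
        "reply_url": "/identity/AuthServices/{uid}/acs",
        "sign_on_url": "/identity/{uid}",
    },
    "us_sso": {
        "identifier": "/{uid}",
        "reply_url": "/{uid}/saml/acs",
        "sign_on_url": "/{uid}",
    },
}
# Assumptions, not stated on the page: one DNS label, one path segment.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
UID_PATTERN = r"[A-Za-z0-9_-]+"


def host_family(host):
    """Return 'us_sso', 'regional', or None for hosts outside the patterns."""
    if host == US_SSO_HOST:
        return "us_sso"
    for suffix in REGIONAL_SUFFIXES:
        if host.endswith("." + suffix):
            sub = host[: -(len(suffix) + 1)]
            return "regional" if LABEL_RE.fullmatch(sub) else None
    return None


def parse_field(field, url):
    """Validate one value; return (family, host, unique_id) or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    try:
        port = parts.port
    except ValueError:
        raise ValueError("invalid port")
    if parts.username is not None or parts.password is not None or port is not None:
        raise ValueError("userinfo and explicit ports are not part of the pattern")
    if parts.query or parts.fragment:
        raise ValueError("query string or fragment is not part of the pattern")
    host = parts.hostname or ""
    family = host_family(host)
    if family is None:
        raise ValueError(f"host {host!r} matches no documented pattern")
    prefix, suffix = PATH_TEMPLATES[family][field].split("{uid}")
    regex = re.escape(prefix) + f"({UID_PATTERN})" + re.escape(suffix)
    match = re.fullmatch(regex, parts.path)
    if match is None:
        raise ValueError(f"path {parts.path!r} does not fit the {family} {field} pattern")
    return family, host, match.group(1)


def check_basic_saml_config(identifier, reply_url, sign_on_url=None):
    """Return a list of problems; empty means the values fit one pattern family.

    sign_on_url is only needed for SP initiated mode, so it is optional.
    """
    fields = {"identifier": identifier, "reply_url": reply_url}
    if sign_on_url is not None:
        fields["sign_on_url"] = sign_on_url
    problems, parsed = [], {}
    for field, url in fields.items():
        try:
            parsed[field] = parse_field(field, url)
        except ValueError as exc:
            problems.append(f"{field}: {exc}")
    # All values must point at the same tenant: same family, host and UNIQUEID.
    for index, label in enumerate(("pattern family", "host", "UNIQUEID")):
        values = {field: result[index] for field, result in parsed.items()}
        if len(set(values.values())) > 1:
            problems.append(f"{label} differs between fields: {values}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the Reply URL host is a look-alike domain.
    for problem in check_basic_saml_config(
        "https://acme.confirmit.com/identity/AuthServices/abc123",
        "https://acme.confirmit.com.evil.example/identity/AuthServices/abc123/acs",
        "https://acme.confirmit.com/identity/abc123",
    ):
        print(problem)
```

The Reply URL is where Azure AD delivers the signed assertion, so a value that fails this check should be confirmed with the Confirmit Horizons support team before it is saved.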
Create Confirmit Horizons test user
In this section, a user called Britta Simon is created in Confirmit Horizons. Confirmit Horizons supports just-in-
time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't
already exist in Confirmit Horizons, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Confirmit Horizons tile in the Access Panel, you should be automatically signed in to the
Confirmit Horizons for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Confluence SAML SSO by Microsoft
10/4/2019 • 9 minutes to read
In this tutorial, you'll learn how to integrate Confluence SAML SSO by Microsoft with Azure Active Directory
(Azure AD). When you integrate Confluence SAML SSO by Microsoft with Azure AD, you can:
Control in Azure AD who has access to Confluence SAML SSO by Microsoft.
Enable your users to be automatically signed-in to Confluence SAML SSO by Microsoft with their Azure AD
accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Description:
Use your Microsoft Azure Active Directory account with Atlassian Confluence server to enable single sign-on. This
way all your organization users can use the Azure AD credentials to sign in to the Confluence application. This
plugin uses SAML 2.0 for federation.
Prerequisites
To configure Azure AD integration with Confluence SAML SSO by Microsoft, you need the following items:
An Azure AD subscription
Confluence server application installed on a Windows 64-bit server (on-premises or on the cloud IaaS
infrastructure)
Confluence server is HTTPS enabled
Note that the supported versions of the Confluence plugin are listed in the section below.
Confluence server is reachable on the internet, particularly to the Azure AD Login page for authentication, and should be
able to receive the token from Azure AD
Admin credentials are set up in Confluence
WebSudo is disabled in Confluence
Test user created in the Confluence server application
NOTE
To test the steps in this tutorial, we do not recommend using a production environment of Confluence. Test the integration
first in development or staging environment of the application and then use the production environment.
NOTE
Please note that our Confluence Plugin also works on Ubuntu Version 16.04
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Confluence SAML SSO by Microsoft supports SP initiated SSO
Configure and test Azure AD single sign-on for Confluence SAML SSO
by Microsoft
Configure and test Azure AD SSO with Confluence SAML SSO by Microsoft using a test user called B.Simon. For
SSO to work, you need to establish a link relationship between an Azure AD user and the related user in
Confluence SAML SSO by Microsoft.
To configure and test Azure AD SSO with Confluence SAML SSO by Microsoft, complete the following building
blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure Confluence SAML SSO by Microsoft SSO - to configure the single sign-on settings on
application side.
a. Create Confluence SAML SSO by Microsoft test user - to have a counterpart of B.Simon in
Confluence SAML SSO by Microsoft that is linked to the Azure AD representation of user.
3. Test SSO - to verify whether the configuration works.
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign-on URL text box, type a URL using the following pattern:
https://<domain:port>/plugins/servlet/saml/auth
b. In the Identifier box, type a URL using the following pattern: https://<domain:port>/
c. In the Reply URL text box, type a URL using the following pattern:
https://<domain:port>/plugins/servlet/saml/auth
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. Port is optional
in case it’s a named URL. These values are received during the configuration of Confluence plugin, which is explained
later in the tutorial.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Confluence SAML SSO by
Microsoft.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Confluence SAML SSO by Microsoft.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
3. Download the plugin from the Microsoft Download Center. Manually upload the plugin provided by Microsoft
using the Upload add-on menu. The download of the plugin is covered under the Microsoft Service Agreement.
4. To run Confluence in a reverse proxy or load balancer scenario, perform the following steps:
NOTE
Configure the server first with the instructions below, and then install the plugin.
a. Add the following attributes to the connector port in the server.xml file of the JIRA server application.
scheme="https" proxyName="<subdomain.domain.com>" proxyPort="<proxy_port>" secure="true"
b. Change the Base URL in System Settings according to the proxy/load balancer.
5. Once the plugin is installed, it appears in User Installed add-ons section of Manage Add-on section. Click
Configure to configure the new plugin.
a. In the Metadata URL textbox, paste the App Federation Metadata Url value that you copied
from the Azure portal and click the Resolve button. It reads the IdP metadata URL and populates all
the field information.
b. Copy the Identifier, Reply URL and Sign on URL values and paste them in the Identifier, Reply URL
and Sign on URL textboxes respectively in the Basic SAML Configuration section on the Azure portal.
c. In Login Button Name, type the name of the button your organization wants users to see on the login
screen.
d. In Login Button Description, type the description of the button your organization wants users to
see on the login screen.
e. In SAML User ID Locations, select either User ID is in the NameIdentifier element of the
Subject statement or User ID is in an Attribute element. This ID has to be the Confluence user
ID. If the user ID is not matched, then system will not allow users to sign in.
NOTE
Default SAML User ID location is Name Identifier. You can change this to an attribute option and enter the
appropriate attribute name.
f. If you select User ID is in an Attribute element option, then in Attribute name textbox type the
name of the attribute where User ID is expected.
g. If you are using a federated domain (like ADFS etc.) with Azure AD, then click the Enable
Home Realm Discovery option and configure the Domain Name.
h. In Domain Name, type the domain name in case of ADFS-based login.
i. Check Enable Single Sign out if you wish to sign out from Azure AD when a user signs out from
Confluence.
j. Select the Force Azure Login checkbox if you wish to sign in through Azure AD credentials only.
NOTE
To enable the default login form for admin login on the login page when Force Azure Login is enabled, add
the following query parameter to the browser URL: https://<domain:port>/login.action?force_azure_login=false
NOTE
For more information about installation and troubleshooting, visit MS Confluence SSO Connector Admin
Guide. There is also an FAQ for your assistance.
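The Force Azure Login note above means the default login form stays reachable by URL even when Azure AD sign-in is enforced, so requests carrying that parameter are worth reviewing. The following Python sketch is an added example, not part of the Microsoft plugin or its documentation; it scans access-log lines for such requests, and the common log format, the sample lines and the allow-listed admin address are assumptions constructed for illustration.

```python
import re
from collections import Counter, namedtuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/2019:08:01:12 +0000] "GET /login.action?force_azure_login=false HTTP/1.1" 200 5120
198.51.100.7 - - [12/Nov/2019:08:03:40 +0000] "GET /login.action?src=menu&force_azure_login=FALSE HTTP/1.1" 200 5120
198.51.100.7 - - [12/Nov/2019:08:03:55 +0000] "GET /confluence/login.action;jsessionid=ABC123?force%5Fazure%5Flogin=false HTTP/1.1" 200 5120
203.0.113.5 - - [12/Nov/2019:08:04:02 +0000] "GET /login.action HTTP/1.1" 302 0
203.0.113.5 - - [12/Nov/2019:08:04:03 +0000] "GET /plugins/servlet/saml/auth HTTP/1.1" 302 0
203.0.113.9 - - [12/Nov/2019:08:05:10 +0000] "GET /pages/viewpage.action?title=force_azure_login=false HTTP/1.1" 200 1000
this line is truncated and does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})\b'
)

Hit = namedtuple("Hit", "ip timestamp method target status allowed")


def is_local_login_request(target):
    """True if the request target asks login.action to skip the Azure AD redirect."""
    parts = urlsplit(target)
    # Drop ';jsessionid=...' style path parameters from every segment, then decode.
    segments = [seg.split(";", 1)[0] for seg in parts.path.split("/")]
    path = unquote("/".join(segments)).lower()
    if not path.endswith("/login.action"):
        return False
    # parse_qs percent-decodes names and values. Names and values are compared
    # case-insensitively, which is deliberately broader than whatever spelling
    # the plugin itself accepts.
    query = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        query.setdefault(name.lower(), []).extend(values)
    return any(v.strip().lower() == "false"
               for v in query.get("force_azure_login", []))


def find_local_login_requests(lines, allowed_sources=()):
    """Return a Hit for every parsable log line that requests the default login form."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_local_login_request(m["target"]):
            continue  # unparsable lines and ordinary requests are skipped
        hits.append(Hit(m["ip"], m["ts"], m["method"], m["target"],
                        int(m["status"]), m["ip"] in allowed_sources))
    return hits


def unexpected_sources(hits):
    """Count hits per source address that is not on the allow list."""
    return Counter(h.ip for h in hits if not h.allowed)


if __name__ == "__main__":
    # 192.0.2.10 stands in for a known admin workstation (assumption).
    found = find_local_login_requests(SAMPLE_LOG.splitlines(),
                                      allowed_sources={"192.0.2.10"})
    for h in found:
        flag = "expected" if h.allowed else "REVIEW"
        print(f"{flag:8} {h.ip:15} {h.timestamp} {h.target} -> {h.status}")
    print(dict(unexpected_sources(found)))
```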
Create Confluence SAML SSO by Microsoft test user
To enable Azure AD users to sign in to Confluence on-premises server, they must be provisioned into Confluence
SAML SSO by Microsoft. For Confluence SAML SSO by Microsoft, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Confluence on-premises server as an administrator.
2. Hover over the cog and click User management.
3. Under the Users section, click the Add users tab. On the Add a User dialog page, perform the following steps:
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Confluence SAML SSO by Microsoft tile in the Access Panel, you should be automatically
signed in to the Confluence SAML SSO by Microsoft for which you set up SSO. For more information about the
Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Confluence SAML SSO by Microsoft with Azure AD
Tutorial: Azure Active Directory integration with
Consent2Go
10/30/2019 • 4 minutes to read
In this tutorial, you learn how to integrate Consent2Go with Azure Active Directory (Azure AD). Integrating
Consent2Go with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Consent2Go.
You can enable your users to be automatically signed-in to Consent2Go (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Consent2Go, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Consent2Go single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Consent2Go supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Consent2Go, select Consent2Go from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Consent2Go test user
In this section, you create a user called Britta Simon in Consent2Go. Work with the Consent2Go support team to add
the users in the Consent2Go platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Consent2Go tile in the Access Panel, you should be automatically signed in to the Consent2Go
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Contentful
10/27/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Contentful with Azure Active Directory (Azure AD). When you
integrate Contentful with Azure AD, you can:
Control in Azure AD who has access to Contentful.
Enable your users to be automatically signed-in to Contentful with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Contentful single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Contentful supports SP and IDP initiated SSO
Contentful supports Just In Time user provisioning
NOTE
The identifier of this application is a fixed string value. Only one instance can be configured in one tenant.
4. In the Basic SAML Configuration section, if you want to configure the application in IDP initiated mode,
enter the values for the following fields:
In the Reply URL text box, copy the ACS (Assertion Consumer Service) URL from the SSO setup page
in Contentful. It will look like this: https://be.contentful.com/sso/<organization_id>/consume
5. Click Set additional URLs and perform the following step if you want to configure the application in SP
initiated mode:
In the Sign-on URL text box, copy the same ACS (Assertion Consumer Service) URL. It will look like
this: https://be.contentful.com/sso/<organization_id>/login
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-On URL by copying the ACS
(Assertion Consumer Service) URL from the SSO setup page in Contentful.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. In the Set up Contentful section, copy the login URL to configure Contentful SSO.
5. In the Users and groups dialog box, select B.Simon from the Users list, then click the Select button at the
bottom of the page.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog box, select the
appropriate role for the user from the list and then click the Select button at the bottom of the page.
7. In the Add Assignment dialog box, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Contentful tile in the Access Panel, you should be automatically signed in to the Contentful for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Contentful with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with ContractWorks
9/6/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate ContractWorks with Azure Active Directory (Azure AD). When you
integrate ContractWorks with Azure AD, you can:
Control in Azure AD who has access to ContractWorks.
Enable your users to be automatically signed-in to ContractWorks with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
ContractWorks single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
ContractWorks supports SP and IDP initiated SSO
4. On the Set up single sign-on with SAML page, enter the values for the following fields:
In the Identifier text box, type a URL: https://login.securedocs.com/saml/metadata
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ContractWorks tile in the Access Panel, you should be automatically signed in to the
ContractWorks for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try ContractWorks with Azure AD
Tutorial: Integrate Continuity Control with Azure
Active Directory
6/17/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate Continuity Control (Control) with Azure Active Directory (Azure AD).
When you integrate Control with Azure AD, you can:
Manage in Azure AD who has access to Control.
Enable your users to be automatically signed-in to Control with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
A Control single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Control supports SP initiated SSO.
4. On the Basic SAML Configuration page, enter the values for the following field:
In the Sign-on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.continuity.net/auth/saml
NOTE
The value is not real. Update the value with the correct subdomain. Your SSO subdomain can be configured at
Control Authentication Strategies. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. In the SAML Signing Certificate section, click the Edit button to open the SAML Signing Certificate dialog.
6. In the SAML Signing Certificate section, copy the Thumbprint and save it on your computer.
7. In the Set up Control section, copy the Login URL and save it on your computer.
5. In the Users and groups dialog, select Britta Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Control test user
In this section, you create a user called Britta Simon in Control. Work with the Control support team to add the users in
the Control platform. Use Britta Simon's Azure AD User name to populate her Identity Provider User ID in
Control. Users must be created, and their Identity Provider User ID set, in Control before they can use single
sign-on.
Test SSO
When you select the Control tile in the Access Panel, you should be automatically signed in to the Control for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Convene
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Convene with Azure Active Directory (Azure AD). Integrating Convene
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Convene.
You can enable your users to be automatically signed-in to Convene (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Convene, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Convene single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Convene supports SP initiated SSO
Convene supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Convene, select Convene from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Reply URL text box, type a URL using the following pattern:
https://portal.convene.me.uk/saml/acs/<UID>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
NOTE
The Reply URL value is not real. Update the value with the actual Reply URL. Contact Convene Client support team to
get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
6. Convene application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on
application integration page. On the Set up Single Sign-On with SAML page, click Edit button to open
User Attributes dialog.
7. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
nameidentifier user.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
9. In the Set up Convene section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Convene Single Sign-On
To configure single sign-on on the Convene side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Convene support team. They apply this setting so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Convene test user
In this section, a user called Britta Simon is created in Convene. Convene supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Convene, a new one is created after authentication.
NOTE
If you need to create a user manually, contact Convene support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Convercent
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Convercent with Azure Active Directory (Azure AD). Integrating
Convercent with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Convercent.
You can enable your users to be automatically signed-in to Convercent (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Convercent, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Convercent single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Convercent supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Convercent, select Convercent from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Identifier text box, type a URL using the following pattern: https://<instancename>.convercent.com/
5. Click Set additional URLs and perform the following steps if you wish to configure the application in SP
initiated mode:
a. In the Sign-on URL text box, type a URL using the following pattern:
https://<instancename>.convercent.com/
b. In the Relay State text box, type a URL using the following pattern:
https://<instancename>.convercent.com/
NOTE
These values are not real. Update these values with the actual Identifier, Sign-On URL and Relay State. Contact
Convercent Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. In the Set up Convercent section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Convercent Single Sign-On
To configure single sign-on on the Convercent side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the Convercent support team. They apply this setting so
that the SAML SSO connection is set properly on both sides.
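The Federation Metadata XML sent to the support team here, like the Thumbprint copied in the Continuity Control tutorial, identifies the signing certificate and sign-on endpoint that the application will trust. The following Python sketch is an added example, not Microsoft's or Convercent's code; it parses a constructed metadata document, computes each signing certificate's thumbprint, and compares it with a value recorded from the portal. Assumptions: the thumbprint is the SHA-1 hash of the DER certificate bytes, the sign-on endpoint is hosted on login.microsoftonline.com, and the certificate bytes and tenant ID in the sample are placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID

# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()

# Constructed metadata document with the certificate wrapped over two lines.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          {SAMPLE_B64[:40]}
          {SAMPLE_B64[40:]}
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def sha1_thumbprint(der_bytes):
    """Uppercase hex SHA-1 of the DER bytes (assumed thumbprint format)."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def normalize_thumbprint(value):
    """Strip spaces and colons so 'ab:cd' and 'ABCD' compare equal."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def parse_idp_metadata(xml_text):
    """Extract entity ID, sign-on endpoints and signing thumbprints."""
    if "<!DOCTYPE" in xml_text:
        # SAML metadata never needs a DTD; refuse it rather than expand entities.
        raise ValueError("DOCTYPE is not allowed in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso_urls = {e.get("Binding"): e.get("Location")
                for e in idp.findall("md:SingleSignOnService", NS)}
    thumbprints = []
    for key in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' applies to signing as well.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # drop line wrapping
            thumbprints.append(sha1_thumbprint(base64.b64decode(b64, validate=True)))
    return {"entity_id": root.get("entityID"),
            "sso_urls": sso_urls,
            "signing_thumbprints": thumbprints}


def check_against_portal(metadata, portal_thumbprint,
                         allowed_hosts=("login.microsoftonline.com",)):
    """Return a list of findings; an empty list means the values agree."""
    findings = []
    if normalize_thumbprint(portal_thumbprint) not in metadata["signing_thumbprints"]:
        findings.append("portal thumbprint not found among signing certificates")
    for url in metadata["sso_urls"].values():
        parts = urlsplit(url or "")
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            findings.append(f"unexpected sign-on endpoint: {url}")
    return findings


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_METADATA)
    print(md["entity_id"], md["signing_thumbprints"])
    print(check_against_portal(md, sha1_thumbprint(SAMPLE_DER)) or "metadata matches")
```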
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Convercent test user
In this section, you create a user called Britta Simon in Convercent. Work with the Convercent support team to add the
users in the Convercent platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Convercent tile in the Access Panel, you should be automatically signed in to the Convercent
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Coralogix
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Coralogix with Azure Active Directory (Azure AD). Integrating Coralogix
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Coralogix.
You can enable your users to be automatically signed in to Coralogix (single sign-on) with their Azure AD
accounts.
You can manage your accounts in one central location: the Azure portal.
For more information about SaaS app integration with Azure AD, see What is application access and single sign-
on with Azure Active Directory. If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
To configure Azure AD integration with Coralogix, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
A Coralogix single-sign-on enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Coralogix supports SP-initiated SSO.
4. In the search box, enter Coralogix. Select Coralogix from the results pane, and then select the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, select the Edit icon to open the Basic SAML
Configuration dialog box.
4. In the Basic SAML Configuration dialog box, take the following steps:
a. In the Sign on URL box, enter a URL with the following pattern: https://<SUBDOMAIN>.coralogix.com
or
https://aws-client-prod.coralogix.com/saml/metadata.xml
NOTE
The sign-on URL value isn't real. Update the value with the actual sign-on URL. Contact the Coralogix Client support
team to get the value. You can also refer to the patterns in the Basic SAML Configuration section in the Azure
portal.
5. The Coralogix application expects the SAML assertions in a specific format. Configure the following claims
for this application. You can manage the values of these attributes from the User Attributes section on the
application integration page. On the Set up Single Sign-On with SAML page, select the Edit button to
open the User Attributes dialog box.
6. In the User Claims section in the User Attributes dialog box, edit the claims by using the Edit icon. You
can also add the claims by using Add new claim to configure the SAML token attribute as shown in the
previous image. Then take the following steps:
a. Select the Edit icon to open the Manage user claims dialog box.
b. From the Choose name identifier format list, select Email address.
c. From the Source attribute list, select user.mail.
d. Select Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select
Download to download the Federation Metadata XML from the given options according to your
requirements. Then save it on your computer.
4. Select the Add user button. Then select Users and groups in the Add Assignment dialog box.
5. In the Users and groups dialog box, select Britta Simon in the users list. Then click the Select button at
the bottom of the screen.
6. If you're expecting a role value in the SAML assertion, in the Select Role dialog box, select the appropriate
role for the user from the list. Then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog box, select the Assign button.
Create a Coralogix test user
In this section, you create a user called Britta Simon in Coralogix. Work with the Coralogix support team to add the
users in the Coralogix platform. You must create and activate users before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration by using the MyApps portal.
When you select the Coralogix tile in the MyApps portal, you should be automatically signed in to Coralogix. For
more information about the MyApps portal, see What is the MyApps portal?
Additional resources
List of tutorials on how to integrate SaaS apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory Single sign-on (SSO)
integration with Cornerstone OnDemand
11/19/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Cornerstone OnDemand with Azure Active Directory (Azure AD).
When you integrate Cornerstone OnDemand with Azure AD, you can:
Control in Azure AD who has access to Cornerstone OnDemand.
Enable your users to be automatically signed-in to Cornerstone OnDemand with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Cornerstone OnDemand single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Cornerstone OnDemand supports SP initiated SSO
Cornerstone OnDemand supports Automated user provisioning
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<company>.csod.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Cornerstone
OnDemand Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. In the Set up Cornerstone OnDemand section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
You can use any other Cornerstone OnDemand user account creation tools or APIs provided by Cornerstone OnDemand to
provision Azure AD user accounts.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Cornerstone OnDemand tile in the Access Panel, you should be automatically signed in to the
Cornerstone OnDemand for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Cornerstone OnDemand with Azure AD
Tutorial: Azure Active Directory integration with
Corptax
6/13/2019 • 4 minutes to read
In this tutorial, you learn how to integrate Corptax with Azure Active Directory (Azure AD). Integrating Corptax
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Corptax.
You can enable your users to be automatically signed-in to Corptax (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Corptax, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Corptax single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Corptax supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Corptax, select Corptax from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Corptax test user
In this section, you create a user called Britta Simon in Corptax. Work with the Corptax support team to add the
users in the Corptax platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel. When you click the
Corptax tile in the Access Panel, you should be redirected to the following Corptax page:
In the Environment text box, type your appropriate environment. You should then be automatically signed in to the
Corptax for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Costpoint with Azure Active
Directory
10/3/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Costpoint with Azure Active Directory (Azure AD). When you integrate
Costpoint with Azure AD, you can:
Control in Azure AD who has access to Costpoint.
Enable your users to be automatically signed-in to Costpoint with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
A Costpoint single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you will configure and test Azure AD SSO in a test environment. Costpoint supports SP and IDP
initiated SSO.
5. In the Add from the gallery section, enter Costpoint in the search box.
6. In the results list, select Costpoint, and then add the app. Wait a few seconds while the app is added to your
tenant.
2. In the Basic SAML Configuration section, if you have the Service Provider metadata file, complete these
steps:
NOTE
You get the Service Provider metadata file in Generate Costpoint metadata. How to use the file is explained later in
the tutorial.
a. Select the Upload metadata file button, then select the Costpoint SP Federation Metadata XML
file previously generated by Costpoint, and then select the Add button to upload the file.
b. When the metadata file is successfully uploaded, the Identifier and Reply URL values are automatically
populated in the Costpoint section.
NOTE
If the Identifier and Reply URL values are not automatically populated, enter the values manually according to your
requirement. Verify that Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) are
correctly set, and that the ACS URL is a valid Costpoint URL that ends with /LoginServlet.cps.
c. Select Set additional URLs. For Relay State, enter a value using the following pattern:
system=[your system] (for example, system=DELTEKCP).
3. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select the
Copy icon to copy the App Federation Metadata Url and save it to Notepad.
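A pre-upload check of the Costpoint SP metadata file and Relay State from step 2, as an added example (not part of the original tutorial or of Costpoint's tooling). The sample metadata, host name, and function names are constructed for illustration; the /LoginServlet.cps suffix and the system=[your system] pattern come from the steps above.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ACS_SUFFIX = "/LoginServlet.cps"  # suffix required by the tutorial's note
# Relay State pattern from step c; the allowed character set is an assumption.
RELAY_STATE_RE = re.compile(r"system=[A-Za-z0-9_]+")

# Constructed sample shaped like SP metadata; not produced by Costpoint.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://costpoint.example.com/cpweb">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://costpoint.example.com/cpweb/LoginServlet.cps"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return (entity_id, [(binding, location), ...]) from SP metadata."""
    # SAML metadata never needs a DTD, so refuse one outright instead of
    # relying on the parser's entity handling.
    if "<!doctype" in xml_text.lower():
        raise ValueError("DOCTYPE is not allowed in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    ns = {"md": MD_NS}
    acs = [
        (e.get("Binding", ""), e.get("Location", ""))
        for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", ns)
    ]
    return root.get("entityID", ""), acs


def check_costpoint_sp(xml_text, relay_state, expected_host):
    """Return a list of problems; an empty list means nothing was flagged."""
    problems = []
    entity_id, acs_list = parse_sp_metadata(xml_text)
    if not entity_id:
        problems.append("missing entityID (Identifier)")
    if not acs_list:
        problems.append("no AssertionConsumerService (Reply URL) found")
    for binding, location in acs_list:
        url = urlsplit(location)
        # The Reply URL is where Azure AD posts the signed assertion, so a
        # wrong scheme or host would deliver tokens to the wrong endpoint.
        if url.scheme != "https":
            problems.append(f"Reply URL is not HTTPS: {location}")
        if url.hostname != expected_host:
            problems.append(f"Reply URL host {url.hostname!r} is not {expected_host!r}")
        if not url.path.endswith(ACS_SUFFIX):
            problems.append(f"Reply URL does not end with {ACS_SUFFIX}: {location}")
        # Azure AD returns the SAML response with the HTTP-POST binding.
        if binding != POST_BINDING:
            problems.append(f"unexpected ACS binding: {binding}")
    if not RELAY_STATE_RE.fullmatch(relay_state):
        problems.append(f"Relay State does not match system=[your system]: {relay_state!r}")
    return problems


if __name__ == "__main__":
    issues = check_costpoint_sp(SAMPLE_SP_METADATA, "system=DELTEKCP",
                                "costpoint.example.com")
    print("OK" if not issues else "\n".join(issues))
```

Run it against the file generated by Costpoint before uploading it, with expected_host set to the host name your users actually reach Costpoint on.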
Configure Costpoint
1. Return to Costpoint Configuration Utility. In the IdP Federation Metadata XML text box, paste the
contents of the App Federation Metadata Url file.
2. Continue the instructions from the DeltekCostpoint711Security.pdf guide to finish the Costpoint SAML
setup.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal named B.Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory > Users > All users.
5. In the Users and groups dialog box, in the Users list, select B.Simon. Then, choose Select.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog box, select the
appropriate role for the user from the list, and then choose Select.
7. In the Add Assignment dialog box, select Assign.
Create a Costpoint test user
In this section, you create a user in Costpoint. Assume the user ID is B.SIMON and the user's name is B.Simon.
Work with the Costpoint Client support team to add the user in the Costpoint platform. The user must be created
and activated before they can use single sign-on.
After the user is created, the user's Authentication Method selection must be Active Directory, the SAML
Single Sign-on check box must be selected, and the user name from Azure Active Directory must be Active
Directory or Certificate ID (shown in the following screenshot).
Test SSO
When you select the Costpoint tile in the Access Panel, you should be automatically signed in to the Costpoint
application because you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional resources
List of tutorials to integrate SaaS apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Coupa
11/19/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Coupa with Azure Active Directory (Azure AD). Integrating Coupa with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Coupa.
You can enable your users to be automatically signed-in to Coupa (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Coupa, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Coupa single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Coupa supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Coupa, select Coupa from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The Sign-on URL value is not real. Update this value with the actual Sign-On URL. Contact the Coupa Client support
team to get this value.
ENVIRONMENT URL
Sandbox sso-stg1.coupahost.com
Production sso-prd1.coupahost.com
ENVIRONMENT URL
Sandbox https://sso-stg1.coupahost.com/sp/ACS.saml2
Production https://sso-prd1.coupahost.com/sp/ACS.saml2
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Coupa section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Coupa Single Sign-On
1. Sign on to your Coupa company site as an administrator.
2. Go to Setup > Security Control.
3. In the Log in using Coupa credentials section, perform the following steps:
a. Select Log in using SAML.
b. Click Browse to upload the metadata downloaded from the Azure portal.
c. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Coupa test user
In order to enable Azure AD users to log into Coupa, they must be provisioned into Coupa.
In the case of Coupa, provisioning is a manual task.
To configure user provisioning, perform the following steps:
1. Log in to your Coupa company site as administrator.
2. In the menu on the top, click Setup, and then click Users.
3. Click Create.
a. In the related text boxes, type the Login, First name, Last Name, Single Sign-On ID, and Email attributes of
the valid Azure Active Directory account that you want to provision.
b. Click Create.
NOTE
The Azure Active Directory account holder will get an email with a link to confirm the account before it becomes
active.
NOTE
You can use any other Coupa user account creation tools or APIs provided by Coupa to provision Azure AD user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate CPQSync by Cincom with Azure
Active Directory
8/8/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate CPQSync by Cincom with Azure Active Directory (Azure AD). When
you integrate CPQSync by Cincom with Azure AD, you can:
Control in Azure AD who has access to CPQSync by Cincom.
Enable your users to be automatically signed-in to CPQSync by Cincom with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
CPQSync by Cincom single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
CPQSync by Cincom supports SP and IDP initiated SSO
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://cincom.oktapreview.com/sso/saml2/<CUSTOMURL>
b. In the Reply URL text box, type a URL using the following pattern:
https://cincom.okta.com/sso/saml2/<CUSTOMDOMAIN>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://cincom.okta.com/
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact the CPQSync by Cincom
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Raw) and select Download to download the certificate and save it on your computer.
7. In the Set up CPQSync by Cincom section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the CPQSync by Cincom tile in the Access Panel, you should be automatically signed in to the
CPQSync by Cincom for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with CS
Stars
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate CS Stars with Azure Active Directory (Azure AD). Integrating CS Stars
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to CS Stars.
You can enable your users to be automatically signed-in to CS Stars (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with CS Stars, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
CS Stars single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
CS Stars supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type CS Stars, select CS Stars from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.csstars.com/enterprise/
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the CS Stars Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up CS Stars section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure CS Stars Single Sign-On
To configure single sign-on on the CS Stars side, you need to send the downloaded Federation Metadata XML and the
appropriate copied URLs from the Azure portal to the CS Stars support team. They apply this setting so that the SAML
SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create CS Stars test user
In this section, you create a user called Britta Simon in CS Stars. Work with the CS Stars support team to add the
users in the CS Stars platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the CS Stars tile in the Access Panel, you should be automatically signed in to the CS Stars for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with CyberArk SAML Authentication
10/9/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate CyberArk SAML Authentication with Azure Active Directory (Azure
AD). When you integrate CyberArk SAML Authentication with Azure AD, you can:
Control in Azure AD who has access to CyberArk SAML Authentication.
Enable your users to be automatically signed-in to CyberArk SAML Authentication with their Azure AD
accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
CyberArk SAML Authentication single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
CyberArk SAML Authentication supports SP and IDP initiated SSO
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
In the Reply URL text box, type a URL using the following pattern:
https://<PVWA DNS or IP>/passwordvault/api/auth/saml/logon
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<PVWA DNS or IP>/PasswordVault/v10/logon/saml
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact the CyberArk SAML
Authentication Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. In the Set up CyberArk SAML Authentication section, copy the appropriate URL(s) based on your
requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the CyberArk SAML Authentication tile in the Access Panel, you should be automatically signed in
to the CyberArk SAML Authentication for which you set up SSO. For more information about the Access Panel,
see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try CyberArk SAML Authentication with Azure AD
Tutorial: Azure Active Directory integration with
CylancePROTECT
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate CylancePROTECT with Azure Active Directory (Azure AD). Integrating
CylancePROTECT with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to CylancePROTECT.
You can enable your users to be automatically signed-in to CylancePROTECT (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with CylancePROTECT, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
CylancePROTECT single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
CylancePROTECT supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type CylancePROTECT, select CylancePROTECT from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, click the Edit button to open the Basic SAML Configuration
dialog.
a. In the Identifier text box, type the URL:
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up CylancePROTECT section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure CylancePROTECT Single Sign-On
To configure single sign-on on the CylancePROTECT side, you need to send the downloaded Certificate (Base64)
and the appropriate copied URLs from the Azure portal to the console administrator. They apply this setting so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create CylancePROTECT test user
In this section, you create a user called Britta Simon in CylancePROTECT. Work with the console administrator to add
the users in the CylancePROTECT platform. The Azure Active Directory account holder will receive an email and
follow a link to confirm their account before it becomes active.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the CylancePROTECT tile in the Access Panel, you should be automatically signed in to the
CylancePROTECT for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
DATABASICS
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate DATABASICS with Azure Active Directory (Azure AD). Integrating
DATABASICS with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to DATABASICS.
You can enable your users to be automatically signed-in to DATABASICS (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with DATABASICS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
DATABASICS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
DATABASICS supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type DATABASICS, select DATABASICS from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The Sign on URL value is not real. Update the value with the actual Sign on URL. Contact the DATABASICS Client support
team to get this value. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up DATABASICS section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure DATABASICS Single Sign-On
To configure single sign-on on the DATABASICS side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the DATABASICS support team. They apply this setting so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create DATABASICS test user
In this section, you create a user called Britta Simon in DATABASICS. Work with the DATABASICS support team to
add the users in the DATABASICS platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the DATABASICS tile in the Access Panel, you should be automatically signed in to the
DATABASICS instance for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Datahug
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Datahug with Azure Active Directory (Azure AD). Integrating Datahug
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Datahug.
You can enable your users to be automatically signed-in to Datahug (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Datahug, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Datahug single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Datahug supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Datahug, select Datahug from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://apps.datahug.com/identity/<uniqueID>
b. In the Reply URL text box, type a URL using the following pattern:
https://apps.datahug.com/identity/<uniqueID>/acs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact the Datahug
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. In the SAML Signing Certificate section, click the Edit button to open the SAML Signing Certificate dialog
and perform the following steps.
a. Select Sign SAML assertion from the Signing Option.
b. Select SHA-1 from the Signing Algorithm.
c. Click Save.
8. On the Set up Datahug section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Datahug Single Sign-On
To configure single sign-on on the Datahug side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the Datahug support team. They configure this setting so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Datahug test user
To enable Azure AD users to sign in to Datahug, they must be provisioned into Datahug.
In the case of Datahug, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Datahug company site as an administrator.
2. Hover over the cog in the top right-hand corner and click Settings.
4. Type the email of the person you would like to create an account for and click Add.
NOTE
You can send a registration mail to the user by selecting the Send welcome email checkbox. If you are creating an
account for Salesforce, do not send the welcome email.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Dealpath
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Dealpath with Azure Active Directory (Azure AD). Integrating Dealpath
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Dealpath.
You can enable your users to be automatically signed-in to Dealpath (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Dealpath, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Dealpath single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Dealpath supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Dealpath, select Dealpath from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://api.dealpath.com/saml/metadata/<ID>
NOTE
The Identifier value is not real. Update the value with the actual Identifier. Contact the Dealpath Client support
team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Dealpath section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Dealpath Single Sign-On
1. In a different web browser window, sign in to Dealpath as an Administrator.
2. In the top right, click Admin Tools and navigate to Integrations, then in the SAML 2.0 Authentication
section, click Update Settings.
3. On the Set up SAML 2.0 authentication page, perform the following steps:
a. In the SAML SSO URL textbox, paste the value of Login URL, which you have copied from the Azure portal.
b. In the Identity Provider Issuer textbox, paste the value of Azure AD Identifier, which you have copied
from the Azure portal.
c. Copy the content of the downloaded Certificate (Base64) file into Notepad, and then paste it into the Public
Certificate textbox.
d. Click Update settings.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Dealpath test user
In this section, you create a user called Britta Simon in Dealpath. Work with the Dealpath Client support team to
add the users in the Dealpath platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Dealpath tile in the Access Panel, you should be automatically signed in to the Dealpath
instance for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Degreed
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Degreed with Azure Active Directory (Azure AD). Integrating Degreed
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Degreed.
You can enable your users to be automatically signed-in to Degreed (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Degreed, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Degreed single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Degreed supports SP initiated SSO
Degreed supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Degreed, select Degreed from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://degreed.com/<instancename>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Degreed
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Degreed section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Degreed Single Sign-On
To configure single sign-on on the Degreed side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the Degreed support team. They configure this setting so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Degreed test user
The objective of this section is to create a user called Britta Simon in Degreed. Degreed supports just-in-time
provisioning, which is enabled by default.
There is no action item for you in this section. A new user is created during an attempt to access Degreed if it
doesn't exist yet.
NOTE
If you need to create a user manually, you need to contact the Degreed support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Deputy
11/19/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Deputy with Azure Active Directory (Azure AD). Integrating Deputy with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Deputy.
You can enable your users to be automatically signed-in to Deputy (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Deputy, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Deputy single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Deputy supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Deputy, select Deputy from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<subdomain>.<region>.au.deputy.com
https://<subdomain>.<region>.ent-au.deputy.com
https://<subdomain>.<region>.na.deputy.com
https://<subdomain>.<region>.ent-na.deputy.com
https://<subdomain>.<region>.eu.deputy.com
https://<subdomain>.<region>.ent-eu.deputy.com
https://<subdomain>.<region>.as.deputy.com
https://<subdomain>.<region>.ent-as.deputy.com
https://<subdomain>.<region>.la.deputy.com
https://<subdomain>.<region>.ent-la.deputy.com
https://<subdomain>.<region>.af.deputy.com
https://<subdomain>.<region>.ent-af.deputy.com
https://<subdomain>.<region>.an.deputy.com
https://<subdomain>.<region>.ent-an.deputy.com
https://<subdomain>.<region>.deputy.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.<region>.au.deputy.com/exec/devapp/samlacs
https://<subdomain>.<region>.ent-au.deputy.com/exec/devapp/samlacs
https://<subdomain>.<region>.na.deputy.com/exec/devapp/samlacs
https://<subdomain>.<region>.ent-na.deputy.com/exec/devapp/samlacs
https://<subdomain>.<region>.eu.deputy.com/exec/devapp/samlacs
https://<subdomain>.<region>.ent-eu.deputy.com/exec/devapp/samlacs
https://<subdomain>.<region>.as.deputy.com/exec/devapp/samlacs
https://<subdomain>.<region>.ent-as.deputy.com/exec/devapp/samlacs
https://<subdomain>.<region>.la.deputy.com/exec/devapp/samlacs
https://<subdomain>.<region>.ent-la.deputy.com/exec/devapp/samlacs
https://<subdomain>.<region>.af.deputy.com/exec/devapp/samlacs
https://<subdomain>.<region>.ent-af.deputy.com/exec/devapp/samlacs
https://<subdomain>.<region>.an.deputy.com/exec/devapp/samlacs
https://<subdomain>.<region>.ent-an.deputy.com/exec/devapp/samlacs
https://<subdomain>.<region>.deputy.com/exec/devapp/samlacs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<your-subdomain>.<region>.deputy.com
NOTE
The Deputy region suffix is optional; if used, it should be one of these: au | na | eu | as | la | af | an | ent-au |
ent-na | ent-eu | ent-as | ent-la | ent-af | ent-an
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the
Deputy Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up Deputy section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
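An added example, not part of the original tutorial or Deputy's own tooling: a Python check that the Identifier, Reply URL and Sign-on URL you typed in Basic SAML Configuration match the Deputy patterns and region suffixes listed above before you save them. The sample URLs (acme, syd) are constructed, and the rule that the Identifier and Reply URL share one host is an assumption read from the paired pattern lists.

```python
import re
from urllib.parse import urlsplit

# Region suffixes listed in the tutorial's NOTE for Deputy.
REGION_SUFFIXES = {
    "au", "na", "eu", "as", "la", "af", "an",
    "ent-au", "ent-na", "ent-eu", "ent-as", "ent-la", "ent-af", "ent-an",
}
# Path that every Reply URL pattern in the tutorial ends with.
ACS_PATH = "/exec/devapp/samlacs"
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def deputy_host(url):
    """Return (host, region_suffix_or_None, path) or raise ValueError."""
    if "<" in url or ">" in url:
        raise ValueError("placeholder such as <subdomain> was not replaced")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    host = parts.hostname or ""
    if parts.netloc.lower() != host:
        raise ValueError("userinfo or port is not part of the pattern")
    if parts.query or parts.fragment:
        raise ValueError("query string or fragment is not part of the pattern")
    # Suffix match on a label boundary, so look-alike hosts such as
    # acme.deputy.com.example.net or acme-deputy.com are rejected.
    if not host.endswith(".deputy.com"):
        raise ValueError("host is not under deputy.com")
    labels = host[: -len(".deputy.com")].split(".")
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError("host contains an invalid DNS label")
    suffix = labels[-1] if labels[-1] in REGION_SUFFIXES else None
    if suffix and len(labels) == 1:
        raise ValueError("region suffix present but subdomain missing")
    return host, suffix, parts.path


def check_deputy_saml_urls(identifier, reply_url, sign_on_url=None):
    """Return a list of problems; an empty list means the values fit the patterns."""
    problems, parsed = [], {}
    expected_paths = {"Identifier": "", "Reply URL": ACS_PATH, "Sign-on URL": ""}
    values = {"Identifier": identifier, "Reply URL": reply_url, "Sign-on URL": sign_on_url}
    for name, url in values.items():
        if url is None:
            continue
        try:
            parsed[name] = deputy_host(url)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if parsed[name][2] != expected_paths[name]:
            wanted = expected_paths[name] or "empty"
            problems.append(f"{name}: path must be {wanted}")
    # Assumption: the Reply URL is the Identifier plus the ACS path, so both
    # must name the same host (the tutorial lists the patterns pairwise).
    if "Identifier" in parsed and "Reply URL" in parsed:
        if parsed["Identifier"][0] != parsed["Reply URL"][0]:
            problems.append("Identifier and Reply URL hosts differ")
    return problems


if __name__ == "__main__":
    # Constructed sample values.
    for line in check_deputy_saml_urls(
        "https://acme.syd.au.deputy.com",
        "https://acme.syd.na.deputy.com/exec/devapp/samlacs.",
    ):
        print(line)
```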
Configure Deputy Single Sign-On
1. Navigate to the following URL: https://(your-subdomain).deputy.com/exec/config/system_config. Go to
Security Settings and click Edit.
2. On this Security Settings page, perform the following steps.
d. In the SAML SSO URL textbox, replace <your subdomain> with your subdomain.
e. In the SAML SSO URL textbox, replace <saml sso url> with the Login URL you have copied from the
Azure portal.
f. Click Save Settings.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Deputy test user
To enable Azure AD users to log in to Deputy, they must be provisioned into Deputy. In the case of Deputy,
provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to your Deputy company site as an administrator.
2. On the top navigation pane, click People.
3. Click the Add People button and click Add a single person.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Deskradar with Azure Active Directory
10/30/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Deskradar with Azure Active Directory (Azure AD). When you
integrate Deskradar with Azure AD, you can:
Control in Azure AD who has access to Deskradar.
Enable your users to be automatically signed-in to Deskradar with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial.
Deskradar single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Deskradar supports SP and IDP
initiated SSO.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://YOURDOMAIN.deskradar.cloud
b. In the Reply URL text box, type a URL using the following pattern:
https://YOURDOMAIN.deskradar.cloud/auth/sso/saml/consume
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://YOURDOMAIN.deskradar.cloud/auth/sso/saml/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Replace
YOURDOMAIN with your Deskradar instance domain. Contact the Deskradar Client support team to get these values.
You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
6. The Deskradar application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on the
application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the
User Attributes dialog.
7. In the User Claims section on the User Attributes dialog, configure the SAML token attributes listed below
and perform the following steps:
Name         Source attribute
FirstName    user.givenname
LastName     user.surname
Email        user.userprincipalname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
9. On the Set up Deskradar section, copy the appropriate URL(s) based on your requirement.
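An added example, not from the original tutorial or from Deskradar: a Python check over a captured SAML assertion that the FirstName, LastName and Email claims configured above arrive under bare names (Namespace left blank) with non-empty values. Both assertions are constructed samples; the check only inspects attributes and does not validate the signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names from the tutorial's Deskradar claims table.
REQUIRED_CLAIMS = ("FirstName", "LastName", "Email")

# Constructed sample: claims emitted as the tutorial configures them.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Britta</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Simon</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>b.simon@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: a namespace was filled in for FirstName, LastName is
# empty, and only a default e-mail claim is present instead of Email.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/FirstName">
      <saml:AttributeValue>Britta</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>b.simon@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(xml_text):
    """Map each Attribute Name in the assertion to its list of values."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name", "")] = values
    return attrs


def check_claims(xml_text, required=REQUIRED_CLAIMS):
    """Return findings for claims that are missing, empty or namespaced."""
    attrs = assertion_attributes(xml_text)
    findings = []
    for name in required:
        if name in attrs:
            if not any(attrs[name]):
                findings.append(f"{name}: present but empty")
            continue
        # Same claim name, but prefixed with a namespace URI.
        namespaced = [n for n in attrs
                      if "/" in n and n.rsplit("/", 1)[-1].lower() == name.lower()]
        if namespaced:
            findings.append(
                f"{name}: emitted as {namespaced[0]}; Namespace was not left blank")
        else:
            findings.append(f"{name}: missing")
    return findings


if __name__ == "__main__":
    for finding in check_claims(BAD_ASSERTION):
        print(finding)
```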
3. If you want to set up Deskradar manually, open a new web browser window, sign in to your Deskradar
company site as an administrator, and perform the following steps:
4. Open the Team panel by clicking the icon in the Sidebar.
5. Switch to the Authentication tab.
6. On the SAML 2.0 tab, perform the following steps:
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Deskradar test user
In this section, you create a user called Britta Simon in Deskradar. Work with the Deskradar Client support team to
add the users in the Deskradar platform. Users must be created and activated before you use single sign-on.
Test SSO
When you select the Deskradar tile in the Access Panel, you should be automatically signed in to the Deskradar
instance for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with DigiCert
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate DigiCert with Azure Active Directory (Azure AD). Integrating DigiCert
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to DigiCert.
You can enable your users to be automatically signed-in to DigiCert (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with DigiCert, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
DigiCert single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
DigiCert supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type DigiCert, select DigiCert from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. The DigiCert application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on the
application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the
User Attributes dialog.
6. In the User Claims section on the User Attributes dialog, edit the claims by using the Edit icon or add the
claims by using Add new claim to configure the SAML token attributes listed below, and
perform the following steps:
Name            Source attribute
nameidentifier  user.userprincipalname
digicertrole    CanAccessCertCentral
NOTE
The value of the company attribute is not real. Update this value with the actual company code. To get the value
of the company attribute, contact the DigiCert support team.
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. On the Set up DigiCert section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure DigiCert Single Sign-On
To configure single sign-on on the DigiCert side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the DigiCert support team. They configure this setting so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create DigiCert test user
In this section, you create a user called Britta Simon in DigiCert. Work with the DigiCert support team to add the
users in the DigiCert platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the DigiCert tile in the Access Panel, you should be automatically signed in to the DigiCert
instance for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with direct
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate direct with Azure Active Directory (Azure AD). Integrating direct with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to direct.
You can enable your users to be automatically signed-in to direct (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with direct, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
direct single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
direct supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type direct, select direct from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Identifier text box, type a URL: https://direct4b.com/
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up direct section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure direct Single Sign-On
To configure single sign-on on the direct side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the direct support team. They apply these settings so that
the SAML SSO connection is set properly on both sides.
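Before the Federation Metadata XML and the copied URLs leave your hands, it is worth confirming that they describe the same identity provider and recording the signing certificate fingerprint, so the vendor can confirm what they installed. The following is an added example, not part of the original tutorial; the sample metadata is constructed, and the mapping of the portal's Login URL to SingleSignOnService and Azure AD Identifier to entityID is an assumption of this sketch.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample input: the tenant GUID is all zeros and the "certificate"
# is placeholder bytes, not a real X.509 certificate.
FAKE_CERT_DER = b"constructed placeholder bytes, not a real certificate"
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="{md}" entityID="https://sts.windows.net/{t}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{cert}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{b}" Location="https://login.microsoftonline.com/{t}/saml2"/>
    <SingleSignOnService Binding="{b}" Location="https://login.microsoftonline.com/{t}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".format(md=MD, t=TENANT, b=REDIRECT,
           cert=base64.b64encode(FAKE_CERT_DER).decode())


def summarize_idp_metadata(xml_text):
    """Extract the issuer, endpoints and signing-cert fingerprints from IdP metadata."""
    # Metadata never needs a DTD; refuse it rather than let the parser expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not contain a DTD or entity declarations")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("root element is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def location(tag):
        # Return the HTTP-Redirect endpoint for the given service element, if any.
        for element in idp.findall("md:" + tag, NS):
            if element.get("Binding") == REDIRECT:
                return element.get("Location")
        return None

    fingerprints = []
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use") not in (None, "signing"):
            continue  # skip encryption-only keys
        for cert in key.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("metadata carries no signing certificate")

    return {
        "entity_id": root.get("entityID"),
        "sso_url": location("SingleSignOnService"),
        "slo_url": location("SingleLogoutService"),  # reported for manual review
        "signing_cert_sha256": fingerprints,
    }


def portal_mismatches(summary, login_url, azure_ad_identifier):
    """Compare values copied from the portal with what the metadata file says."""
    pairs = {
        "Login URL": (login_url, summary["sso_url"]),
        "Azure AD Identifier": (azure_ad_identifier, summary["entity_id"]),
    }
    return ["%s: portal=%r metadata=%r" % (name, portal, meta)
            for name, (portal, meta) in pairs.items() if portal != meta]


if __name__ == "__main__":
    info = summarize_idp_metadata(SAMPLE_METADATA)
    for key, value in info.items():
        print(key, "=", value)
    print("mismatches:", portal_mismatches(info, info["sso_url"], info["entity_id"]))
```

Send the SHA-256 fingerprint through a separate channel from the file itself, so the support team can confirm the certificate they imported is the one you downloaded.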
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create direct test user
In this section, you create a user called Britta Simon in direct. Work with direct support team to add the users in the
direct platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
1. If you wish to test in IDP Initiated Mode:
When you click the direct tile in the Access Panel, you should get automatically signed-on to your direct
application.
2. If you wish to test in SP Initiated Mode:
a. Click on the direct tile in the Access Panel and you will be redirected to the application sign-on page.
b. Input your subdomain in the textbox displayed and press '次へ (Next)' and you should get automatically
signed-on to your direct application.
When you click the direct tile in the Access Panel, you should be automatically signed in to the direct for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Directions on Microsoft
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Directions on Microsoft with Azure Active Directory (Azure AD).
Integrating Directions on Microsoft with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Directions on Microsoft.
You can enable your users to be automatically signed-in to Directions on Microsoft (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Directions on Microsoft, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Directions on Microsoft single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Directions on Microsoft supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Directions on Microsoft, select Directions on Microsoft from result panel then
click Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
https://www.directionsonmicrosoft.com/user/login
https://<subdomain>.devcloud.acquia-sites.com/<companyname>
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://rhelmdirectionsonmicrosoftcomtest.devcloud.acquia-sites.com/simplesaml/<companyname>
https://www.directionsonmicrosoft.com/simplesaml/<companyname>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Directions on
Microsoft Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Directions on Microsoft section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Directions on Microsoft Single Sign-On
To configure single sign-on on Directions on Microsoft side, you need to send the downloaded Metadata XML
to Directions on Microsoft support team. To enable the Directions on Microsoft support team to locate your
federated site membership, include your company information in your email.
NOTE
Single sign-on for Directions on Microsoft needs to be enabled by the Directions on Microsoft Client support team. You will
receive a notification when single sign-on has been enabled.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Directions on Microsoft test user
There is no action item for you to configure user provisioning to Directions on Microsoft.
When an assigned user tries to log in to Directions on Microsoft using the access panel, Directions on Microsoft
checks whether the user exists. If there is no user account available yet, it is automatically created by Directions on
Microsoft.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Directions on Microsoft tile in the Access Panel, you should be automatically signed in to the
Directions on Microsoft for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Discovery Benefits SSO
10/10/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Discovery Benefits SSO with Azure Active Directory (Azure AD). When
you integrate Discovery Benefits SSO with Azure AD, you can:
Control in Azure AD who has access to Discovery Benefits SSO.
Enable your users to be automatically signed-in to Discovery Benefits SSO with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Discovery Benefits SSO single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Discovery Benefits SSO supports IDP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
Configure and test Azure AD single sign-on for Discovery Benefits SSO
Configure and test Azure AD SSO with Discovery Benefits SSO using a test user called B.Simon. For SSO to
work, you need to establish a link relationship between an Azure AD user and the related user in Discovery
Benefits SSO.
To configure and test Azure AD SSO with Discovery Benefits SSO, complete the following building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure Discovery Benefits SSO SSO - to configure the single sign-on settings on application side.
a. Create Discovery Benefits SSO test user - to have a counterpart of B.Simon in Discovery Benefits
SSO that is linked to the Azure AD representation of user.
3. Test SSO - to verify whether the configuration works.
4. On the Basic SAML Configuration section the application is pre-configured in IDP initiated mode and the
necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking
the Save button.
5. Discovery Benefits SSO application expects the SAML assertions in a specific format, which requires you to
add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes. Click Edit icon to open User Attributes dialog.
a. Click on Edit icon to open the Unique User Identifier (Name ID) dialog.
b. Click on Edit icon to open the Manage transformation dialog.
c. In the Transformation textbox, type the ToUppercase() shown for that row.
d. In the Parameter 1 textbox, type the parameter like <Name Identifier value>.
e. Click Add.
NOTE
Discovery Benefits SSO requires a fixed string value to be passed in Unique User Identifier (Name ID) field to get
this integration working. Azure AD currently doesn't support this feature so as a work around, you can use ToUpper
or ToLower transformations of NameID to set a fixed string value as shown above in the screenshot.
f. We have auto-populated the additional claims which are required for SSO configuration (SSOInstance and
SSOID). Use the Edit icon to map the values as per your organization.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. On the Set up Discovery Benefits SSO section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Discovery Benefits SSO tile in the Access Panel, you should be automatically signed in to the
Discovery Benefits SSO for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Discovery Benefits SSO with Azure AD
Tutorial: Integrate Displayr with Azure Active
Directory
6/13/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Displayr with Azure Active Directory (Azure AD). When you integrate
Displayr with Azure AD, you can:
Control in Azure AD who has access to Displayr.
Enable your users to be automatically signed-in to Displayr with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Displayr single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Displayr supports SP initiated SSO.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern: <YOURDOMAIN>.displayr.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Displayr Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section
in the Azure portal.
5. On the Set-up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. Displayr application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes. Click Edit icon to open User Attributes dialog.
7. In addition to the above, the Displayr application expects a few more attributes to be passed back in the SAML response.
In the User Attributes & Claims section on the Group Claims (Preview) dialog, perform the following
steps:
a. Click the pen next to Groups returned in claim.
2. After adding the extension to the browser, click Setup Displayr, which will direct you to the Displayr application.
From there, provide the admin credentials to sign into Displayr. The browser extension will automatically
configure the application for you and automate steps 3-6.
3. If you want to set up Displayr manually, open a new web browser window and sign into your Displayr
company site as an administrator and perform the following steps:
4. Click on Settings then navigate to Account.
5. Switch to Settings from the top menu, scroll down the page, and click Configure Single Sign On
(SAML).
6. On the Single Sign On (SAML) page, perform the following steps:
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Displayr test user
To enable Azure AD users to sign in to Displayr, they must be provisioned into Displayr. In Displayr, provisioning is a
manual task.
To provision a user account, perform the following steps:
1. Sign in to Displayr as an Administrator.
2. Click on Settings then navigate to Account.
3. Switch to Settings from the top menu, scroll down the page to the Users section, and then click New
User.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate dmarcian with Azure Active
Directory
8/6/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate dmarcian with Azure Active Directory (Azure AD). When you integrate
dmarcian with Azure AD, you can:
Control in Azure AD who has access to dmarcian.
Enable your users to be automatically signed-in to dmarcian with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
dmarcian single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
dmarcian supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://us.dmarcian.com/sso/saml/<ACCOUNT_ID>/sp.xml
https://dmarcian-eu.com/sso/saml/<ACCOUNT_ID>/sp.xml
https://dmarcian-ap.com/sso/saml/<ACCOUNT_ID>/sp.xml
b. In the Reply URL text box, type a URL using the following pattern:
https://us.dmarcian.com/login/<ACCOUNT_ID>/handle/
https://dmarcian-eu.com/login/<ACCOUNT_ID>/handle/
https://dmarcian-ap.com/login/<ACCOUNT_ID>/handle/
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://us.dmarcian.com/login/<ACCOUNT_ID>
https://dmarcian-eu.com/login/<ACCOUNT_ID>
https://dmarcian-ap.com/login/<ACCOUNT_ID>
NOTE
These values are not real. You will update these values with the actual Identifier, Reply URL and Sign-On URL, which are
explained later in the tutorial.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
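Because the Reply URL is where Azure AD posts the signed assertion, a one-character slip in the host sends it to a domain you do not control. The following added example (not part of the original tutorial) checks the three Basic SAML Configuration values against the patterns listed above and confirms they agree on region host and account; the allowed character set for <ACCOUNT_ID> and the sample values are assumptions.

```python
import re
from urllib.parse import urlsplit

# Hosts taken from the URL patterns in this tutorial.
ALLOWED_HOSTS = ("us.dmarcian.com", "dmarcian-eu.com", "dmarcian-ap.com")

# Assumption: the tutorial does not define the <ACCOUNT_ID> format, so this
# sketch accepts letters, digits, underscore and hyphen.
ACCOUNT_ID = r"[A-Za-z0-9_-]+"

PATH_PATTERNS = {
    "identifier": re.compile(r"/sso/saml/(%s)/sp\.xml" % ACCOUNT_ID),
    "reply_url": re.compile(r"/login/(%s)/handle/" % ACCOUNT_ID),
    "sign_on_url": re.compile(r"/login/(%s)/?" % ACCOUNT_ID),
}


def parse_field(field, url):
    """Return (host, account_id) for one configuration value or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    # Compare the whole authority, so user-info, ports and suffix tricks such
    # as us.dmarcian.com.example.net are all rejected.
    host = parts.netloc.lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("host %r is not a documented dmarcian host" % parts.netloc)
    if parts.query or parts.fragment:
        raise ValueError("query string or fragment is not part of the pattern")
    match = PATH_PATTERNS[field].fullmatch(parts.path)
    if match is None:
        # Also catches a literal <ACCOUNT_ID> placeholder left in the value.
        raise ValueError("path %r does not match the documented pattern" % parts.path)
    return host, match.group(1)


def check_basic_saml_config(identifier, reply_url, sign_on_url=None):
    """Return a list of problems; an empty list means the values are consistent."""
    problems, parsed = [], {}
    fields = (("identifier", identifier), ("reply_url", reply_url),
              ("sign_on_url", sign_on_url))
    for field, url in fields:
        if url is None:  # Sign-on URL is only set for SP initiated mode
            continue
        try:
            parsed[field] = parse_field(field, url)
        except ValueError as exc:
            problems.append("%s: %s" % (field, exc))
    if len(set(parsed.values())) > 1:
        problems.append("fields disagree on region host or account id: %r" % parsed)
    return problems


if __name__ == "__main__":
    # Constructed values; "acct123" is a made-up account id.
    print(check_basic_saml_config(
        "https://dmarcian-eu.com/sso/saml/acct123/sp.xml",
        "https://dmarcian-eu.com.example.net/login/acct123/handle/",
        "https://dmarcian-eu.com/login/acct123",
    ))
```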
2. After adding the extension to the browser, click Setup dmarcian, which will direct you to the dmarcian application.
From there, provide the admin credentials to sign into dmarcian. The browser extension will automatically
configure the application for you and automate steps 3-6.
3. If you want to set up dmarcian manually, open a new web browser window and sign into your dmarcian
company site as an administrator and perform the following steps:
4. Click on Profile on the top-right corner and navigate to Preferences.
5. Scroll down and click on Single Sign-On section, then click on Configure.
6. On the SAML Single Sign-On page set the Status as Enabled and perform the following steps:
Under Add dmarcian to your Identity Provider section, click COPY to copy the Assertion
Consumer Service URL for your instance and paste it in Reply URL textbox in Basic SAML
Configuration section on Azure portal.
Under Add dmarcian to your Identity Provider section, click COPY to copy the Entity ID for
your instance and paste it in Identifier textbox in Basic SAML Configuration section on Azure
portal.
Under Set up Authentication section, in the Identity Provider Metadata textbox paste the App
Federation Metadata Url, which you have copied from Azure portal.
Under Set up Authentication section, in the Attribute Statements textbox paste the URL
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Under Set up Login URL section, copy the Login URL for your instance and paste it in Sign-on
URL textbox in Basic SAML Configuration section on Azure portal.
NOTE
You can modify the Login URL according to your organization.
Click Save.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to dmarcian.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select dmarcian.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create dmarcian test user
To enable Azure AD users to sign in to dmarcian, they must be provisioned into dmarcian. In dmarcian,
provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to dmarcian as a Security Administrator.
2. Click on Profile on the top-right corner and navigate to Manage Users.
3. On the right side of SSO Users section, click on Add New User.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with DocuSign
9/27/2019 • 7 minutes to read
In this tutorial, you'll learn how to integrate DocuSign with Microsoft Azure Active Directory (Azure AD). When
you integrate DocuSign with Azure AD, you can:
Use Azure AD to control who has access to DocuSign.
Enable automatic sign-in to DocuSign for your users through their Azure AD accounts.
Manage your accounts in one central location: the Azure portal.
To learn more about software as a service (SaaS) app integration with Azure AD, see Single sign-on to applications
in Azure AD.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
A DocuSign subscription that's single sign-on (SSO) enabled.
Scenario description
In this tutorial, you'll configure and test Azure AD SSO in a test environment to verify that:
DocuSign supports service provider (SP)-initiated SSO.
DocuSign supports just-in-time user provisioning.
DocuSign supports automatic user provisioning.
b. In the Identifier (Entity ID) box, enter a URL using the following pattern:
https://<subdomain>.docusign.com/organizations/<OrganizationID>/saml2
NOTE
These bracketed values are placeholders. Replace them with the values in the actual sign-on URL and Identifier. These
details are explained in the "View SAML 2.0 Endpoints" section later in this tutorial.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64). Select Download to download the certificate and save it on your computer.
6. In the Set up DocuSign section, copy the appropriate URL (or URLs) based on your requirements.
4. Select Add user, and then in the Add Assignment dialog box, select Users and groups.
5. In the Users and groups dialog box, select B.Simon from the Users list, and then press the Select button
at the bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then press the Select button at the bottom of the screen.
7. In the Add Assignment dialog box, select the Assign button.
2. After you add the extension to the browser, select Setup DocuSign. You're directed to the DocuSign
application. From there, provide the admin credentials to sign in to DocuSign. The browser extension
automatically configures the application and automates steps 3 through 5.
3. If you want to set up DocuSign manually, open a new web browser window and sign in to your DocuSign
company site as an administrator.
4. In the upper-right corner of the page, select the profile logo, and then select Go to Admin.
7. In the Claim a Domain dialog box, in the Domain Name box, type your company domain, and then select
CLAIM. Make sure you verify the domain and that its status is active.
a. In the Name box, type a unique name for your configuration. Don't use spaces.
b. In the Identity Provider Issuer box, paste the Azure AD Identifier value, which you copied from the
Azure portal.
c. In the Identity Provider Login URL box, paste the Login URL value, which you copied from Azure
portal.
d. In the Identity Provider Logout URL box, paste the value of Logout URL, which you copied from
Azure portal.
e. Select Sign AuthN request.
f. For Send AuthN request by, select POST.
g. For Send logout request by, select GET.
h. In the Custom Attribute Mapping section, select ADD NEW MAPPING.
i. Choose the field you want to map to the Azure AD claim. In this example, the emailaddress claim is
mapped with the value of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. That's the
default claim name from Azure AD for the email claim. Select SAVE.
NOTE
Use the appropriate User identifier to map the user from Azure AD to DocuSign user mapping. Select the proper
field, and enter the appropriate value based on your organization settings.
j. In the Identity Provider Certificates section, select ADD CERTIFICATE, upload the certificate you
downloaded from Azure AD portal, and select SAVE.
k. In the Identity Providers section, select ACTIONS, and then select Endpoints.
l. In the View SAML 2.0 Endpoints section of the DocuSign admin portal, follow these steps:
a. Copy the Service Provider Issuer URL, and then paste it into the Identifier box in Basic SAML
Configuration section in the Azure portal.
b. Copy the Service Provider Login URL, and then paste it into the Sign On URL box in Basic
SAML Configuration section in the Azure portal.
c. Select Close.
Test SSO
In this section, you test your Azure AD single sign-on configuration by using the Access Panel.
When you select the DocuSign tile in the Access Panel, you should be automatically signed in to the DocuSign
instance for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional resources
Tutorials about how to integrate SaaS apps with Azure AD
What is application access and single sign-on in Azure AD?
What is Conditional Access in Azure AD?
Try DocuSign with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Check Point CloudGuard Dome9 Arc
11/8/2019 • 7 minutes to read
In this tutorial, you'll learn how to integrate Check Point CloudGuard Dome9 Arc with Azure Active Directory
(Azure AD). When you integrate Check Point CloudGuard Dome9 Arc with Azure AD, you can:
Control in Azure AD who has access to Check Point CloudGuard Dome9 Arc.
Enable your users to be automatically signed-in to Check Point CloudGuard Dome9 Arc with their Azure AD
accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Check Point CloudGuard Dome9 Arc single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Check Point CloudGuard Dome9 Arc supports SP and IDP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL: https://secure.dome9.com/
b. In the Reply URL text box, type a URL using the following pattern:
https://secure.dome9.com/sso/saml/<yourcompanyname>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://secure.dome9.com/sso/saml/<yourcompanyname>
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-on URL. You will get the
<company name> value from the Configure Check Point CloudGuard Dome9 Arc SSO section, which is explained
later in the tutorial. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
6. Check Point CloudGuard Dome9 Arc application expects the SAML assertions in a specific format, which
requires you to add custom attribute mappings to your SAML token attributes configuration. The following
screenshot shows the list of default attributes.
7. In addition to the above, the Check Point CloudGuard Dome9 Arc application expects a few more attributes to be
passed back in the SAML response, which are shown below. These attributes are also pre-populated, but you can
review them as per your requirement.
memberof user.assignedroles
NOTE
Click here to know how to create roles in Azure AD.
8. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
9. On the Set up Check Point CloudGuard Dome9 Arc section, copy the appropriate URL(s) based on your
requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
3. If you want to set up Check Point CloudGuard Dome9 Arc manually, open a new web browser window and
sign into your Check Point CloudGuard Dome9 Arc company site as an administrator and perform the
following steps:
4. Click on the Profile Settings on the top-right corner and then click Account Settings.
a. Enter company name in the Account ID textbox. This value is to be used in the Reply and Sign on URL
mentioned in Basic SAML Configuration section of Azure portal.
b. In the Issuer textbox, paste the value of Azure AD Identifier, which you have copied from the Azure
portal.
c. In the Idp endpoint url textbox, paste the value of Login URL, which you have copied from the Azure
portal.
d. Open your downloaded Base64 encoded certificate in notepad, copy the content of it into your clipboard,
and then paste it to the X.509 certificate textbox.
e. Click Save.
Create Check Point CloudGuard Dome9 Arc test user
To enable Azure AD users to sign in to Check Point CloudGuard Dome9 Arc, they must be provisioned into the
application. Check Point CloudGuard Dome9 Arc supports just-in-time provisioning, but for that to work properly,
you have to select a particular Role and assign it to the user.
NOTE
For Role creation and other details contact Check Point CloudGuard Dome9 Arc Client support team.
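When just-in-time provisioning fails, or a user lands with the wrong privileges, the first thing to inspect is whether the assertion from the test sign-in actually carries the claims each application was configured to read: memberof (sourced from user.assignedroles) here, and the emailaddress claim in the DocuSign mapping and the dmarcian Attribute Statements setting earlier on this page. This is an added example, not code from the tutorials; the sample assertions and the role name are constructed, and it inspects attributes only (it does not verify the signature).

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Claim names taken from the tutorials on this page; treating each one as
# mandatory for the named application is an assumption of this sketch.
EXPECTED_CLAIMS = {
    "Check Point CloudGuard Dome9 Arc": ["memberof"],
    "DocuSign": [EMAIL_CLAIM],
    "dmarcian": [EMAIL_CLAIM],
}


def build_sample_assertion(attributes):
    """Build a constructed, unsigned assertion for demonstration input."""
    def q(tag):
        return "{%s}%s" % (ASSERTION_NS, tag)

    root = ET.Element(q("Assertion"), {"ID": "_constructed", "Version": "2.0"})
    issuer = ET.SubElement(root, q("Issuer"))
    issuer.text = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
    statement = ET.SubElement(root, q("AttributeStatement"))
    for name, values in attributes.items():
        attribute = ET.SubElement(statement, q("Attribute"), {"Name": name})
        for value in values:
            ET.SubElement(attribute, q("AttributeValue")).text = value
    return ET.tostring(root, encoding="unicode")


def assertion_claims(xml_text):
    """Map each attribute name in an assertion (or a response wrapping one) to its values."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("SAML messages must not contain a DTD or entity declarations")
    root = ET.fromstring(xml_text)
    claims = {}
    for attribute in root.iter("{%s}Attribute" % ASSERTION_NS):
        values = [
            value.text.strip()
            for value in attribute.findall("{%s}AttributeValue" % ASSERTION_NS)
            if value.text and value.text.strip()
        ]
        claims.setdefault(attribute.get("Name"), []).extend(values)
    return claims


def missing_claims(app, xml_text):
    """List expected claims that are absent or empty for the given application."""
    claims = assertion_claims(xml_text)
    return [name for name in EXPECTED_CLAIMS[app] if not claims.get(name)]


# Constructed samples: B.Simon with an app role assigned, without one, and
# with an empty role value. "ExampleRole" is a made-up role name.
WITH_ROLE = build_sample_assertion(
    {EMAIL_CLAIM: ["B.Simon@contoso.com"], "memberof": ["ExampleRole"]})
WITHOUT_ROLE = build_sample_assertion({EMAIL_CLAIM: ["B.Simon@contoso.com"]})
EMPTY_ROLE = build_sample_assertion(
    {EMAIL_CLAIM: ["B.Simon@contoso.com"], "memberof": [""]})

if __name__ == "__main__":
    app = "Check Point CloudGuard Dome9 Arc"
    for label, sample in (("with role", WITH_ROLE), ("without role", WITHOUT_ROLE),
                          ("empty role", EMPTY_ROLE)):
        print(label, "->", missing_claims(app, sample) or "all expected claims present")
```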
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Check Point CloudGuard Dome9 Arc tile in the Access Panel, you should be automatically
signed in to the Check Point CloudGuard Dome9 Arc for which you set up SSO. For more information about the
Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Check Point CloudGuard Dome9 Arc with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Domo
8/29/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Domo with Azure Active Directory (Azure AD). When you integrate
Domo with Azure AD, you can:
Control in Azure AD who has access to Domo.
Enable your users to be automatically signed-in to Domo with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Domo single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Domo supports SP initiated SSO
Domo supports Just In Time user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern: https://<companyname>.domo.com
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.domo.com
https://<companyname>.beta.domo.com
https://<companyname>.demo.domo.com
https://<companyname>.dev.domo.com
https://<companyname>.fastage1.domo.com
https://<companyname>.frdev.domo.com
https://<companyname>.gastage.domo.com
https://<companyname>.load.domo.com
https://<companyname>.local.domo.com
https://<companyname>.qa.domo.com
https://<companyname>.stage.domo.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Domo Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up Domo section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Domo tile in the Access Panel, you should be automatically signed in to the Domo for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Domo with Azure AD
Tutorial: Azure Active Directory integration with
Dossier
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Dossier with Azure Active Directory (Azure AD). Integrating Dossier with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Dossier.
You can enable your users to be automatically signed-in to Dossier (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Dossier, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Dossier single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Dossier supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Dossier, select Dossier from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
https://<SUBDOMAIN>.dossiersystems.com/azuresso/account/SignIn
https://dossier.<CLIENTDOMAINNAME>/azuresso/account/SignIn
b. In the Identifier (Entity ID) text box, type a URL using the following pattern: Dossier/<CLIENTNAME>
NOTE
The identifier value should be in the format Dossier/<CLIENTNAME> or any user-personalized value.
c. In the Reply URL textbox, type a URL using the following pattern:
https://<SUBDOMAIN>.dossiersystems.com/azuresso
https://dossier.<CLIENTDOMAINNAME>/azuresso
NOTE
These values are not real. Update these values with the actual Sign on URL, Identifier and Reply URL. Contact Dossier
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy App Federation Metadata Url from the given options as per your requirement and save it
on your computer.
6. On the Set up Dossier section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Dossier Single Sign-On
To configure single sign-on on the Dossier side, you need to send the App Federation Metadata Url to the Dossier
support team. They apply this setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Dossier test user
In this section, you create a user called Britta Simon in Dossier. Work with the Dossier support team to add the users to
the Dossier platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Dossier tile in the Access Panel, you should be automatically signed in to the Dossier for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Dovetale
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Dovetale with Azure Active Directory (Azure AD). Integrating Dovetale
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Dovetale.
You can enable your users to be automatically signed-in to Dovetale (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Dovetale, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Dovetale single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Dovetale supports SP and IDP initiated SSO
Dovetale supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Dovetale, select Dovetale from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: <COMPANYNAME>.dovetale.com
NOTE
The value is not real. Update the value with the actual Sign-on URL. Contact Dovetale Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
6. Dovetale application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on
application integration page. On the Set up Single Sign-On with SAML page, click Edit button to open
User Attributes dialog.
7. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
NAME         SOURCE ATTRIBUTE
email        user.mail
first_name   user.givenname
name         user.userprincipalname
last_name    user.surname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
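A way to confirm the claim mapping from step 7 after a test sign-in, as an added example that is not part of the original tutorial: the script reads the AttributeStatement of a SAML assertion and reports, for each of the four claim names in the table, whether it is present, empty, or emitted under a namespace instead of the blank one step c calls for. The sample assertion and the function names are constructed for illustration, and the script inspects attributes only (it does not verify the assertion's signature).

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names from the tutorial's table, with the source attribute each maps to.
EXPECTED_CLAIMS = {
    "email": "user.mail",
    "first_name": "user.givenname",
    "name": "user.userprincipalname",
    "last_name": "user.surname",
}

# Constructed sample (not captured from a real tenant). It contains two
# deliberate mistakes: "name" is emitted under a namespace, and "last_name"
# has no value because the source attribute is unset for this user.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2019-10-30T00:00:00Z">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>b.simon@contoso.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="first_name">
      <saml:AttributeValue>Britta</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>b.simon@contoso.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="last_name">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {attribute Name: [non-empty values]} from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [
            (value.text or "").strip()
            for value in attr.iterfind("saml:AttributeValue", SAML_NS)
        ]
        attrs.setdefault(attr.get("Name", ""), []).extend(v for v in values if v)
    return attrs


def check_claims(assertion_xml, expected=EXPECTED_CLAIMS):
    """Classify each expected claim as ok, empty, namespaced or missing."""
    attrs = read_attributes(assertion_xml)
    findings = {}
    for claim in expected:
        if claim in attrs:
            findings[claim] = "ok" if attrs[claim] else "empty"
            continue
        # A claim saved with a namespace shows up as "<namespace>/<name>".
        namespaced = [n for n in attrs if n.rsplit("/", 1)[-1] == claim]
        findings[claim] = "namespaced" if namespaced else "missing"
    return findings


if __name__ == "__main__":
    for claim, status in check_claims(SAMPLE_ASSERTION).items():
        print(f"{claim:<12} {EXPECTED_CLAIMS[claim]:<24} {status}")
```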
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Dovetale test user
In this section, a user called Britta Simon is created in Dovetale. Dovetale supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Dovetale, a new one is created after authentication.
NOTE
If you need to create a user manually, contact Dovetale support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Dow
Jones Factiva
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Dow Jones Factiva with Azure Active Directory (Azure AD). Integrating
Dow Jones Factiva with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Dow Jones Factiva.
You can enable your users to be automatically signed-in to Dow Jones Factiva (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Dow Jones Factiva, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Dow Jones Factiva single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Dow Jones Factiva supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Dow Jones Factiva, select Dow Jones Factiva from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Dow Jones Factiva section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Dow Jones Factiva Single Sign-On
To configure single sign-on on the Dow Jones Factiva side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the Dow Jones Factiva support team. They apply this
setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Dow Jones Factiva test user
In this section, you create a user called Britta Simon in Dow Jones Factiva. Work with the Dow Jones Factiva support
team to add the users to the Dow Jones Factiva platform. Users must be created and activated before you use
single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Dow Jones Factiva tile in the Access Panel, you should be automatically signed in to the Dow
Jones Factiva for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Darwinbox
8/23/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate Darwinbox with Azure Active Directory (Azure AD). When you
integrate Darwinbox with Azure AD, you can:
Control in Azure AD who has access to Darwinbox.
Enable your users to be automatically signed-in to Darwinbox with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Darwinbox single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Darwinbox supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern: https://<SUBDOMAIN>.darwinbox.in/
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SUBDOMAIN>.darwinbox.in/adfs/module.php/saml/sp/metadata.php/<CUSTOMID>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Darwinbox Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up Darwinbox section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Darwinbox.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Darwinbox.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Darwinbox tile in the Access Panel, you should be automatically signed in to the Darwinbox for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Darwinbox with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Drift
10/17/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Drift with Azure Active Directory (Azure AD). When you integrate Drift
with Azure AD, you can:
Control in Azure AD who has access to Drift.
Enable your users to be automatically signed-in to Drift with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Drift single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Drift supports SP and IDP initiated SSO
Drift supports Just In Time user provisioning
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section the application is pre-configured in IDP initiated mode and the
necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking
the Save button.
a. Click Set additional URLs.
b. In the Relay State text box, type a URL: https://app.drift.com
c. If you wish to configure the application in SP initiated mode perform the following step:
d. In the Sign-on URL text box, type a URL: https://start.drift.com
5. Your Drift application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
6. In addition to the above, the Drift application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you can review them as per your
requirement.
NAME   SOURCE ATTRIBUTE
Name   user.displayname
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
8. On the Set up Drift section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, click Setup Drift, which will direct you to the Drift application. From
there, provide the admin credentials to sign into Drift. The browser extension will automatically configure
the application for you and automate steps 3-4.
3. If you want to set up Drift manually, open a new web browser window, sign into your Drift company site
as an administrator, and perform the following steps:
4. From the left side of the menu bar, click the Settings icon > App Settings > Authentication and perform the
following steps:
a. Upload the Federation Metadata XML that you have downloaded from the Azure portal into the
Upload Identity Provider metadata file text box.
b. After you upload the metadata file, the remaining values are populated on the page automatically.
c. Click Enable SAML.
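Before uploading the Federation Metadata XML in step 4a (or sending it to a vendor support team, as the Dow Jones Factiva tutorial describes), it is worth checking that the file agrees with the values copied from the Azure portal. The following added example, which is not part of the original tutorial, extracts the entityID, sign-on endpoints and signing-certificate fingerprint from the metadata and compares them with the Azure AD Identifier and Login URL; the sample metadata, tenant GUID, certificate bytes and function names are constructed assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed values: the tenant GUID is a placeholder and the "certificate"
# is arbitrary bytes standing in for DER data, not a real X.509 certificate.
PORTAL_IDENTIFIER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
PORTAL_LOGIN_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
SAMPLE_CERT_B64 = base64.b64encode(b"constructed bytes standing in for a DER certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="{PORTAL_IDENTIFIER}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{PORTAL_LOGIN_URL}"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{PORTAL_LOGIN_URL}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def summarize_metadata(metadata_xml):
    """Pull the fields a service provider will trust out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    fingerprints = []
    for key in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute applies to signing as well.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    locations = {
        sso.get("Location")
        for sso in idp.iterfind("md:SingleSignOnService", NS)
        if sso.get("Location")
    }
    return {
        "entity_id": root.get("entityID"),
        "sso_urls": sorted(locations),
        "signing_cert_sha256": fingerprints,
    }


def compare_with_portal(summary, login_url, azure_ad_identifier, pinned_sha256=None):
    """Return a list of mismatches; an empty list means the file is consistent.

    pinned_sha256 is optional: a fingerprint you recorded separately from the
    certificate you downloaded (hypothetical workflow, not from the tutorial).
    """
    problems = []
    if summary["entity_id"] != azure_ad_identifier:
        problems.append("entityID does not match the Azure AD Identifier")
    if login_url not in summary["sso_urls"]:
        problems.append("Login URL is not among the SingleSignOnService locations")
    for url in summary["sso_urls"]:
        if not url.lower().startswith("https://"):
            problems.append(f"sign-on endpoint is not HTTPS: {url}")
    if not summary["signing_cert_sha256"]:
        problems.append("metadata carries no signing certificate")
    elif pinned_sha256 and pinned_sha256.lower() not in summary["signing_cert_sha256"]:
        problems.append("signing certificate does not match the pinned fingerprint")
    return problems


if __name__ == "__main__":
    info = summarize_metadata(SAMPLE_METADATA)
    print(info)
    print(compare_with_portal(info, PORTAL_LOGIN_URL, PORTAL_IDENTIFIER) or "metadata matches portal values")
```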
Create Drift test user
In this section, a user called Britta Simon is created in Drift. Drift supports just-in-time user provisioning, which is
enabled by default. There is no action item for you in this section. If a user doesn't already exist in Drift, a new one
is created after authentication.
NOTE
If you need to create a user manually, contact Drift support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Drift tile in the Access Panel, you should be automatically signed in to the Drift for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Drift with Azure AD
Tutorial: Integrate Dropbox for Business with Azure
Active Directory
10/30/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Dropbox for Business with Azure Active Directory (Azure AD). When
you integrate Dropbox for Business with Azure AD, you can:
Control in Azure AD who has access to Dropbox for Business.
Enable your users to be automatically signed-in to Dropbox for Business with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
Dropbox for Business single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Dropbox for Business supports SP initiated SSO
Dropbox for Business supports Just In Time user provisioning
4. On the Basic SAML Configuration page, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern: https://www.dropbox.com/sso/<id>
NOTE
The preceding Sign-on URL value is not a real value. You will update the value with the actual Sign-on URL, which is
explained later in the tutorial.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and
save it on your computer.
6. On the Set up Dropbox for Business section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Dropbox for Business SSO
1. To automate the configuration within Dropbox for Business, you need to install the My Apps Secure Sign-in
browser extension by clicking Install the extension.
2. After adding the extension to the browser, click Setup Dropbox for Business, which will direct you to the Dropbox
for Business application. From there, provide the admin credentials to sign into Dropbox for Business. The
browser extension will automatically configure the application for you and automate steps 3-8.
3. If you want to set up Dropbox for Business manually, open a new web browser window, go to your
Dropbox for Business tenant, sign in, and perform the following
steps:
4. Click the User Icon and select the Settings tab.
a. Select Required as an option from the dropdown for the Single sign-on.
b. Click on Add sign-in URL and in the Identity provider sign-in URL textbox, paste the Login URL
value which you have copied from the Azure portal and then select Done.
c. Click Upload certificate, and then browse to your Base64 encoded certificate file which you have
downloaded from the Azure portal.
d. Click on Copy link and paste the copied value into the Sign-on URL textbox of Dropbox for Business
Domain and URLs section on Azure portal.
e. Click Save.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called Britta Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter Britta Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
BrittaSimon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable Britta Simon to use Azure single sign-on by granting access to Dropbox for Business.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Dropbox for Business.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Dropbox for Business test user
In this section, a user called Britta Simon is created in Dropbox for Business. Dropbox for Business supports just-
in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user
doesn't already exist in Dropbox for Business, a new one is created after authentication.
NOTE
If you need to create a user manually, contact the Dropbox for Business Client support team.
Test SSO
When you select the Dropbox for Business tile in the Access Panel, you should be automatically signed in to the
Dropbox for Business for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Druva
10/22/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Druva with Azure Active Directory (Azure AD). When you integrate
Druva with Azure AD, you can:
Control in Azure AD who has access to Druva.
Enable your users to be automatically signed-in to Druva with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Druva single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Druva supports SP and IDP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
6. Click Save.
7. Druva application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
8. In addition to the above, the Druva application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you can review them as per your
requirements.
NAME           SOURCE ATTRIBUTE
emailAddress   user.email
9. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
10. On the Set up Druva section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
a. In the ID Provider Login URL textbox, paste the value of Login URL, which you have copied from the
Azure portal.
b. Open your base-64 encoded certificate in Notepad, copy its content to your clipboard, and
then paste it into the ID Provider Certificate textbox.
NOTE
To enable single sign-on for administrators, select the Administrators log into Druva Cloud through SSO
provider and Allow failsafe access to Druva Cloud administrators(recommended) checkboxes. Druva
recommends enabling Failsafe for Administrators so that they can still access the DCP console in case of
any failures in the IdP. It also enables the administrators to use both SSO and the DCP password to access the DCP
console.
c. Click Save. This enables access to the Druva Cloud Platform using SSO.
Create Druva test user
In this section, a user called B.Simon is created in Druva. Druva supports just-in-time user provisioning, which is
enabled by default. There is no action item for you in this section. If a user doesn't already exist in Druva, a new one
is created after authentication.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Druva tile in the Access Panel, you should be automatically signed in to the Druva for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Druva with Azure AD
Tutorial: Azure Active Directory integration with
Dynamic Signal
10/30/2019
In this tutorial, you learn how to integrate Dynamic Signal with Azure Active Directory (Azure AD). Integrating
Dynamic Signal with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Dynamic Signal.
You can enable your users to be automatically signed-in to Dynamic Signal (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Dynamic Signal, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Dynamic Signal single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Dynamic Signal supports SP initiated SSO
Dynamic Signal supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Dynamic Signal, select Dynamic Signal from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier box, type a URL using the following pattern: https://<subdomain>.voicestorm.com
c. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.voicestorm.com/User/SsoResponse
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact
Dynamic Signal Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and
save it on your computer.
6. On the Set up Dynamic Signal section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Dynamic Signal Single Sign-On
To configure single sign-on on the Dynamic Signal side, you need to send the downloaded Certificate (Base64) and
the appropriate copied URLs from the Azure portal to the Dynamic Signal support team. They apply this configuration
so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Dynamic Signal test user
In this section, a user called Britta Simon is created in Dynamic Signal. Dynamic Signal supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Dynamic Signal, a new one is created after authentication.
NOTE
If you need to create a user manually, contact Dynamic Signal support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Dynamic Signal tile in the Access Panel, you should be automatically signed in to the Dynamic
Signal for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Dynatrace
10/27/2019
In this tutorial, you'll learn how to integrate Dynatrace with Azure Active Directory (Azure AD). When you integrate
Dynatrace with Azure AD, you can:
Control in Azure AD who has access to Dynatrace.
Enable your users to be automatically signed-in to Dynatrace with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Dynatrace single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Dynatrace supports SP and IDP initiated SSO
Dynatrace supports Just In Time user provisioning
NOTE
The identifier of this application is a fixed string value. Only one instance can be configured in one tenant.
4. In the Basic SAML Configuration section, the application is pre-configured in IDP initiated mode and the
necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking
the Save button.
5. Click Set additional URLs and complete the following step to configure the application in SP initiated
mode:
In the Sign-on URL text box, type a URL: https://sso.dynatrace.com/
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML. Select Download to download the certificate and save it on your computer.
7. In the SAML Signing Certificate section, select the Edit button to open the SAML Signing Certificate
dialog box. Complete the following steps:
a. The Signing Option setting is pre-populated. Please review the settings as per your organization.
b. Click Save.
8. In the Set up Dynatrace section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, and then select Users and groups in the Add Assignment dialog box.
5. In the Users and groups dialog box, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog box, select the
appropriate role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog box, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Dynatrace tile in the Access Panel, you should be automatically signed in to the Dynatrace for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Dynatrace with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with EAB Navigate IMPL
10/27/2019
In this tutorial, you'll learn how to integrate EAB Navigate IMPL with Azure Active Directory (Azure AD). When
you integrate EAB Navigate IMPL with Azure AD, you can:
Control in Azure AD who has access to EAB Navigate IMPL.
Enable your users to be automatically signed-in to EAB Navigate IMPL with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
EAB Navigate IMPL single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
EAB Navigate IMPL supports SP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
Configure and test Azure AD single sign-on for EAB Navigate IMPL
Configure and test Azure AD SSO with EAB Navigate IMPL using a test user called B.Simon. For SSO to work,
you need to establish a link relationship between an Azure AD user and the related user in EAB Navigate IMPL.
To configure and test Azure AD SSO with EAB Navigate IMPL, complete the following building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure EAB Navigate IMPL SSO - to configure the single sign-on settings on application side.
a. Create EAB Navigate IMPL test user - to have a counterpart of B.Simon in EAB Navigate IMPL that is
linked to the Azure AD representation of user.
3. Test SSO - to verify whether the configuration works.
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.navigate.impl.eab.com/
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact EAB Navigate IMPL Client support team
to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the EAB Navigate IMPL tile in the Access Panel, you should be automatically signed in to the EAB
Navigate IMPL for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try EAB Navigate IMPL with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with EAB Navigate Strategic Care
8/23/2019
In this tutorial, you'll learn how to integrate EAB Navigate Strategic Care with Azure Active Directory (Azure AD).
When you integrate EAB Navigate Strategic Care with Azure AD, you can:
Control in Azure AD who has access to EAB Navigate Strategic Care.
Enable your users to be automatically signed-in to EAB Navigate Strategic Care with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
EAB Navigate Strategic Care single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
EAB Navigate Strategic Care supports SP initiated SSO
Configure and test Azure AD single sign-on for EAB Navigate Strategic
Care
Configure and test Azure AD SSO with EAB Navigate Strategic Care using a test user called B.Simon. For SSO to
work, you need to establish a link relationship between an Azure AD user and the related user in EAB Navigate
Strategic Care.
To configure and test Azure AD SSO with EAB Navigate Strategic Care, complete the following building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure EAB Navigate Strategic Care SSO - to configure the single sign-on settings on application side.
a. Create EAB Navigate Strategic Care test user - to have a counterpart of B.Simon in EAB Navigate
Strategic Care that is linked to the Azure AD representation of user.
3. Test SSO - to verify whether the configuration works.
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL using the following pattern: https://<CUSTOMERURL>.eab.com
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact EAB Navigate Strategic Care Client
support team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the EAB Navigate Strategic Care tile in the Access Panel, you should be automatically signed in to
the EAB Navigate Strategic Care for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try EAB Navigate Strategic Care with Azure AD
Tutorial: Azure Active Directory integration with
EasyTerritory
10/30/2019
In this tutorial, you learn how to integrate EasyTerritory with Azure Active Directory (Azure AD). Integrating
EasyTerritory with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to EasyTerritory.
You can enable your users to be automatically signed-in to EasyTerritory (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with EasyTerritory, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
EasyTerritory single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
EasyTerritory supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type EasyTerritory, select EasyTerritory from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://apps.easyterritory.com/<tenant id>/dev/
b. In the Reply URL text box, type a URL using the following pattern:
https://apps.easyterritory.com/<tenant id>/dev/authservices/acs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<company name>.easyterritory.com/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
EasyTerritory Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up EasyTerritory section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure EasyTerritory Single Sign-On
To configure single sign-on on the EasyTerritory side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the EasyTerritory support team. They apply this
configuration so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create EasyTerritory test user
In this section, you create a user called Britta Simon in EasyTerritory. Work with EasyTerritory support team to add
the users in the EasyTerritory platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the EasyTerritory tile in the Access Panel, you should be automatically signed in to the EasyTerritory
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with EBSCO
10/18/2019
In this tutorial, you'll learn how to integrate EBSCO with Azure Active Directory (Azure AD). When you integrate
EBSCO with Azure AD, you can:
Control in Azure AD who has access to EBSCO.
Enable your users to be automatically signed-in to EBSCO with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
EBSCO single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
EBSCO supports SP and IDP initiated SSO
EBSCO supports Just In Time user provisioning
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
In the Identifier text box, type a URL: pingsso.ebscohost.com
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
http://search.ebscohost.com/login.aspx?authtype=sso&custid=<unique EBSCO customer ID>&profile=<profile
ID>
NOTE
The Sign-on URL value is not real. Update the value with the actual Sign-on URL. Contact EBSCO Client support team
to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
o Unique elements:
o Custid = Enter the unique EBSCO customer ID
o Profile = Clients can tailor the link to direct users to a specific profile (depending on what they purchase
from EBSCO). They can enter a specific profile ID. The main IDs are eds (EBSCO Discovery Service) and
ehost (EBSCOhost databases). Instructions for the same are given here.
6. EBSCO application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
NOTE
The name attribute is mandatory and it is mapped with Name Identifier value in EBSCO application. This is added
by default so you don't need to add this manually.
7. In addition to the above, the EBSCO application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also prepopulated, but you can review them as per your
requirements.
FirstName user.givenname
LastName user.surname
Email user.mail
8. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
9. On the Set up EBSCO section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to EBSCO.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select EBSCO.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
You can automate EBSCOhost user provisioning/personalization. Contact EBSCO support team about Just-In-Time user
provisioning.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
1. When you click the EBSCO tile in the Access Panel, you should get automatically signed-on to your EBSCO
application. For more information about the Access Panel, see Introduction to the Access Panel.
2. Once you log in to the application, click the sign in button in the top right corner.
3. You will receive a one-time prompt to pair the institutional/SAML login with one of two options: Link your
existing MyEBSCOhost account to your institution account now OR Create a new MyEBSCOhost account
and link it to your institution account. The account is used for personalization on the EBSCOhost
application. Select the option Create a new account and you will see that the form for personalization is
pre-completed with the values from the SAML response as shown in the screenshot below. Click ‘Continue’
to save this selection.
4. After completing the above setup, clear cookies/cache and log in again. You won’t have to manually sign in
again and the personalization settings are remembered.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try EBSCO with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with eCornell
10/18/2019
In this tutorial, you'll learn how to integrate eCornell with Azure Active Directory (Azure AD). When you integrate
eCornell with Azure AD, you can:
Control in Azure AD who has access to eCornell.
Enable your users to be automatically signed-in to eCornell with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
eCornell single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
eCornell supports SP initiated SSO
eCornell supports Just In Time user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign-on URL text box, type a URL using the following pattern:
https://admin.ecornell.com/sso/clp/<groupCode>
b. In the Identifier box, type a URL using the following pattern: http://pingone.com/<eCornellCustomGUID>
c. In the Reply URL text box, type a URL using the following pattern:
https://sso.connect.pingidentity.com/sso/sp/ACS.saml2?saasid=<CustomGUID>
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact
eCornell Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. eCornell application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
6. In addition to the above, the eCornell application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also prepopulated, but you can review them as per your
requirements.
firstName user.givenname
lastName user.surname
email user.mail
SAML_SUBJECT user.userprincipalname
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
8. On the Set up eCornell section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the eCornell tile in the Access Panel, you should be automatically signed in to the eCornell for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
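The following is an added example, not part of the original tutorial or of any vendor's code: a Python check that a SAML response captured during the Test SSO step carries the claim names listed in the attribute tables for Druva, EBSCO and eCornell on this page. The sample response is constructed and trimmed, the function names are hypothetical, and exact-case matching of claim names is an assumption about how the service provider compares them.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim names exactly as they appear in the attribute tables on this page.
EXPECTED_CLAIMS = {
    "Druva": {"emailAddress"},
    "EBSCO": {"FirstName", "LastName", "Email"},
    "eCornell": {"firstName", "lastName", "email", "SAML_SUBJECT"},
}

# Constructed sample (trimmed, unsigned): "email" is sent as "Email" and
# lastName is empty, two mistakes that are easy to make when editing claims.
SAMPLE_RESPONSE_XML = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0">
  <saml:Assertion ID="_constructed_assertion" Version="2.0">
    <saml:Subject>
      <saml:NameID>B.Simon@contoso.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName">
        <saml:AttributeValue>B</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="lastName">
        <saml:AttributeValue></saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Email">
        <saml:AttributeValue>B.Simon@contoso.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="SAML_SUBJECT">
        <saml:AttributeValue>B.Simon@contoso.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_saml_response(form_value):
    """Decode a SAMLResponse form field (HTTP-POST binding: plain base64)."""
    return base64.b64decode(form_value, validate=True)


def extract_claims(xml_data):
    """Return (name_id, {claim name: [values]}) from a response or assertion.

    Troubleshooting aid only: the signature is NOT verified here, so the
    result must never be used to make an authentication decision.
    """
    data = xml_data.encode() if isinstance(xml_data, str) else xml_data
    if b"<!DOCTYPE" in data.upper():
        # A SAML message has no reason to carry a DTD; refuse to parse it.
        raise ValueError("DOCTYPE not allowed in a SAML message")
    root = ET.fromstring(data)
    if root.tag == "{%s}Assertion" % NS["saml"]:
        assertion = root
    else:
        assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no unencrypted Assertion element found")
    name_id = assertion.findtext(
        "saml:Subject/saml:NameID", default="", namespaces=NS
    ).strip()
    claims = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name", ""), []).extend(values)
    return name_id, claims


def check_claims(app, xml_data):
    """List (problem, claim) pairs for the claims `app` expects."""
    name_id, claims = extract_claims(xml_data)
    findings = []
    if not name_id:
        findings.append(("missing", "NameID"))
    lowered = {name.lower() for name in claims}
    for claim in sorted(EXPECTED_CLAIMS[app]):
        if claim in claims:
            if not any(claims[claim]):
                findings.append(("empty", claim))
        elif claim.lower() in lowered:
            # Present, but spelled with different letter case.
            findings.append(("case-mismatch", claim))
        else:
            findings.append(("missing", claim))
    return findings


if __name__ == "__main__":
    for app in EXPECTED_CLAIMS:
        print(app, check_claims(app, SAMPLE_RESPONSE_XML))
```

An empty list from `check_claims` means every expected claim is present with a non-empty value; it says nothing about whether the response signature is valid.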
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try eCornell with Azure AD
Tutorial: Azure Active Directory integration with
Edcor
10/30/2019
In this tutorial, you learn how to integrate Edcor with Azure Active Directory (Azure AD). Integrating Edcor with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Edcor.
You can enable your users to be automatically signed-in to Edcor (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Edcor, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Edcor single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Edcor supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Edcor, select Edcor from the results panel, and then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Edcor section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Edcor Single Sign-On
To configure single sign-on on the Edcor side, send the downloaded Federation Metadata XML and the
appropriate copied URLs from the Azure portal to the Edcor support team. They apply these settings so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Edcor test user
In this section, you create a user called Britta Simon in Edcor. Work with Edcor support team to add the users in the
Edcor platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Edcor tile in the Access Panel, you should be automatically signed in to the Edcor for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with eDigitalResearch
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate eDigitalResearch with Azure Active Directory (Azure AD). Integrating
eDigitalResearch with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to eDigitalResearch.
You can enable your users to be automatically signed-in to eDigitalResearch (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with eDigitalResearch, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
eDigitalResearch single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
eDigitalResearch supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type eDigitalResearch, select eDigitalResearch from the results panel, and then click the
Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<company-name>.edigitalresearch.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<company-name>.edigitalresearch.com/login/consume
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact eDigitalResearch
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up eDigitalResearch section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure eDigitalResearch Single Sign-On
To configure single sign-on on the eDigitalResearch side, send the downloaded Certificate (Base64)
and the appropriate copied URLs from the Azure portal to the eDigitalResearch support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create eDigitalResearch test user
In this section, you create a user called Britta Simon in eDigitalResearch. Work with the eDigitalResearch support
team to add the users in the eDigitalResearch platform. Users must be created and activated before you use
single sign-on.
NOTE
The Azure Active Directory account holder receives an email and follows a link to confirm their account before it becomes
active.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with EduBrite LMS
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate EduBrite LMS with Azure Active Directory (Azure AD). Integrating
EduBrite LMS with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to EduBrite LMS.
You can enable your users to be automatically signed-in to EduBrite LMS (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with EduBrite LMS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
EduBrite LMS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
EduBrite LMS supports SP and IDP initiated SSO
EduBrite LMS supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type EduBrite LMS, select EduBrite LMS from the results panel, and then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<customer-specific>.edubrite.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<customer-specific>.edubrite.com/oltpublish/site/samlLoginResponse.do
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<customer-specific>.edubrite.com/oltpublish/site/samlLoginResponse.do
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
EduBrite LMS Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. In the Set up EduBrite LMS section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure EduBrite LMS Single Sign-On
To configure single sign-on on the EduBrite LMS side, send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the EduBrite LMS support team. They apply these settings so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create EduBrite LMS test user
In this section, a user called Britta Simon is created in EduBrite LMS. EduBrite LMS supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in EduBrite LMS, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the EduBrite LMS tile in the Access Panel, you should be automatically signed in to the EduBrite
LMS for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with EFI Digital StoreFront
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate EFI Digital StoreFront with Azure Active Directory (Azure AD).
Integrating EFI Digital StoreFront with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to EFI Digital StoreFront.
You can enable your users to be automatically signed-in to EFI Digital StoreFront (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with EFI Digital StoreFront, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
EFI Digital StoreFront single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
EFI Digital StoreFront supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type EFI Digital StoreFront, select EFI Digital StoreFront from the results panel, and then
click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.myprintdesk.net/DSF/asp4/
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact EFI Digital
StoreFront Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up EFI Digital StoreFront section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure EFI Digital StoreFront Single Sign-On
To configure single sign-on on the EFI Digital StoreFront side, send the downloaded Federation
Metadata XML and the appropriate copied URLs from the Azure portal to the EFI Digital StoreFront Client support
team. They apply these settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create EFI Digital StoreFront test user
In this section, you create a user called Britta Simon in EFI Digital StoreFront. Work with EFI Digital StoreFront
support team to add the users in the EFI Digital StoreFront platform. Users must be created and activated before
you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the EFI Digital StoreFront tile in the Access Panel, you should be automatically signed in to the EFI
Digital StoreFront for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Egnyte
11/19/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Egnyte with Azure Active Directory (Azure AD). Integrating Egnyte with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Egnyte.
You can enable your users to be automatically signed-in to Egnyte (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Egnyte, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Egnyte single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Egnyte supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Egnyte, select Egnyte from the results panel, and then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Egnyte Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up Egnyte section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Egnyte Single Sign-On
1. In a different web browser window, log in to your Egnyte company site as an administrator.
2. Click Settings.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Egnyte test user
To enable Azure AD users to log in to Egnyte, they must be provisioned into Egnyte. In the case of Egnyte,
provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to your Egnyte company site as administrator.
2. Go to Settings > Users & Groups.
3. Click Add New User, and then select the type of user you want to add.
4. In the New Power User section, perform the following steps:
NOTE
The Azure Active Directory account holder will receive a notification email.
NOTE
You can use any other Egnyte user account creation tools or APIs provided by Egnyte to provision Azure AD user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with eKincare
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate eKincare with Azure Active Directory (Azure AD). Integrating eKincare
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to eKincare.
You can enable your users to be automatically signed-in to eKincare (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with eKincare, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
eKincare single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
eKincare supports IDP initiated SSO
eKincare supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type eKincare, select eKincare from the results panel, and then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<instancename>.ekincare.com/
b. In the Reply URL text box, type a URL using the following pattern:
https://<instancename>.ekincare.com/hul/saml
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact eKincare Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The eKincare application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on the
application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the
User Attributes dialog.
6. In the User Claims section on the User Attributes dialog, edit the claims by using the Edit icon or add the
claims by using Add new claim to configure the SAML token attributes as shown in the image above, and
perform the following steps:
NAME                SOURCE ATTRIBUTE
employeeid          user.extensionattribute1
organizationid      "uniquevalue"
organizationname    user.companyname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. In the Set up eKincare section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure eKincare Single Sign-On
To configure single sign-on on the eKincare side, send the downloaded Federation Metadata XML and the
appropriate copied URLs from the Azure portal to the eKincare support team. They apply these settings so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create eKincare test user
In this section, a user called Britta Simon is created in eKincare. eKincare supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in eKincare, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the eKincare tile in the Access Panel, you should be automatically signed in to the eKincare for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Eli Onboarding
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Eli Onboarding with Azure Active Directory (Azure AD). Integrating Eli
Onboarding with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Eli Onboarding.
You can enable your users to be automatically signed-in to Eli Onboarding (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Eli Onboarding, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Eli Onboarding single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Eli Onboarding supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Eli Onboarding, select Eli Onboarding from the results panel, and then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern: https://<YOUR DOMAIN URL>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Eli Onboarding
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Eli Onboarding section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Eli Onboarding Single Sign-On
To configure single sign-on on the Eli Onboarding side, send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the Eli Onboarding support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Eli Onboarding test user
In this section, you create a user called Britta Simon in Eli Onboarding. Work with Eli Onboarding support team to
add the users in the Eli Onboarding platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Eli Onboarding tile in the Access Panel, you should be automatically signed in to the Eli
Onboarding for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with Elium
10/22/2019 • 7 minutes to read
In this tutorial, you'll learn how to integrate Elium with Azure Active Directory (Azure AD). When you integrate
Elium with Azure AD, you can:
Control in Azure AD who has access to Elium.
Enable your users to be automatically signed-in to Elium with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Elium single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Elium supports SP and IDP initiated SSO
Elium supports Just In Time user provisioning
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://<platform-domain>.elium.com/login/saml2/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://<platform-domain>.elium.com/login/saml2/acs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<platform-domain>.elium.com/login/saml2/login
NOTE
These values are not real. You will get these values from the SP metadata file downloadable at
https://<platform-domain>.elium.com/login/saml2/metadata , which is explained later in this tutorial.
6. The Elium application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
7. In addition to the above, the Elium application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you can review them as per your
requirements.
NAME          SOURCE ATTRIBUTE
email         user.mail
first_name    user.givenname
last_name     user.surname
job_title     user.jobtitle
company       user.companyname
NOTE
These are the default claims. Only the email claim is required. For JIT provisioning, too, only the email claim is
mandatory. Other custom claims can vary from one customer platform to another.
8. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
9. In the Set up Elium section, copy the appropriate URL(s) based on your requirement.
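A check for the claim mappings in the eKincare and Elium tutorials, as an added example that is not part of the original documentation: it reads the AttributeStatement of an assertion captured from a test sign-in and reports required claims that are missing, empty, or emitted under a namespaced name. The function names and sample assertions are constructed; it assumes attribute names appear bare, exactly as in the tables (the eKincare steps say to leave the Namespace blank), and treats all three eKincare claims as required.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names as listed in the two tutorials' tables. The Elium note says only
# "email" is required; treating all three eKincare claims as required is an
# assumption of this example.
EXPECTED = {
    "eKincare": {"required": ["employeeid", "organizationid", "organizationname"],
                 "optional": []},
    "Elium": {"required": ["email"],
              "optional": ["first_name", "last_name", "job_title", "company"]},
}

# Constructed sample assertions (unsigned, trimmed to the AttributeStatement).
SAMPLE_ELIUM = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>B.Simon@contoso.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>B.</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Simon</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

SAMPLE_EKINCARE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid">
      <saml:AttributeValue>E1001</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="organizationid"><saml:AttributeValue>uniquevalue</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="organizationname"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {attribute Name: [values]} from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_claims(app, assertion_xml):
    """Compare an assertion's attributes with the claims the tutorial lists.

    Does not verify the XML signature; it only inspects which claims are
    present, so use it on an assertion from your own test sign-in.
    """
    spec = EXPECTED[app]
    attrs = read_attributes(assertion_xml)
    # Map the last path segment of URI-style names back to the full name, so a
    # claim sent with a namespace can be reported as such instead of "missing".
    by_suffix = {name.rsplit("/", 1)[1]: name for name in attrs if "/" in name}
    report = {"missing": [], "empty": [], "namespaced": []}
    for claim in spec["required"]:
        if claim in attrs:
            if not any(attrs[claim]):
                report["empty"].append(claim)
        elif claim in by_suffix:
            report["namespaced"].append(by_suffix[claim])
        else:
            report["missing"].append(claim)
    report["optional_absent"] = [c for c in spec["optional"] if c not in attrs]
    report["ok"] = not (report["missing"] or report["empty"] or report["namespaced"])
    return report


if __name__ == "__main__":
    for app, sample in (("Elium", SAMPLE_ELIUM), ("eKincare", SAMPLE_EKINCARE)):
        print(app, check_claims(app, sample))
```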
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Elium.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Elium.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, click Set up Elium to go to the Elium application. From
there, provide the admin credentials to sign into Elium. The browser extension will automatically configure
the application for you and automate steps 3-6.
3. If you want to set up Elium manually, open a new web browser window, sign into your Elium company
site as an administrator, and perform the following steps:
4. Click the User profile in the top-right corner and then select Administration.
a. Copy the value of Verify that SAML2 authentication works for your account and paste it in the
Sign-on URL textbox on the Basic SAML Configuration section in the Azure portal.
NOTE
After configuring SSO, you can always access the default remote login page at the following URL:
https://<platform_domain>/login/regular/login
f. Search for the AssertionConsumerService in the SP Metadata file, copy the Location value and paste
it in the Reply URL textbox on the Basic SAML Configuration section in the Azure portal.
g. Open the metadata file downloaded from the Azure portal in Notepad, copy the content and paste it into
the IdP Metadata textbox.
h. Click Save.
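The Identifier and Reply URL entered in the Azure portal come from the Elium SP metadata file. The following added example (not part of the original tutorial and not Elium's or Microsoft's code) parses such a file, returns both values, and refuses endpoints that are not HTTPS or not under the expected vendor domain. The sample metadata, the `example-platform` host and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: "example-platform" stands in for <platform-domain>.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-platform.elium.com/login/saml2/metadata">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-platform.elium.com/login/saml2/acs-redirect"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-platform.elium.com/login/saml2/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _require_https_host(url, expected_suffix, label):
    """Reject values that are not https:// URLs on the expected vendor domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError(f"{label} is not an https URL: {url!r}")
    if not host.endswith("." + expected_suffix):
        raise ValueError(f"{label} host {host!r} is outside {expected_suffix!r}")
    return url


def extract_basic_saml_config(metadata_xml, expected_suffix="elium.com"):
    """Return the Identifier and Reply URL for Basic SAML Configuration."""
    # SAML metadata has no need for a DTD; refusing one avoids entity tricks.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("unexpected DTD or entity declaration in metadata")
    root = ET.fromstring(metadata_xml)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError(f"expected a single EntityDescriptor, got {root.tag!r}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata does not describe a service provider")

    # Azure AD returns the SAML response via HTTP POST, so only endpoints
    # with that binding are candidates for the Reply URL.
    post_endpoints = [
        acs for acs in sp.findall(MD + "AssertionConsumerService")
        if acs.get("Binding") == HTTP_POST and acs.get("Location")
    ]
    if not post_endpoints:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    # Prefer the endpoint marked isDefault, then the lowest index.
    post_endpoints.sort(
        key=lambda acs: (acs.get("isDefault") != "true", int(acs.get("index", "0")))
    )
    reply_url = post_endpoints[0].get("Location")

    return {
        "identifier": _require_https_host(entity_id, expected_suffix, "entityID"),
        "reply_url": _require_https_host(reply_url, expected_suffix, "Reply URL"),
    }


if __name__ == "__main__":
    for field, value in extract_basic_saml_config(SAMPLE_SP_METADATA).items():
        print(f"{field}: {value}")
```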
Create Elium test user
In this section, a user called B.Simon is created in Elium. Elium supports just-in-time provisioning, which is
enabled by default. There is no action item for you in this section. If a user doesn't already exist in Elium, a new one
is created when you attempt to access Elium.
NOTE
If you need to create a user manually, contact the Elium support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Elium tile in the Access Panel, you should be automatically signed in to the Elium for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Elium with Azure AD
Tutorial: Azure Active Directory integration with eLuminate
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate eLuminate with Azure Active Directory (Azure AD). Integrating
eLuminate with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to eLuminate.
You can enable your users to be automatically signed-in to eLuminate (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with eLuminate, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
eLuminate single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
eLuminate supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type eLuminate, select eLuminate from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern: Eluminate/ClientShortName
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the eLuminate Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create eLuminate test user
In this section, you create a user called Britta Simon in eLuminate. Work with the eLuminate support team to add the
users in the eLuminate platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the eLuminate tile in the Access Panel, you should be automatically signed in to the eLuminate for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Empactis
6/13/2019 • 4 minutes to read
In this tutorial, you learn how to integrate Empactis with Azure Active Directory (Azure AD). Integrating Empactis
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Empactis.
You can enable your users to be automatically signed-in to Empactis (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Empactis, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Empactis single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Empactis supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Empactis, select Empactis from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Empactis section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Empactis Single Sign-On
To configure single sign-on on the Empactis side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Empactis support team. They apply these settings so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Empactis test user
In this section, you create a user called Britta Simon in Empactis. Work with the Empactis support team to add the
users in the Empactis platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Empactis tile in the Access Panel, you should be automatically signed in to the Empactis for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with EmpCenter
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate EmpCenter with Azure Active Directory (Azure AD). Integrating
EmpCenter with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to EmpCenter.
You can enable your users to be automatically signed-in to EmpCenter (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with EmpCenter, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
EmpCenter single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
EmpCenter supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type EmpCenter, select EmpCenter from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
https://<subdomain>.EmpCenter.com/<instancename>
https://<subdomain>.workforcehosting.com/<instancename>
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact the EmpCenter Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up EmpCenter section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure EmpCenter Single Sign-On
To configure single sign-on on the EmpCenter side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the EmpCenter support team. They apply these settings
so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create EmpCenter test user
In order to enable Azure AD users to log in to EmpCenter, they must be provisioned into EmpCenter. In the case of
EmpCenter, the user accounts need to be created by your EmpCenter support team.
NOTE
You can use any other EmpCenter user account creation tools or APIs provided by EmpCenter to provision Azure Active
Directory user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Encompass
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Encompass with Azure Active Directory (Azure AD). Integrating
Encompass with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Encompass.
You can enable your users to be automatically signed-in to Encompass (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Encompass, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Encompass single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Encompass supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Encompass, select Encompass from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, provide your customer specific value.
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.voxmobile.com/voxportal/ws/saml/consume
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact the Encompass Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Encompass section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Encompass Single Sign-On
To configure single sign-on on the Encompass side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Encompass support team. They apply these settings so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Encompass test user
In this section, you create a user called Britta Simon in Encompass. Work with the Encompass support team to add the
users in the Encompass platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Encompass tile in the Access Panel, you should be automatically signed in to the Encompass for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Envi MMIS
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Envi MMIS with Azure Active Directory (Azure AD). Integrating Envi
MMIS with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Envi MMIS.
You can enable your users to be automatically signed-in to Envi MMIS (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Envi MMIS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Envi MMIS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Envi MMIS supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Envi MMIS, select Envi MMIS from the result panel, then click the Add button to add the
application.
3. On the Set-up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://www.<CUSTOMER DOMAIN>.com/Account
b. In the Reply URL text box, type a URL using the following pattern:
https://www.<CUSTOMER DOMAIN>.com/Account/Acs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://www.<CUSTOMER DOMAIN>.com/Account
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the Envi
MMIS Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set-up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Envi MMIS section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Envi MMIS Single Sign-On
1. In a different web browser window, sign into your Envi MMIS site as an administrator.
2. Click the My Domain tab.
3. Click Edit.
4. Select the Use remote authentication checkbox and then select HTTP Redirect from the Authentication
Type dropdown.
5. Select the Resources tab and then click Upload Metadata.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Envi MMIS test user
To enable Azure AD users to sign in to Envi MMIS, they must be provisioned into Envi MMIS. In the case of Envi
MMIS, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Envi MMIS company site as an administrator.
2. Click the User List tab.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with Envoy
8/29/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Envoy with Azure Active Directory (Azure AD). When you integrate
Envoy with Azure AD, you can:
Control in Azure AD who has access to Envoy.
Enable your users to be automatically signed-in to Envoy with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Envoy single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Envoy supports SP initiated SSO
Envoy supports Just In Time user provisioning
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL using the following pattern:
https://app.envoy.com/a/saml/auth/<company-ID-from-Envoy>
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact the Envoy Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. In the SAML Signing Certificate section, click the Edit button to open the SAML Signing Certificate dialog.
6. In the SAML Signing Certificate section, copy the Thumbprint Value and save it on your computer.
7. On the Set up Envoy section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, click Setup Envoy to go to the Envoy application. From
there, provide the admin credentials to sign into Envoy. The browser extension will automatically configure
the application for you and automate steps 3-7.
3. If you want to set up Envoy manually, open a new web browser window, sign into your Envoy company
site as an administrator, and perform the following steps:
4. In the toolbar on the top, click Settings.
5. Click Company.
6. Click SAML.
a. In the Fingerprint textbox, paste the Thumbprint value of the certificate, which you copied from the Azure
portal.
b. Paste the Login URL value, which you copied from the Azure portal, into the IDENTITY PROVIDER
HTTP SAML URL textbox.
c. Click Save changes.
Create Envoy test user
In this section, a user called Britta Simon is created in Envoy. Envoy supports just-in-time user provisioning, which
is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Envoy, a new
one is created after authentication.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Envoy tile in the Access Panel, you should be automatically signed in to the Envoy for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Envoy with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO) integration with ePlatform
11/14/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate ePlatform with Azure Active Directory (Azure AD). When you integrate
ePlatform with Azure AD, you can:
Control in Azure AD who has access to ePlatform.
Enable your users to be automatically signed-in to ePlatform with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
ePlatform single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
ePlatform supports IDP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, the application is pre-configured and the necessary URLs are
already pre-populated with Azure. The user needs to save the configuration by clicking the Save button.
5. The ePlatform application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
6. In addition to the above, the ePlatform application expects a few more attributes to be passed back in the SAML
response, as shown below. These attributes are also pre-populated, but you can review them as per your
requirements.
upn user.userprincipalname
7. In the SAML Signing Certificate section, click the Edit button to open the SAML Signing Certificate dialog.
8. In the SAML Signing Certificate section, copy the Thumbprint Value and save it on your computer.
9. On the Set up ePlatform section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ePlatform tile in the Access Panel, you should be automatically signed in to the ePlatform for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try ePlatform with Azure AD
Tutorial: Azure Active Directory integration with EthicsPoint Incident Management (EPIM)
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate EthicsPoint Incident Management (EPIM) with Azure Active Directory
(Azure AD). Integrating EthicsPoint Incident Management (EPIM) with Azure AD provides you with the following
benefits:
You can control in Azure AD who has access to EthicsPoint Incident Management (EPIM).
You can enable your users to be automatically signed-in to EthicsPoint Incident Management (EPIM) (Single
Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with EthicsPoint Incident Management (EPIM), you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
EthicsPoint Incident Management (EPIM) single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
EthicsPoint Incident Management (EPIM) supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type EthicsPoint Incident Management (EPIM), select EthicsPoint Incident
Management (EPIM) from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
https://<companyname>.navexglobal.com
https://<companyname>.ethicspointvp.com
c. In the Reply URL text box, type a URL using the following pattern:
https://<servername>.navexglobal.com/adfs/ls/
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact the
EthicsPoint Incident Management (EPIM) Client support team to get these values. You can also refer to the patterns
shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up EthicsPoint Incident Management (EPIM) section, copy the appropriate URL(s) as per
your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure EthicsPoint Incident Management (EPIM) Single Sign-On
To configure single sign-on on the EthicsPoint Incident Management (EPIM) side, you need to send the
downloaded Federation Metadata XML and the appropriate copied URLs from the Azure portal to the EthicsPoint Incident
Management (EPIM) support team. They apply these settings so that the SAML SSO connection is configured properly on both
sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create EthicsPoint Incident Management (EPIM) test user
In this section, you create a user called Britta Simon in EthicsPoint Incident Management (EPIM). Work
with the EthicsPoint Incident Management (EPIM) support team to add the users in the EthicsPoint Incident
Management (EPIM) platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the EthicsPoint Incident Management (EPIM) tile in the Access Panel, you should be automatically
signed in to the EthicsPoint Incident Management (EPIM) for which you set up SSO. For more information about
the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
etouches
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate etouches with Azure Active Directory (Azure AD). Integrating etouches
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to etouches.
You can enable your users to be automatically signed-in to etouches (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with etouches, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
etouches single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
etouches supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type etouches, select etouches from result panel then click Add button to add the
application.
3. On the Set-up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://www.eiseverywhere.com/<instance name>
NOTE
These values are not real. You update the value with the actual Sign on URL and Identifier, which is explained later in
the tutorial.
5. Your etouches application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click on Edit icon to add the attributes.
6. In addition to the above, the etouches application expects a few more attributes to be passed back in the SAML response.
In the User Claims section on the User Attributes dialog, perform the following steps to add the SAML token
attribute as shown in the table below:
Email user.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set-up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. On the Set up etouches section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure etouches Single Sign-On
1. To get SSO configured for your application, perform the following steps in the etouches application:
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create etouches test user
In this section, you create a user called Britta Simon in etouches. Work with etouches Client support team to add
the users in the etouches platform.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the etouches tile in the Access Panel, you should be automatically signed in to the etouches for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Euromonitor Passport
11/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Euromonitor Passport with Azure Active Directory (Azure AD). When
you integrate Euromonitor Passport with Azure AD, you can:
Control in Azure AD who has access to Euromonitor Passport.
Enable your users to be automatically signed-in to Euromonitor Passport with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Euromonitor Passport single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Euromonitor Passport supports SP and IDP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. If you wish to configure the application in SP initiated mode, you need to get the Sign-on URL from the
Euromonitor Passport support team. After you get the Sign-on URL from the Euromonitor Passport
support team, click Set additional URLs and perform the following step:
Paste the obtained Sign-on URL value from the Euromonitor Passport support team into the Sign-on URL
textbox.
6. Click Save.
7. Euromonitor Passport application expects the SAML assertions in a specific format, which requires you to
add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes.
8. In addition to the above, the Euromonitor Passport application expects a few more attributes to be passed back in the
SAML response, which are shown below. These attributes are also pre-populated, but you can review them as
per your requirements.
NOTE
Client admins can add/change attributes as per their need.
9. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Euromonitor Passport tile in the Access Panel, you should be automatically signed in to the
Euromonitor Passport for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Euromonitor Passport with Azure AD
Tutorial: Azure Active Directory integration with
Everbridge
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Everbridge with Azure Active Directory (Azure AD). When you integrate
Everbridge with Azure AD, you can:
Control in Azure AD who has access to Everbridge.
Allow your users to be automatically signed in to Everbridge with their Azure AD accounts. This access control
is called single sign-on (SSO).
Manage your accounts in one central location by using the Azure portal. For more information about software
as a service (SaaS) app integration with Azure AD, see What is application access and single sign-on with Azure
Active Directory? If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
To configure Azure AD integration with Everbridge, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.
An Everbridge subscription that uses single sign-on.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Everbridge supports IDP-initiated SSO.
4. In the search box, enter Everbridge. Select Everbridge from the result panel, and select Add.
3. On the Set up Single Sign-On with SAML page, select Edit to open the Basic SAML Configuration
dialog box.
NOTE
Configure the application either as the manager portal or as the member portal on both the Azure portal and the
Everbridge portal.
4. To configure the Everbridge application as the Everbridge manager portal, in the Basic SAML
Configuration section, follow these steps:
a. In the Identifier box, enter a URL that follows the pattern https://sso.everbridge.net/<API_Name>
b. In the Reply URL box, enter a URL that follows the pattern
https://manager.everbridge.net/saml/SSO/<API_Name>/alias/defaultAlias
NOTE
These values aren't real. Update these values with the actual Identifier and Reply URL values. To get these values,
contact the Everbridge support team. You also can refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. To configure the Everbridge application as the Everbridge member portal, in the Basic SAML
Configuration section, follow these steps:
If you want to configure the application in IDP-initiated mode, follow these steps:
b. In the Reply URL box, enter a URL that follows the pattern
https://member.everbridge.net/saml/SSO/<API_Name>/<Organization_ID>/alias/defaultAlias
If you want to configure the application in SP-initiated mode, select Set additional URLs and follow this
step:
a. In the Sign on URL box, enter a URL that follows the pattern
https://member.everbridge.net/saml/login/<API_Name>/<Organization_ID>/alias/defaultAlias?disco=true
NOTE
These values aren't real. Update these values with the actual Identifier, Reply URL, and Sign on URL values. To get
these values, contact the Everbridge support team. You also can refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select
Download to download the Federation Metadata XML. Save it on your computer.
7. In the Set up Everbridge section, copy the URLs you need for your requirements:
Login URL
Azure AD Identifier
Logout URL
Configure Everbridge as Everbridge manager portal single sign-on
To configure SSO on Everbridge as an Everbridge manager portal application, follow these steps.
1. In a different web browser window, sign in to Everbridge as an administrator.
2. In the menu on the top, select the Settings tab. Under Security, select Single Sign-On.
a. In the Name box, enter the name of the identity provider. An example is your company name.
b. In the API Name box, enter the name of the API.
c. Select Choose File to upload the metadata file that you downloaded from the Azure portal.
d. For SAML Identity Location, select Identity is in the NameIdentifier element of the Subject
statement.
e. In the Identity Provider Login URL box, paste the Login URL value that you copied from the Azure
portal.
f. For Service Provider initiated Request Binding, select HTTP Redirect.
g. Select Save.
Configure Everbridge as Everbridge member portal single sign-on
To configure single sign-on on Everbridge as an Everbridge member portal, send the downloaded Federation
Metadata XML to the Everbridge support team. They apply this setting so that the SAML SSO connection is configured
properly on both sides.
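Before the Federation Metadata XML is uploaded to Everbridge or sent to the support team, it can be checked against the Login URL and Azure AD Identifier copied from the Set up Everbridge section, so that both sides end up describing the same identity provider. The following Python check is an added example, not part of the original tutorial or of any Microsoft or Everbridge tooling. The sample metadata, its all-zero tenant ID and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed values (placeholder tenant ID) standing in for the
# "Azure AD Identifier" and "Login URL" copied from the Azure portal.
SAMPLE_IDENTIFIER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SAMPLE_LOGIN_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"

# Constructed, heavily shortened metadata; the certificate body is a placeholder.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="{SAMPLE_IDENTIFIER}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>Q09OU1RSVUNURUQ=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="{SAMPLE_LOGIN_URL}"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{SAMPLE_LOGIN_URL}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def summarize_metadata(xml_text):
    """Extract the fields a service provider relies on from IdP metadata."""
    if "<!DOCTYPE" in xml_text:
        # SAML metadata never needs a DTD; refuse it rather than expand entities.
        raise ValueError("metadata must not contain a DTD")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        sso.setdefault(svc.get("Binding"), []).append(svc.get("Location") or "")
    certs = [
        c.text.strip()
        for c in idp.findall(
            "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text and c.text.strip()
    ]
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def compare_with_portal(summary, azure_ad_identifier, login_url):
    """Return a list of mismatches; an empty list means the file and the portal agree."""
    findings = []
    if summary["entity_id"] != azure_ad_identifier:
        # Compared exactly: a missing trailing slash is a different entityID.
        findings.append(f"entityID {summary['entity_id']!r} differs from the Azure AD Identifier")
    if login_url not in summary["sso"].get(HTTP_REDIRECT, []):
        findings.append("Login URL is not published with the HTTP-Redirect binding")
    for binding, urls in summary["sso"].items():
        for url in urls:
            if not url.startswith("https://"):
                findings.append(f"endpoint {url!r} ({binding}) is not HTTPS")
    if not summary["signing_certs"]:
        findings.append("metadata carries no signing certificate")
    return findings


if __name__ == "__main__":
    result = compare_with_portal(summarize_metadata(SAMPLE_METADATA),
                                 SAMPLE_IDENTIFIER, SAMPLE_LOGIN_URL)
    print("OK" if not result else "\n".join(result))
```

The HTTP-Redirect check corresponds to the Service Provider initiated Request Binding selected in the manager portal steps above.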
Create an Azure AD test user
To create the test user Britta Simon in the Azure portal, follow these steps.
1. In the Azure portal, in the left pane, select Azure Active Directory > Users > All users.
4. Select Add user. In the Add Assignment dialog box, select Users and groups.
5. In the Users and groups dialog box, select Britta Simon in the users list. Choose Select at the bottom of
the screen.
6. If you expect any role value in the SAML assertion, in the Select Role dialog box, select the appropriate role
for the user from the list. Choose Select at the bottom of the screen.
7. In the Add Assignment dialog box, select Assign.
Create an Everbridge test user
In this section, you create the test user Britta Simon in Everbridge. To add users in the Everbridge platform, work
with the Everbridge support team. Users must be created and activated in Everbridge before you use single sign-
on.
Test single sign-on
Test your Azure AD single sign-on configuration by using the Access Panel.
When you select the Everbridge tile in the Access Panel, you should be automatically signed in to the Everbridge
account for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional resources
List of tutorials on how to integrate SaaS apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Evernote
9/19/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Evernote with Azure Active Directory (Azure AD). When you integrate
Evernote with Azure AD, you can:
Control in Azure AD who has access to Evernote.
Enable your users to be automatically signed-in to Evernote with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Evernote single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Evernote supports SP and IDP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
In the Identifier text box, type a URL: https://www.evernote.com/saml2
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://www.evernote.com/Login.action
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. To modify the Signing options, click the Edit button to open the SAML Signing Certificate dialog.
a. Select the Sign SAML response and assertion option for Signing Option.
b. Click Save
8. On the Set up Evernote section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, click Setup Evernote, which directs you to the Evernote application.
From there, provide the admin credentials to sign in to Evernote. The browser extension will automatically
configure the application for you and automate steps 3-6.
3. If you want to set up Evernote manually, open a new web browser window, sign in to your Evernote
company site as an administrator, and perform the following steps:
4. Go to 'Admin Console'
a. Enable SSO: SSO is enabled by default (Click Disable Single Sign-on to remove the SSO
requirement)
b. Paste Login URL value, which you have copied from the Azure portal into the SAML HTTP Request
URL textbox.
c. Open the downloaded certificate from Azure AD in a notepad and copy the content including "BEGIN
CERTIFICATE" and "END CERTIFICATE" and paste it into the X.509 Certificate textbox.
d. Click Save Changes
Create Evernote test user
In order to enable Azure AD users to sign into Evernote, they must be provisioned into Evernote.
In the case of Evernote, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Evernote company site as an administrator.
2. Click the 'Admin Console'.
4. Add team members in the Email textbox, type the email address of user account and click Invite.
5. After invitation is sent, the Azure Active Directory account holder will receive an email to accept the
invitation.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Evernote tile in the Access Panel, you should be automatically signed in to the Evernote for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Evernote with Azure AD
Tutorial: Azure Active Directory integration with
Evidence.com
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Evidence.com with Azure Active Directory (Azure AD). Integrating
Evidence.com with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Evidence.com.
You can enable your users to be automatically signed-in to Evidence.com (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Evidence.com, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Evidence.com single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Evidence.com supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Evidence.com, select Evidence.com from result panel then click Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<yourtenant>.evidence.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Evidence.com Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Evidence.com section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Evidence.com Single Sign-On
1. In a separate web browser window, login to your Evidence.com tenant as an administrator and navigate to
Admin Tab
2. Click on Agency Single Sign On
3. Select SAML Based Single Sign On
4. Copy the Azure AD Identifier, Login URL and Logout URL values shown in the Azure portal to the
corresponding fields in Evidence.com.
5. Open your downloaded Certificate (Base64) file in Notepad, copy its content to your clipboard, and
then paste it into the Security Certificate box.
6. Save the configuration in Evidence.com.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Evidence.com test user
For Azure AD users to be able to sign in, they must be provisioned for access inside the Evidence.com application.
This section describes how to create Azure AD user accounts inside Evidence.com.
To provision a user account in Evidence.com:
1. In a web browser window, log into your Evidence.com company site as an administrator.
2. Navigate to Admin tab.
3. Click on Add User.
4. Click the Add button.
5. The Email Address of the added user must match the username of the users in Azure AD to whom you wish to
give access. If the username and email address are not the same value in your organization, you can use the
Evidence.com > Attributes > Single Sign-On section of the Azure portal to change the nameidentifier
sent to Evidence.com to be the email address.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Evidence.com tile in the Access Panel, you should be automatically signed in to the
Evidence.com for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
ExcelityGlobal
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate ExcelityGlobal with Azure Active Directory (Azure AD). Integrating
ExcelityGlobal with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to ExcelityGlobal.
You can enable your users to be automatically signed-in to ExcelityGlobal (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ExcelityGlobal, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
ExcelityGlobal single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ExcelityGlobal supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type ExcelityGlobal, select ExcelityGlobal from result panel then click Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
For Production Environment: https://ess.excelityglobal.com
b. In the Reply URL text box, type a URL using the following pattern:
For Production Environment: https://ess.excelityglobal.com/ACS
5. Your ExcelityGlobal application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes, where nameidentifier is mapped to user.userprincipalname.
The ExcelityGlobal application expects nameidentifier to be mapped to user.mail, so you need to edit the
attribute mapping by clicking the Edit icon and changing the mapping.
6. In the SAML Signing Certificate section, click Edit button to open SAML Signing Certificate dialog.
7. In the SAML Signing Certificate section, copy the Thumbprint and save it on your computer.
8. On the Set up ExcelityGlobal section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure ExcelityGlobal Single Sign-On
To configure single sign-on on the ExcelityGlobal side, you need to send the Thumbprint value and the appropriate
copied URLs from the Azure portal to the ExcelityGlobal support team. They apply these settings so that the SAML SSO
connection is configured properly on both sides.
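A Thumbprint sent to a support team is only useful if it is compared with the certificate that actually gets installed, and a Certificate (Base64) file pasted through Notepad (as in the Evidence.com steps earlier) can lose lines on the way. The following Python code is an added example, not part of the original tutorial: it checks that a pasted certificate is intact and that its thumbprint equals the value copied from the portal. It assumes the portal thumbprint is the SHA-1 hash of the DER-encoded certificate written in hexadecimal; the sample bytes are constructed and are not a real certificate.

```python
import base64
import binascii
import hashlib
import re

# Constructed stand-in for a certificate: a DER SEQUENCE header that announces
# 256 bytes, followed by 256 filler bytes. It is NOT a real X.509 certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text):
    """Decode a pasted Base64 certificate and reject copies that were damaged."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.DOTALL)
    if not match:
        raise ValueError("missing BEGIN CERTIFICATE / END CERTIFICATE lines")
    body = "".join(match.group(1).split())  # tolerate CRLF and stray spaces
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"Base64 body is damaged: {exc}") from None
    # A certificate is one DER SEQUENCE whose length field covers the whole blob.
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    if der[1] & 0x80:
        size_bytes = der[1] & 0x7F
        length = int.from_bytes(der[2:2 + size_bytes], "big")
        header = 2 + size_bytes
    else:
        length, header = der[1], 2
    if header + length != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    return der


def thumbprint(pem_text, algorithm="sha1"):
    """Uppercase hex digest of the DER encoding (SHA-1 by default)."""
    return hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()


def matches_portal(pem_text, portal_thumbprint):
    """Compare against a thumbprint copied with any mix of case, spaces or colons."""
    wanted = re.sub(r"[^0-9A-Fa-f]", "", portal_thumbprint).upper()
    if len(wanted) != 40:
        raise ValueError("expected a 40-digit SHA-1 thumbprint")
    return thumbprint(pem_text) == wanted


if __name__ == "__main__":
    print("SHA-1  ", thumbprint(SAMPLE_PEM))
    print("SHA-256", thumbprint(SAMPLE_PEM, "sha256"))
```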
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create ExcelityGlobal test user
In this section, you create a user called Britta Simon in ExcelityGlobal. Work with ExcelityGlobal support team to
add the users in the ExcelityGlobal platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ExcelityGlobal tile in the Access Panel, you should be automatically signed in to the
ExcelityGlobal for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
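During the test, the SAMLResponse form field that the browser posts to the Reply URL can be captured and checked against the Identifier, Reply URL and nameidentifier mapping configured in this tutorial. The following Python code is an added example, not part of the original tutorial; it performs structural checks only and does not verify the XML signature cryptographically. The sample response, the user address and the function names are constructed.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Identifier and Reply URL from the Basic SAML Configuration steps above.
EXPECTED_AUDIENCE = "https://ess.excelityglobal.com"
EXPECTED_RECIPIENT = "https://ess.excelityglobal.com/ACS"

# Constructed sample response; the Signature element is an empty placeholder.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://ess.excelityglobal.com/ACS">
  <saml:Assertion>
    <ds:Signature/>
    <saml:Subject>
      <saml:NameID>britta.simon@contoso.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://ess.excelityglobal.com/ACS"
            NotOnOrAfter="2019-10-30T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-10-30T11:55:00Z" NotOnOrAfter="2019-10-30T13:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://ess.excelityglobal.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii")


def _instant(value):
    """Parse a SAML UTC instant such as 2019-10-30T12:00:00Z (fraction optional)."""
    trimmed = value.rstrip("Z").split(".")[0]
    return datetime.strptime(trimmed, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_response(b64_response, expected_name_id, now):
    """Return a list of findings; an empty list means every structural check passed."""
    raw = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in raw:
        raise ValueError("SAML messages must not carry a DTD")
    root = ET.fromstring(raw)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion found (missing or encrypted)"]
    findings = []

    # Presence only: this does not validate the signature value.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("neither Response nor Assertion carries a ds:Signature")

    audiences = [
        a.text.strip()
        for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    if EXPECTED_AUDIENCE not in audiences:
        findings.append(f"Audience {audiences} does not include the Identifier")

    data = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = data.get("Recipient") if data is not None else None
    if recipient != EXPECTED_RECIPIENT:
        findings.append(f"Recipient {recipient!r} is not the Reply URL")

    # The tutorial maps nameidentifier to user.mail rather than the UPN.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if name_id.casefold() != expected_name_id.casefold():
        findings.append(f"NameID {name_id!r} is not the user's mail address")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        findings.append("Conditions has no NotOnOrAfter")
    else:
        not_before = cond.get("NotBefore")
        too_early = bool(not_before) and now < _instant(not_before)
        if too_early or now >= _instant(cond.get("NotOnOrAfter")):
            findings.append("assertion is outside its validity window")
    return findings


if __name__ == "__main__":
    when = datetime(2019, 10, 30, 12, 0, 0, tzinfo=timezone.utc)
    print(check_response(SAMPLE_B64, "britta.simon@contoso.example", when) or "OK")
```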
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate ExpenseIn with Azure Active
Directory
6/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate ExpenseIn with Azure Active Directory (Azure AD). When you integrate
ExpenseIn with Azure AD, you can:
Control in Azure AD who has access to ExpenseIn.
Enable your users to be automatically signed-in to ExpenseIn with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
ExpenseIn single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. ExpenseIn supports SP and IDP
initiated SSO.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Reply URL text box, type any one of the following URLs:
https://app.expensein.com/samlcallback
https://mobileapi.expensein.com/identity/samlcallback
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://app.expensein.com/saml
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click copy
button to copy App Federation Metadata Url and click Download to download the Certificate
(Base64) and save it on your computer.
7. On the Set up ExpenseIn section, copy the appropriate URL(s) based on your requirement.
Configure ExpenseIn
1. To automate the configuration within ExpenseIn, install the My Apps Secure Sign-in browser
extension by clicking Install the extension.
2. After adding the extension to the browser, click Setup ExpenseIn, which directs you to the ExpenseIn
application. From there, provide the admin credentials to sign in to ExpenseIn. The browser extension will
automatically configure the application for you and automate steps 3-5.
3. If you want to set up ExpenseIn manually, open a new web browser window, sign in to your ExpenseIn
company site as an administrator, and perform the following steps:
4. Click Admin at the top of the page, then navigate to Single Sign-On and click Add provider.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create ExpenseIn test user
To enable Azure AD users to sign in to ExpenseIn, they must be provisioned into ExpenseIn. In ExpenseIn,
provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to ExpenseIn as an Administrator.
2. Click Admin at the top of the page, then navigate to Users and click New User.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Expensify with Azure Active Directory
10/30/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Expensify with Azure Active Directory (Azure AD). When you integrate
Expensify with Azure AD, you can:
Control in Azure AD who has access to Expensify.
Enable your users to be automatically signed-in to Expensify with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Expensify single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Expensify supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL: https://www.expensify.com/authentication/saml/login
b. In the Reply URL text box, type a URL using the following pattern:
https://www.expensify.com/authentication/saml/loginCallback?domain=<yourdomain>
NOTE
The Reply URL value is not real. Update this value with the actual Reply URL. Contact the Expensify Client support team
to get this value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Metadata XML and select Download to download the certificate and save it on your computer.
6. On the Set up Expensify section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Expensify.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Expensify.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Expensify tile in the Access Panel, you should be automatically signed in to the Expensify for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Explanation-Based Auditing System
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Explanation-Based Auditing System with Azure Active Directory (Azure
AD). Integrating Explanation-Based Auditing System with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Explanation-Based Auditing System.
You can enable your users to be automatically signed-in to Explanation-Based Auditing System (Single Sign-
On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Explanation-Based Auditing System, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Explanation-Based Auditing System single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Explanation-Based Auditing System supports SP initiated SSO
Explanation-Based Auditing System supports just-in-time user Provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Explanation-Based Auditing System, select Explanation-Based Auditing
System from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Explanation-Based Auditing System test user
In this section, a user called Britta Simon is created in Explanation-Based Auditing System. Explanation-Based
Auditing System supports just-in-time user provisioning, which is enabled by default. There is no action item for
you in this section. If a user doesn't already exist in Explanation-Based Auditing System, a new one is created after
authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Explanation-Based Auditing System tile in the Access Panel, you should be automatically signed
in to the Explanation-Based Auditing System for which you set up SSO. For more information about the Access
Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Expiration Reminder
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Expiration Reminder with Azure Active Directory (Azure AD). Integrating
Expiration Reminder with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Expiration Reminder.
You can enable your users to be automatically signed-in to Expiration Reminder (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Expiration Reminder, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Expiration Reminder single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Expiration Reminder supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Expiration Reminder, select Expiration Reminder from the result panel, then click
the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
6. On the Set up Expiration Reminder section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Expiration Reminder Single Sign-On
To configure single sign-on on the Expiration Reminder side, you need to send the downloaded Certificate (Raw)
and the appropriate copied URLs from the Azure portal to the Expiration Reminder support team. They apply this
configuration so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Expiration Reminder test user
In this section, you create a user called Britta Simon in Expiration Reminder. Work with the Expiration Reminder
support team to add the users in the Expiration Reminder platform. Users must be created and activated before
you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Expiration Reminder tile in the Access Panel, you should be automatically signed in to the
Expiration Reminder for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with EZOfficeInventory
10/15/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate EZOfficeInventory with Azure Active Directory (Azure AD). When you
integrate EZOfficeInventory with Azure AD, you can:
Control in Azure AD who has access to EZOfficeInventory.
Enable your users to be automatically signed-in to EZOfficeInventory with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
EZOfficeInventory single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
EZOfficeInventory supports SP initiated SSO
EZOfficeInventory supports Just In Time user provisioning
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.ezofficeinventory.com/users/sign_in
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact the EZOfficeInventory Client support team
to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
5. The EZOfficeInventory application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes.
6. In addition to the above, the EZOfficeInventory application expects a few more attributes to be passed back in the
SAML response, which are shown below. These attributes are also pre-populated, but you can review them as per
your requirement.
Name          Source attribute
First_name    user.givenname
Last_name     user.surname
Email         user.mail
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
8. On the Set up EZOfficeInventory section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
3. Scroll down to the SAML Integration section and perform the following steps:
a. Check the Enabled option.
b. In the Identity Provider URL text box, paste the Login URL value, which you have copied from the
Azure portal.
c. Open the Base64 encoded certificate in Notepad, copy its content and paste it into the Identity Provider
Certificate text box.
d. In the Login Button Text text box, enter the text of the login button.
e. In First Name text box, enter first_name.
f. In Last Name text box, enter last_name.
g. In Email text box, enter email.
h. Select your role as per your requirement from the EZOfficeInventory Role By default option.
i. Click Update.
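A check of a decoded SAML assertion against the attribute names entered in steps e to g, as an added example (not Microsoft's or EZOfficeInventory's code). The sample assertion is constructed, and the report keeps case-only differences separate because this page does not say whether EZOfficeInventory compares attribute names case-sensitively.

```python
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_ASSERTION_NS}

# Attribute names typed into the EZOfficeInventory SAML Integration form (steps e-g).
SP_FIELDS = {"First Name": "first_name", "Last Name": "last_name", "Email": "email"}

# Constructed sample: one name differing only by case, one exact name, Email absent.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <AttributeStatement>
    <Attribute Name="First_name"><AttributeValue>Britta</AttributeValue></Attribute>
    <Attribute Name="last_name"><AttributeValue>Simon</AttributeValue></Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <AttributeValue>B.Simon@contoso.com</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""


def assertion_attributes(xml_text):
    """Map each Attribute Name in the assertion to its list of non-empty values."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_ASSERTION_NS}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs


def check_mapping(attrs, sp_fields=SP_FIELDS):
    """Classify each SP field as exact, case_only, empty or missing.

    This inspects attribute names only. It does not validate the assertion's
    signature; that remains the service provider's job.
    """
    by_lower = {}
    for name in attrs:
        by_lower.setdefault(name.lower(), name)
    report = {}
    for field, expected in sp_fields.items():
        if expected in attrs:
            status = "exact" if attrs[expected] else "empty"
            report[field] = (status, expected)
        elif expected.lower() in by_lower:
            found = by_lower[expected.lower()]
            status = "case_only" if attrs[found] else "empty"
            report[field] = (status, found)
        else:
            report[field] = ("missing", None)
    return report


if __name__ == "__main__":
    for field, (status, name) in check_mapping(assertion_attributes(SAMPLE_ASSERTION)).items():
        print(f"{field:<11} {status:<10} {name}")
```

Run it on an assertion captured during the Test SSO step before relying on just-in-time provisioning, since a missing or empty attribute would leave the newly created account without that field.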
Create EZOfficeInventory test user
In this section, a user called Britta Simon is created in EZOfficeInventory. EZOfficeInventory supports just-in-time
user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't
already exist in EZOfficeInventory, a new one is created after authentication.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the EZOfficeInventory tile in the Access Panel, you should be automatically signed in to the
EZOfficeInventory for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try EZOfficeInventory with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO) integration with ExponentHR
10/10/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate ExponentHR with Azure Active Directory (Azure AD). When you
integrate ExponentHR with Azure AD, you can:
Control in Azure AD who has access to ExponentHR.
Enable your users to be automatically signed-in to ExponentHR with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
ExponentHR single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
ExponentHR supports SP initiated SSO
ExponentHR supports WS-Fed protocol
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL using the following pattern:
https://www.exponenthr.com/service/saml/login.aspx
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ExponentHR tile in the Access Panel, you should be automatically signed in to the ExponentHR
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try ExponentHR with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO) integration with F5
11/19/2019 • 14 minutes to read
In this tutorial, you'll learn how to integrate F5 with Azure Active Directory (Azure AD). When you integrate F5
with Azure AD, you can:
Control in Azure AD who has access to F5.
Enable your users to be automatically signed-in to F5 with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
F5 single sign-on (SSO) enabled subscription.
Deploying the joint solution requires the following license:
F5 BIG-IP® Best bundle (or)
F5 BIG-IP Access Policy Manager™ (APM) standalone license
F5 BIG-IP Access Policy Manager™ (APM) add-on license on an existing BIG-IP F5 BIG-IP® Local
Traffic Manager™ (LTM).
In addition to the above license, the F5 system may also be licensed with:
A URL Filtering subscription to use the URL category database
An F5 IP Intelligence subscription to detect and block known attackers and malicious traffic
A network hardware security module (HSM) to safeguard and manage digital keys for strong
authentication
F5 BIG-IP system is provisioned with APM modules (LTM is optional)
Although optional, it is highly recommended to deploy the F5 systems in a sync/failover device group (S/F
DG), which includes the active standby pair, with a floating IP address for high availability (HA). Further
interface redundancy can be achieved using the Link Aggregation Control Protocol (LACP). LACP manages
the connected physical interfaces as a single virtual interface (aggregate group) and detects any interface
failures within the group.
For Kerberos applications, an on-premises AD service account for constrained delegation. Refer to F5
Documentation for creating an AD delegation account.
NOTE
The screenshots below are for the latest released version (BIG-IP 15.0 with AGC version 5.0). The configuration steps
below are valid for this use case across versions from 13.1.0.8 to the latest BIG-IP version.
1. On the F5 BIG-IP Web UI, click on Access >> Guided Configuration.
2. On the Guided Configuration page, click on Upgrade Guided Configuration on the top left-hand
corner.
3. On the Upgrade Guided Configuration pop-up screen, select Choose File to upload the downloaded use case
pack and click on the Upload and Install button.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern: https://<YourCustomFQDN>.f5.com/
b. In the Reply URL text box, type a URL using the following pattern: https://<YourCustomFQDN>.f5.com/
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<YourCustomFQDN>.f5.com/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact F5
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and Certificate (Base64) and select Download to download the certificate
and save it on your computer.
7. On the Set up F5 section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
8. Click on Conditional Access .
9. Click on New Policy.
10. You can now see your F5 App as a resource for CA Policy and apply any conditional access including
Multifactor Auth, Device based access control or Identity Protection Policy.
Configure F5 SSO
Configure F5 single sign-on for Kerberos application
Configure F5 single sign-on for Advanced Kerberos application
Configure F5 single sign-on for Header Based application
Guided Configuration
1. Open a new web browser window and sign into your F5 (Header Based) company site as an administrator
and perform the following steps:
2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate
List. Select Import from the right-hand corner. Specify a Certificate Name (it will be referenced later in the
config). In the Certificate Source, select Upload File and specify the certificate downloaded from Azure while
configuring SAML single sign-on. Click Import.
3. Additionally, you will require an SSL certificate for the application hostname. Navigate to System >
Certificate Management > Traffic Certificate Management > SSL Certificate List. Select Import
from the right-hand corner. Import Type will be PKCS 12(IIS). Specify a Key Name (it will be referenced
later in the config) and then specify the PFX file. Specify the Password for the PFX. Click Import.
NOTE
In the example, our app name is Headerapp.superdemo.live; we are using a wildcard certificate, and our key name is
WildCard-SuperDemo.live.
4. We will use the Guided Experience to set up the Azure AD federation and application access. Go to F5
BIG-IP Main and select Access > Guided Configuration > Federation > SAML Service Provider. Click
Next then click Next to begin configuration.
5. Provide a Configuration Name. Specify the Entity ID (same as what you configured on the Azure AD
Application Configuration). Specify the Host name. Add a Description for reference. Accept the remaining
default entries, and then click Save & Next.
6. In this example we are creating a new Virtual Server as 192.168.30.20 with port 443. Specify the Virtual
Server IP address in the Destination Address. Select the Client SSL Profile, select Create new. Specify the
previously uploaded application certificate (the wildcard certificate in this example) and the associated key,
and then click Save & Next.
NOTE
In this example, our internal web server is running on port 888 and we want to publish it on port 443.
7. Under Select method to configure your IdP connector, specify Metadata, click on Choose File and
upload the Metadata XML file downloaded earlier from Azure AD. Specify a unique Name for the SAML IDP
connector. Choose the Metadata Signing Certificate which was uploaded earlier. Click Save & Next.
8. Under Select a Pool, specify Create New (alternatively, select a pool if it already exists). Leave the other values
at their defaults. Under Pool Servers, type the IP Address under IP Address/Node Name. Specify the Port. Click
Save & Next.
9. On the Single Sign-On Settings screen, select Enable Single Sign-On. Under Selected Single Sign-On
Type choose HTTP header-based. Replace session.saml.last.Identity with
session.saml.last.attr.name.Identity under Username Source (this variable is set using claims mapping in
Azure AD). Under SSO Headers, enter:
HeaderName : MyAuthorization
Header Value : %{session.saml.last.attr.name.Identity}
Click Save & Next.
Refer to the Appendix for the complete list of variables and values. You can add more headers as required.
NOTE
Account Name is the F5 delegation account created (check the F5 documentation).
10. For purposes of this guidance, we will skip endpoint checks. Refer to the F5 documentation for details. Select
Save & Next.
11. Accept the defaults and click Save & Next. Refer to the F5 documentation for details regarding SAML session
management settings.
12. Review the summary screen and select Deploy to configure the BIG-IP. Click Finish.
Advanced Configuration
This section is intended to be used if you cannot use the Guided Configuration or would like to add/modify
additional parameters. You will require an SSL certificate for the application hostname.
1. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate
List. Select Import from the right-hand corner. Import Type will be PKCS 12(IIS). Specify a Key Name
(it will be referenced later in the config) and then specify the PFX file. Specify the Password for the PFX. Click
Import.
NOTE
In the example, our app name is Headerapp.superdemo.live; we are using a wildcard certificate, and our key name is
WildCard-SuperDemo.live.
4. Click Finished.
5. Ensure the App Properties can be modified. Click Main > iApps > Application Services: Applications
>> HeaderApp2. Uncheck Strict Updates (we will modify some settings outside of the GUI). Click the Update
button.
a. Browse to the metadata.xml file downloaded from Azure AD and specify an Identity Provider Name.
b. Click OK.
c. The connector is created, and the certificate is ready automatically from the metadata XML file.
g. Click on the Visual Policy editor, edit Access Policy for Profile link.
h. Click on the + sign in the Visual Policy editor and choose SAML Auth.
i. Click Add Item.
j. Under Properties specify Name and under AAA Server select the previously configured SP, then click Save.
k. The basic policy is ready; you can customize the policy to incorporate additional sources/attribute stores.
l. Ensure you click on the Apply Access Policy link on the top.
Apply Access Profile to the Virtual Server
1. Assign the access profile to the Virtual Server in order for F5 BIG-IP APM to apply the profile settings to
incoming traffic and run the previously defined access policy.
a. Click Main > Local Traffic > Virtual Servers.
b. Click on the virtual server, scroll to the Access Policy section, and in the Access Profile drop-down select the
SAML Policy created (in the example, HeaderAppAzureSAMLPolicy).
c. Click Update.
d. Create an F5 BIG-IP iRule® to extract the custom SAML attributes from the incoming assertion and pass
them as HTTP headers to the backend test application. Click Main > Local Traffic > iRules > iRule List >
click Create.
e. Paste the F5 BIG-IP iRule text below into the Definition window.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the F5 tile in the Access Panel, you should be automatically signed in to the F5 for which you set up
SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try F5 with Azure AD
Configure F5 single sign-on for Kerberos application
Configure F5 single sign-on for Advanced Kerberos application
Tutorial: Azure Active Directory integration with FactSet
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate FactSet with Azure Active Directory (Azure AD). Integrating FactSet with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to FactSet.
You can enable your users to be automatically signed-in to FactSet (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with FactSet, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
FactSet single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
FactSet supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type FactSet, select FactSet from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern: https://login.factset.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact your FactSet
account representative to get these values. If you don't know who your FactSet representative is, you can find help on
the FactSet support numbers page. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up FactSet section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure FactSet Single Sign-On
To configure single sign-on on the FactSet side, send the downloaded Federation Metadata XML and the
appropriate copied URLs from the Azure portal to the FactSet Support individuals you are in contact with. They apply
this setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create FactSet test user
In this section, you create a user called Britta Simon in FactSet. Work with your FactSet account support
representatives to add the users in the FactSet platform. Users must be created and activated before you use single
sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the FactSet tile in the Access Panel, you should be automatically signed in to the FactSet for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Fidelity NetBenefits
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Fidelity NetBenefits with Azure Active Directory (Azure AD). Integrating
Fidelity NetBenefits with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Fidelity NetBenefits.
You can enable your users to be automatically signed-in to Fidelity NetBenefits (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Fidelity NetBenefits, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Fidelity NetBenefits single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Fidelity NetBenefits supports IDP initiated SSO
Fidelity NetBenefits supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Fidelity NetBenefits, select Fidelity NetBenefits from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
For Testing Environment: urn:sp:fidelity:geninbndnbparts20:uat:xq1
b. In the Reply URL text box, type the URL that Fidelity provides at the time of implementation, or
contact your assigned Fidelity Client Service Manager.
5. Fidelity NetBenefits application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes, where nameidentifier is mapped with user.userprincipalname. Fidelity
NetBenefits application expects nameidentifier to be mapped with employeeid or any other claim that
is applicable to your organization as nameidentifier, so you need to edit the attribute mapping by clicking
the Edit icon and changing the attribute mapping.
NOTE
Fidelity NetBenefits supports Static and Dynamic Federation. Static means it does not use SAML-based just-in-time user
provisioning, and Dynamic means it supports just-in-time user provisioning. To use JIT-based provisioning,
customers have to add some more claims in Azure AD, such as the user's birthdate. These details are provided by your
assigned Fidelity Client Service Manager, who has to enable dynamic federation for your instance.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Fidelity NetBenefits section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Fidelity NetBenefits Single Sign-On
To configure single sign-on on the Fidelity NetBenefits side, send the downloaded Federation
Metadata XML and the appropriate copied URLs from the Azure portal to the Fidelity NetBenefits support team. They
apply this setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Fidelity NetBenefits test user
In this section, you create a user called Britta Simon in Fidelity NetBenefits. If you are creating Static federation,
please work with your assigned Fidelity Client Service Manager to create users in Fidelity NetBenefits platform.
These users must be created and activated before you use single sign-on.
For Dynamic Federation, users are created using Just In Time user provisioning. To use JIT-based provisioning,
customers have to add some more claims in Azure AD, such as the user's birthdate. These details are provided by
your assigned Fidelity Client Service Manager, who has to enable dynamic federation for your
instance.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Fidelity NetBenefits tile in the Access Panel, you should be automatically signed in to the
Fidelity NetBenefits for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Fieldglass
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Fieldglass with Azure Active Directory (Azure AD). Integrating Fieldglass
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Fieldglass.
You can enable your users to be automatically signed-in to Fieldglass (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Fieldglass, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Fieldglass single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Fieldglass supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Fieldglass, select Fieldglass from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL as https://www.fieldglass.com or follow the pattern:
https://<company name>.fgvms.com
b. In the Reply URL text box, type a URL using the following pattern:
https://www.fieldglass.net/<company name>
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Fieldglass Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Fieldglass section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Fieldglass Single Sign-On
To configure single sign-on on the Fieldglass side, send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Fieldglass support team. They apply this setting so that the SAML
SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Fieldglass test user
In this section, you create a user called Britta Simon in Fieldglass. Work with Fieldglass support team to add the
users in the Fieldglass platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Fieldglass tile in the Access Panel, you should be automatically signed in to the Fieldglass for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with Figma
10/15/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Figma with Azure Active Directory (Azure AD). When you integrate
Figma with Azure AD, you can:
Control in Azure AD who has access to Figma.
Enable your users to be automatically signed-in to Figma with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Figma single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Figma supports SP and IDP initiated SSO
Figma supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://www.figma.com/saml/<TENANT ID>
b. In the Reply URL text box, type a URL using the following pattern:
https://www.figma.com/saml/<TENANT ID>/consume
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://www.figma.com/saml/<TENANT ID>/start
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. You will get the
TENANT ID from step 11 of Figma's article Configure Azure Active Directory SAML SSO process.
6. Figma application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
7. In addition to the above, the Figma application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you can review them as per your
requirements.
Name            Source attribute
externalId      user.mailnickname
displayName     user.displayname
title           user.jobtitle
emailaddress    user.mail
familyName      user.surname
givenName       givenName
userName        user.userprincipalname
8. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
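A check of a captured test sign-in against the Identifier, Reply URL and attribute names configured above, as an added example that is not part of the original tutorial and is not Figma's or Microsoft's code. The tenant ID, user values and sample response are constructed, and matching attribute names on their last path segment (so that namespaced claim names also match) is an assumption.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Claim namespace used only to build the constructed sample below.
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Attribute names from the tutorial's claim table (step 7).
EXPECTED_ATTRIBUTES = {
    "externalId", "displayName", "title", "emailaddress",
    "familyName", "givenName", "userName",
}


def figma_urls(tenant_id):
    """Expand the tutorial's URL patterns for one tenant ID."""
    base = f"https://www.figma.com/saml/{tenant_id}"
    return {"identifier": base, "reply_url": base + "/consume", "sign_on_url": base + "/start"}


def short_name(name):
    """Assumption: compare on the last path segment so namespaced names match."""
    return name.rstrip("/").rsplit("/", 1)[-1]


def check_response(xml_text, tenant_id):
    """Return a list of findings; an empty list means the capture matches.

    Configuration check only: it does not validate the XML signature, so use it
    on responses captured from your own test sign-in, never to authenticate.
    """
    urls = figma_urls(tenant_id)
    root = ET.fromstring(xml_text)
    findings = []

    # The Reply URL configured in Azure AD is where the response is addressed.
    destination = root.get("Destination")
    if destination != urls["reply_url"]:
        findings.append(f"Destination {destination!r} != {urls['reply_url']!r}")

    # The Identifier (Entity ID) must appear as an Audience of the assertion.
    audiences = {(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)}
    if urls["identifier"] not in audiences:
        findings.append(f"Audience {sorted(audiences)} lacks {urls['identifier']!r}")

    # Collect attribute values, dropping empty <AttributeValue/> elements.
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[short_name(attr.get("Name", ""))] = [v for v in values if v]

    for name in sorted(EXPECTED_ATTRIBUTES - set(attrs)):
        findings.append(f"missing attribute: {name}")
    for name in sorted(EXPECTED_ATTRIBUTES & set(attrs)):
        if not attrs[name]:
            findings.append(f"empty attribute: {name}")
    return findings


def build_sample(tenant_id, attributes, destination=None):
    """Constructed, unsigned SAML Response for the demo (not real Azure AD output)."""
    urls = figma_urls(tenant_id)
    attr_xml = "".join(
        f"<saml:Attribute Name={quoteattr(name)}>"
        f"<saml:AttributeValue>{escape(value)}</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes.items()
    )
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f"Destination={quoteattr(destination or urls['reply_url'])}>"
        "<saml:Assertion><saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{escape(urls['identifier'])}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


# Constructed attribute values for the test user B.Simon.
GOOD_ATTRS = {
    "externalId": "b.simon",
    "displayName": "B. Simon",
    "title": "Designer",
    CLAIMS_NS + "emailaddress": "b.simon@contoso.example",
    "familyName": "Simon",
    "givenName": "B.",
    "userName": "b.simon@contoso.example",
}

if __name__ == "__main__":
    tenant = "1234567890"  # constructed tenant ID
    broken = {k: v for k, v in GOOD_ATTRS.items() if k != "title"}
    for finding in check_response(build_sample(tenant, broken), tenant):
        print(finding)
```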
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Figma tile in the Access Panel, you should be automatically signed in to the Figma for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Figma with Azure AD
Tutorial: Azure Active Directory integration with FileCloud
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate FileCloud with Azure Active Directory (Azure AD). Integrating FileCloud
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to FileCloud.
You can enable your users to be automatically signed-in to FileCloud (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with FileCloud, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
FileCloud single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
FileCloud supports SP initiated SSO
FileCloud supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type FileCloud, select FileCloud from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.filecloudonline.com/simplesaml/module.php/saml/sp/metadata.php/default-sp
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact FileCloud Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up FileCloud section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure FileCloud Single Sign-On
1. In a different web browser window, sign in to your FileCloud tenant as an administrator.
2. On the left navigation pane, click Settings.
4. Select SAML as Default SSO Type on the Single Sign On (SSO) Settings panel.
5. In the IdP End Point URL textbox, paste the value of Azure AD Identifier which you have copied from
the Azure portal.
6. Open your downloaded metadata file in Notepad, copy its content to your clipboard, and then paste it
into the IdP Meta Data textbox on the SAML Settings panel.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create FileCloud test user
In this section, a user called Britta Simon is created in FileCloud. FileCloud supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in
FileCloud, a new one is created after authentication.
NOTE
If you need to create a user manually, you need to contact the FileCloud Client support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the FileCloud tile in the Access Panel, you should be automatically signed in to the FileCloud for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with FilesAnywhere
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate FilesAnywhere with Azure Active Directory (Azure AD). Integrating
FilesAnywhere with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to FilesAnywhere.
You can enable your users to be automatically signed-in to FilesAnywhere (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with FilesAnywhere, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
FilesAnywhere single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
FilesAnywhere supports SP and IDP initiated SSO
FilesAnywhere supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type FilesAnywhere, select FilesAnywhere from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Reply URL text box, type a URL using the following pattern:
https://<company name>.filesanywhere.com/saml20.aspx?c=<Client Id>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<sub domain>.filesanywhere.com/
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact FilesAnywhere
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. FilesAnywhere application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click the Edit icon to add the attributes.
When users sign up with FilesAnywhere, they get the value of the clientid attribute from the FilesAnywhere
team. You have to add the "Client Id" attribute with the unique value provided by FilesAnywhere.
7. In addition to the above, the FilesAnywhere application expects a few more attributes to be passed back in the SAML
response. In the User Claims section on the User Attributes dialog, perform the following steps to add
the SAML token attribute as shown in the table below:
clientid "uniquevalue"
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
9. On the Set up FilesAnywhere section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure FilesAnywhere Single Sign-On
To configure single sign-on on the FilesAnywhere side, send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the FilesAnywhere support team. They apply this setting so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create FilesAnywhere test user
In this section, a user called Britta Simon is created in FilesAnywhere. FilesAnywhere supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in FilesAnywhere, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the FilesAnywhere tile in the Access Panel, you should be automatically signed in to the
FilesAnywhere for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with FirmPlay - Employee Advocacy for Recruiting
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate FirmPlay - Employee Advocacy for Recruiting with Azure Active
Directory (Azure AD). Integrating FirmPlay - Employee Advocacy for Recruiting with Azure AD provides you with
the following benefits:
You can control in Azure AD who has access to FirmPlay - Employee Advocacy for Recruiting.
You can enable your users to be automatically signed-in to FirmPlay - Employee Advocacy for Recruiting
(Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with FirmPlay - Employee Advocacy for Recruiting, you need the following
items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
FirmPlay - Employee Advocacy for Recruiting single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
FirmPlay - Employee Advocacy for Recruiting supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type FirmPlay - Employee Advocacy for Recruiting, select FirmPlay - Employee
Advocacy for Recruiting from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact FirmPlay - Employee Advocacy for
Recruiting Client support team to get the value. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up FirmPlay - Employee Advocacy for Recruiting section, copy the appropriate URL(s) as
per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure FirmPlay - Employee Advocacy for Recruiting Single Sign-On
To configure single sign-on on the FirmPlay - Employee Advocacy for Recruiting side, send the
downloaded Certificate (Base64) and the appropriate copied URLs from the Azure portal to the FirmPlay - Employee
Advocacy for Recruiting support team. They apply this setting so that the SAML SSO connection is set properly on
both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create FirmPlay - Employee Advocacy for Recruiting test user
In this section, you create a user called Britta Simon in FirmPlay - Employee Advocacy for Recruiting. Work
with FirmPlay - Employee Advocacy for Recruiting support team to add the users in the FirmPlay - Employee
Advocacy for Recruiting platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the FirmPlay - Employee Advocacy for Recruiting tile in the Access Panel, you should be
automatically signed in to the FirmPlay - Employee Advocacy for Recruiting for which you set up SSO. For more
information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Firstbird
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Firstbird with Azure Active Directory (Azure AD). Integrating Firstbird
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Firstbird.
You can enable your users to be automatically signed-in to Firstbird (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Firstbird, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Firstbird single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Firstbird supports SP and IDP initiated SSO
Firstbird supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Firstbird, select Firstbird from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Reply URL text box, type a URL using the following pattern:
https://<company-domain>.auth.1brd.com/saml/callback
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<company-domain>.1brd.com/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the Firstbird
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. The Firstbird application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on the
application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the
User Attributes dialog.
7. In the User Claims section on the User Attributes dialog, configure the SAML token attributes as shown in the
image above and perform the following steps:
NAME SOURCE ATTRIBUTE
first_name user.givenname
last_name user.surname
email user.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML and save it on your computer.
Configure Firstbird Single Sign-On
Once you have completed these steps, please send Firstbird the Federation Metadata XML in a support request via
email to support@firstbird.com with the subject: "SSO configuration".
Firstbird will then store the configuration in the system accordingly and activate SSO for your account. After that, a
member of the support staff will contact you to verify the configuration.
NOTE
You need to have the SSO option included in your contract.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Firstbird test user
In this section, a user called Britta Simon is created in Firstbird. Firstbird supports just-in-time provisioning, which
is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Firstbird, a new
one is created when you attempt to access Firstbird.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Firstbird tile in the Access Panel, you should be automatically signed in to the Firstbird for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with FiscalNote
10/17/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate FiscalNote with Azure Active Directory (Azure AD). When you
integrate FiscalNote with Azure AD, you can:
Control in Azure AD who has access to FiscalNote.
Enable your users to be automatically signed-in to FiscalNote with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
FiscalNote single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
FiscalNote supports SP initiated SSO
FiscalNote supports Just In Time user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<InstanceName>.fiscalnote.com/login?client=<ClientID>&redirect_uri=https://app.fiscalnote.com/saml-login.html&audience=https://api.fiscalnote.com/&connection=<CONNECTION_NAME>&response_type=id_token%20token
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
urn:auth0:fiscalnote:<CONNECTIONNAME>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the FiscalNote Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The FiscalNote application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
6. In addition to the above, the FiscalNote application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also prepopulated, but you can review them as per
your requirement.
familyName user.surname
email user.mail
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Raw) and select Download to download the certificate and save it on your computer.
8. On the Set up FiscalNote section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
If you need to create a user manually, contact the FiscalNote support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the FiscalNote tile in the Access Panel, you should be automatically signed in to the FiscalNote for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try FiscalNote with Azure AD
Tutorial: Azure Active Directory integration with Five9 Plus Adapter (CTI, Contact Center Agents)
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Five9 Plus Adapter (CTI, Contact Center Agents) with Azure Active
Directory (Azure AD). Integrating Five9 Plus Adapter (CTI, Contact Center Agents) with Azure AD provides you
with the following benefits:
You can control in Azure AD who has access to Five9 Plus Adapter (CTI, Contact Center Agents).
You can enable your users to be automatically signed-in to Five9 Plus Adapter (CTI, Contact Center Agents)
(Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Five9 Plus Adapter (CTI, Contact Center Agents), you need the following
items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.
Five9 Plus Adapter (CTI, Contact Center Agents) single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Five9 Plus Adapter (CTI, Contact Center Agents) supports IDP initiated SSO
Adding Five9 Plus Adapter (CTI, Contact Center Agents) from the gallery
To configure the integration of Five9 Plus Adapter (CTI, Contact Center Agents) into Azure AD, you need to add
Five9 Plus Adapter (CTI, Contact Center Agents) from the gallery to your list of managed SaaS apps.
To add Five9 Plus Adapter (CTI, Contact Center Agents) from the gallery, perform the following steps:
1. In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Five9 Plus Adapter (CTI, Contact Center Agents), select Five9 Plus Adapter
(CTI, Contact Center Agents) from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
ENVIRONMENT URL
b. In the Reply URL text box, type a URL using the following pattern:
ENVIRONMENT URL
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Five9 Plus Adapter (CTI, Contact Center Agents) section, copy the appropriate URL(s) as
per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Five9 Plus Adapter (CTI, Contact Center Agents) Single Sign-On
1. To configure single sign-on on the Five9 Plus Adapter (CTI, Contact Center Agents) side, you need to send
the downloaded Certificate (Base64) and the appropriate copied URL(s) to the Five9 Plus Adapter (CTI, Contact
Center Agents) support team. To complete the SSO configuration, also follow the steps in the admin guide
for your adapter:
a. “Five9 Plus Adapter for Agent Desktop Toolkit” Admin Guide:
https://webapps.five9.com/assets/files/for_customers/documentation/integrations/agent-desktop-toolkit/plus-agent-desktop-toolkit-administrators-guide.pdf
b. “Five9 Plus Adapter for Microsoft Dynamics CRM” Admin Guide:
https://webapps.five9.com/assets/files/for_customers/documentation/integrations/microsoft/microsoft-administrators-guide.pdf
c. “Five9 Plus Adapter for Zendesk” Admin Guide:
https://webapps.five9.com/assets/files/for_customers/documentation/integrations/zendesk/zendesk-plus-administrators-guide.pdf
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. In the applications list, select Five9 Plus Adapter (CTI, Contact Center Agents).
3. In the menu on the left, select Users and groups.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Five9 Plus Adapter (CTI, Contact Center Agents) test user
In this section, you create a user called Britta Simon in Five9 Plus Adapter (CTI, Contact Center Agents). Work with
the Five9 Plus Adapter (CTI, Contact Center Agents) support team to add the users to the Five9 Plus Adapter (CTI,
Contact Center Agents) platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Five9 Plus Adapter (CTI, Contact Center Agents) tile in the Access Panel, you should be
automatically signed in to the Five9 Plus Adapter (CTI, Contact Center Agents) for which you set up SSO. For
more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Flatter Files
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Flatter Files with Azure Active Directory (Azure AD). Integrating Flatter
Files with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Flatter Files.
You can enable your users to be automatically signed-in to Flatter Files (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Flatter Files, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Flatter Files single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Flatter Files supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Flatter Files, select Flatter Files from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Flatter Files section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Flatter Files Single Sign-On
1. Sign on to your Flatter Files application as an administrator.
2. Click DASHBOARD.
3. Click Settings, and then perform the following steps on the Company tab:
a. Select Use SAML 2.0 for Authentication.
b. Click Configure SAML.
4. On the SAML Configuration dialog, perform the following steps:
NOTE
If you don't have a registered domain yet, contact your Flatter Files support team via support@flatterfiles.com.
b. In the Identity Provider URL textbox, paste the value of the Login URL which you have copied from the Azure
portal.
c. Open your base-64 encoded certificate in notepad, copy the content of it into your clipboard, and then
paste it to the Identity Provider Certificate textbox.
d. Click Update.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Flatter Files test user
The objective of this section is to create a user called Britta Simon in Flatter Files.
To create a user called Britta Simon in Flatter Files, perform the following steps:
1. Sign on to your Flatter Files company site as administrator.
2. In the navigation pane on the left, click Settings, and then click the Users tab.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Flock
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Flock with Azure Active Directory (Azure AD). Integrating Flock with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Flock.
You can enable your users to be automatically signed-in to Flock (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Flock, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Flock single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Flock supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Flock, select Flock from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.flock.com/
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Flock Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and
save it on your computer.
6. On the Set up Flock section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Flock Single Sign-On
1. In a different web browser window, log in to your Flock company site as an administrator.
2. Select the Authentication tab from the left navigation panel and then select SAML Authentication.
a. In the SAML 2.0 Endpoint(HTTP) textbox, paste the Login URL value which you have copied from the
Azure portal.
b. In the Identity Provider Issuer textbox, paste the Azure AD Identifier value which you have copied from
the Azure portal.
c. Open the downloaded Certificate (Base64) from the Azure portal in notepad and paste the content into the
Public Certificate textbox.
d. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Flock test user
To enable Azure AD users to log in to Flock, they must be provisioned into Flock. In the case of Flock, provisioning
is a manual task.
To provision a user account, perform the following steps:
1. Log in to your Flock company site as an administrator.
2. Click Manage Team from the left navigation panel.
4. Enter the email address of the user like Brittasimon@contoso.com and then select Add Users.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Flock tile in the Access Panel, you should be automatically signed in to the Flock for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with FloQast
10/22/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate FloQast with Azure Active Directory (Azure AD). When you integrate
FloQast with Azure AD, you can:
Control in Azure AD who has access to FloQast.
Enable your users to be automatically signed-in to FloQast with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
FloQast single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
FloQast supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
In the Identifier text box, type a URL: https://go.floqast.com/
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://go.floqast.com/login/sso
6. The FloQast application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
7. In addition to the above, the FloQast application expects a few more attributes to be passed back in the SAML response,
which are shown below. These attributes are also prepopulated, but you can review them as per your
requirements.
NAME SOURCE ATTRIBUTE
FirstName user.givenname
LastName user.surname
Email user.mail
8. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
9. In the SAML Signing Certificate section, click the Edit button to open the SAML Signing Certificate dialog and
perform the following steps.
a. Select Sign SAML response and assertion from the Signing Option.
b. Click Save
10. On the Set up FloQast section, copy the appropriate URL(s) based on your requirement.
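When testing SSO, a decoded SAML response captured from the browser can be checked against what this tutorial configures: the Sign SAML response and assertion option from step 9 and the claim names from step 7 (the same check covers the Firstbird claims, which are added with a blank Namespace). The Python script below is an added example, not FloQast or Microsoft code; the sample response and its stub signatures are constructed, the function names are hypothetical, and it checks structure only, without verifying any signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Claim names from the FloQast and Firstbird tables on this page.
FLOQAST_CLAIMS = ("FirstName", "LastName", "Email")
FIRSTBIRD_CLAIMS = ("first_name", "last_name", "email")
# Constructed stand-in for a ds:Signature element; it carries no real signature.
STUB_SIGNATURE = (
    "<ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue>"
    "</ds:Signature>"
)


def build_sample(attrs, audience, sign_response=True, sign_assertion=True):
    """Build a constructed, decoded SAML response for the checks below."""
    attr_xml = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s'
        "</saml:AttributeValue></saml:Attribute>" % item
        for item in attrs.items()
    )
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1">'
        % (NS["samlp"], NS["saml"], NS["ds"])
        + (STUB_SIGNATURE if sign_response else "")
        + '<saml:Assertion ID="_a1">'
        + (STUB_SIGNATURE if sign_assertion else "")
        + "<saml:Conditions><saml:AudienceRestriction><saml:Audience>"
        + audience
        + "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        + "<saml:AttributeStatement>" + attr_xml + "</saml:AttributeStatement>"
        + "</saml:Assertion></samlp:Response>"
    )


def check_response(xml_text, required_claims, expected_audience):
    """Return a list of findings; an empty list means the structure matches."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in SAML response")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")

    findings = []
    # find() without ".//" matches direct children only, so the assertion's
    # own signature is not mistaken for a signature over the response.
    if root.find("ds:Signature", NS) is None:
        findings.append("response element is not signed")
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        findings.append("expected exactly one assertion, found %d" % len(assertions))
        return findings
    assertion = assertions[0]
    if assertion.find("ds:Signature", NS) is None:
        findings.append("assertion element is not signed")

    audiences = [
        (a.text or "").strip()
        for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    if expected_audience not in audiences:
        findings.append("audience %r does not include %r"
                        % (audiences, expected_audience))

    present = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        present[attr.get("Name")] = [v for v in values if v]
    for claim in required_claims:
        if claim in present:
            if not present[claim]:
                findings.append("claim %s has no value" % claim)
            continue
        # A claim saved with a Namespace is emitted as "<namespace>/<name>".
        namespaced = [n for n in present if n.rsplit("/", 1)[-1] == claim]
        hint = " (found %s; clear the Namespace field)" % namespaced[0] if namespaced else ""
        findings.append("claim %s is missing%s" % (claim, hint))
    return findings


if __name__ == "__main__":
    sample = build_sample(
        {"FirstName": "B", "LastName": "Simon", "Email": "B.Simon@contoso.com"},
        "https://go.floqast.com/", sign_response=False)
    print(check_response(sample, FLOQAST_CLAIMS, "https://go.floqast.com/"))
```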
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to FloQast.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select FloQast.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the FloQast tile in the Access Panel, you should be automatically signed in to the FloQast for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try FloQast with Azure AD
Tutorial: Azure Active Directory integration with Fluxx Labs
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Fluxx Labs with Azure Active Directory (Azure AD). Integrating Fluxx
Labs with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Fluxx Labs.
You can enable your users to be automatically signed-in to Fluxx Labs (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Fluxx Labs, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Fluxx Labs single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Fluxx Labs supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Fluxx Labs, select Fluxx Labs from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
Production https://<subdomain>.fluxx.io
b. In the Reply URL text box, type a URL using the following pattern:
Production https://<subdomain>.fluxx.io/auth/saml/callback
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact the Fluxx Labs Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Fluxx Labs section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Fluxx Labs Single Sign-On
1. In a different web browser window, sign in to your Fluxx Labs company site as administrator.
2. Select Admin below the Settings section.
3. In the Admin Panel, select Plug-ins > Integrations and then select SAML SSO-(Disabled)
4. In the attribute section, perform the following steps:
NOTE
Once the content is saved, the field will appear blank for security, but the value has been saved in the configuration.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Fluxx Labs test user
To enable Azure AD users to sign in to Fluxx Labs, they must be provisioned into Fluxx Labs. In the case of Fluxx
Labs, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Fluxx Labs company site as an administrator.
2. Click on the below displayed icon.
3. On the dashboard, click on the below displayed icon to open the New PEOPLE card.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with FM:Systems
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate FM:Systems with Azure Active Directory (Azure AD). Integrating
FM:Systems with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to FM:Systems.
You can enable your users to be automatically signed-in to FM:Systems (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with FM:Systems, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
FM:Systems single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
FM:Systems supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type FM:Systems, select FM:Systems from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
In the Reply URL text box, type a URL using the following pattern:
https://<companyname>.fmshosted.com/fminteract/ConsumerService2.aspx
NOTE
This value is not real. Update this value with the actual Reply URL. Contact FM:Systems Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up FM:Systems section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure FM:Systems Single Sign-On
To configure single sign-on on the FM:Systems side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the FM:Systems support team. The team applies these
settings so that the SAML SSO connection is configured properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create FM:Systems test user
1. In a web browser window, sign into your FM:Systems company site as an administrator.
2. Go to System Administration > Manage Security > Users > User list.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Foko Retail
11/26/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Foko Retail with Azure Active Directory (Azure AD). When you
integrate Foko Retail with Azure AD, you can:
Control in Azure AD who has access to Foko Retail.
Enable your users to be automatically signed-in to Foko Retail with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Foko Retail single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Foko Retail supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://api.foko.io/sso/{$CUSTOM_ID}/login
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://api.foko.io/sso/{$CUSTOM_ID}/metadata.xml
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Foko Retail Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up Foko Retail section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Foko Retail.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Foko Retail.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Foko Retail tile in the Access Panel, you should be automatically signed in to the Foko Retail for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Foko Retail with Azure AD
Tutorial: Azure Active Directory integration with
Folloze
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Folloze with Azure Active Directory (Azure AD). Integrating Folloze with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Folloze.
You can enable your users to be automatically signed-in to Folloze (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Folloze, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Folloze single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Folloze supports IDP initiated SSO
Folloze supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Folloze, select Folloze from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. Folloze application expects the SAML assertions in a specific format. Configure the following claims for this
application. You can manage the values of these attributes from the User Attributes section on application
integration page. On the Set up Single Sign-On with SAML page, click Edit button to open User
Attributes dialog.
6. In the User Claims section on the User Attributes dialog, configure SAML token attribute as shown in the
image above and perform the following steps:
NAME          SOURCE ATTRIBUTE
Email         user.othermail
Nameasemail   user.userprincipalname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
8. On the Set up Folloze section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Folloze Single Sign-On
To configure single sign-on on the Folloze side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Folloze support team. The team applies these settings so that
the SAML SSO connection is configured properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Folloze test user
In this section, a user called Britta Simon is created in Folloze. Folloze supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Folloze,
a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Folloze tile in the Access Panel, you should be automatically signed in to the Folloze for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
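An added example, not part of the original tutorial: a check that a SAML response captured during this test carries the Email and Nameasemail claims from step 6, with the namespace left blank. The sample response, its values and the function names are constructed for illustration; the script inspects claims only and does not verify the response signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names from step 6 of this tutorial, with the Azure AD source attribute of each.
EXPECTED_CLAIMS = {
    "Email": "user.othermail",
    "Nameasemail": "user.userprincipalname",
}


def extract_claims(b64_saml_response):
    """Return {claim name: [values]} from a base64 SAMLResponse form field."""
    root = ET.fromstring(base64.b64decode(b64_saml_response))
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name", ""), []).extend(values)
    return claims


def check_claims(claims):
    """List every way the assertion differs from the step 6 claim mapping."""
    problems = []
    for name, source in EXPECTED_CLAIMS.items():
        if name in claims:
            if not any(claims[name]):
                problems.append(f"{name}: present but empty (source {source})")
            continue
        # Step c says to leave the Namespace blank. If it was filled in,
        # the claim arrives under the name <namespace>/<name> instead.
        namespaced = [n for n in claims if n.endswith("/" + name)]
        if namespaced:
            problems.append(f"{name}: sent with a namespace as {namespaced[0]}")
        else:
            problems.append(f"{name}: missing (is {source} populated for this user?)")
    return problems


# Constructed sample: Nameasemail is correct, Email was saved with a namespace.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="Nameasemail">
        <saml:AttributeValue>B.Simon@contoso.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://claims.example/Email">
        <saml:AttributeValue>b.simon@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for problem in check_claims(extract_claims(SAMPLE_B64)) or ["claims match step 6"]:
        print(problem)
```

Because Folloze creates users just in time from the assertion, a missing or misnamed claim is worth catching with the test user before other users are assigned.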
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Foodee
10/15/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Foodee with Azure Active Directory (Azure AD). When you integrate
Foodee with Azure AD, you can:
Control in Azure AD who has access to Foodee.
Enable your users to be automatically signed-in to Foodee with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Foodee single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Foodee supports SP and IDP initiated SSO
Foodee supports Just In Time user provisioning
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
In the Reply URL text box, type a URL using the following pattern:
https://concierge.food.ee/sso/saml/<INSTANCENAME>/consume
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://concierge.food.ee/sso/saml/<INSTANCENAME>
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact Foodee Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. On the Set up Foodee section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Configure Foodee SSO
1. To automate the configuration within Foodee, install the My Apps Secure Sign-in browser
extension by clicking Install the extension.
2. After you add the extension to the browser, clicking Set up Foodee directs you to the Foodee application.
From there, provide the admin credentials to sign in to Foodee. The browser extension will automatically
configure the application for you and automate steps 3-4.
3. If you want to set up Foodee manually, open a new web browser window, sign in to your Foodee
company site as an administrator, and perform the following steps:
4. Click on profile logo on the top right corner of the page then navigate to Single Sign On and perform the
following steps:
a. In the IDP NAME text box, type a name, for example Azure.
b. Open the Federation Metadata XML in Notepad, copy its content and paste it in the IDP METADATA
XML text box.
c. Click Save.
Create Foodee test user
In this section, a user called B.Simon is created in Foodee. Foodee supports just-in-time provisioning, which is
enabled by default. There is no action item for you in this section. If a user doesn't already exist in Foodee, a new
one is created when you attempt to access Foodee.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Foodee tile in the Access Panel, you should be automatically signed in to the Foodee for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Foodee with Azure AD
Tutorial: Azure Active Directory integration with
ForeSee CX Suite
7/3/2019 • 6 minutes to read
In this tutorial, you learn how to integrate ForeSee CX Suite with Azure Active Directory (Azure AD). Integrating
ForeSee CX Suite with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to ForeSee CX Suite.
You can enable your users to be automatically signed-in to ForeSee CX Suite (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ForeSee CX Suite, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
ForeSee CX Suite single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ForeSee CX Suite supports SP initiated SSO
ForeSee CX Suite supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type ForeSee CX Suite, select ForeSee CX Suite from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you have Service Provider metadata file, perform the
following steps:
a. Click Upload metadata file.
b. Click on folder logo to select the metadata file and click Upload.
c. After the metadata file is successfully uploaded, the Identifier value gets auto populated in Basic SAML
Configuration section.
b. In the Identifier textbox, type a URL using the following pattern:
https://www.okta.com/saml2/service-provider/<UniqueID>
NOTE
If the Identifier value does not get auto-populated, fill in the value manually according to the above pattern.
The Identifier value is not real. Update this value with the actual Identifier. Contact ForeSee CX Suite Client support
team to get this value. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up ForeSee CX Suite section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure ForeSee CX Suite Single Sign-On
To configure single sign-on on the ForeSee CX Suite side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the ForeSee CX Suite support team. The team applies
these settings so that the SAML SSO connection is configured properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create ForeSee CX Suite test user
In this section, you create a user called Britta Simon in ForeSee CX Suite. Work with ForeSee CX Suite support
team to add the users or the domain that must be added to an allow list for the ForeSee CX Suite platform. If the
domain is added by the team, users will get automatically provisioned to the ForeSee CX Suite platform. Users
must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ForeSee CX Suite tile in the Access Panel, you should be automatically signed in to the ForeSee
CX Suite for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Form.com
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Form.com with Azure Active Directory (Azure AD). Integrating
Form.com with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Form.com.
You can enable your users to be automatically signed-in to Form.com (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Form.com, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Form.com single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Form.com supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Form.com, select Form.com from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier box, type a URL using the following pattern: https://<subdomain>.form.com
c. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.wa-form.com/Member/UserAccount/SAML2.action
https://<subdomain>.form.com/Member/UserAccount/SAML2.action
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact
Form.com Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) and click the copy icon to copy App Federation
Metadata Url from the given options as per your requirement and save it on your computer.
6. On the Set up Form.com section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Form.com Single Sign-On
To configure single sign-on on the Form.com side, you need to send the downloaded Certificate (Base64), the App
Federation Metadata Url and the appropriate copied URLs from the Azure portal to the Form.com support team. The
team applies these settings so that the SAML SSO connection is configured properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Form.com test user
In this section, you create a user called Britta Simon in Form.com. Work with Form.com support team to add the
users in the Form.com platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Form.com tile in the Access Panel, you should be automatically signed in to the Form.com for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Freedcamp with Azure Active
Directory
6/13/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Freedcamp with Azure Active Directory (Azure AD). When you
integrate Freedcamp with Azure AD, you can:
Control in Azure AD who has access to Freedcamp.
Enable your users to be automatically signed-in to Freedcamp with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Freedcamp single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Freedcamp supports SP and IDP
initiated SSO.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<SUBDOMAIN>.freedcamp.com/sso/<UNIQUEID>
b. In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.freedcamp.com/sso/acs/<UNIQUEID>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.freedcamp.com/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. You can also
enter URL values for your own customer domain; they do not have to follow the freedcamp.com pattern and can be
any customer-domain-specific value for your application instance. You can also contact the Freedcamp Client
support team for further information on URL patterns.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. On the Set up Freedcamp section, copy the appropriate URL(s) based on your requirement.
Configure Freedcamp
1. To automate the configuration within Freedcamp, install the My Apps Secure Sign-in browser
extension by clicking Install the extension.
2. After you add the extension to the browser, clicking Setup Freedcamp directs you to the Freedcamp
application. From there, provide the admin credentials to sign in to Freedcamp. The browser extension will
automatically configure the application for you and automate steps 3-5.
3. If you want to set up Freedcamp manually, open a new web browser window, sign in to your Freedcamp
company site as an administrator, and perform the following steps:
4. On the top-right corner of the page, click on profile and then navigate to My Account.
5. From the left side of the menu bar, click on SSO and on the Your SSO connections page perform the
following steps:
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Freedcamp test user
To enable Azure AD users to sign in to Freedcamp, they must be provisioned into Freedcamp. In Freedcamp,
provisioning is a manual task.
To provision a user account, perform the following steps:
1. In a different web browser window, sign in to Freedcamp as a Security Administrator.
2. On the top-right corner of the page, click on profile and then navigate to Manage System.
3. On the right side of the Manage System page, perform the following steps:
a. Click on Add or invite Users.
b. In the Email text box, enter the email of the user, for example Brittasimon@contoso.com.
c. Click Add User.
Test SSO
When you select the Freedcamp tile in the Access Panel, you should be automatically signed in to the Freedcamp
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
FreshDesk
11/19/2019 • 7 minutes to read
In this tutorial, you learn how to integrate FreshDesk with Azure Active Directory (Azure AD). Integrating
FreshDesk with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to FreshDesk.
You can enable your users to be automatically signed-in to FreshDesk (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with FreshDesk, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
FreshDesk single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
FreshDesk supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type FreshDesk, select FreshDesk from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<tenant-name>.freshdesk.com or any other value Freshdesk has suggested.
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact FreshDesk Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. FreshDesk application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows an
example for this. The default value of Unique User Identifier is user.userprincipalname but FreshDesk
expects this to be mapped with the user's email address. For that you can use user.mail attribute from the
list or use the appropriate attribute value based on your organization configuration.
6. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
b. Copy the Cert Hash(sha256) value and paste it into Notepad.
9. On the Set up FreshDesk section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure FreshDesk Single Sign-On
1. In a different web browser window, log into your Freshdesk company site as an administrator.
2. Select the Settings icon and in the Security section, perform the following steps:
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create FreshDesk test user
In order to enable Azure AD users to log into FreshDesk, they must be provisioned into FreshDesk.
In the case of FreshDesk, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to your Freshdesk tenant.
2. In the menu on the top, click Admin.
a. In the Email textbox, type the Azure AD email address of the Azure AD account you want to provision.
b. In the Full Name textbox, type the name of the Azure AD account you want to provision.
c. In the Title textbox, type the title of the Azure AD account you want to provision.
d. Click Save.
NOTE
The Azure AD account holder will get an email that includes a link to confirm the account before it is activated.
NOTE
You can use any other Freshdesk user account creation tools or APIs provided by Freshdesk to provision Azure AD
user accounts to FreshDesk.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
FreshGrade
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate FreshGrade with Azure Active Directory (Azure AD). Integrating
FreshGrade with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to FreshGrade.
You can enable your users to be automatically signed-in to FreshGrade (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with FreshGrade, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
FreshGrade single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
FreshGrade supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type FreshGrade, select FreshGrade from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Sign-on URL textbox, type a URL using the following patterns:
https://<subdomain>.freshgrade.com/login
https://<subdomain>.onboarding.freshgrade.com/login
b. In the Identifier (Entity ID) textbox, type a URL using the following patterns:
https://login.onboarding.freshgrade.com:443/saml/metadata/alias/<instancename>
https://login.freshgrade.com:443/saml/metadata/alias/<instancename>
NOTE
These values are not real. Update these values with the actual Sign-On URL and Identifier. Contact FreshGrade Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create FreshGrade test user
In this section, you create a user called Britta Simon in FreshGrade. Work with FreshGrade support team to add the
users in the FreshGrade platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the FreshGrade tile in the Access Panel, you should be automatically signed in to the FreshGrade
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Freshservice
11/19/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Freshservice with Azure Active Directory (Azure AD). When you
integrate Freshservice with Azure AD, you can:
Control in Azure AD who has access to Freshservice.
Enable your users to be automatically signed-in to Freshservice with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Freshservice single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Freshservice supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<democompany>.freshservice.com
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<democompany>.freshservice.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Freshservice Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. Freshservice requires a SHA-256 fingerprint to get SSO working. To get the SHA-256 fingerprint, perform the
following steps:
a. Open the link in a different web browser.
b. Open the downloaded certificate (Base64) file in Notepad and paste its content into the X.509 cert
textbox.
c. For the Algorithm, select sha256 from the dropdown.
d. Click CALCULATE FINGERPRINT.
e. Click on the copy icon to copy the generated FingerPrint and save it on your computer.
7. On the Set up Freshservice section on the Azure portal, copy the appropriate URL(s) based on your
requirement.
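The fingerprint produced in steps 6a to 6e (and the Cert Hash(sha256) value copied in the FreshDesk tutorial) is a SHA-256 digest over the certificate's DER bytes, so it can be computed and checked locally from the downloaded Certificate (Base64) file. The following is an added example, not part of the original tutorial or of any Microsoft or Freshservice tooling; the function names are assumptions and the sample input is constructed placeholder bytes, not a real certificate.

```python
import base64
import binascii
import hashlib
import hmac
import re

# One PEM-armoured certificate, as found in the "Certificate (Base64)" download.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem_text):
    """Return the DER bytes of the single CERTIFICATE block in pem_text."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one CERTIFICATE block, found %d" % len(blocks))
    body = "".join(blocks[0].split())  # drop line wrapping and CR/LF
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid Base64") from exc
    if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return der


def sha256_fingerprint(pem_text):
    """SHA-256 over the DER bytes, as colon-separated upper-case hex."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(value):
    """Strip separators and case so pasted values compare reliably."""
    hex_only = re.sub(r"[\s:\-]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hex_only):
        raise ValueError("not a SHA-256 fingerprint (64 hex digits expected)")
    return hex_only


def fingerprint_matches(pem_text, configured):
    """True if the value pasted into the SP equals the certificate's fingerprint."""
    actual = normalize_fingerprint(sha256_fingerprint(pem_text))
    return hmac.compare_digest(actual, normalize_fingerprint(configured))


# Constructed sample: placeholder bytes shaped like a DER SEQUENCE, wrapped the
# way a file saved from Notepad may look (BOM, CRLF line endings, 64-char lines).
SAMPLE_DER = bytes([0x30, 0x60]) + bytes(range(96))
_b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = (
    "\ufeff-----BEGIN CERTIFICATE-----\r\n"
    + "\r\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
    + "\r\n-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_PEM))
```

Re-run the comparison whenever the SAML signing certificate is rolled over, because the fingerprint stored on the service provider side must change with it.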
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, click Setup Freshservice, which directs you to the Freshservice
application. From there, provide the admin credentials to sign into Freshservice. The browser extension will
automatically configure the application for you and automate steps 3-6.
3. If you want to setup Freshservice manually, open a new web browser window and sign into your
Freshservice company site as an administrator and perform the following steps:
4. In the menu on the top, click Admin.
a. Enter the First Name and Email attributes of a valid Azure Active Directory account you want to
provision into the related textboxes.
b. Click Save.
NOTE
The Azure Active Directory account holder gets an email including a link to confirm the account before it becomes
active.
NOTE
You can use any other FreshService user account creation tools or APIs provided by FreshService to provision Azure AD user
accounts.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Freshservice tile in the Access Panel, you should be automatically signed in to the Freshservice
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Freshservice with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Freshworks
10/15/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Freshworks with Azure Active Directory (Azure AD). When you
integrate Freshworks with Azure AD, you can:
Control in Azure AD who has access to Freshworks.
Enable your users to be automatically signed-in to Freshworks with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Freshworks single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Freshworks supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.freshworks.com/login
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SUBDOMAIN>.freshworks.com/sp/SAML/<MODULE_ID>/metadata
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Freshworks Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. To modify the Signing options as per your requirement, click Edit button to open SAML Signing
Certificate dialog.
a. Select Sign SAML response as Signing Option.
b. Click Save.
7. On the Set up Freshworks section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Freshworks tile in the Access Panel, you should be automatically signed in to the Freshworks
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Freshworks with Azure AD
Tutorial: Azure Active Directory integration with Front
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Front with Azure Active Directory (Azure AD). Integrating Front with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Front.
You can enable your users to be automatically signed-in to Front (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Front, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Front single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Front supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Front, select Front from result panel then click Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<companyname>.frontapp.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<companyname>.frontapp.com/sso/saml/callback
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Front Client support
team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Front section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Front Single Sign-On
1. Sign in to your Front tenant as an administrator.
2. Go to Settings (cog icon at the bottom of the left sidebar) > Preferences.
5. In the Entry Point textbox put the value of Login URL from Azure AD application configuration wizard.
6. Open your downloaded Certificate(Base64) file in notepad, copy the content of it into your clipboard, and
then paste it to the Signing certificate textbox.
7. On the Service provider settings section, perform the following steps:
a. Copy the value of Entity ID and paste it into the Identifier textbox in Front Domain and URLs section
in Azure portal.
b. Copy the value of ACS URL and paste it into the Reply URL textbox in Front Domain and URLs section
in Azure portal.
8. Click Save button.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Front test user
In this section, you create a user called Britta Simon in Front. Work with Front Client support team to add the users
in the Front platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Front tile in the Access Panel, you should be automatically signed in to the Front for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Frontline Education with Azure
Active Directory
8/13/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate Frontline Education with Azure Active Directory (Azure AD). When you
integrate Frontline Education with Azure AD, you can:
Control in Azure AD who has access to Frontline Education.
Enable your users to be automatically signed-in to Frontline Education with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Frontline Education single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Frontline Education supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign on URL text box, type a URL using the following pattern:
https://login.frontlineeducation.com/sso/<CLIENTID>
NOTE
The Sign on URL value is not real. Update the value with the actual Sign on URL. Contact Frontline Education Client
support team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Fulcrum
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Fulcrum with Azure Active Directory (Azure AD). Integrating Fulcrum
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Fulcrum.
You can enable your users to be automatically signed-in to Fulcrum (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Fulcrum, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Fulcrum single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Fulcrum supports SP and IDP initiated SSO
Fulcrum supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Fulcrum, select Fulcrum from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Reply URL text box, type a URL using the following pattern:
https://web.fulcrumapp.com/saml/consume?organization=<DOMAIN>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
NOTE
The Reply URL value is not real. Update the value with the actual Reply URL. Contact Fulcrum Client support team to
get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
6. Fulcrum application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes. Click Edit icon to open User Attributes dialog.
7. In addition to the above, the Fulcrum application expects a few more attributes to be passed back in the SAML response.
In the User Claims section on the User Attributes dialog, perform the following steps to add the SAML token
attributes shown in the table below:
NAME          SOURCE ATTRIBUTE
first_name    user.givenname
last_name     user.surname
email         user.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
9. On the Set up Fulcrum section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
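The claim mappings from step 7 can be checked against the assertion captured from a test sign-in before the configuration is handed over. This added example (not part of the original tutorial) parses a constructed sample assertion and reports first_name, last_name and email claims that are missing, empty or namespace-prefixed, and optionally whether NameID equals a named claim; the function names, sample values, and the assumption that a non-blank Namespace appears as a prefix ending in /<name> belong to this example. It does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
FULCRUM_CLAIMS = ("first_name", "last_name", "email")  # names from the tutorial table


def read_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from a SAML 2.0 assertion."""
    # Refuse DTDs up front so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations are not allowed in SAML")
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}Assertion" % SAML_NS:
        assertion = root
    else:
        assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values
    return name_id.strip(), attrs


def check_claims(xml_text, required=FULCRUM_CLAIMS, nameid_equals=None):
    """Return a list of problems; an empty list means the mapping looks right."""
    name_id, attrs = read_assertion(xml_text)
    problems = []
    for name in required:
        values = attrs.get(name)
        if values is None:
            prefixed = [n for n in attrs if n.endswith("/" + name)]
            if prefixed:
                problems.append("%s: sent as '%s' (Namespace was not left blank)"
                                % (name, prefixed[0]))
            else:
                problems.append("%s: missing" % name)
        elif not any(values):
            problems.append("%s: present but empty" % name)
    if not name_id:
        problems.append("NameID: missing")
    elif nameid_equals is not None:
        expected = [v.lower() for v in attrs.get(nameid_equals, [])]
        if name_id.lower() not in expected:
            problems.append("NameID: does not match the '%s' claim" % nameid_equals)
    return problems


def build_sample(name_id, claims):
    """Build a constructed, unsigned assertion for the demonstration below."""
    rows = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
        "</saml:Attribute>" % (name, value)
        for name, value in claims.items()
    )
    return (
        '<saml:Assertion xmlns:saml="%s" ID="_constructed" Version="2.0">'
        "<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>%s</saml:AttributeStatement>"
        "</saml:Assertion>" % (SAML_NS, name_id, rows)
    )


# Constructed samples: one correct mapping, one with three typical mistakes.
GOOD = build_sample("britta.simon@example.invalid", {
    "first_name": "Britta", "last_name": "Simon",
    "email": "britta.simon@example.invalid",
})
BAD = build_sample("bsimon@contoso.example.invalid", {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/first_name": "Britta",
    "last_name": "",
    "email": "britta.simon@example.invalid",
})

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_claims(sample, nameid_equals="email"))
```

Passing nameid_equals="email" also covers the FreshDesk case described earlier, where the Unique User Identifier has to carry the user's email address rather than the default user.userprincipalname.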
Configure Fulcrum Single Sign-On
To configure single sign-on on Fulcrum side, you need to send the downloaded Certificate (Base64) and
appropriate copied URLs from Azure portal to Fulcrum support team. They set this setting to have the SAML SSO
connection set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Fulcrum test user
In this section, a user called Britta Simon is created in Fulcrum. Fulcrum supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Fulcrum,
a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Fulcrum tile in the Access Panel, you should be automatically signed in to the Fulcrum for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Fuse
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Fuse with Azure Active Directory (Azure AD). Integrating Fuse with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Fuse.
You can enable your users to be automatically signed-in to Fuse (Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Fuse, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Fuse single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Fuse supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Fuse, select Fuse from result panel then click Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Fuse Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Fuse section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure Fuse Single Sign-On
To configure single sign-on on Fuse side, you need to send the downloaded Certificate (Base64) and appropriate
copied URLs from Azure portal to Fuse support team. They set this setting to have the SAML SSO connection set
properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Fuse test user
In this section, you create a user called Britta Simon in Fuse. Work with Fuse support team to add the users in the
Fuse platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Fuse tile in the Access Panel, you should be automatically signed in to the Fuse for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Fuze
10/30/2019 • 4 minutes to read
In this tutorial, you learn how to integrate Fuze with Azure Active Directory (Azure AD). Integrating Fuze with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Fuze.
You can enable your users to be automatically signed-in to Fuze (Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Fuze, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Fuze single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Fuze supports SP initiated SSO
Fuze supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Fuze, select Fuze from result panel then click Add button to add the application.
3. On the Set-up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
5. On the Set-up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Fuze section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Fuze Single Sign-On
To configure single sign-on on the Fuze side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the Fuze support team. They configure this setting so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Fuze test user
Fuze supports just-in-time user provisioning, so users are created automatically when they sign in. For
any other clarification, contact Fuze support.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Fuze tile in the Access Panel, you should be automatically signed in to the Fuze for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with G Suite
11/8/2019 • 10 minutes to read
In this tutorial, you'll learn how to integrate G Suite with Azure Active Directory (Azure AD). When you integrate G
Suite with Azure AD, you can:
Control in Azure AD who has access to G Suite.
Enable your users to be automatically signed-in to G Suite with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription.
G Suite single sign-on (SSO) enabled subscription.
A Google Apps subscription or Google Cloud Platform subscription.
NOTE
To test the steps in this tutorial, we do not recommend using a production environment. This document was created using
the new user Single-Sign-on experience. If you are still using the old one, the setup will look different. You can enable the
new experience in the Single Sign-on settings of G-Suite application. Go to Azure AD, Enterprise applications, select G
Suite, select Single Sign-on and then click on Try out our new experience.
To test the steps in this tutorial, you should follow these recommendations:
Do not use your production environment, unless it is necessary.
If you don't have a subscription, you can get a free account.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
G Suite supports SP initiated SSO
G Suite supports Automated user provisioning
4. On the Basic SAML Configuration section, if you want to configure for Gmail, perform the following
steps:
a. In the Sign-on URL textbox, type a URL using the following pattern:
https://www.google.com/a/<yourdomain.com>/ServiceLogin?continue=https://mail.google.com
google.com/a/<yourdomain.com>
google.com
https://google.com
https://google.com/a/<yourdomain.com>
5. On the Basic SAML Configuration section, if you want to configure for the Google Cloud Platform,
perform the following steps:
a. In the Sign-on URL textbox, type a URL using the following pattern:
https://www.google.com/a/<yourdomain.com>/ServiceLogin?continue=https://console.cloud.google.com
google.com/a/<yourdomain.com>
google.com
https://google.com
https://google.com/a/<yourdomain.com>
NOTE
These values are not real. Update these values with the actual Sign-On URL and Identifier. G Suite doesn't provide
an Entity ID/Identifier value on the Single Sign On configuration, so when you uncheck the domain specific issuer option
the Identifier value will be google.com. If you check the domain specific issuer option, it will be
google.com/a/<yourdomainname.com>. To check/uncheck the domain specific issuer option, go to the
Configure G Suite SSO section, which is explained later in the tutorial. For more information, contact the G Suite Client
support team.
6. Your G Suite application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
an example for this. The default value of Unique User Identifier is user.userprincipalname but G Suite
expects this to be mapped with the user's email address. For that you can use user.mail attribute from the
list or use the appropriate attribute value based on your organization configuration.
7. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
9. On the Set up G Suite section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
Make sure that your user already exists in G Suite if provisioning in Azure AD has not been turned on before testing Single
Sign-on.
NOTE
If you need to create a user manually, contact the Google support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the G Suite tile in the Access Panel, you should be automatically signed in to the G Suite for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Configure User Provisioning
Try G Suite with Azure AD
Tutorial: Azure Active Directory integration with
GaggleAMP
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate GaggleAMP with Azure Active Directory (Azure AD). Integrating
GaggleAMP with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to GaggleAMP.
You can enable your users to be automatically signed-in to GaggleAMP (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with GaggleAMP, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
GaggleAMP single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
GaggleAMP supports SP and IDP initiated SSO
GaggleAMP supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type GaggleAMP, select GaggleAMP from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Identifier text box, type a URL: https://accounts.gaggleamp.com/auth/saml/callback
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://gaggleamp.com/i/<customerid>
NOTE
The value is not real. Update the value with the actual Sign-on URL. Contact GaggleAMP Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up GaggleAMP section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure GaggleAMP Single Sign-On
1. In another browser instance, navigate to the SAML SSO page created for you by the Gaggle support team
(for example: https://accounts.gaggleamp.com/saml_configurations/oXH8sQcP79dOzgFPqrMTyw/edit).
2. On your SAML SSO page, perform the following steps:
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create GaggleAMP test user
In this section, a user called Britta Simon is created in GaggleAMP. GaggleAMP supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in GaggleAMP, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the GaggleAMP tile in the Access Panel, you should be automatically signed in to the GaggleAMP
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Getabstract
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Getabstract with Azure Active Directory (Azure AD). Integrating
Getabstract with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Getabstract.
You can enable your users to be automatically signed-in to Getabstract (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Getabstract, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Getabstract single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Getabstract supports SP and IDP initiated SSO
Getabstract supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Getabstract, select Getabstract from the result panel, then click the Add button to add the
application.
3. On the Set-up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL:
For Stage/pre_production: https://int.getabstract.com
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL textbox, type a URL using the following pattern:
For Stage/pre_production: https://int.getabstract.com/portal/<org_username>
NOTE
This value is not real. Update this value with the actual Sign-On URL. Contact Getabstract Client support team to get
this value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
6. On the Set-up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Getabstract section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Getabstract Single Sign-On
To configure single sign-on on the Getabstract side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the Getabstract support team. They configure this setting so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Getabstract test user
In this section, a user called Britta Simon is created in Getabstract. Getabstract supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Getabstract, a new one is created after authentication.
NOTE
If you need to create a user manually, contact the Getabstract support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Getabstract tile in the Access Panel, you should be automatically signed in to the Getabstract
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with GetThere
8/29/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate GetThere with Azure Active Directory (Azure AD). When you integrate
GetThere with Azure AD, you can:
Control in Azure AD who has access to GetThere.
Enable your users to be automatically signed-in to GetThere with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
GetThere single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
GetThere supports IDP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Set up single sign-on with SAML page, enter the values for the following fields:
a. In the Identifier text box, type a URL:
getthere.com
http://idp.getthere.com
b. In the Reply URL text box, type any one of the below URLs:
https://wx1.getthere.net/login/saml/post.act
https://gtx2-gcte2.getthere.net/login/saml/post.act
https://gtx2-gcte2.getthere.net/login/saml/ssoaasvalidate.act
https://wx1.getthere.net/login/saml/ssoaavalidate.act
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up GetThere section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the GetThere tile in the Access Panel, you should be automatically signed in to the GetThere for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try GetThere with Azure AD
Tutorial: Azure Active Directory integration with
Gigya
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Gigya with Azure Active Directory (Azure AD). Integrating Gigya with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Gigya.
You can enable your users to be automatically signed-in to Gigya (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Gigya, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Gigya single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Gigya supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Gigya, select Gigya from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://fidm.gigya.com/saml/v2.0/<companyname>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Gigya Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Gigya section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Gigya Single Sign-On
1. In a different web browser window, log into your Gigya company site as an administrator.
2. Go to Settings > SAML Login, and then click the Add button.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Gigya test user
In order to enable Azure AD users to log into Gigya, they must be provisioned into Gigya. In the case of Gigya,
provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to your Gigya company site as an administrator.
2. Go to Admin > Manage Users, and then click Invite Users.
3. On the Invite Users dialog, perform the following steps:
a. In the Email textbox, type the email alias of a valid Azure Active Directory account you want to provision.
b. Click Invite User.
NOTE
The Azure Active Directory account holder will receive an email that includes a link to confirm the account before it
becomes active.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
GitHub
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate GitHub with Azure Active Directory (Azure AD). Integrating GitHub with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to GitHub.
You can enable your users to be automatically signed-in to GitHub (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with GitHub, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
A GitHub organization created in GitHub Enterprise Cloud, which requires the GitHub Enterprise billing plan
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
GitHub supports SP initiated SSO
GitHub supports Automated user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type GitHub, select GitHub.com from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://github.com/orgs/<entity-id>
NOTE
These are not the real values. Update these values with the actual Sign on URL and
Identifier. We suggest that you use a unique string value in the Identifier. Go to the GitHub Admin section to
retrieve these values.
5. Your GitHub application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes, where nameidentifier is mapped with user.userprincipalname. The GitHub application
expects nameidentifier to be mapped with user.mail, so you need to edit the attribute mapping by clicking
the Edit icon and changing the attribute mapping.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up GitHub section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure GitHub Single Sign-On
1. In a different web browser window, log into your GitHub organization site as an administrator.
2. Navigate to Settings and click Security
3. Check the Enable SAML authentication box, revealing the Single Sign-on configuration fields. Then, use
the single sign-on URL value to update the Single sign-on URL on Azure AD configuration.
5. Click Test SAML configuration to confirm that there are no validation failures or errors during SSO.
6. Click Save
NOTE
Single sign-on in GitHub authenticates to a specific organization in GitHub and does not replace the authentication of GitHub
itself. Therefore, if the user's github.com session has expired, you may be asked to authenticate with GitHub's ID/password
during the single sign-on process.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create GitHub test user
The objective of this section is to create a user called Britta Simon in GitHub. GitHub supports automatic user
provisioning, which is enabled by default. You can find more details here on how to configure automatic user
provisioning.
If you need to create a user manually, perform the following steps:
1. Log in to your GitHub company site as an administrator.
2. Click People.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
GlassFrog
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate GlassFrog with Azure Active Directory (Azure AD). Integrating
GlassFrog with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to GlassFrog.
You can enable your users to be automatically signed-in to GlassFrog (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with GlassFrog, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
GlassFrog single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
GlassFrog supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type GlassFrog, select GlassFrog from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact GlassFrog Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up GlassFrog section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure GlassFrog Single Sign-On
To configure single sign-on on the GlassFrog side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the GlassFrog support team. They configure this setting so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create GlassFrog test user
In this section, you create a user called Britta Simon in GlassFrog. Work with GlassFrog support team to add the
users in the GlassFrog platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the GlassFrog tile in the Access Panel, you should be automatically signed in to the GlassFrog for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate GlobalOne with Azure Active
Directory
8/9/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate GlobalOne with Azure Active Directory (Azure AD). When you
integrate GlobalOne with Azure AD, you can:
Control in Azure AD who has access to GlobalOne.
Enable your users to be automatically signed-in to GlobalOne with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
GlobalOne single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. GlobalOne supports SP and IDP
initiated SSO and supports Just In Time user provisioning.
4. On the Basic SAML Configuration section, the application is pre-configured and the necessary URLs are
already pre-populated with Azure. The user needs to save the configuration by clicking the Save button.
5. The GlobalOne application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes. Click the Edit icon to open the User Attributes dialog.
6. In addition to the above, the GlobalOne application expects a few more attributes to be passed back in the SAML
response. In the User Claims section on the User Attributes dialog, perform the following steps to add
each SAML token attribute shown in the table below:
NAME        SOURCE ATTRIBUTE
FirstName   user.givenname
LastName    user.surname
Email       user.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Raw) and select Download to download the certificate and save it on your computer.
8. On the Set up GlobalOne section, copy the appropriate URL(s) based on your requirement.
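A check for the claim mapping in step 6, as an added example that is not part of the original tutorial or GlobalOne's own code: it parses a SAML assertion and reports whether FirstName, LastName and Email arrive under the bare names from the table (Namespace left blank). The assertions, the function names and the sample values are constructed for illustration, and signature validation is outside what this block covers.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Claim names from the tutorial's table, with the Azure AD source attribute
# each one is mapped from.
REQUIRED_CLAIMS = {
    "FirstName": "user.givenname",
    "LastName": "user.surname",
    "Email": "user.mail",
}


def build_assertion(attrs):
    """Build a constructed, unsigned assertion fragment from (Name, value) pairs."""
    body = "".join(
        f'<saml:Attribute Name="{name}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue>"
        "</saml:Attribute>"
        for name, value in attrs
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:AttributeStatement>{body}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


# Constructed sample: all three claims sent under their bare names.
SAMPLE_OK = build_assertion([
    ("FirstName", "Britta"),
    ("LastName", "Simon"),
    ("Email", "britta.simon@contoso.example"),
])

# Constructed sample: Email was added with the Namespace field filled in, so
# its Name is "<namespace>/Email", and LastName is absent because the user's
# surname attribute is not populated.
SAMPLE_MISCONFIGURED = build_assertion([
    ("FirstName", "Britta"),
    ("http://schemas.example.invalid/claims/Email", "britta.simon@contoso.example"),
])


def check_claims(assertion_xml):
    """Return {claim name: problem}; an empty dict means the mapping is as expected.

    The stdlib parser is used because the input here is a constructed sample.
    For assertions captured from a real sign-in, use a hardened XML parser
    (for example defusedxml) and validate the signature before trusting values.
    """
    root = ET.fromstring(assertion_xml)

    # Collect every attribute the IdP sent, keyed by its exact Name.
    sent = {}
    for attr in root.iter(SAML + "Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(SAML + "AttributeValue")]
        sent.setdefault(attr.get("Name", ""), []).extend(values)

    problems = {}
    for name, source in REQUIRED_CLAIMS.items():
        if name in sent:
            if not any(sent[name]):
                problems[name] = f"present but empty; check that {source} is set for the user"
            continue
        # A filled-in Namespace turns the Name into "<namespace>/<name>".
        qualified = [n for n in sent if n.endswith("/" + name)]
        if qualified:
            problems[name] = (
                f"sent as {qualified[0]}; leave Namespace blank so the Name is '{name}'"
            )
        else:
            problems[name] = f"missing; add the claim or populate {source} for the user"
    return problems


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("misconfigured", SAMPLE_MISCONFIGURED)):
        print(label, check_claims(sample))
```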
Configure GlobalOne
To configure single sign-on on the GlobalOne side, you need to send the downloaded Certificate (Raw) and the
appropriate copied URLs from the Azure portal to the GlobalOne support team. They apply this setting so that the SAML
SSO connection is set properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B. Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B. Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B. Simon to use Azure single sign-on by granting access to GlobalOne.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select GlobalOne.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B. Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create GlobalOne test user
In this section, a user called Britta Simon is created in GlobalOne. GlobalOne supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in GlobalOne, a new one is created after authentication.
Test SSO
When you select the GlobalOne tile in the Access Panel, you should be automatically signed in to the GlobalOne
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with GoodPractice Toolkit
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate GoodPractice Toolkit with Azure Active Directory (Azure AD). Integrating
GoodPractice Toolkit with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to GoodPractice Toolkit.
You can enable your users to be automatically signed-in to GoodPractice Toolkit (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with GoodPractice Toolkit, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
GoodPractice Toolkit single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
GoodPractice Toolkit supports SP initiated SSO
GoodPractice Toolkit supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type GoodPractice Toolkit, select GoodPractice Toolkit from the result panel, then click
the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The Sign-on URL value is not real. Update the value with the actual Sign-On URL. Contact GoodPractice Toolkit Client
support team to get the value.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up GoodPractice Toolkit section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure GoodPractice Toolkit Single Sign-On
To configure single sign-on on the GoodPractice Toolkit side, you need to send the downloaded Federation
Metadata XML and the appropriate copied URLs from the Azure portal to the GoodPractice Toolkit support team. They
apply this setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create GoodPractice Toolkit test user
In this section, a user called Britta Simon is created in GoodPractice Toolkit. GoodPractice Toolkit supports just-in-
time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't
already exist in GoodPractice Toolkit, a new one is created when you attempt to access GoodPractice Toolkit.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the GoodPractice Toolkit tile in the Access Panel, you should be automatically signed in to the
GoodPractice Toolkit for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with GoToMeeting
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate GoToMeeting with Azure Active Directory (Azure AD). Integrating
GoToMeeting with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to GoToMeeting.
You can enable your users to be automatically signed-in to GoToMeeting (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with GoToMeeting, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
GoToMeeting single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
GoToMeeting supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type GoToMeeting, select GoToMeeting from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, click the Edit button to open the Basic SAML Configuration
dialog.
a. In the Identifier text box, type a URL using the following pattern:
https://authentication.logmeininc.com/saml/sp
b. In the Reply URL text box, type a URL using the following pattern:
https://authentication.logmeininc.com/saml/acs
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact GoToMeeting
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up GoToMeeting section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure GoToMeeting Single Sign-On
1. In a different browser window, log in to your GoToMeeting Organization Center. You will be prompted to
confirm that the IdP has been updated.
2. Enable the "My Identity Provider has been updated with the new domain" checkbox. Click Done when
finished.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create GoToMeeting test user
In this section, a user called Britta Simon is created in GoToMeeting. GoToMeeting supports just-in-time
provisioning, which is enabled by default.
There is no action item for you in this section. If a user doesn't already exist in GoToMeeting, a new one is created
when you attempt to access GoToMeeting.
NOTE
If you need to create a user manually, contact the GoToMeeting support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Gra-Pe
10/30/2019 • 4 minutes to read
In this tutorial, you learn how to integrate Gra-Pe with Azure Active Directory (Azure AD). Integrating Gra-Pe with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Gra-Pe.
You can enable your users to be automatically signed-in to Gra-Pe (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Gra-Pe, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Gra-Pe single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Gra-Pe supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Gra-Pe, select Gra-Pe from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Gra-Pe section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Gra-Pe Single Sign-On
To configure single sign-on on the Gra-Pe side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Gra-Pe support team. They apply this setting so that the SAML SSO
connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Gra-Pe test user
In this section, you create a user called Britta Simon in Gra-Pe. Work with the Gra-Pe support team to add the users in
the Gra-Pe platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Gra-Pe tile in the Access Panel, you should be automatically signed in to the Gra-Pe for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Greenhouse
11/19/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Greenhouse with Azure Active Directory (Azure AD). Integrating
Greenhouse with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Greenhouse.
You can enable your users to be automatically signed-in to Greenhouse (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Greenhouse, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Greenhouse single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Greenhouse supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Greenhouse, select Greenhouse from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.greenhouse.io
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Greenhouse Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Greenhouse section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Greenhouse Single Sign-On
To configure single sign-on on the Greenhouse side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the Greenhouse support team. They apply this setting so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Greenhouse test user
In order to enable Azure AD users to log into Greenhouse, they must be provisioned into Greenhouse. In the case
of Greenhouse, provisioning is a manual task.
NOTE
You can use any other Greenhouse user account creation tools or APIs provided by Greenhouse to provision Azure AD user
accounts.
NOTE
The Azure Active Directory account holders will receive an email including a link to confirm the account before it
becomes active.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with GreenOrbit
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate GreenOrbit with Azure Active Directory (Azure AD). Integrating
GreenOrbit with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to GreenOrbit.
You can enable your users to be automatically signed-in to GreenOrbit (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with GreenOrbit, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
GreenOrbit single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
GreenOrbit supports SP initiated SSO
GreenOrbit supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type GreenOrbit, select GreenOrbit from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SUBDOMAIN>.yourcompanydomain.extension
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact GreenOrbit Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up GreenOrbit section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure GreenOrbit Single Sign-On
To configure single sign-on on the GreenOrbit side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the GreenOrbit support team. They apply this setting so that the SAML
SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create GreenOrbit test user
In this section, a user called Britta Simon is created in GreenOrbit. GreenOrbit supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in GreenOrbit, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the GreenOrbit tile in the Access Panel, you should be automatically signed in to the GreenOrbit
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with Grovo
8/29/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Grovo with Azure Active Directory (Azure AD). When you integrate
Grovo with Azure AD, you can:
Control in Azure AD who has access to Grovo.
Enable your users to be automatically signed-in to Grovo with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Grovo single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Grovo supports SP and IDP initiated SSO
Grovo supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://<subdomain>.grovo.com/sso/saml2/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.grovo.com/sso/saml2/saml-assertion
5. Click Set additional URLs and perform the following steps if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<subdomain>.grovo.com/sso/saml2/saml-assertion
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL, Sign-on URL and Relay State.
Contact Grovo Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. On the Set up Grovo section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
a. In the Entity ID textbox, paste the value of Azure AD Identifier, which you have copied from the Azure
portal.
b. In the Single sign-on service endpoint textbox, paste the value of Login URL, which you have copied
from the Azure portal.
c. Select Single sign-on service endpoint binding as
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect.
d. Open the downloaded Base64 encoded certificate from the Azure portal in Notepad, and paste it into the
Public key textbox.
e. Click Next.
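What the HTTP-Redirect binding selected in step c puts on the wire, as an added example that is not Grovo's or Microsoft's code: an SP-initiated AuthnRequest travels in the SAMLRequest query parameter as raw-DEFLATE, Base64, URL-encoded XML, and decoding it lets you compare its Issuer and AssertionConsumerServiceURL with the Identifier and Reply URL you configured. The subdomain contoso, the all-zero tenant ID in the login URL, the request itself and all function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed values that follow the URL patterns shown in the tutorial.
IDENTIFIER = "https://contoso.grovo.com/sso/saml2/metadata"
REPLY_URL = "https://contoso.grovo.com/sso/saml2/saml-assertion"
# Placeholder Login URL; the real one is copied from the Azure portal.
LOGIN_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"


def sample_request(issuer, acs_url):
    """Constructed, unsigned AuthnRequest such as an SP would send."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        'ID="_constructed1" Version="2.0" IssueInstant="2019-08-29T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )


def encode_redirect(authn_request_xml, idp_login_url):
    """SP side of the binding: raw DEFLATE (no zlib header), Base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})
    return f"{idp_login_url}?{query}"


def decode_redirect(redirect_url, max_size=65536):
    """Reverse the binding, refusing requests that inflate past max_size bytes."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter in URL")
    raw = base64.b64decode(query["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, max_size)
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("request exceeds size limit or is truncated")
    return xml_bytes.decode("utf-8")


def check_request(redirect_url, identifier, reply_url):
    """Compare a captured redirect with the values configured in Azure AD."""
    # Stdlib parser on a constructed sample; use a hardened parser such as
    # defusedxml for requests captured from real traffic.
    root = ET.fromstring(decode_redirect(redirect_url))
    issuer = (root.findtext(f"{{{SAML_NS}}}Issuer") or "").strip()
    acs_url = root.get("AssertionConsumerServiceURL")  # optional in SAML 2.0

    findings = []
    if issuer != identifier:
        findings.append(f"Issuer {issuer!r} does not equal the configured Identifier")
    if acs_url is not None and acs_url != reply_url:
        findings.append(f"ACS URL {acs_url!r} does not equal the configured Reply URL")
    return {"issuer": issuer, "acs_url": acs_url, "findings": findings}


if __name__ == "__main__":
    url = encode_redirect(sample_request(IDENTIFIER, REPLY_URL), LOGIN_URL)
    print(url)
    print(check_request(url, IDENTIFIER, REPLY_URL))
```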
Create Grovo test user
In this section, a user called B.Simon is created in Grovo. Grovo supports just-in-time user provisioning, which is
enabled by default. There is no action item for you in this section. If a user doesn't already exist in Grovo, a new one
is created after authentication.
NOTE
If you need to create a user manually, contact the Grovo support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Grovo tile in the Access Panel, you should be automatically signed in to the Grovo for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Grovo with Azure AD
Tutorial: Azure Active Directory integration with GTNexus SSO System
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate GTNexus SSO System with Azure Active Directory (Azure AD).
Integrating GTNexus SSO System with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to GTNexus SSO System.
You can enable your users to be automatically signed-in to GTNexus SSO System (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with GTNexus SSO System, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
GTNexus SSO System single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
GTNexus SSO System supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type GTNexus SSO System, select GTNexus SSO System from the result panel, then click
the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you have a Service Provider metadata file, perform the
following steps:
a. Click Upload metadata file.
b. Click the folder logo to select the metadata file and click Upload.
c. Once the metadata file is successfully uploaded, the Identifier and Reply URL values get auto populated
in the GTNexus SSO System section textbox:
NOTE
If the Identifier and Reply URL values are not auto populated, then fill in the values manually according to
your requirement.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create GTNexus SSO System test user
In this section, you create a user called Britta Simon in GTNexus SSO System. Work with the GTNexus SSO System
support team to add the users in the GTNexus SSO System platform. Users must be created and activated before
you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the GTNexus SSO System tile in the Access Panel, you should be automatically signed in to the
GTNexus SSO System for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with HackerOne
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate HackerOne with Azure Active Directory (Azure AD). Integrating
HackerOne with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to HackerOne.
You can enable your users to be automatically signed-in to HackerOne (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with HackerOne, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
HackerOne single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
HackerOne supports SP initiated SSO
HackerOne supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type HackerOne, select HackerOne from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
This Sign on URL value is not real. Update this value with the actual Sign-On URL. Contact the HackerOne Client
support team to get this value. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up HackerOne section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure HackerOne Single Sign-On
1. Sign on to your HackerOne tenant as an administrator.
2. In the menu at the top, click Settings.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create HackerOne test user
In this section, a user called Britta Simon is created in HackerOne. HackerOne supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in HackerOne, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the HackerOne tile in the Access Panel, you should be automatically signed in to the HackerOne for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Halogen Software
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Halogen Software with Azure Active Directory (Azure AD). Integrating
Halogen Software with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Halogen Software.
You can enable your users to be automatically signed-in to Halogen Software (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Halogen Software, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Halogen Software single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Halogen Software supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Halogen Software, select Halogen Software from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://global.halogensoftware.com/<companyname>
https://global.hgncloud.com/<companyname>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Halogen Software
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Halogen Software section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Halogen Software Single Sign-On
1. In a different browser window, sign on to your Halogen Software application as an administrator.
2. Click the Options tab.
NOTE
You need to wait for the message "The SAML test is complete. Please close this window". Then, close the opened
browser window. The Enable SAML checkbox is only enabled if the test has been completed.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Halogen Software test user
The objective of this section is to create a user called Britta Simon in Halogen Software.
To create a user called Britta Simon in Halogen Software, perform the following steps:
1. Sign on to your Halogen Software application as an administrator.
2. Click the User Center tab, and then click Create User.
3. On the New User dialog page, perform the following steps:
a. In the First Name textbox, type the first name of the user, for example Britta.
b. In the Last Name textbox, type the last name of the user, for example Simon.
c. In the Username textbox, type Britta Simon, the user name as in the Azure portal.
d. In the Password textbox, type a password for Britta.
e. Click Save.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Halogen Software tile in the Access Panel, you should be automatically signed in to the
Halogen Software for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Halosys
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Halosys with Azure Active Directory (Azure AD). Integrating Halosys
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Halosys.
You can enable your users to be automatically signed-in to Halosys (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Halosys, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Halosys single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Halosys supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Halosys, select Halosys from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<company-name>.halosys.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<company-name>.halosys.com/<instance name>
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact the Halosys Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Halosys section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Halosys Single Sign-On
To configure single sign-on on the Halosys side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the Halosys support team. They configure this setting so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Halosys test user
In this section, you create a user called Britta Simon in Halosys. Work with the Halosys support team to add the users
to the Halosys platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Halosys tile in the Access Panel, you should be automatically signed in to the Halosys for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with HappyFox
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate HappyFox with Azure Active Directory (Azure AD). Integrating
HappyFox with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to HappyFox.
You can enable your users to be automatically signed-in to HappyFox (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with HappyFox, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
HappyFox single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
HappyFox supports SP initiated SSO
HappyFox supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type HappyFox, select HappyFox from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.happyfox.com/saml/metadata/
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the HappyFox Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up HappyFox section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure HappyFox Single Sign-On
1. In a different web browser window, sign on to your HappyFox tenant as an administrator.
2. Navigate to Manage, then click the Integrations tab.
3. In the Integrations tab, click Configure under SAML Integration to open the Single Sign On Settings.
4. In the SAML configuration section, paste the Login URL value, which you have copied from the Azure portal,
into the SSO Target URL textbox.
5. Open the certificate downloaded from the Azure portal in Notepad and paste its content into the IdP Signature
section.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create HappyFox test user
In this section, a user called Britta Simon is created in HappyFox. HappyFox supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in HappyFox, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
1. When you click the HappyFox tile in the Access Panel, you should see the login page of the HappyFox application.
You should see the ‘SAML’ button on the sign-in page.
2. Click the SAML button to log in to HappyFox using your Azure AD account.
For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with Harness
10/7/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Harness with Azure Active Directory (Azure AD). When you integrate
Harness with Azure AD, you can:
Control in Azure AD who has access to Harness.
Enable your users to be automatically signed-in to Harness with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Harness single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Harness supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
In the Reply URL text box, type a URL using the following pattern:
https://app.harness.io/gateway/api/users/saml-login?accountId=<harness_account_id>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://app.harness.io/
NOTE
The Reply URL value is not real. You will get the actual Reply URL from the Configure Harness SSO section, which is
explained later in the tutorial. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. On the Set up Harness section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, click Setup Harness, which will direct you to the Harness application.
From there, provide the admin credentials to sign into Harness. The browser extension will automatically
configure the application for you and automate steps 3-6.
3. If you want to set up Harness manually, open a new web browser window and sign into your Harness
company site as an administrator and perform the following steps:
4. On the top-right of the page, click on Continuous Security > Access Management > Authentication
Settings.
5. On the SSO Providers section, click on + Add SSO Providers > SAML.
a. Copy the URL shown under In your SSO Provider, please enable SAML-based login, then enter the following URL
and paste it into the Reply URL textbox in the Basic SAML Configuration section in the Azure portal.
b. In the Display Name text box, type your display name.
c. Click Choose file to upload the Federation Metadata XML file, which you have downloaded from Azure
AD.
d. Click SUBMIT.
Create Harness test user
To enable Azure AD users to sign in to Harness, they must be provisioned into Harness. In Harness, provisioning is
a manual task.
To provision a user account, perform the following steps:
1. Sign in to Harness as an Administrator.
2. On the top-right of the page, click on Continuous Security > Access Management > Users.
a. In the Email Address(es) text box, enter the email of the user, for example B.simon@contoso.com.
b. Select your User Groups.
c. Click Submit.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Harness tile in the Access Panel, you should be automatically signed in to the Harness for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Harness with Azure AD
Tutorial: Integrate Helper Helper with Azure Active Directory
6/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Helper Helper with Azure Active Directory (Azure AD). When you
integrate Helper Helper with Azure AD, you can:
Control in Azure AD who has access to Helper Helper.
Enable your users to be automatically signed-in to Helper Helper with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Helper Helper single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Helper Helper supports SP and IDP
initiated SSO and supports Just In Time user provisioning.
4. On the Basic SAML Configuration section, if you have a Service Provider metadata file and wish to
configure in IDP initiated mode, perform the following steps:
NOTE
Go to the URL https://sso.helperhelper.com/saml/<customer_id> to get the Service Provider metadata file.
Contact the Helper Helper Client support team for <customer_id>.
NOTE
If the Identifier and Reply URL values are not auto-populated, fill in the values manually according to your
requirement.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://sso.helperhelper.com/saml/<customer_id>/login
NOTE
The Sign-on URL value is not real. Update this value with the actual Sign-on URL. Contact the Helper Helper Client
support team to get this value. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it in Notepad.
7. On the Set up Helper Helper section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B. Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Helper Helper test user
In this section, a user called Britta Simon is created in Helper Helper. Helper Helper supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Helper Helper, a new one is created after authentication.
Test SSO
When you select the Helper Helper tile in the Access Panel, you should be automatically signed in to the Helper
Helper for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Help Scout
10/30/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Help Scout with Azure Active Directory (Azure AD). Integrating Help
Scout with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Help Scout.
You can enable your users to be automatically signed-in to Help Scout (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Help Scout, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Help Scout single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Help Scout supports SP and IDP initiated SSO
Help Scout supports Just In Time user provisioning
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. Identifier is the Audience URI (Service Provider Entity ID) from Help Scout, which starts with urn:
b. Reply URL is the Post-back URL (Assertion Consumer Service URL) from Help Scout, which starts with
https://
NOTE
The values in these URLs are for demonstration only. You need to update these values with the actual Reply URL and
Identifier. You get these values from the Single Sign-On tab under the Authentication section, which is explained later in
the tutorial.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and
save it on your computer.
7. On the Set up Help Scout section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called B.Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select B.Simon in the Users list, then click the Select button at the bottom
of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
3. If you want to set up Help Scout manually, open a new web browser window and sign into your Help Scout
company site as an administrator and perform the following steps:
4. Click on Manage from the top menu and then select Company from the dropdown menu.
a. Copy the Post-back URL (Assertion Consumer Service URL) value and paste the value in the Reply
URL text box in the Basic SAML Configuration section in the Azure portal.
b. Copy the Audience URI (Service Provider Entity ID) value and paste the value in the Identifier text
box in the Basic SAML Configuration section in the Azure portal.
7. Toggle Enable SAML on and perform the following steps:
a. In the Single Sign-On URL textbox, paste the value of Login URL, which you have copied from the Azure
portal.
b. Click Upload Certificate to upload the Certificate (Base64) downloaded from the Azure portal.
c. Enter your organization's email domain(s), e.g. contoso.com, in the Email Domains textbox. You can
separate multiple domains with a comma. Any time a Help Scout User or Administrator enters that
specific domain on the Help Scout log-in page, they will be routed to the Identity Provider to authenticate with their
credentials.
d. Lastly, you can toggle Force SAML Sign-on if you want Users to log in to Help Scout only through
this method. If you'd still like to leave the option for them to sign in with their Help Scout credentials, you
can leave it toggled off. Even if this is enabled, an Account Owner will always be able to log in to Help Scout
with their account password.
e. Click Save.
Create Help Scout test user
In this section, a user called B.Simon is created in Help Scout. Help Scout supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Help
Scout, a new one is created after authentication.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Help Scout tile in the Access Panel, you should be automatically signed in to the Help Scout for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Try Help Scout with Azure AD
Tutorial: Azure Active Directory integration with Heroku
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Heroku with Azure Active Directory (Azure AD). Integrating Heroku with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Heroku.
You can enable your users to be automatically signed-in to Heroku (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Heroku, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Heroku single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Heroku supports SP initiated SSO
Heroku supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Heroku, select Heroku from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID ) text box, type a URL using the following pattern:
https://sso.heroku.com/saml/<company-name>
NOTE
These values are not real. Update these values with the actual Sign-On URL and Identifier. You get these values from
the Heroku team, as described later in this article.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Heroku section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Heroku Single Sign-On
1. In a different web browser window, sign in to your Heroku tenant as an administrator.
2. Click the Settings tab.
3. On the Single Sign On Page, click Upload Metadata.
4. Upload the metadata file, which you have downloaded from the Azure portal.
5. When the setup is successful, administrators see a confirmation dialog and the URL of the SSO Login for
end users is displayed.
6. Copy the Heroku Login URL and Heroku Entity ID values, go back to the Basic SAML Configuration
section in the Azure portal, and paste these values into the Sign-On URL and Identifier (Entity ID) text boxes
respectively.
7. Click Next.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Heroku test user
In this section, you create a user called Britta Simon in Heroku. Heroku supports just-in-time provisioning, which is
enabled by default.
There is no action item for you in this section. A new user is created when accessing Heroku if the user doesn't exist
yet. After the account is provisioned, the end user receives a verification email and needs to click the
acknowledgement link.
NOTE
If you need to create a user manually, you need to contact the Heroku Client support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with HeyBuddy
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate HeyBuddy with Azure Active Directory (Azure AD). Integrating
HeyBuddy with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to HeyBuddy.
You can enable your users to be automatically signed-in to HeyBuddy (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with HeyBuddy, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
HeyBuddy single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
HeyBuddy supports SP initiated SSO
HeyBuddy supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type HeyBuddy, select HeyBuddy from the result panel, and then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
YourCompanyInstanceofHeyBuddy
NOTE
These values are not real. Update these values with the actual Sign-On URL and Identifier (Entity ID). The Entity ID
in the Sign-On URL is auto-generated for each organization. Contact the HeyBuddy Client support team to get these
values.
5. Your HeyBuddy application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click Edit icon to open User Attributes dialog.
NOTE
Please refer to this link on how to configure and set up the roles for the application.
6. In addition to the above, the HeyBuddy application expects a few more attributes to be passed back in the SAML
response. In the User Claims section on the User Attributes dialog, perform the following steps to add the
SAML token attribute shown in the table below:
NAME     SOURCE ATTRIBUTE
Roles    user.assignedroles
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create HeyBuddy test user
In this section, a user called Britta Simon is created in HeyBuddy. HeyBuddy supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in HeyBuddy, a new one is created after authentication.
NOTE
If you need to create a user manually, contact the HeyBuddy support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with HighGear
10/30/2019 • 7 minutes to read
In this tutorial, you can learn how to integrate HighGear with Azure Active Directory (Azure AD). Integrating
HighGear with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to HighGear.
You can enable your users to be automatically signed-in to HighGear (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with HighGear, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
A HighGear system with an Enterprise or Unlimited license
Scenario description
In this tutorial, you can learn how to configure and test Azure AD single sign-on in a test environment.
HighGear supports SP and IdP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button on the top of the dialog.
4. In the search box, type HighGear, select HighGear from result panel, and then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML
Configuration dialog.
NOTE
You will need to log in to your HighGear system to access the Single Sign-On Settings page. Once you're logged in,
move your mouse over the Administration tab in HighGear and click the Single Sign-On Settings menu item.
b. In the Reply URL text box, paste the value of the Assertion Consumer Service (ACS) URL from the
Single Sign-On Settings page in your HighGear system.
c. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, paste the value of the Service Provider Entity ID field that is on the Single
Sign-On Settings page in your HighGear system. (This Entity ID is also the base URL of the HighGear
system that is to be used for SP-initiated sign-on.)
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL from the Single
Sign-On Settings page in your HighGear system. If you need help, please contact the HighGear Support Team.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) and save it on your computer. You'll need it in a later step
of the Single Sign-On configuration.
6. On the Set up HighGear section, note the location of the following URLs.
a. Login URL. You will need this value in Step #2 under Configure HighGear Single Sign-On below.
b. Azure AD Identifier. You will need this value in Step #3 under Configure HighGear Single Sign-On
below.
c. Logout URL. You will need this value in Step #4 under Configure HighGear Single Sign-On below.
Configure HighGear Single Sign-On
To configure HighGear for Single Sign-On, please log in to your HighGear system. Once you're logged in, move
your mouse over the Administration tab in HighGear and click the Single Sign-On Settings menu item.
1. In the Identity Provider Name, type a short description that will appear in HighGear's Single Sign-On
button on the Login page. For example: Azure AD
2. In the Single Sign-On (SSO) URL field in HighGear, paste the value from the Login URL field that is in
the Set up HighGear section in Azure.
3. In the Identity Provider Entity ID field in HighGear, paste the value from the Azure AD Identifier field
that is in the Set up HighGear section in Azure.
4. In the Single Logout (SLO) URL field in HighGear, paste the value from the Logout URL field that is in
the Set up HighGear section in Azure.
5. Use Notepad to open the certificate that you downloaded from the SAML Signing Certificate section in
Azure. You should have downloaded the Certificate (Base64) format. Copy the contents of the certificate
from Notepad and paste it into the Identity Provider Certificate field in HighGear.
6. Email the HighGear Support Team to request your HighGear Certificate. Follow the instructions you receive
from them to fill out the HighGear Certificate and HighGear Certificate Password fields.
7. Click the Save button to save your HighGear Single Sign-On configuration.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create HighGear test user
To create a HighGear test user to test your Single Sign-On configuration, please log in to your HighGear system.
1. Click the Create New Contact button.
A menu will appear allowing you to choose the kind of contact you want to create.
2. Click the Individual menu item to create a HighGear user.
A pane will slide out on the right so that you can type in the information for the new user.
3. In the Name field, type a name for the contact. For example: Britta Simon
4. Click the More Options menu and select the Account Info menu item.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with Hightail
10/18/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Hightail with Azure Active Directory (Azure AD). When you integrate
Hightail with Azure AD, you can:
Control in Azure AD who has access to Hightail.
Enable your users to be automatically signed-in to Hightail with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Hightail single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Hightail supports SP and IDP initiated SSO
Hightail supports Just In Time user provisioning
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
In the Reply URL text box, type a URL:
https://www.hightail.com/samlLogin?phi_action=app/samlLogin&subAction=handleSamlResponse
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://www.hightail.com/loginSSO
6. The Hightail application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
7. In addition to the above, the Hightail application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you can review them as per your
requirements.
FirstName user.givenname
LastName user.surname
Email user.mail
UserIdentity user.mail
8. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
9. On the Set up Hightail section, copy the appropriate URL(s) based on your requirement.
NOTE
Before configuring single sign-on in the Hightail app, ask the Hightail team to whitelist your email domain so that all
users on this domain can use the single sign-on functionality.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, clicking Set up Hightail directs you to the Hightail application.
From there, provide the admin credentials to sign in to Hightail. The browser extension will automatically
configure the application for you and automate steps 3-6.
3. If you want to set up Hightail manually, in another browser window, open the Hightail admin portal.
4. Click the User icon in the top-right corner of the page.
6. In the menu on the top, click the SAML tab and perform the following steps:
a. In the Login URL textbox, paste the value of Login URL copied from Azure portal.
b. In Notepad, open the Base64-encoded certificate that you downloaded from the Azure portal, copy its contents
to your clipboard, and then paste them into the SAML Certificate textbox.
c. Click COPY to copy the SAML consumer URL for your instance and paste it into the Reply URL textbox in the
Basic SAML Configuration section of the Azure portal.
d. Click Save Configurations.
Create Hightail test user
In this section, a user called Britta Simon is created in Hightail. Hightail supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Hightail,
a new one is created after authentication.
NOTE
If you need to create a user manually, you need to contact the Hightail support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Hightail tile in the Access Panel, you should be automatically signed in to the Hightail for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
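While testing, you can also confirm that the assertion actually carries the four claims from the Hightail table (FirstName, LastName, Email, UserIdentity). The following Python sketch is an added example, not part of the original tutorial or of Hightail's tooling: it decodes a SAMLResponse form value captured from your own test sign-in and reports missing, empty, or namespace-qualified claims. The sample responses, user values, and function names are constructed for illustration, and the script does not verify the assertion's signature.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Claim name -> Azure AD source attribute, from the Hightail table in this tutorial.
HIGHTAIL_CLAIMS = {
    "FirstName": "user.givenname",
    "LastName": "user.surname",
    "Email": "user.mail",
    "UserIdentity": "user.mail",
}


def extract_claims(saml_response_b64):
    """Decode a SAMLResponse form field and return {attribute name: [values]}."""
    compact = "".join(saml_response_b64.split())  # captured values may be line-wrapped
    xml_bytes = base64.b64decode(compact, validate=True)
    # SAML messages never need a DTD; refuse one instead of handing it to the parser.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration found in SAML response")
    root = ET.fromstring(xml_bytes)
    claims = {}
    for attr in root.iter(SAML + "Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(SAML + "AttributeValue")]
        claims.setdefault(attr.get("Name", ""), []).extend(values)
    return claims


def check_hightail_claims(claims):
    """Return a list of findings; an empty list means the claims look as expected."""
    findings = []
    for name, source in HIGHTAIL_CLAIMS.items():
        if name in claims:
            if not any(claims[name]):
                findings.append(f"{name}: present but empty (is {source} set for this user?)")
            continue
        # Azure AD emits a claim saved with a namespace as "<namespace>/<name>".
        qualified = [n for n in claims if n.endswith("/" + name)]
        if qualified:
            findings.append(f"{name}: only found as {qualified[0]} (namespace not blank)")
        else:
            findings.append(f"{name}: missing from the assertion")
    # Email and UserIdentity are both mapped from user.mail, so they should agree.
    if claims.get("Email") and claims.get("UserIdentity"):
        if claims["Email"] != claims["UserIdentity"]:
            findings.append("Email and UserIdentity differ although both map to user.mail")
    return findings


def sample_response(attributes):
    """Build a constructed, unsigned SAML response for the demo (not real traffic)."""
    parts = []
    for name, value in attributes:
        parts.append(
            f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
            "</saml:AttributeValue></saml:Attribute>"
        )
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        "<saml:AttributeStatement>" + "".join(parts) + "</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


# Constructed sample inputs: one correct mapping and one with three typical mistakes.
GOOD_RESPONSE = sample_response([
    ("FirstName", "Britta"),
    ("LastName", "Simon"),
    ("Email", "britta.simon@contoso.example"),
    ("UserIdentity", "britta.simon@contoso.example"),
])
BAD_RESPONSE = sample_response([
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/FirstName", "Britta"),
    ("LastName", "Simon"),
    ("Email", ""),
])

if __name__ == "__main__":
    for label, response in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        findings = check_hightail_claims(extract_claims(response))
        print(label, "->", findings or "all expected claims present")
```
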
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Hightail with Azure AD
Tutorial: Azure Active Directory integration with HireVue
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate HireVue with Azure Active Directory (Azure AD). Integrating HireVue
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to HireVue.
You can enable your users to be automatically signed-in to HireVue (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with HireVue, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
HireVue single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
HireVue supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type HireVue, select HireVue from the result panel, and then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
ENVIRONMENT    URL
Production     https://<companyname>.hirevue.com
Staging        https://<companyname>.stghv.com
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
ENVIRONMENT    URN
Production     urn:federation:hirevue.com:saml:sp:prod
Staging        urn:federation:hirevue.com:saml:sp:staging
NOTE
These values are not real. Update these values with the actual Sign-on URL and Identifier. Contact the HireVue Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up HireVue section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure HireVue Single Sign-On
To configure single sign-on on the HireVue side, you need to send the downloaded Certificate (Base64) and the
appropriate URLs copied from the Azure portal to the HireVue support team. They apply these settings so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create HireVue test user
In this section, you create a user called Britta Simon in HireVue. Work with the HireVue support team to add the users
in the HireVue platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the HireVue tile in the Access Panel, you should be automatically signed in to the HireVue for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with Hootsuite
11/19/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Hootsuite with Azure Active Directory (Azure AD). When you integrate
Hootsuite with Azure AD, you can:
Control in Azure AD who has access to Hootsuite.
Enable your users to be automatically signed-in to Hootsuite with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Hootsuite single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Hootsuite supports SP and IDP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
In the Reply URL text box, type a URL using one of the following patterns:
https://hootsuite.com/member/sso-complete
https://hootsuite.com/sso/<ORG_ID>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://hootsuite.com/login
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact the Hootsuite Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. On the Set up Hootsuite section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Hootsuite tile in the Access Panel, you should be automatically signed in to the Hootsuite for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Hootsuite with Azure AD
Tutorial: Azure Active Directory integration with Hornbill
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Hornbill with Azure Active Directory (Azure AD). Integrating Hornbill
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Hornbill.
You can enable your users to be automatically signed-in to Hornbill (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Hornbill, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Hornbill single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Hornbill supports SP initiated SSO
Hornbill supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Hornbill, select Hornbill from the result panel, and then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SUBDOMAIN>.hornbill.com/<INSTANCE_NAME>/lib/saml/auth/simplesaml/module.php/saml/sp/metadata.php/saml
NOTE
These values are not real. Update these values with the actual Sign-on URL and Identifier. Contact the Hornbill Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
7. On the Pop-up page in the URL text box, paste the App Federation Metadata Url, which you have copied
from Azure portal and click Process.
8. After you click Process, the values are populated automatically under the Profile Details section.
9. Click Save Changes.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Hornbill test user
In this section, a user called Britta Simon is created in Hornbill. Hornbill supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Hornbill,
a new one is created after authentication.
NOTE
If you need to create a user manually, contact Hornbill Client support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Hornbill tile in the Access Panel, you should be automatically signed in to the Hornbill for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Hosted Graphite
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Hosted Graphite with Azure Active Directory (Azure AD). Integrating
Hosted Graphite with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Hosted Graphite.
You can enable your users to be automatically signed-in to Hosted Graphite (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Hosted Graphite, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Hosted Graphite single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Hosted Graphite supports SP and IDP initiated SSO
Hosted Graphite supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Hosted Graphite, select Hosted Graphite from the result panel, and then click the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://www.hostedgraphite.com/metadata/<user id>
b. In the Reply URL text box, type a URL using the following pattern:
https://www.hostedgraphite.com/complete/saml/<user id>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://www.hostedgraphite.com/login/saml/<user id>/
NOTE
These values are not real. Update them with the actual Identifier, Reply URL, and Sign-on URL. To get these values,
go to Access -> SAML Setup on your application side or contact the
Hosted Graphite support team.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up Hosted Graphite section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Hosted Graphite Single Sign-On
1. Sign in to your Hosted Graphite tenant as an administrator.
2. Go to the SAML Setup page in the sidebar (Access -> SAML Setup).
3. Confirm these URLs match the configuration done in the Basic SAML Configuration section of the
Azure portal.
4. In the Entity or Issuer ID and SSO Login URL text boxes, paste the values of Azure AD Identifier and Login
URL that you copied from the Azure portal.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Hosted Graphite test user
In this section, a user called Britta Simon is created in Hosted Graphite. Hosted Graphite supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Hosted Graphite, a new one is created after authentication.
NOTE
If you need to create a user manually, you need to contact the Hosted Graphite support team at
help@hostedgraphite.com.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Hosted Graphite tile in the Access Panel, you should be automatically signed in to the Hosted
Graphite for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
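When the test sign-in fails, the usual cause is that a value in the SAML response does not match what was entered in the Basic SAML Configuration section or on the Hosted Graphite SAML Setup page. The following is an added example, not part of the original tutorial or of Hosted Graphite's code: it compares the Issuer, Audience, Recipient and Destination of a decoded response with the configured Azure AD Identifier, Identifier and Reply URL. The function names, the user id 12345, the all-zero tenant GUID and the sample response are constructed for illustration, and the script does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed values: "12345" stands in for <user id> and the all-zero GUID
# for the tenant ID that appears in the Azure AD Identifier.
CONFIGURED = {
    "azure_ad_identifier": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "identifier": "https://www.hostedgraphite.com/metadata/12345",
    "reply_url": "https://www.hostedgraphite.com/complete/saml/12345",
}


def build_sample_response(issuer, audience, recipient):
    """Return a constructed, unsigned SAML response (not captured from a real tenant)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
        Destination="{recipient}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>brittasimon@contoso.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, configured):
    """Compare a decoded SAML response with the values entered in both portals.

    Returns a list of mismatches; an empty list means the fields line up.
    Comparison is exact, so a trailing slash or a different <user id> is a mismatch.
    """
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected exactly one Assertion, found {len(assertions)}"]
    assertion = assertions[0]
    problems = []

    # Issuer must be the Azure AD Identifier pasted into "Entity or Issuer ID".
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != configured["azure_ad_identifier"]:
        problems.append(f"Issuer {issuer!r} is not the configured Azure AD Identifier")

    # Audience must be the Identifier typed into Basic SAML Configuration.
    audiences = [a.text.strip() for a in assertion.findall(".//saml:Audience", NS) if a.text]
    if configured["identifier"] not in audiences:
        problems.append(f"Audience {audiences!r} does not contain the configured Identifier")

    # Recipient and Destination must both be the Reply URL.
    recipients = [d.get("Recipient")
                  for d in assertion.findall(".//saml:SubjectConfirmationData", NS)]
    if configured["reply_url"] not in recipients:
        problems.append(f"Recipient {recipients!r} does not contain the configured Reply URL")
    if root.get("Destination") != configured["reply_url"]:
        problems.append(f"Destination {root.get('Destination')!r} is not the configured Reply URL")
    return problems


if __name__ == "__main__":
    good = build_sample_response(CONFIGURED["azure_ad_identifier"],
                                 CONFIGURED["identifier"], CONFIGURED["reply_url"])
    other_user = build_sample_response(CONFIGURED["azure_ad_identifier"],
                                       "https://www.hostedgraphite.com/metadata/67890",
                                       CONFIGURED["reply_url"])
    for label, doc in (("matching", good), ("other user id", other_user)):
        print(label, check_response(doc, CONFIGURED) or "OK")
```

A real response can be captured from the browser during the test sign-in and base64-decoded before it is passed to check_response.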
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Hosted Heritage Online SSO
9/20/2019
In this tutorial, you'll learn how to integrate Hosted Heritage Online SSO with Azure Active Directory (Azure AD).
When you integrate Hosted Heritage Online SSO with Azure AD, you can:
Control in Azure AD who has access to Hosted Heritage Online SSO.
Enable your users to be automatically signed-in to Hosted Heritage Online SSO with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Hosted Heritage Online SSO single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Hosted Heritage Online SSO supports SP initiated SSO
Configure and test Azure AD single sign-on for Hosted Heritage Online
SSO
Configure and test Azure AD SSO with Hosted Heritage Online SSO using a test user called B.Simon. For SSO to
work, you need to establish a link relationship between an Azure AD user and the related user in Hosted Heritage
Online SSO.
To configure and test Azure AD SSO with Hosted Heritage Online SSO, complete the following building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure Hosted Heritage Online SSO SSO - to configure the single sign-on settings on application side.
a. Create Hosted Heritage Online SSO test user - to have a counterpart of B.Simon in Hosted Heritage
Online SSO that is linked to the Azure AD representation of user.
3. Test SSO - to verify whether the configuration works.
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.cirqahosting.com/Shibboleth.sso/Login
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SUBDOMAIN>.cirqahosting.com/shibboleth
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Hosted Heritage
Online SSO Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Hosted Heritage Online SSO tile in the Access Panel, you should be automatically signed in to
the Hosted Heritage Online SSO for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Hosted Heritage Online SSO with Azure AD
Tutorial: Azure Active Directory integration with HPE
SaaS
10/30/2019
In this tutorial, you learn how to integrate HPE SaaS with Azure Active Directory (Azure AD). Integrating HPE
SaaS with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to HPE SaaS.
You can enable your users to be automatically signed-in to HPE SaaS (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with HPE SaaS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
HPE SaaS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
HPE SaaS supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type HPE SaaS, select HPE SaaS from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.saas.hpe.com
NOTE
The Identifier value is not real. Update this value with the actual Identifier. Contact HPE SaaS Client support team to
get this value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up HPE SaaS section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure HPE SaaS Single Sign-On
To configure single sign-on on the HPE SaaS side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the HPE SaaS support team. They configure this
setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create HPE SaaS test user
In this section, you create a user called Britta Simon in HPE SaaS. Work with HPE SaaS support team to add the
users in the HPE SaaS platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the HPE SaaS tile in the Access Panel, you should be automatically signed in to the HPE SaaS for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
HR2day by Merces
6/26/2019
In this tutorial, you learn how to integrate HR2day by Merces with Azure Active Directory (Azure AD). Integrating
HR2day by Merces with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to HR2day by Merces.
You can enable your users to be automatically signed-in to HR2day by Merces (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with HR2day by Merces, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
HR2day by Merces single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
HR2day by Merces supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type HR2day by Merces, select HR2day by Merces from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://hr2day.force.com/<companyname>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact HR2day by Merces
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. Your HR2day by Merces application expects the SAML assertions in a specific format, which requires you to
add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes. Click Edit icon to open User Attributes dialog.
NOTE
Before you can configure the SAML assertion, you must contact the HR2day by Merces Client support team and
request the value of the unique identifier attribute for your tenant. You need this value to complete the steps in the
next section.
6. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
NAME | SOURCE ATTRIBUTE
ATTR_LOGINCLAIM | join([mail],"102938475Z","@")
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
8. On the Set up HR2day by Merces section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure HR2day by Merces Single Sign-On
To configure single sign-on on the HR2day by Merces side, you need to send the downloaded Certificate (Base64)
and the appropriate copied URLs from the Azure portal to the HR2day by Merces support team. They configure
this setting so that the SAML SSO connection is set properly on both sides.
NOTE
Mention to the Merces team that this integration needs the Entity ID to be set with the pattern
https://hr2day.force.com/INSTANCENAME.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create HR2day by Merces test user
In this section, you create a user called Britta Simon in HR2day by Merces. Work with HR2day by Merces support
team to add the users in the HR2day by Merces platform. Users must be created and activated before you use
single sign-on.
NOTE
If you need to create a user manually, contact the HR2day by Merces client support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the HR2day by Merces tile in the Access Panel, you should be automatically signed in to the
HR2day by Merces for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
HRworks Single Sign-On
6/13/2019
In this tutorial, you learn how to integrate HRworks Single Sign-On with Azure Active Directory (Azure AD).
Integrating HRworks Single Sign-On with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to HRworks Single Sign-On.
You can enable your users to be automatically signed-in to HRworks Single Sign-On (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with HRworks Single Sign-On, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
HRworks Single Sign-On single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
HRworks Single Sign-On supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type HRworks Single Sign-On, select HRworks Single Sign-On from the result panel, then
click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact HRworks Single Sign-On Client support
team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up HRworks Single Sign-On section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure HRworks Single Sign-On Single Sign-On
1. In a different web browser window, sign in to HRworks Single Sign-On as an Administrator.
2. Click on Administrator > Basics > Security > Single Sign-on from the left side of menu bar and
perform the following steps:
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create HRworks Single Sign-On test user
To enable Azure AD users to sign in to HRworks Single Sign-On, they must be provisioned into HRworks Single
Sign-On. In HRworks Single Sign-On, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to HRworks Single Sign-On as an Administrator.
2. Click on Administrator > Persons > Persons > New person from the left side of menu bar.
3. On the Pop-up, click Next.
4. On the Create new person with country for legal terms pop-up, fill in the respective details, such as First
name and Last name, and click Create.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the HRworks Single Sign-On tile in the Access Panel, you should be automatically signed in to the
HRworks Single Sign-On for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
HubSpot
8/9/2019
In this tutorial, you learn how to integrate HubSpot with Azure Active Directory (Azure AD).
Integrating HubSpot with Azure AD gives you the following benefits:
You can use Azure AD to control who has access to HubSpot.
Users can be automatically signed in to HubSpot with their Azure AD accounts (single sign-on).
You can manage your accounts in one central location, the Azure portal.
For more information about software as a service (SaaS) app integration with Azure AD, see Single sign-on to
applications in Azure Active Directory.
Prerequisites
To configure Azure AD integration with HubSpot, you need the following items:
An Azure AD subscription. If you don't have an Azure AD subscription, create a free account before you begin.
A HubSpot subscription with single sign-on enabled.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment and integrate HubSpot with
Azure AD.
HubSpot supports the following features:
SP-initiated single sign-on
IDP-initiated single sign-on
5. In the search box, enter HubSpot. In the search results, select HubSpot, and then select Add.
TASK | DESCRIPTION
Configure Azure AD single sign-on | Enables your users to use this feature.
Configure HubSpot single sign-on | Configures the single sign-on settings in the application.
Create an Azure AD test user | Tests Azure AD single sign-on for a user named Britta Simon.
Assign the Azure AD test user | Enables Britta Simon to use Azure AD single sign-on.
Create a HubSpot test user | Creates a counterpart of Britta Simon in HubSpot that is linked to the Azure AD representation of the user.
2. In the Select a single sign-on method pane, select SAML or SAML/WS-Fed mode to enable single sign-on.
3. In the Set up Single Sign-On with SAML pane, select Edit (the pencil icon) to open the Basic SAML
Configuration pane.
4. In the Basic SAML Configuration pane, to configure IDP-initiated mode, complete the following steps:
a. In the Identifier box, enter a URL that has the following pattern:
https://api.hubspot.com/login-api/v1/saml/login?portalId=<CUSTOMER ID>
b. In the Reply URL box, enter a URL that has the following pattern:
https://api.hubspot.com/login-api/v1/saml/acs?portalId=<CUSTOMER ID>
NOTE
To format the URLs, you can also refer to the patterns shown in the Basic SAML Configuration pane in the Azure
portal.
6. In the Set up Single Sign-On with SAML pane, in the SAML Signing Certificate section, select
Download next to Certificate (Base64). Select a download option based on your requirements. Save the
certificate on your computer.
7. In the Set up HubSpot section, copy the following URLs based on your requirements:
Login URL
Azure AD Identifier
Logout URL
Configure HubSpot single sign-on
1. Open a new tab in your browser and sign in to your HubSpot administrator account.
2. Select the Settings icon in the upper-right corner of the page.
4. Scroll down to the Security section, and then select Set up.
4. Select Add user. Then, in the Add assignment pane, select Users and groups.
5. In the Users and groups pane, select Britta Simon in the list of users. Choose Select.
6. If you are expecting a role value in the SAML assertion, in the Select role pane, select the relevant role for
the user from the list. Choose Select.
7. In the Add Assignment pane, select Assign.
Create a HubSpot test user
To enable an Azure AD user to sign in to HubSpot, the user must be provisioned in HubSpot. In HubSpot,
provisioning is a manual task.
To provision a user account in HubSpot:
1. Sign in to your HubSpot company site as administrator.
2. Select the Settings icon in the upper-right corner of the page.
5. In the Add email address(es) box, enter the email address of the user in the format
brittasimon@contoso.com, and then select Next.
6. In the Create users section, select each tab. On each tab, set the relevant options and permissions for the
user. Then, select Next.
7. To send the invitation to the user, select Send.
NOTE
The user is activated after the user accepts the invitation.
Next steps
To learn more, review these articles:
List of tutorials for integrating SaaS apps with Azure Active Directory
Single sign-on to applications in Azure Active Directory
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Huddle
10/30/2019
In this tutorial, you learn how to integrate Huddle with Azure Active Directory (Azure AD). Integrating Huddle with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Huddle.
You can enable your users to be automatically signed-in to Huddle (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Huddle, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Huddle single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Huddle supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Huddle, select Huddle from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
NOTE
Your Huddle instance will be automatically detected from the domain you enter below.
a. In the Identifier text box, type a URL:
https://login.huddle.net
https://login.huddle.com
https://login.huddle.net/saml/browser-sso
https://login.huddle.com/saml/browser-sso
https://login.huddle.com/saml/idp-initiated-sso
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<customsubdomain>.huddle.com
https://us.huddle.com
NOTE
The Sign-on URL value is not real. Update this value with the actual Sign-On URL. Contact Huddle Client support
team to get this value.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up Huddle section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Huddle Single Sign-On
To configure single sign-on on the Huddle side, you need to send the downloaded Certificate (Base64) and
the appropriate copied URLs from the Azure portal to the Huddle support team. They configure this setting so
that the SAML SSO connection is set properly on both sides.
NOTE
Single sign-on needs to be enabled by the Huddle support team. You get a notification when the configuration has been
completed.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Huddle test user
To enable Azure AD users to log in to Huddle, they must be provisioned into Huddle. In the case of Huddle,
provisioning is a manual task.
To configure user provisioning, perform the following steps:
1. Log in to your Huddle company site as administrator.
2. Click Workspace.
3. Click People > Invite People.
NOTE
The Azure AD account holder will receive an email including a link to confirm the account before it becomes active.
NOTE
You can use any other Huddle user account creation tools or APIs provided by Huddle to provision Azure AD user accounts.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Huddle tile in the Access Panel, you should be automatically signed in to the Huddle for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Humanity
11/19/2019
In this tutorial, you learn how to integrate Humanity with Azure Active Directory (Azure AD). Integrating Humanity
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Humanity.
You can enable your users to be automatically signed-in to Humanity (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Humanity, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Humanity single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Humanity supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Humanity, select Humanity from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://company.humanity.com/app/
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Humanity Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Humanity section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Humanity Single Sign-On
1. In a different web browser window, log in to your Humanity company site as an administrator.
2. In the menu on the top, click Admin.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Humanity test user
In order to enable Azure AD users to log in to Humanity, they must be provisioned into Humanity. In the case of
Humanity, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to your Humanity company site as an administrator.
2. Click Admin.
3. Click Staff.
NOTE
You can use any other Humanity user account creation tools or APIs provided by Humanity to provision Azure AD user
accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Hype with Azure Active Directory
7/10/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Hype with Azure Active Directory (Azure AD). When you integrate
Hype with Azure AD, you can:
Control in Azure AD who has access to Hype.
Enable your users to be automatically signed-in to Hype with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
Hype single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Hype supports SP initiated SSO
Hype supports Just In Time user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.hypeinnovation.com/Shibboleth.sso/Login
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SUBDOMAIN>.hypeinnovation.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Hype Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Metadata XML and select Download to download the certificate and save it on your computer.
6. On the Set up Hype section, copy the appropriate URL(s) based on your requirement.
Configure Hype SSO
To configure single sign-on on the Hype side, you need to send the downloaded Metadata XML and the appropriate
copied URLs from the Azure portal to the Hype support team. They apply this configuration so that the SAML SSO
connection is set properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Hype.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Hype.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Hype test user
In this section, a user called Britta Simon is created in Hype. Hype supports just-in-time user provisioning, which is
enabled by default. There is no action item for you in this section. If a user doesn't already exist in Hype, a new one
is created after authentication.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Hype tile in the Access Panel, you should be automatically signed in to the Hype for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Integrate HyperAnna with Azure Active
Directory
7/16/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate HyperAnna with Azure Active Directory (Azure AD). When you
integrate HyperAnna with Azure AD, you can:
Control in Azure AD who has access to HyperAnna.
Enable your users to be automatically signed-in to HyperAnna with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
HyperAnna single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
HyperAnna supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
In the Reply URL text box, type a URL using any one of the following patterns:
https://microsoft.hyperanna.com/userservice/auth/saml
https://anna.hyperanna.com/userservice/auth/saml
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using any one of the following patterns:
https://microsoft.hyperanna.com/
https://anna.hyperanna.com/
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. On the Set up HyperAnna section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create HyperAnna test user
In this section, you create a user called Britta Simon in HyperAnna. Work with the HyperAnna support team to add the
users to the HyperAnna platform. Users must be created and activated before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the HyperAnna tile in the Access Panel, you should be automatically signed in to the HyperAnna
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with IBM
Kenexa Survey Enterprise
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate IBM Kenexa Survey Enterprise with Azure Active Directory (Azure AD).
Integrating IBM Kenexa Survey Enterprise with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to IBM Kenexa Survey Enterprise.
You can enable your users to be automatically signed-in to IBM Kenexa Survey Enterprise (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with IBM Kenexa Survey Enterprise, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
IBM Kenexa Survey Enterprise single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
IBM Kenexa Survey Enterprise supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type IBM Kenexa Survey Enterprise, select IBM Kenexa Survey Enterprise from the
result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://surveys.kenexa.com/<companycode>
b. In the Reply URL text box, type a URL using the following pattern:
https://surveys.kenexa.com/<companycode>/tools/sso.asp
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact IBM Kenexa Survey
Enterprise Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. The IBM Kenexa Survey Enterprise application expects to receive the Security Assertion Markup Language
(SAML) assertions in a specific format, which requires you to add custom attribute mappings to the
configuration of your SAML token attributes. The value of the user-identifier claim in the response must
match the SSO ID that's configured in the Kenexa system. To map the appropriate user identifier in your
organization for the SSO identity provider (IDP), work with the IBM Kenexa Survey Enterprise
support team.
By default, Azure AD sets the user identifier as the user principal name (UPN) value. You can change this
value on the User Attributes tab, as shown in the following screenshot. The integration works only after
you've completed the mapping correctly.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up IBM Kenexa Survey Enterprise section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure IBM Kenexa Survey Enterprise Single Sign-On
To configure single sign-on on the IBM Kenexa Survey Enterprise side, you need to send the downloaded
Certificate (Base64) and the appropriate copied URLs from the Azure portal to the IBM Kenexa Survey Enterprise support
team. They apply this configuration so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create IBM Kenexa Survey Enterprise test user
In this section, you create a user called Britta Simon in IBM Kenexa Survey Enterprise.
To create users in the IBM Kenexa Survey Enterprise system and map the SSO ID for them, you can work with the
IBM Kenexa Survey Enterprise support team. This SSO ID value should also be mapped to the user identifier value
from Azure AD. You can change this default setting on the Attribute tab.
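The requirement that the user-identifier claim match the SSO ID on record (stated in the configuration step and again in this section) can be checked before users try to sign in. The following is an added example, not part of the original tutorial: it reads the NameID from an assertion and reports, for each candidate source attribute, which users would fail to match. The assertion, user records, SSO ID list and function names are constructed assumptions, and whether the application compares SSO IDs case-sensitively is not stated on this page, so case-only differences are reported separately.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment; a real one is signed and carries more elements.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0">
  <Subject>
    <NameID>B.Simon@contoso.com</NameID>
  </Subject>
</Assertion>"""

# Constructed directory records with the attributes that could feed the user identifier.
SAMPLE_USERS = [
    {"userPrincipalName": "B.Simon@contoso.com",
     "mail": "britta.simon@contoso.com", "employeeId": "E1001"},
    {"userPrincipalName": "A.Lee@contoso.com",
     "mail": "a.lee@contoso.com", "employeeId": "E1002"},
]

# Constructed list of SSO IDs as configured on the application side.
SAMPLE_SSO_IDS = {"britta.simon@contoso.com", "a.lee@contoso.com"}

CANDIDATE_ATTRS = ("userPrincipalName", "mail", "employeeId")


def name_id_of(assertion_xml):
    """Return the Subject/NameID of a SAML 2.0 assertion (reads only, no signature check)."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    return node.text.strip()


def classify(identifier, sso_ids):
    """Compare one identifier with the SSO IDs on record."""
    if identifier in sso_ids:
        return "match"
    if identifier.lower() in {s.lower() for s in sso_ids}:
        return "case-mismatch"  # would fail if the application compares exactly
    return "no-match"


def attribute_coverage(users, sso_ids, attrs=CANDIDATE_ATTRS):
    """For each candidate attribute, list (UPN, status) for users that do not match exactly."""
    report = {}
    for attr in attrs:
        problems = []
        for user in users:
            status = classify(user.get(attr) or "", sso_ids)
            if status != "match":
                problems.append((user["userPrincipalName"], status))
        report[attr] = problems
    return report


if __name__ == "__main__":
    sent = name_id_of(SAMPLE_ASSERTION)
    print("NameID in assertion:", sent, "->", classify(sent, SAMPLE_SSO_IDS))
    for attr, problems in attribute_coverage(SAMPLE_USERS, SAMPLE_SSO_IDS).items():
        print(attr, "OK" if not problems else problems)
```

An attribute whose problem list is empty is a mapping under which every listed user's identifier equals an SSO ID on record.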
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the IBM Kenexa Survey Enterprise tile in the Access Panel, you should be automatically signed in to
the IBM Kenexa Survey Enterprise for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with IBM
OpenPages
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate IBM OpenPages with Azure Active Directory (Azure AD). Integrating
IBM OpenPages with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to IBM OpenPages.
You can enable your users to be automatically signed-in to IBM OpenPages (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with IBM OpenPages, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
IBM OpenPages single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
IBM OpenPages supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type IBM OpenPages, select IBM OpenPages from the result panel, then click the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
http://<subdomain>.ibm.com:<ID>/openpages
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.ibm.com:<ID>/samlsps/op
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact IBM OpenPages
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up IBM OpenPages section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure IBM OpenPages Single Sign-On
To configure single sign-on on the IBM OpenPages side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the IBM OpenPages support team. They apply this
configuration so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create IBM OpenPages test user
In this section, you create a user called Britta Simon in IBM OpenPages. Work with the IBM OpenPages support team
to add the users to the IBM OpenPages platform. Users must be created and activated before you use single
sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the IBM OpenPages tile in the Access Panel, you should be automatically signed in to the IBM
OpenPages for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Icertis Contract Management Platform
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Icertis Contract Management Platform with Azure Active Directory
(Azure AD). Integrating Icertis Contract Management Platform with Azure AD provides you with the following
benefits:
You can control in Azure AD who has access to Icertis Contract Management Platform.
You can enable your users to be automatically signed-in to Icertis Contract Management Platform (Single Sign-
On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Icertis Contract Management Platform, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Icertis Contract Management Platform single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Icertis Contract Management Platform supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Icertis Contract Management Platform, select Icertis Contract Management
Platform from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<company name>.icertis.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Icertis Contract
Management Platform Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Icertis Contract Management Platform section, copy the appropriate URL(s) as per your
requirement. For Login URL, use the value with the following pattern:
https://login.microsoftonline.com/_my_directory_id_/wsfed
NOTE
my_directory_id is the tenant ID of the Azure AD subscription.
a. Azure AD Identifier
b. Logout URL
Configure Icertis Contract Management Platform Single Sign-On
To configure single sign-on on the Icertis Contract Management Platform side, you need to send the downloaded
Federation Metadata XML and the appropriate copied URLs from the Azure portal to the Icertis Contract Management
Platform support team. They apply this configuration so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Icertis Contract Management Platform test user
In this section, you create a user called Britta Simon in Icertis Contract Management Platform. Work with the Icertis
Contract Management Platform support team to add the users to the Icertis Contract Management
Platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Icertis Contract Management Platform tile in the Access Panel, you should be automatically
signed in to the Icertis Contract Management Platform for which you set up SSO. For more information about the
Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
ICIMS
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate ICIMS with Azure Active Directory (Azure AD). Integrating ICIMS with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to ICIMS.
You can enable your users to be automatically signed-in to ICIMS (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ICIMS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
ICIMS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ICIMS supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type ICIMS, select ICIMS from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<tenant name>.icims.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact ICIMS Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up ICIMS section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure ICIMS Single Sign-On
To configure single sign-on on the ICIMS side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the ICIMS support team. They apply this configuration so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create ICIMS test user
In this section, you create a user called Britta Simon in ICIMS. Work with the ICIMS support team to add the users to
the ICIMS platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ICIMS tile in the Access Panel, you should be automatically signed in to the ICIMS for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with IDC
9/25/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate IDC with Azure Active Directory (Azure AD). When you integrate IDC
with Azure AD, you can:
Control in Azure AD who has access to IDC.
Enable your users to be automatically signed-in to IDC with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
IDC single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
IDC supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
urn:idc:authentication:saml2:entity:cas:prod-2016:<ClientCode>
b. In the Reply URL text box, type a URL using the following pattern:
https://cas.idc.com:443/login?client_name=<ClientName>
5. Click Set additional URLs and perform the following steps if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://www.idc.com/saml-welcome/<SamlWelcomeCode>
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact IDC Client support
team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. On the Set up IDC section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the IDC tile in the Access Panel, you should be automatically signed in to the IDC for which you set
up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try IDC with Azure AD
Tutorial: Azure Active Directory integration with
IdeaScale
11/19/2019 • 6 minutes to read
In this tutorial, you learn how to integrate IdeaScale with Azure Active Directory (Azure AD). Integrating IdeaScale
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to IdeaScale.
You can enable your users to be automatically signed-in to IdeaScale (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with IdeaScale, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
IdeaScale single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
IdeaScale supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type IdeaScale, select IdeaScale from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
http://<companyname>.ideascale.com
https://<companyname>.ideascale.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact IdeaScale Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up IdeaScale section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure IdeaScale Single Sign-On
1. In a different web browser window, log in to your IdeaScale company site as an administrator.
2. Go to Community Settings.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create IdeaScale test user
To enable Azure AD users to log in to IdeaScale, they must be provisioned into IdeaScale. In the case of IdeaScale,
provisioning is a manual task.
To configure user provisioning, perform the following steps:
1. Log in to your IdeaScale company site as administrator.
2. Go to Community Settings.
a. In the Email Addresses textbox, type the email address of a valid Azure AD account you want to
provision.
b. Click Save Changes.
NOTE
The Azure Active Directory account holder gets an email with a link to confirm the account before it becomes active.
NOTE
You can use any other IdeaScale user account creation tools or APIs provided by IdeaScale to provision Azure AD user
accounts.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the IdeaScale tile in the Access Panel, you should be automatically signed in to the IdeaScale for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with iDiD Manager
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate iDiD Manager with Azure Active Directory (Azure AD). Integrating iDiD
Manager with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to iDiD Manager.
You can enable your users to be automatically signed-in to iDiD Manager (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with iDiD Manager, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
iDiD Manager single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
iDiD Manager supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type iDiD Manager, select iDiD Manager from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, you do not have to perform any steps because the app is
already pre-integrated with Azure.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://idid2.fi/saml/login/<domain>
NOTE
The value is not real. Update the value with the actual Sign-on URL. Contact iDiD Manager Client support team to
get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create iDiD Manager test user
In this section, you create a user called Britta Simon in iDiD Manager. Work with the iDiD Manager support team to
add the users to the iDiD Manager platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the iDiD Manager tile in the Access Panel, you should be automatically signed in to the iDiD
Manager for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with IDrive
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate IDrive with Azure Active Directory (Azure AD). Integrating IDrive with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to IDrive.
You can enable your users to be automatically signed-in to IDrive (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with IDrive, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
IDrive single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
IDrive supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type IDrive, select IDrive from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, you do not have to perform any steps because the app is
already pre-integrated with Azure.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
7. In the Set up IDrive section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure IDrive Single Sign-On
To configure single sign-on on the IDrive side, send the downloaded Certificate (Raw) and the appropriate
copied URLs from the Azure portal to the IDrive support team. They apply this setting so that the SAML SSO
connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create IDrive test user
In this section, you create a user called Britta Simon in IDrive. Work with the IDrive support team to add the users to
the IDrive platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the IDrive tile in the Access Panel, you should be automatically signed in to the IDrive for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Igloo Software
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Igloo Software with Azure Active Directory (Azure AD). Integrating Igloo
Software with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Igloo Software.
You can enable your users to be automatically signed-in to Igloo Software (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Igloo Software, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Igloo Software single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Igloo Software supports SP initiated SSO
Igloo Software supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Igloo Software, select Igloo Software from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
c. In the Reply URL text box, type a URL using the following pattern:
https://<company name>.igloocommmunities.com/saml.digest
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact Igloo
Software Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up Igloo Software section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Igloo Software Single Sign-On
1. In a different web browser window, log in to your Igloo Software company site as an administrator.
2. Go to the Control Panel.
a. As User creation on Sign in, select Create a new user in your site when they sign in.
b. As Sign in Settings, select Use SAML button on “Sign in” screen.
c. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Igloo Software test user
There is no action item for you to configure user provisioning to Igloo Software.
When an assigned user tries to log in to Igloo Software using the access panel, Igloo Software checks whether the
user exists. If there is no user account available yet, it is automatically created by Igloo Software.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Igloo Software tile in the Access Panel, you should be automatically signed in to the Igloo
Software for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate iLMS with Azure Active Directory
8/9/2019 • 7 minutes to read
In this tutorial, you'll learn how to integrate iLMS with Azure Active Directory (Azure AD). When you integrate
iLMS with Azure AD, you can:
Control in Azure AD who has access to iLMS.
Enable your users to be automatically signed-in to iLMS with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
iLMS single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. iLMS supports SP and IDP initiated
SSO.
4. On the Basic SAML Configuration page, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, paste the Identifier value that you copy from the Service Provider section of the SAML
settings in the iLMS admin portal.
b. In the Reply URL text box, paste the Endpoint (URL) value that you copy from the Service Provider section of the
SAML settings in the iLMS admin portal. It has the following pattern:
https://www.inspiredlms.com/Login/<instanceName>/consumer.aspx
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, paste the Endpoint (URL) value that you copy from the Service Provider section of the
SAML settings in the iLMS admin portal, in the form https://www.inspiredlms.com/Login/<instanceName>/consumer.aspx
6. To enable JIT provisioning, your iLMS application expects the SAML assertions in a specific format, which
requires you to add custom attribute mappings to your SAML token attributes configuration. The following
screenshot shows the list of default attributes. Click Edit icon to open User Attributes dialog.
NOTE
You have to enable Create Un-recognized User Account in iLMS to map these attributes. Follow the instructions
here to get an idea on the attributes configuration.
7. In addition to the above, the iLMS application expects a few more attributes to be passed back in the SAML response. In
the User Claims section of the User Attributes dialog, perform the following steps to add each SAML token
attribute shown in the table below:
NAME          SOURCE ATTRIBUTE
division      user.department
region        user.state
department    user.jobtitle
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
9. In the Set up iLMS section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure iLMS SSO
1. In a different web browser window, sign in to your iLMS admin portal as an administrator.
2. Click SSO:SAML under Settings tab to open SAML settings and perform the following steps:
3. Expand the Service Provider section and copy the Identifier and Endpoint (URL) value.
6. If you want to enable JIT provisioning to create iLMS accounts for unrecognized users, follow the steps below:
a. Check Create Un-recognized User Account.
b. Map the attributes in Azure AD with the attributes in iLMS. In the attribute column, specify the attributes
name or the default value.
c. Go to Business Rules tab and perform the following steps:
d. Check Create Un-recognized Regions, Divisions and Departments to create Regions, Divisions, and
Departments that do not already exist at the time of Single Sign-on.
e. Check Update User Profile During Sign-in to specify whether the user’s profile is updated with each
Single Sign-on.
f. If the Update Blank Values for Non Mandatory Fields in User Profile option is checked, optional
profile fields that are blank upon sign in will also cause the user’s iLMS profile to contain blank values for
those fields.
g. Check Send Error Notification Email and enter the email of the user where you want to receive the
error notification email.
7. Click Save button to save the settings.
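The claim mapping (division, region, department) and the JIT options above can be checked against an assertion captured from a test sign-in. The following Python sketch is an added example, not part of the original tutorial or of iLMS: it reports claims that are missing, that were issued with a namespace although the tutorial says to leave Namespace blank, or that are blank (relevant when Update Blank Values for Non Mandatory Fields is checked). The sample XML, the example.test namespace and the function names are assumptions, and signature validation is out of scope.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names and their Azure AD source attributes, from the tutorial's table.
EXPECTED_CLAIMS = {
    "division": "user.department",
    "region": "user.state",
    "department": "user.jobtitle",
}

# Constructed sample assertion fragment (not captured from a real tenant).
# "region" is blank and "department" carries a namespace on purpose.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="division">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="region">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.example.test/claims/department">
      <saml:AttributeValue>Developer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def read_attributes(assertion_xml):
    """Return {attribute name: [values]} for every SAML attribute found.

    Intended for an assertion you captured from your own test sign-in;
    this function does not verify the XML signature.
    """
    root = ET.fromstring(assertion_xml)
    attributes = {}
    path = ".//saml:AttributeStatement/saml:Attribute"
    for attribute in root.iterfind(path, SAML_NS):
        values = [
            (value.text or "").strip()
            for value in attribute.iterfind("saml:AttributeValue", SAML_NS)
        ]
        attributes.setdefault(attribute.get("Name", ""), []).extend(values)
    return attributes


def check_jit_claims(assertion_xml, expected=EXPECTED_CLAIMS):
    """Classify each expected claim as ok, blank, namespaced or missing."""
    attributes = read_attributes(assertion_xml)
    status = {}
    for name in expected:
        if name in attributes:
            # Present under the bare name; a blank value can overwrite the
            # iLMS profile field when blank updates are enabled.
            status[name] = "ok" if any(attributes[name]) else "blank"
        elif any(other.rsplit("/", 1)[-1] == name for other in attributes):
            # Issued as <namespace>/<name>, so the bare name is absent.
            status[name] = "namespaced"
        else:
            status[name] = "missing"
    return status


if __name__ == "__main__":
    for claim, state in check_jit_claims(SAMPLE_ASSERTION).items():
        print(f"{claim:<10} ({EXPECTED_CLAIMS[claim]}): {state}")
```
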
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create iLMS test user
The application supports just-in-time user provisioning: after authentication, users are created in the application
automatically. JIT works if you have selected the Create Un-recognized User Account checkbox during SAML
configuration in the iLMS admin portal.
If you need to create a user manually, follow the steps below:
1. Sign in to your iLMS company site as an administrator.
2. Click Register User under Users tab to open Register User page.
3. On the Register User page, perform the following steps.
a. In the First Name textbox, type the first name like Britta.
b. In the Last Name textbox, type the last name like Simon.
c. In the Email ID textbox, type the email address of the user like BrittaSimon@contoso.com.
d. In the Region dropdown, select the value for region.
e. In the Division dropdown, select the value for division.
f. In the Department dropdown, select the value for department.
g. Click Save.
NOTE
You can send registration mail to user by selecting Send Registration Mail checkbox.
Test SSO
When you select the iLMS tile in the Access Panel, you should be automatically signed in to the iLMS for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Image Relay
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Image Relay with Azure Active Directory (Azure AD). Integrating Image
Relay with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Image Relay.
You can enable your users to be automatically signed-in to Image Relay (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Image Relay, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Image Relay single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Image Relay supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Image Relay, select Image Relay from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.imagerelay.com/sso/metadata
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Image Relay Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up Image Relay section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Image Relay Single Sign-On
1. In another browser window, sign in to your Image Relay company site as an administrator.
2. In the toolbar on the top, click the Users & Permissions workload.
4. In the Single Sign On Settings workload, select the This Group can only sign-in via Single Sign On
check box, and then click Save.
5. Go to Account Settings.
6. Go to the Single Sign On Settings workload.
a. In the Login URL textbox, paste the value of Login URL that you copied from the Azure portal.
b. In the Logout URL textbox, paste the value of Logout URL that you copied from the Azure portal.
c. As Name Id Format, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
d. As Binding Options for Requests from the Service Provider (Image Relay), select POST Binding.
e. Under x.509 Certificate, click Update Certificate.
f. Open the downloaded certificate in notepad, copy the content, and then paste it into the x.509 Certificate
textbox.
g. In Just-In-Time User Provisioning section, select the Enable Just-In-Time User Provisioning.
h. Select the permission group (for example, SSO Basic) which is allowed to sign in only through single
sign-on.
i. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Image Relay test user
The objective of this section is to create a user called Britta Simon in Image Relay.
To create a user called Britta Simon in Image Relay, perform the following steps:
1. Sign on to your Image Relay company site as an administrator.
2. Go to Users & Permissions and select Create SSO User.
3. Enter the Email, First Name, Last Name, and Company of the user you want to provision and select the
permission group (for example, SSO Basic) which is the group that can sign in only through single sign-on.
4. Click Create.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Image Relay tile in the Access Panel, you should be automatically signed in to the Image Relay
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with IMAGE WORKS
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate IMAGE WORKS with Azure Active Directory (Azure AD). Integrating
IMAGE WORKS with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to IMAGE WORKS.
You can enable your users to be automatically signed-in to IMAGE WORKS (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with IMAGE WORKS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
IMAGE WORKS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
IMAGE WORKS supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type IMAGE WORKS, select IMAGE WORKS from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://sp.i-imageworks.jp/iw/<tenantName>/postResponse
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact IMAGE WORKS
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up IMAGE WORKS section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
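The URL patterns in these tutorials carry placeholders that must be replaced with the values supplied by the vendor. As an added example (not from the original tutorials), this Python sketch checks a value about to be pasted into Basic SAML Configuration against three patterns quoted on this page. Treating each placeholder as a single DNS label or path segment is an assumption, as are the function names and the contoso sample values.

```python
import re
from urllib.parse import urlsplit

# Patterns quoted in the iLMS, Image Relay and IMAGE WORKS tutorials.
TUTORIAL_PATTERNS = {
    "iLMS": "https://www.inspiredlms.com/Login/<instanceName>/consumer.aspx",
    "Image Relay": "https://<companyname>.imagerelay.com/sso/metadata",
    "IMAGE WORKS": "https://sp.i-imageworks.jp/iw/<tenantName>/postResponse",
}

PLACEHOLDER = re.compile(r"<[^<>]+>")
# Assumption: a placeholder stands for one DNS label or one path segment,
# so dots and slashes are not accepted inside it.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"


def pattern_to_regex(pattern):
    """Turn a tutorial pattern into a regex; fixed text is matched literally."""
    pieces, position = [], 0
    for match in PLACEHOLDER.finditer(pattern):
        pieces.append(re.escape(pattern[position:match.start()]))
        pieces.append(LABEL)
        position = match.end()
    pieces.append(re.escape(pattern[position:]))
    return re.compile("".join(pieces))


def check_url(app, url):
    """Return a list of problems found in url; an empty list means it passed."""
    problems = []
    if PLACEHOLDER.search(url):
        # The tutorials note that the pattern values are not real.
        problems.append("placeholder not replaced")
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if "@" in parts.netloc or ":" in parts.netloc:
        problems.append("unexpected userinfo or port")
    if parts.query or parts.fragment:
        problems.append("unexpected query or fragment")
    if not pattern_to_regex(TUTORIAL_PATTERNS[app]).fullmatch(url):
        # Catches look-alike hosts such as vendor.com.<other domain>.
        problems.append("does not match the tutorial pattern")
    return problems


if __name__ == "__main__":
    # Constructed sample values.
    samples = [
        ("Image Relay", "https://contoso.imagerelay.com/sso/metadata"),
        ("Image Relay", "http://contoso.imagerelay.com/sso/metadata"),
        ("Image Relay", "https://contoso.imagerelay.com.example.test/sso/metadata"),
        ("IMAGE WORKS", "https://sp.i-imageworks.jp/iw/<tenantName>/postResponse"),
    ]
    for app, url in samples:
        print(app, url, check_url(app, url) or "ok")
```
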
Configure IMAGE WORKS Single Sign-On
To configure single sign-on on the IMAGE WORKS side, send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the IMAGE WORKS support team. They apply this setting so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create IMAGE WORKS test user
In this section, you create a user called Britta Simon in IMAGE WORKS. Work with the IMAGE WORKS support team
to add the users to the IMAGE WORKS platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the IMAGE WORKS tile in the Access Panel, you should be automatically signed in to the IMAGE
WORKS for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Imagineer WebVision
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Imagineer WebVision with Azure Active Directory (Azure AD).
Integrating Imagineer WebVision with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Imagineer WebVision.
You can enable your users to be automatically signed-in to Imagineer WebVision (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Imagineer WebVision, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Imagineer WebVision single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Imagineer WebVision supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Imagineer WebVision, select Imagineer WebVision from the result panel, then click the
Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<YOUR SERVER URL>/<yourapplicationloginpage>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Imagineer
WebVision Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Imagineer WebVision test user
In this section, you create a user called Britta Simon in Imagineer WebVision. Work with Imagineer WebVision
support team to add the users in the Imagineer WebVision platform. Users must be created and activated before
you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Imagineer WebVision tile in the Access Panel, you should be automatically signed in to the
Imagineer WebVision for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with IMPAC Risk
Manager
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate IMPAC Risk Manager with Azure Active Directory (Azure AD). Integrating IMPAC Risk
Manager with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to IMPAC Risk Manager.
You can enable your users to be automatically signed-in to IMPAC Risk Manager (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and single sign-on
with Azure Active Directory. If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
To configure Azure AD integration with IMPAC Risk Manager, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
IMPAC Risk Manager single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
IMPAC Risk Manager supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type IMPAC Risk Manager, select IMPAC Risk Manager from the result panel, then click the Add button to
add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, perform the
following steps:
For QA https://QA.riskmanager.co.nz/DotNet/SSOv2/AssertionConsumerService.aspx?client=<ClientSuffix>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
For QA https://QA.riskmanager.co.nz/SSOv2/<ClientSuffix>
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact IMPAC Risk Manager
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to
download the Certificate (Base64) from the given options as per your requirement and save it on your computer.
7. On the Set up IMPAC Risk Manager section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure IMPAC Risk Manager Single Sign-On
To configure single sign-on on the IMPAC Risk Manager side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the IMPAC Risk Manager support team. They apply these settings so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the bottom of the
screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the appropriate role for the
user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create IMPAC Risk Manager test user
In this section, you create a user called Britta Simon in IMPAC Risk Manager. Work with IMPAC Risk Manager support team to
add the users in the IMPAC Risk Manager platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the IMPAC Risk Manager tile in the Access Panel, you should be automatically signed in to the IMPAC Risk
Manager for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with In Case of Crisis - Mobile
10/10/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate In Case of Crisis - Mobile with Azure Active Directory (Azure AD).
When you integrate In Case of Crisis - Mobile with Azure AD, you can:
Control in Azure AD who has access to In Case of Crisis - Mobile.
Enable your users to be automatically signed-in to In Case of Crisis - Mobile with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
In Case of Crisis - Mobile single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
In Case of Crisis - Mobile supports IDP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section the application is pre-configured in IDP initiated mode and the
necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking
the Save button.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Raw) and select Download to download the certificate and save it on your computer.
6. Navigate to the Manage section on left side of page, click on Properties tab then copy the User access
URL and save it on your computer.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to In Case of Crisis - Mobile.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select In Case of Crisis - Mobile.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the In Case of Crisis - Mobile tile in the Access Panel, you should be automatically signed in to the
In Case of Crisis - Mobile for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try In Case of Crisis - Mobile with Azure AD
Tutorial: Azure Active Directory integration with
Infinite Campus
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Infinite Campus with Azure Active Directory (Azure AD). Integrating
Infinite Campus with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Infinite Campus.
You can enable your users to be automatically signed-in to Infinite Campus (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Infinite Campus, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Infinite Campus single sign-on enabled subscription
At minimum, you need to be an Azure Active Directory administrator, and have a Campus Product Security Role
of "Student Information System (SIS)" to complete the configuration.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Infinite Campus supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Infinite Campus, select Infinite Campus from the result panel then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, perform the following steps (note that the domain will vary with
Hosting Model, but the FULLY-QUALIFIED-DOMAIN value must match your Infinite Campus
installation):
a. In the Sign-on URL textbox, type a URL using the following pattern:
https://<DOMAIN>.infinitecampus.com/campus/SSO/<DISTRICTNAME>/SIS
c. In the Reply URL textbox, type a URL using the following pattern:
https://<DOMAIN>.infinitecampus.com/campus/SSO/<DISTRICTNAME>
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
3. Navigate to User Security > SAML Management > SSO Service Provider Configuration.
4. On the SSO Service Provider Configuration page, perform the following steps:
In this section, you enable Britta Simon to use Azure single sign-on by granting access to Infinite Campus.
1. In the Azure portal, select Enterprise Applications, select All applications, then select Infinite Campus.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Infinite Campus test user
Infinite Campus has a demographics centered architecture. Please contact Infinite Campus support team to add the
users in the Infinite Campus platform.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Infinite Campus tile in the Access Panel, you should be automatically signed in to the Infinite
Campus for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Infogix Data3Sixty Govern
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Infogix Data3Sixty Govern with Azure Active Directory (Azure AD).
Integrating Infogix Data3Sixty Govern with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Infogix Data3Sixty Govern.
You can enable your users to be automatically signed-in to Infogix Data3Sixty Govern (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Infogix Data3Sixty Govern, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Infogix Data3Sixty Govern single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Infogix Data3Sixty Govern supports SP and IDP initiated SSO
Infogix Data3Sixty Govern supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Infogix Data3Sixty Govern, select Infogix Data3Sixty Govern from the result panel,
then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL: https://data3sixty.com/ui
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.data3sixty.com/sso/acs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<subdomain>.data3sixty.com
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact Infogix
Data3Sixty Govern Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
6. The Infogix Data3Sixty Govern application expects the SAML assertions in a specific format. Configure the
following claims for this application. You can manage the values of these attributes from the User
Attributes section on the application integration page. On the Set up Single Sign-On with SAML page, click
the Edit button to open the User Attributes dialog.
7. In the User Claims section on the User Attributes dialog, edit the claims by using the Edit icon or add the
claims by using Add new claim to configure the SAML token attributes as shown in the image above, and
perform the following steps:
NAME         SOURCE ATTRIBUTE
firstname    user.givenname
lastname     user.surname
username     user.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
9. On the Set up Infogix Data3Sixty Govern section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Infogix Data3Sixty Govern Single Sign-On
To configure single sign-on on the Infogix Data3Sixty Govern side, you need to send the downloaded Certificate
(Raw) and the appropriate copied URLs from the Azure portal to the Infogix Data3Sixty Govern support team. They
apply these settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Infogix Data3Sixty Govern test user
In this section, a user called Britta Simon is created in Infogix Data3Sixty Govern. Infogix Data3Sixty Govern
supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section.
If a user doesn't already exist in Infogix Data3Sixty Govern, a new one is created after authentication.
NOTE
If you need to create a user manually, contact Infogix Data3Sixty Govern support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Infogix Data3Sixty Govern tile in the Access Panel, you should be automatically signed in to the
Infogix Data3Sixty Govern for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
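The claim table configured for Infogix Data3Sixty Govern can be checked against the assertion captured from a test sign-in. The following is an added example, not part of the original tutorial or of either product: it reports which of the three claims arrive with a blank namespace, which arrive with a namespace still prefixed to the name, and which are absent. The sample assertions are constructed and unsigned, the function names are hypothetical, and the check inspects attribute names only; it does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Claim names and their Azure AD source attributes, from the tutorial's table.
EXPECTED_CLAIMS = {
    "firstname": "user.givenname",
    "lastname": "user.surname",
    "username": "user.mail",
}


def make_assertion(attributes):
    """Build a constructed, unsigned assertion fragment for this demo only."""
    rows = "".join(
        f'<saml:Attribute Name="{name}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes
    )
    return (
        f'<saml:Assertion xmlns:saml="{ASSERTION_NS}" Version="2.0" ID="_constructed">'
        f"<saml:AttributeStatement>{rows}</saml:AttributeStatement></saml:Assertion>"
    )


# Constructed sample: all three claims emitted with the Namespace left blank.
GOOD_ASSERTION = make_assertion(
    [("firstname", "Britta"), ("lastname", "Simon"), ("username", "B.Simon@contoso.com")]
)
# Constructed sample: firstname kept a namespace, and username is absent
# (assumed here to be what happens when the source attribute has no value).
BAD_ASSERTION = make_assertion(
    [
        ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname", "Britta"),
        ("lastname", "Simon"),
    ]
)


def check_claims(assertion_xml):
    """Classify each expected claim as ok, empty, namespaced or missing."""
    # SAML messages must not carry a DTD; refuse before handing text to the parser.
    if "<!DOCTYPE" in assertion_xml.upper():
        raise ValueError("DTD found in assertion; refusing to parse")
    root = ET.fromstring(assertion_xml)

    found = {}
    for attr in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        values = [
            v.text.strip()
            for v in attr.findall(f"{{{ASSERTION_NS}}}AttributeValue")
            if v.text and v.text.strip()
        ]
        found[attr.get("Name", "")] = values

    report = {"ok": [], "empty": [], "namespaced": [], "missing": []}
    for claim in EXPECTED_CLAIMS:
        if claim in found:
            report["ok" if found[claim] else "empty"].append(claim)
            continue
        # With a namespace set, the Name arrives as "<namespace>/<claim>".
        prefixed = [name for name in found if name.endswith("/" + claim)]
        if prefixed:
            report["namespaced"].append(prefixed[0])
        else:
            report["missing"].append(claim)
    return report


def claims_complete(report):
    """True only when every expected claim is present, un-namespaced and non-empty."""
    return sorted(report["ok"]) == sorted(EXPECTED_CLAIMS)


if __name__ == "__main__":
    for label, sample in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        result = check_claims(sample)
        print(label, result, "complete" if claims_complete(result) else "incomplete")
```
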
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Infor
CloudSuite
7/5/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Infor CloudSuite with Azure Active Directory (Azure AD). Integrating
Infor CloudSuite with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Infor CloudSuite.
You can enable your users to be automatically signed-in to Infor CloudSuite (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Infor CloudSuite, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Infor CloudSuite single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Infor CloudSuite supports SP and IDP initiated SSO
Infor CloudSuite supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Infor CloudSuite, select Infor CloudSuite from the result panel, then click the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
http://mingle-sso.inforcloudsuite.com
http://mingle-sso.se1.inforcloudsuite.com
http://mingle-sso.eu1.inforcloudsuite.com
http://mingle-sso.se2.inforcloudsuite.com
b. In the Reply URL text box, type a URL using the following pattern:
https://mingle-sso.inforcloudsuite.com:443/sp/ACS.saml2
https://mingle-sso.se1.inforcloudsuite.com:443/sp/ACS.saml2
https://mingle-sso.se2.inforcloudsuite.com:443/sp/ACS.saml2
https://mingle-sso.eu1.inforcloudsuite.com:443/sp/ACS.saml2
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://mingle-portal.inforcloudsuite.com/Tenant-Name/
https://mingle-portal.eu1.inforcloudsuite.com/Tenant-Name/
https://mingle-portal.se1.inforcloudsuite.com/Tenant-Name/
https://mingle-portal.se2.inforcloudsuite.com/Tenant-Name/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact Infor
CloudSuite Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Infor CloudSuite section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Infor CloudSuite Single Sign-On
To configure single sign-on on the Infor CloudSuite side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the Infor CloudSuite support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
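Because the Federation Metadata XML carries the certificate the application will trust for signed assertions, it is worth recording its entity ID and signing-certificate fingerprint before sending it, so that the recipient can confirm over a second channel that the file arrived unaltered. The following is an added example, not part of the original tutorial or of either product; the sample metadata is constructed, the tenant ID is a placeholder, the certificate bytes are a stand-in rather than a real certificate, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed stand-in for DER certificate bytes; not a real certificate.
CONSTRUCTED_DER = b"constructed bytes standing in for a DER certificate"
# Placeholder tenant ID; a real file carries your tenant's GUID.
TENANT = "00000000-0000-0000-0000-000000000000"

# Constructed sample shaped like an IdP federation metadata document.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>
        {base64.b64encode(CONSTRUCTED_DER).decode()}
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def summarize_metadata(xml_data):
    """Return entity ID, signing-cert SHA-256 fingerprints and endpoints."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    # SAML metadata must not carry a DTD; refuse before parsing.
    if b"<!DOCTYPE" in xml_data.upper():
        raise ValueError("DTD found in metadata; refusing to parse")
    root = ET.fromstring(xml_data)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    fingerprints = []
    for key in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' applies to signing as well.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            if der:
                fingerprints.append(hashlib.sha256(der).hexdigest())

    wanted = (f"{{{MD}}}SingleSignOnService", f"{{{MD}}}SingleLogoutService")
    endpoints = [
        (el.tag.split("}")[1], el.get("Binding"), el.get("Location"))
        for el in idp
        if el.tag in wanted
    ]
    return {
        "entity_id": root.get("entityID"),
        "signing_cert_sha256": fingerprints,
        "endpoints": endpoints,
        "non_https_endpoints": [
            loc for _, _, loc in endpoints if not (loc or "").startswith("https://")
        ],
    }


def fingerprint_matches(summary, expected):
    """Compare against a fingerprint received out of band (colons, case ignored)."""
    normalized = expected.replace(":", "").replace(" ", "").lower()
    return normalized in summary["signing_cert_sha256"]


if __name__ == "__main__":
    info = summarize_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    for fp in info["signing_cert_sha256"]:
        print("signing cert SHA-256:", fp)
    for kind, binding, location in info["endpoints"]:
        print(kind, binding, location)
    print("non-HTTPS endpoints:", info["non_https_endpoints"])
```
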
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Infor CloudSuite test user
In this section, a user called Britta Simon is created in Infor CloudSuite. Infor CloudSuite supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Infor CloudSuite, a new one is created after authentication. If you need to create a user manually,
contact Infor CloudSuite support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Infor CloudSuite tile in the Access Panel, you should be automatically signed in to the Infor
CloudSuite for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Infor
Retail – Information Management
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Infor Retail – Information Management with Azure Active Directory
(Azure AD). Integrating Infor Retail – Information Management with Azure AD provides you with the following
benefits:
You can control in Azure AD who has access to Infor Retail – Information Management.
You can enable your users to be automatically signed-in to Infor Retail – Information Management (Single
Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Infor Retail – Information Management, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Infor Retail – Information Management single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Infor Retail – Information Management supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Infor Retail – Information Management, select Infor Retail – Information
Management from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<company name>.mingle.infor.com
http://<company name>.mingledev.infor.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<company name>.mingle.infor.com/sp/ACS.saml2
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<company name>.mingle.infor.com/<company code>
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact Infor
Retail – Information Management Client support team to get these values. You can also refer to the patterns shown
in the Basic SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Infor Retail – Information Management section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Infor Retail – Information Management Single Sign-On
To configure single sign-on on the Infor Retail – Information Management side, you need to send the downloaded
Metadata XML and the appropriate copied URLs from the Azure portal to the Infor Retail – Information Management
support team. They apply these settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Infor Retail – Information Management test user
In this section, you create a user called Britta Simon in Infor Retail – Information Management. Work with Infor
Retail – Information Management support team to add the users in the Infor Retail – Information Management
platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Infor Retail – Information Management tile in the Access Panel, you should be automatically
signed in to the Infor Retail – Information Management for which you set up SSO. For more information about the
Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Inkling
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Inkling with Azure Active Directory (Azure AD). Integrating Inkling with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Inkling.
You can enable your users to be automatically signed-in to Inkling (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Inkling, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Inkling single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Inkling supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Inkling, select Inkling from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://api.inkling.com/saml/v2/metadata/<user-id>
b. In the Reply URL text box, type a URL using the following pattern:
https://api.inkling.com/saml/v2/acs/<user-id>
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact the Inkling Client support
team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Inkling section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Inkling Single Sign-On
To configure single sign-on on the Inkling side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the Inkling support team. They apply these settings so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Inkling test user
In this section, you create a user called Britta Simon in Inkling. Work with the Inkling support team to add the users in
the Inkling platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Inkling tile in the Access Panel, you should be automatically signed in to the Inkling for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Innotas
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Innotas with Azure Active Directory (Azure AD). Integrating Innotas with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Innotas.
You can enable your users to be automatically signed-in to Innotas (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Innotas, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Innotas single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Innotas supports SP initiated SSO
Innotas supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Innotas, select Innotas from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact the Innotas Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Innotas section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Innotas Single Sign-On
To configure single sign-on on the Innotas side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the Innotas support team. They apply these settings so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Innotas test user
There is no action item for you to configure user provisioning to Innotas. When an assigned user tries to sign in to
Innotas using the access panel, Innotas checks whether the user exists. If there is no user account available yet, it is
automatically created by Innotas.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Innotas tile in the Access Panel, you should be automatically signed in to the Innotas for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Innoverse
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Innoverse with Azure Active Directory (Azure AD). Integrating Innoverse with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Innoverse.
You can enable your users to be automatically signed-in to Innoverse (Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and single sign-
on with Azure Active Directory. If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
To configure Azure AD integration with Innoverse, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Innoverse single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Innoverse supports SP and IDP initiated SSO
Innoverse supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Innoverse, select Innoverse from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration dialog.
a. In the Identifier text box, type a URL using the following pattern: https://<domainname>.innover.se
b. In the Reply URL text box, type a URL using the following pattern:
https://<domainname>.innover.se/auth/saml2/login
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP initiated
mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<domainname>.innover.se/auth/saml2/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the Innoverse Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
6. The Innoverse application expects the SAML assertions in a specific format. Configure the following claims for this
application. You can manage the values of these attributes from the User Attributes section on the application integration
page. On the Set up Single Sign-On with SAML page, click the Edit button to open the User Attributes dialog.
7. In the User Claims section on the User Attributes dialog, configure the SAML token attribute as shown in the image
above and perform the following steps:
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Enter the Namespace.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy icon to copy
the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the bottom of the
screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the appropriate role for
the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Innoverse test user
In this section, a user called Britta Simon is created in Innoverse. Innoverse supports just-in-time provisioning, which is
enabled by default. There is no action item for you in this section. If a user doesn't already exist in Innoverse, a new one is
created when you attempt to access Innoverse.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Innoverse tile in the Access Panel, you should be automatically signed in to the Innoverse for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Insider Track
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Insider Track with Azure Active Directory (Azure AD). Integrating Insider
Track with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Insider Track.
You can enable your users to be automatically signed-in to Insider Track (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Insider Track, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Insider Track single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Insider Track supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Insider Track, select Insider Track from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact the Insider Track Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Insider Track section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Insider Track Single Sign-On
To configure single sign-on on the Insider Track side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the Insider Track support team. They apply these settings so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Insider Track test user
In this section, you create a user called Britta Simon in Insider Track. Work with the Insider Track support team to add
the users in the Insider Track platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Insider Track tile in the Access Panel, you should be automatically signed in to the Insider Track
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with InsideView
6/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate InsideView with Azure Active Directory (Azure AD). This integration
provides these benefits:
You can use Azure AD to control who has access to InsideView.
You can enable your users to be automatically signed in to InsideView (single sign-on) with their Azure AD
accounts.
You can manage your accounts in one central location: the Azure portal.
To learn more about SaaS app integration with Azure AD, see Single sign-on to applications in Azure Active
Directory.
If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
To configure Azure AD integration with InsideView, you need to have:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.
An InsideView subscription that has single sign-on enabled.
Scenario description
In this tutorial, you'll configure and test Azure AD single sign-on in a test environment.
InsideView supports IdP-initiated SSO.
4. In the search box, enter InsideView. Select InsideView in the search results and then select Add.
3. On the Set up Single Sign-On with SAML page, select the Edit icon to open the Basic SAML
Configuration dialog box:
4. In the Basic SAML Configuration dialog box, take the following steps.
In the Reply URL box, enter a URL in this pattern:
https://my.insideview.com/iv/<STS Name>/login.iv
NOTE
This value is a placeholder. You need to use the actual reply URL. Contact the InsideView support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration dialog box in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select the
Download link next to Certificate (Raw), per your requirements, and save the certificate on your
computer:
6. In the Set up InsideView section, copy the appropriate URLs, based on your requirements:
a. Login URL.
b. Azure AD Identifier.
c. Logout URL.
Configure InsideView single sign-on
1. In a new web browser window, sign in to your InsideView company site as an admin.
2. At the top of the window, select Admin, SingleSignOn Settings, and then Add SAML.
4. Select Add user, and then select Users and groups in the Add Assignment dialog box.
5. In the Users and groups dialog box, select Britta Simon in the users list, and then click the Select button
at the bottom of the window.
6. If you expect a role value in the SAML assertion, in the Select Role dialog box, select the appropriate role
for the user from the list. Click the Select button at the bottom of the window.
7. In the Add Assignment dialog box, select Assign.
Create an InsideView test user
To enable Azure AD users to sign in to InsideView, you need to add them to InsideView. You need to add them
manually.
To create users or contacts in InsideView, contact the InsideView support team.
NOTE
You can use any user account creation tool or API provided by InsideView to provision Azure AD user accounts.
Additional resources
Tutorials for integrating SaaS applications with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Insight4GRC
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Insight4GRC with Azure Active Directory (Azure AD). Integrating
Insight4GRC with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Insight4GRC.
You can enable your users to be automatically signed-in to Insight4GRC (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Insight4GRC, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Insight4GRC single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Insight4GRC supports SP and IDP initiated SSO
Insight4GRC supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Insight4GRC, select Insight4GRC from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<subdomain>.Insight4GRC.com/SAML
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.Insight4GRC.com/Public/SAML/ACS.aspx
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<subdomain>.Insight4GRC.com/Public/Login.aspx
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the
Insight4GRC Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
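The Identifier, Reply URL and Sign-on URL patterns in the Inkling, Innoverse and Insight4GRC tutorials carry placeholders that must be replaced with real values, and the Reply URL decides where Azure AD posts the signed assertion. The following Python check is an added example, not part of the original tutorials: it turns a pattern from this page into a strict matcher and rejects leftover placeholders, non-HTTPS schemes and look-alike hosts. The tenant names in the usage lines are constructed, and treating each placeholder as a single DNS label or a single path segment is an assumption.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the tutorials on this page.
PAGE_PATTERNS = {
    "Inkling Reply URL": "https://api.inkling.com/saml/v2/acs/<user-id>",
    "Innoverse Identifier": "https://<domainname>.innover.se",
    "Innoverse Reply URL": "https://<domainname>.innover.se/auth/saml2/login",
    "Insight4GRC Reply URL": "https://<subdomain>.Insight4GRC.com/Public/SAML/ACS.aspx",
}

PLACEHOLDER = re.compile(r"<[^<>]+>")
# Assumption: a host placeholder is exactly one DNS label and a path
# placeholder is exactly one path segment that does not start with a dot.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
SEGMENT = r"(?!\.)[A-Za-z0-9._~-]+"


def split_pattern(pattern):
    """Split an https pattern into its host part and its path part."""
    prefix = "https://"
    if not pattern.startswith(prefix):
        raise ValueError("pattern must start with https://")
    host, slash, path = pattern[len(prefix):].partition("/")
    return host, slash + path


def to_regex(text, fill, flags=0):
    """Escape the literal text and substitute `fill` for each <placeholder>."""
    out, pos = [], 0
    for match in PLACEHOLDER.finditer(text):
        out.append(re.escape(text[pos:match.start()]))
        out.append("(?:%s)" % fill)
        pos = match.end()
    out.append(re.escape(text[pos:]))
    return re.compile("".join(out), flags)


def check_url(pattern, candidate):
    """Return a list of problems; an empty list means the value fits the pattern."""
    if PLACEHOLDER.search(candidate):
        return ["placeholder not replaced"]
    try:
        parts = urlsplit(candidate)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["not a parseable URL"]

    host_pattern, path_pattern = split_pattern(pattern)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.username or parts.password or port is not None:
        problems.append("userinfo or port not allowed")
    # Host names are case-insensitive; urlsplit already lowercases hostname.
    if not to_regex(host_pattern, LABEL, re.IGNORECASE).fullmatch(parts.hostname or ""):
        problems.append("host does not match pattern")
    # Paths and entity IDs are compared exactly, so a trailing slash counts.
    if not to_regex(path_pattern, SEGMENT).fullmatch(parts.path):
        problems.append("path does not match pattern")
    if parts.query or parts.fragment:
        problems.append("query or fragment not allowed")
    return problems


if __name__ == "__main__":
    reply = PAGE_PATTERNS["Insight4GRC Reply URL"]
    for value in (  # constructed values
        "https://contoso.insight4grc.com/Public/SAML/ACS.aspx",
        "https://contoso.insight4grc.com.lookalike.example/Public/SAML/ACS.aspx",
        reply,
    ):
        print(value, "->", check_url(reply, value) or "ok")
```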
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Insight4GRC test user
In this section, a user called Britta Simon is created in Insight4GRC. Insight4GRC supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Insight4GRC, a new one is created after authentication.
NOTE
If you need to create a user manually, contact the Insight4GRC Client support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Insignia SAML SSO
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Insignia SAML SSO with Azure Active Directory (Azure AD). Integrating
Insignia SAML SSO with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Insignia SAML SSO.
You can enable your users to be automatically signed-in to Insignia SAML SSO (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Insignia SAML SSO, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Insignia SAML SSO single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Insignia SAML SSO supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Insignia SAML SSO, select Insignia SAML SSO from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
https://<customername>.insigniails.com/ils
https://<customername>.insigniails.com/
https://<customername>.insigniailsusa.com/
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<customername>.insigniailsusa.com/<uniqueid>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Insignia SAML SSO
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up Insignia SAML SSO section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Insignia SAML SSO Single Sign-On
To configure single sign-on on the Insignia SAML SSO side, you need to send the downloaded Certificate (Base64)
and the appropriate copied URLs from the Azure portal to the Insignia SAML SSO support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Insignia SAML SSO test user
In this section, you create a user called Britta Simon in Insignia SAML SSO. Work with the Insignia SAML SSO
support team to add the users in the Insignia SAML SSO platform. Users must be created and activated before
you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Insignia SAML SSO tile in the Access Panel, you should be automatically signed in to the
Insignia SAML SSO for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Insperity ExpensAble
7/8/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Insperity ExpensAble with Azure Active Directory (Azure AD).
Integrating Insperity ExpensAble with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Insperity ExpensAble.
You can enable your users to be automatically signed-in to Insperity ExpensAble (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Insperity ExpensAble, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Insperity ExpensAble single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Insperity ExpensAble supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button on the top of the dialog.
4. In the search box, type Insperity ExpensAble, select Insperity ExpensAble from the result panel then
click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact the Insperity ExpensAble Client support
team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up Insperity ExpensAble section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Insperity ExpensAble Single Sign-On
To configure single sign-on on the Insperity ExpensAble side, you need to send the downloaded Certificate
(Base64) and the appropriate copied URLs from the Azure portal to the Insperity ExpensAble support team. They apply
these settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Insperity ExpensAble test user
In this section, you create a user called Britta Simon in Insperity ExpensAble. Work with the Insperity ExpensAble
support team to add the users in the Insperity ExpensAble platform. Users must be created and activated before
you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Insperity ExpensAble tile in the Access Panel, you should be automatically signed in to the
Insperity ExpensAble for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with InstaVR Viewer
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate InstaVR Viewer with Azure Active Directory (Azure AD). Integrating
InstaVR Viewer with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to InstaVR Viewer.
You can enable your users to be automatically signed-in to InstaVR Viewer (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with InstaVR Viewer, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
InstaVR Viewer single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
InstaVR Viewer supports SP initiated SSO
InstaVR Viewer supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type InstaVR Viewer, select InstaVR Viewer from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
There is no fixed pattern for the Sign on URL. It is generated when the InstaVR Viewer customer does web packaging, and it is
unique for every customer and package. To get the exact Sign on URL, log in to your InstaVR Viewer
instance and do web packaging.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://console.instavr.co/auth/saml/sp/<WEBPackagedURL>
NOTE
The Identifier value is not real. Update this value with the actual Identifier value, which is explained later in this tutorial.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) and Federation Metadata File from the given options
as per your requirement and save them on your computer.
6. On the Set up InstaVR Viewer section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure InstaVR Viewer Single Sign-On
1. Open a new web browser window and log in to your InstaVR Viewer company site as an administrator.
2. Click the User icon and select Account.
3. Scroll down to the SAML Auth section and perform the following steps:
a. In the SSO URL textbox, paste the Login URL value, which you have copied from the Azure portal.
b. In the Logout URL textbox, paste the Logout URL value, which you have copied from the Azure portal.
c. In the Entity ID textbox, paste the Azure AD Identifier value, which you have copied from the Azure
portal.
d. To upload your downloaded Certificate file, click Update.
e. To upload your downloaded Federation Metadata file, click Update.
f. Copy the Entity ID value and paste it into the Identifier (Entity ID) text box on the Basic SAML
Configuration section in the Azure portal.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create InstaVR Viewer test user
In this section, a user called Britta Simon is created in InstaVR Viewer. InstaVR Viewer supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in InstaVR Viewer, a new one is created after authentication. If you face any problems, contact the
InstaVR Viewer support team.
Test single sign-on
1. Open a new web browser window and log in to your InstaVR Viewer company site as an administrator.
2. Select Package from the left navigation panel and select Make package for Web.
3. Select Download.
4. Select Open Hosted Page. You are then redirected to Azure AD for login.
5. Enter your Azure AD credentials to log in to Azure AD via SSO.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Sage Intacct with Azure Active
Directory
8/12/2019 • 7 minutes to read
In this tutorial, you'll learn how to integrate Sage Intacct with Azure Active Directory (Azure AD). When you
integrate Sage Intacct with Azure AD, you can:
Control in Azure AD who has access to Sage Intacct.
Enable your users to be automatically signed-in to Sage Intacct with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Sage Intacct single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Sage Intacct supports IDP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Reply URL text box, type a URL: https://www.intacct.com/ia/acct/sso_response.phtml
5. The Sage Intacct application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes. Click the Edit icon to open the User Attributes dialog.
6. In addition to the above, the Sage Intacct application expects a few more attributes to be passed back in the SAML
response. In the User Claims section on the User Attributes dialog, perform the following steps to add
the SAML token attribute as shown in the table below:
name Value should be the same as the Sage Intacct User ID, which
you enter in the Create Sage Intacct test user section,
which is explained later in the tutorial
8. On the Set up Sage Intacct section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
a. Enter the User ID, the Last name, First name, the Email address, the Title, and the Phone of an Azure
AD account that you want to provision into the User Information section.
NOTE
Make sure that the User ID in the screenshot above and the Source Attribute value mapped to the name
attribute in the User Attributes section in the Azure portal are the same.
b. Select the Admin privileges of an Azure AD account that you want to provision.
c. Click Save.
d. The Azure AD account holder receives an email and follows a link to confirm their account before it
becomes active.
5. Click the Single sign-on tab and make sure that the Federated SSO user ID in the screenshot below and the
Source Attribute value mapped to
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier in the User Attributes section in the
Azure portal are the same.
NOTE
To provision Azure AD user accounts, you can use other Sage Intacct user account creation tools or APIs that are provided by
Sage Intacct.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Sage Intacct tile in the Access Panel, you should be automatically signed in to the Sage Intacct
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
InTime
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate InTime with Azure Active Directory (Azure AD). Integrating InTime with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to InTime.
You can enable your users to be automatically signed-in to InTime (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with InTime, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
InTime single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
InTime supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type InTime, select InTime from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. Your InTime application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes, in which nameidentifier is mapped to user.userprincipalname. The InTime application
expects nameidentifier to be mapped to user.mail, so you need to edit the attribute mapping by clicking
the Edit icon and changing the attribute mapping.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up InTime section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure InTime Single Sign-On
To configure single sign-on on the InTime side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the InTime support team. They apply this setting so that the SAML SSO
connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create InTime test user
In this section, you create a user called Britta Simon in InTime. Work with the InTime support team to add the users to
the InTime platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the InTime tile in the Access Panel, you should be automatically signed in to the InTime for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Intralinks
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Intralinks with Azure Active Directory (Azure AD). Integrating Intralinks
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Intralinks.
You can enable your users to be automatically signed-in to Intralinks (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Intralinks, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Intralinks single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Intralinks supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Intralinks, select Intralinks from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact the Intralinks Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Intralinks section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Intralinks Single Sign-On
To configure single sign-on on the Intralinks side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the Intralinks support team. They apply this setting so that the SAML
SSO connection is set properly on both sides.
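Before handing the Federation Metadata XML and the copied URLs to a vendor support team (the InTime tutorial above has the same hand-off), it helps to confirm that the file and the portal values describe the same identity provider and to record the signing certificate's fingerprint so the vendor can confirm it over a separate channel. The Python sketch below is an added example, not Microsoft or vendor code. The sample metadata, placeholder URLs, filler certificate bytes and function names are constructed, and the mapping of Login URL, Azure AD Identifier and Logout URL to SingleSignOnService, entityID and SingleLogoutService is an assumption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample. The URLs are placeholders and the certificate element
# holds filler bytes, not a real X.509 certificate.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://idp.example.test/tenant-placeholder/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>Y29uc3RydWN0ZWQtZmlsbGVyLWJ5dGVz</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/tenant-placeholder/saml2"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/tenant-placeholder/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def read_idp_metadata(xml_text):
    """Extract entityID, endpoint URLs and signing-cert fingerprints."""
    # Federation metadata never needs a DTD; refuse one outright.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration found in metadata")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def locations(tag):
        found = {el.get("Location") for el in idp.iterfind(f"md:{tag}", NS)}
        return sorted(loc for loc in found if loc)

    fingerprints = []
    for key in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" applies to signing and encryption.
        if key.get("use") not in (None, "signing"):
            continue
        for cert in key.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())
            der = base64.b64decode(b64, validate=True)
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("metadata has no signing certificate")
    return {
        "entity_id": root.get("entityID", ""),
        "sso_urls": locations("SingleSignOnService"),
        "slo_urls": locations("SingleLogoutService"),
        "cert_sha256": fingerprints,
    }


def compare_with_portal(meta, login_url, identifier, logout_url):
    """Return a list of mismatches between metadata and copied portal values."""
    mismatches = []
    if identifier != meta["entity_id"]:
        mismatches.append("Azure AD Identifier differs from metadata entityID")
    if login_url not in meta["sso_urls"]:
        mismatches.append("Login URL not in metadata SingleSignOnService locations")
    if logout_url not in meta["slo_urls"]:
        mismatches.append("Logout URL not in metadata SingleLogoutService locations")
    return mismatches


if __name__ == "__main__":
    meta = read_idp_metadata(SAMPLE_METADATA)
    print("entityID:", meta["entity_id"])
    for fp in meta["cert_sha256"]:
        print("signing cert SHA-256:", fp)
```

An empty list from compare_with_portal means the three copied values agree with the file being sent.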
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Intralinks test user
In this section, you create a user called Britta Simon in Intralinks. Work with the Intralinks support team to add the
users to the Intralinks platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Intralinks tile in the Access Panel, you should be automatically signed in to the Intralinks for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with iPass SmartConnect
10/22/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate iPass SmartConnect with Azure Active Directory (Azure AD). When
you integrate iPass SmartConnect with Azure AD, you can:
Control in Azure AD who has access to iPass SmartConnect.
Enable your users to be automatically signed-in to iPass SmartConnect with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
iPass SmartConnect single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
iPass SmartConnect supports SP and IDP initiated SSO
iPass SmartConnect supports Just In Time user provisioning
NOTE
The identifier of this application is a fixed string value, so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
the user does not have to perform any step as the app is already pre-integrated with Azure.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://om-activation.ipass.com/ClientActivation/ssolanding.go
6. Click Save.
7. The iPass SmartConnect application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes.
8. In addition to the above, the iPass SmartConnect application expects a few more attributes to be passed back in the
SAML response, which are shown below. These attributes are also prepopulated, but you can review them as
per your requirements.
NAME SOURCE ATTRIBUTE
firstName user.givenname
lastName user.surname
email user.userprincipalname
username user.userprincipalname
9. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
10. On the Set up iPass SmartConnect section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the iPass SmartConnect tile in the Access Panel, you should be automatically signed in to the iPass
SmartConnect for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
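One way to check the claim mappings from this tutorial alongside the Access Panel test, as an added example rather than code from Microsoft or iPass: the Python sketch below reads a decoded SAML assertion and reports required attributes that are missing, empty or multi-valued, using the attribute names from the iPass SmartConnect and iQualify LMS tables in this document. The sample assertion, the issuer URL and the function names are constructed for illustration, and the script does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Attribute names copied from the tutorial tables. The dict is an
# illustration, not a vendor-published schema.
REQUIRED_CLAIMS = {
    "iPass SmartConnect": ("firstName", "lastName", "email", "username"),
    "iQualify LMS": ("email", "first_name", "last_name"),
}

# Constructed sample: a decoded, unsigned assertion for the test user.
# Issuer and ID are placeholders.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>B.Simon@contoso.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName">
      <saml:AttributeValue>B</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName">
      <saml:AttributeValue>Simon</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>B.Simon@contoso.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="username">
      <saml:AttributeValue>B.Simon@contoso.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(xml_text):
    """Return (name_id, {attribute name: [values]}) from a decoded assertion."""
    # SAML messages never need a DTD; refuse one outright.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration found in SAML input")
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{SAML_NS}}}Assertion":
        assertion = root
    else:
        # Accept a full samlp:Response and look for the assertion inside it.
        assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    name_id = assertion.findtext(
        "saml:Subject/saml:NameID", default="", namespaces=NS
    ).strip()
    claims = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name", ""), []).extend(values)
    return name_id, claims


def check_claims(xml_text, app, expected_name_id=None):
    """Return a list of problems; an empty list means the mapping looks right."""
    name_id, claims = parse_assertion(xml_text)
    problems = []
    for claim in REQUIRED_CLAIMS[app]:
        values = [v for v in claims.get(claim, []) if v]
        if not values:
            problems.append(f"missing or empty claim: {claim}")
        elif len(values) > 1:
            problems.append(f"claim has multiple values: {claim}")
    if not name_id:
        problems.append("missing NameID")
    elif expected_name_id is not None and name_id != expected_name_id:
        problems.append(
            f"NameID {name_id!r} does not match expected {expected_name_id!r}"
        )
    return problems


if __name__ == "__main__":
    for app in REQUIRED_CLAIMS:
        print(app, check_claims(SAMPLE_ASSERTION, app) or "OK")
```

The expected_name_id argument covers the tutorials in this document that require the Name Identifier claim to match a user ID already created in the application.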
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try iPass SmartConnect with Azure AD
Tutorial: Azure Active Directory integration with iProva
6/13/2019 • 7 minutes to read
In this tutorial, you learn how to integrate iProva with Azure Active Directory (Azure AD). Integrating iProva with Azure AD
provides you with the following benefits:
You can control in Azure AD who has access to iProva.
You can enable your users to be automatically signed-in to iProva (Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and single sign-
on with Azure Active Directory. If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
To configure Azure AD integration with iProva, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
iProva single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
iProva supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type iProva, select iProva from the result panel, then click the Add button to add the application.
https://SUBDOMAIN.iprova.nl/saml2info
https://SUBDOMAIN.iprova.be/saml2info
2. Leave the browser tab open while you proceed with the next steps in another browser tab.
Configure Azure AD single sign-on
In this section, you enable Azure AD single sign-on in the Azure portal.
To configure Azure AD single sign-on with iProva, perform the following steps:
1. In the Azure portal, on the iProva application integration page, select Single sign-on.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration dialog.
6. In the User Claims section on the User Attributes dialog, edit the claims by using the Edit icon or add the claims by
using Add new claim to configure the SAML token attribute as shown in the image above, and perform the following
steps:
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. In the Namespace textbox, type the namespace value shown for that row.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy button to
copy the App Federation Metadata Url and save it on your computer.
11. Paste the metadata URL you saved in the last step of the "Configure Azure AD single sign-on" section.
12. Select the arrow-shaped button to download the metadata from Azure AD.
13. When the download is complete, the confirmation message Valid Federation Data file downloaded appears.
14. Select Next.
15. Skip the Test login option for now, and select Next.
16. In the Claim to use drop-down box, select windowsaccountname.
17. Select Finish.
18. You now return to the Edit general settings screen. Scroll down to the bottom of the page, and select OK to save
your configuration.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the bottom of the
screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the appropriate role for
the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create iProva test user
1. Sign in to iProva by using the Administrator account.
2. Open the Go to menu.
3. Select Application management.
4. Select Users in the Users and user groups panel.
5. Select Add.
6. In the Username box, enter the user's username, such as BrittaSimon@contoso.com.
7. In the Full name box, enter the user's full name, such as BrittaSimon.
8. Select the No password (use single sign-on) option.
9. In the E-mail address box, enter the user's email address, such as BrittaSimon@contoso.com.
10. Scroll down to the end of the page, and select Finish.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the iProva tile in the Access Panel, you should be automatically signed in to the iProva for which you set up
SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
IQNavigator VMS
8/28/2019 • 5 minutes to read
In this tutorial, you learn how to integrate IQNavigator VMS with Azure Active Directory (Azure AD). Integrating
IQNavigator VMS with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to IQNavigator VMS.
You can enable your users to be automatically signed-in to IQNavigator VMS (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with IQNavigator VMS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
IQNavigator VMS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
IQNavigator VMS supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type IQNavigator VMS, select IQNavigator VMS from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.iqnavigator.com/security/login?client_name=https://sts.window.net/<instance name>
NOTE
These values are not real. Update these values with the actual Reply URL and Relay State. Contact the IQNavigator VMS
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The IQNavigator application expects the unique user identifier value in the Name Identifier claim. You can
map the correct value for the Name Identifier claim. In this case, user.UserPrincipalName is mapped
for demo purposes, but you should map the correct value according to your organization's
settings.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
Configure IQNavigator VMS Single Sign-On
To configure single sign-on on the IQNavigator VMS side, you need to send the App Federation Metadata Url to the
IQNavigator VMS support team. They apply this setting so that the SAML SSO connection is set properly on both
sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create IQNavigator VMS test user
In this section, you create a user called Britta Simon in IQNavigator VMS. Work with the IQNavigator VMS support
team to add the users to the IQNavigator VMS platform. Users must be created and activated before you use
single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the IQNavigator VMS tile in the Access Panel, you should be automatically signed in to the
IQNavigator VMS for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
iQualify LMS
8/9/2019 • 7 minutes to read
In this tutorial, you learn how to integrate iQualify LMS with Azure Active Directory (Azure AD). Integrating
iQualify LMS with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to iQualify LMS.
You can enable your users to be automatically signed-in to iQualify LMS (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with iQualify LMS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
iQualify LMS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
iQualify LMS supports SP and IDP initiated SSO
iQualify LMS supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type iQualify LMS, select iQualify LMS from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
Production Environment: https://<yourorg>.iqualify.com/
Test Environment: https://<yourorg>.iqualify.io
b. In the Reply URL text box, type a URL using the following pattern:
Production Environment: https://<yourorg>.iqualify.com/auth/saml2/callback
Test Environment: https://<yourorg>.iqualify.io/auth/saml2/callback
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
Production Environment: https://<yourorg>.iqualify.com/login
Test Environment: https://<yourorg>.iqualify.io/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact iQualify
LMS Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. Your iQualify LMS application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click Edit icon to open User Attributes dialog.
7. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
NAME          SOURCE ATTRIBUTE
email         user.userprincipalname
first_name    user.givenname
last_name     user.surname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
NOTE
The person_id attribute is optional.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
9. On the Set up iQualify LMS section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
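To confirm the claim mapping from steps 6 and 7 before relying on it, the attributes of a captured SAML assertion can be checked against the three claim names in the table. This is an added example, not part of the original tutorial or iQualify's code; the sample assertions, the contoso.example address and the `check_claims` name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names from the tutorial's table; the Namespace must be blank for each.
REQUIRED = ("email", "first_name", "last_name")


def check_claims(assertion_xml):
    """Report required claims that are missing, namespace-qualified, or empty.

    Format check only: it does not validate the assertion's signature.
    """
    # A SAML assertion never needs a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        raise ValueError("unexpected DTD or entity declaration")
    root = ET.fromstring(assertion_xml)

    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        found[attr.get("Name", "")] = values

    report = {"missing": [], "namespaced": [], "empty": []}
    for name in REQUIRED:
        if name in found:
            if not any(found[name]):
                report["empty"].append(name)
            continue
        # With a non-blank Namespace the Name is emitted as "<namespace>/<name>",
        # which an application expecting the bare name will not match.
        qualified = [n for n in found if n.rsplit("/", 1)[-1] == name]
        if qualified:
            report["namespaced"].append(qualified[0])
        else:
            report["missing"].append(name)
    return report


def _sample(attrs):
    """Build a constructed, unsigned assertion fragment for the demo."""
    body = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s'
        "</saml:AttributeValue></saml:Attribute>" % (n, v)
        for n, v in attrs)
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            "<saml:AttributeStatement>%s</saml:AttributeStatement>"
            "</saml:Assertion>" % body)


# Constructed samples: one mapped as in the table, one with the default
# namespace left on "email", an empty first_name and no last_name.
SAMPLE_GOOD = _sample([
    ("email", "britta.simon@contoso.example"),
    ("first_name", "Britta"),
    ("last_name", "Simon"),
])
SAMPLE_BAD = _sample([
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email",
     "britta.simon@contoso.example"),
    ("first_name", ""),
])

if __name__ == "__main__":
    print(check_claims(SAMPLE_GOOD))
    print(check_claims(SAMPLE_BAD))
```
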
Configure iQualify LMS Single Sign-On
1. Open a new browser window, and then sign in to your iQualify environment as an administrator.
2. Once you are logged in, click on your avatar at the top right, then click on Account settings
3. In the account settings area, click on the ribbon menu on the left and click on INTEGRATIONS
4. Under INTEGRATIONS, click on the SAML icon.
5. In the SAML Authentication Settings dialog box, perform the following steps:
a. In the SAML SINGLE SIGN-ON SERVICE URL box, paste the Login URL value copied from the Azure
AD application configuration window.
b. In the SAML LOGOUT URL box, paste the Logout URL value copied from the Azure AD application
configuration window.
c. Open the downloaded certificate file in notepad, copy the content, and then paste it in the PUBLIC
CERTIFICATE box.
d. In LOGIN BUTTON LABEL enter the name for the button to be displayed on login page.
e. Click SAVE.
f. Click UPDATE.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create iQualify LMS test user
In this section, a user called Britta Simon is created in iQualify LMS. iQualify LMS supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in iQualify LMS, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the iQualify LMS tile in the Access Panel, you should get the login page of your iQualify LMS
application.
Click the Sign in with Azure AD button and you should be automatically signed in to your iQualify LMS
application.
For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Iris Intranet
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Iris Intranet with Azure Active Directory (Azure AD). Integrating Iris
Intranet with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Iris Intranet.
You can enable your users to be automatically signed-in to Iris Intranet (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Iris Intranet, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Iris Intranet single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Iris Intranet supports SP initiated SSO
Iris Intranet supports just-in-time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Iris Intranet, select Iris Intranet from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SUBDOMAIN>.irisintranet.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Iris Intranet Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Iris Intranet test user
In this section, a user called Britta Simon is created in Iris Intranet. Iris Intranet supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Iris Intranet, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Iris Intranet tile in the Access Panel, you should be automatically signed in to the Iris Intranet
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with IriusRisk
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate IriusRisk with Azure Active Directory (Azure AD). Integrating IriusRisk
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to IriusRisk.
You can enable your users to be automatically signed-in to IriusRisk (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with IriusRisk, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
IriusRisk single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
IriusRisk supports SP initiated SSO
IriusRisk supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type IriusRisk, select IriusRisk from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
NOTE
The Sign-on URL value is not real. Update this value with the actual Sign-On URL. Contact IriusRisk Client support
team to get this value. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up IriusRisk section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure IriusRisk Single Sign-On
To configure single sign-on on the IriusRisk side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the IriusRisk support team. They configure this setting so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create IriusRisk test user
In this section, a user called Britta Simon is created in IriusRisk. IriusRisk supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in
IriusRisk, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the IriusRisk tile in the Access Panel, you should be automatically signed in to the IriusRisk for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with iServer Portal
8/29/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate iServer Portal with Azure Active Directory (Azure AD). When you
integrate iServer Portal with Azure AD, you can:
Control in Azure AD who has access to iServer Portal.
Enable your users to be automatically signed-in to iServer Portal with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
iServer Portal single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
iServer Portal supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern: iserver-portal-<myiserverportal>
b. In the Reply URL text box, type a URL using the following pattern:
https://<myiserverportal.com>/SAML/login
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<myiserverportal.com>/SAML/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact iServer
Portal Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. In the SAML Signing Certificate section, click Edit button to open SAML Signing Certificate dialog.
7. In the SAML Signing Certificate section, copy the Thumbprint Value and save it on your computer.
8. On the Set up iServer Portal section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the iServer Portal tile in the Access Panel, you should be automatically signed in to the iServer
Portal for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try iServer Portal with Azure AD
Tutorial: Azure Active Directory integration with ITRP
7/8/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate ITRP with Azure Active Directory (Azure AD). This integration provides
these benefits:
You can use Azure AD to control who has access to ITRP.
You can enable your users to be automatically signed in to ITRP (single sign-on) with their Azure AD accounts.
You can manage your accounts in one central location: the Azure portal.
To learn more about SaaS app integration with Azure AD, see Single sign-on to applications in Azure Active
Directory.
If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
To configure Azure AD integration with ITRP, you need to have:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.
An ITRP subscription that has single sign-on enabled.
Scenario description
In this tutorial, you'll configure and test Azure AD single sign-on in a test environment.
ITRP supports SP-initiated SSO.
4. In the search box, enter ITRP. Select ITRP in the search results and then select Add.
3. On the Set up Single Sign-On with SAML page, select the Edit icon to open the Basic SAML
Configuration dialog box:
4. In the Basic SAML Configuration dialog box, take the following steps.
a. In the Sign on URL box, enter a URL in this pattern:
https://<tenant-name>.itrp.com
NOTE
These values are placeholders. You need to use the actual sign-on URL and identifier. Contact the ITRP support team
to get the values. You can also refer to the patterns shown in the Basic SAML Configuration dialog box in the Azure
portal.
5. In the SAML Signing Certificate section, select the Edit icon to open the SAML Signing Certificate
dialog box:
6. In the SAML Signing Certificate dialog box, copy the Thumbprint value and save it:
7. In the Set up ITRP section, copy the appropriate URLs, based on your requirements:
a. Login URL.
b. Azure AD Identifier.
c. Logout URL.
Configure ITRP single sign-on
1. In a new web browser window, sign in to your ITRP company site as an admin.
2. At the top of the window, select the Settings icon:
4. Select Add user, and then select Users and groups in the Add Assignment dialog box.
5. In the Users and groups dialog box, select Britta Simon in the users list, and then click the Select button
at the bottom of the window.
6. If you expect a role value in the SAML assertion, in the Select Role dialog box, select the appropriate role
for the user from the list. Click the Select button at the bottom of the window.
7. In the Add Assignment dialog box, select Assign.
Create an ITRP test user
To enable Azure AD users to sign in to ITRP, you need to add them to ITRP. You need to add them manually.
To create a user account, take these steps:
1. Sign in to your ITRP tenant.
2. At the top of the window, select the Records icon:
3. In the menu, select People:
5. In the Add New Person dialog box, take the following steps.
a. Enter the name and email address of a valid Azure AD account that you want to add.
b. Select Save.
NOTE
You can use any user account creation tool or API provided by ITRP to provision Azure AD user accounts.
Additional resources
Tutorials for integrating SaaS applications with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with itslearning
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate itslearning with Azure Active Directory (Azure AD). Integrating
itslearning with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to itslearning.
You can enable your users to be automatically signed-in to itslearning (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with itslearning, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
itslearning single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
itslearning supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type itslearning, select itslearning from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
https://www.itslearning.com/index.aspx
https://us1.itslearning.com/index.aspx
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up itslearning section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure itslearning Single Sign-On
To configure single sign-on on the itslearning side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the itslearning support team. They configure this setting
so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create itslearning test user
In this section, you create a user called Britta Simon in itslearning. Work with itslearning support team to add the
users in the itslearning platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the itslearning tile in the Access Panel, you should be automatically signed in to the itslearning for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Ivanti Service Manager (ISM)
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Ivanti Service Manager (ISM) with Azure Active Directory (Azure AD).
Integrating Ivanti Service Manager (ISM) with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Ivanti Service Manager (ISM).
You can enable your users to be automatically signed-in to Ivanti Service Manager (ISM) (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Ivanti Service Manager (ISM), you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Ivanti Service Manager (ISM) single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Ivanti Service Manager (ISM) supports SP and IDP initiated SSO
Ivanti Service Manager (ISM) supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Ivanti Service Manager (ISM), select Ivanti Service Manager (ISM) from the result
panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<customer>.saasit.com/
https://<customer>.saasiteu.com/
https://<customer>.saasitau.com/
b. In the Reply URL text box, type a URL using the following pattern:
https://<customer>/handlers/sso/SamlAssertionConsumerHandler.ashx
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<customer>.saasit.com/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact Ivanti
Service Manager (ISM) Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
7. On the Set up Ivanti Service Manager (ISM) section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Ivanti Service Manager (ISM) Single Sign-On
To configure single sign-on on the Ivanti Service Manager (ISM) side, you need to send the downloaded
Certificate (Raw) and the appropriate copied URLs from the Azure portal to the Ivanti Service Manager (ISM) support
team. They configure this setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Ivanti Service Manager (ISM) test user
In this section, a user called Britta Simon is created in Ivanti Service Manager (ISM). Ivanti Service Manager (ISM)
supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section.
If a user doesn't already exist in Ivanti Service Manager (ISM), a new one is created after authentication.
NOTE
If you need to create a user manually, contact Ivanti Service Manager (ISM) support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Ivanti Service Manager (ISM) tile in the Access Panel, you should be automatically signed in to
the Ivanti Service Manager (ISM) for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate iWellnessNow with Azure Active Directory
8/9/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate iWellnessNow with Azure Active Directory (Azure AD). When you
integrate iWellnessNow with Azure AD, you can:
Control in Azure AD who has access to iWellnessNow.
Enable your users to be automatically signed-in to iWellnessNow with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
iWellnessNow single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
iWellnessNow supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, if you have Service Provider metadata file and wish to
configure in IDP initiated mode, perform the following steps:
a. Click Upload metadata file.
b. Click on folder logo to select the metadata file and click Upload.
c. After the metadata file is successfully uploaded, the Identifier and Reply URL values get auto populated
in Basic SAML Configuration section.
NOTE
If the Identifier and Reply URL values do not get auto populated, then fill in the values manually according to your
requirement.
5. If you don't have Service Provider metadata file and wish to configure the application in IDP initiated
mode, perform the following steps:
a. In the Identifier textbox, type a URL using the following pattern: http://<CustomerName>.iwellnessnow.com
b. In the Reply URL textbox, type a URL using the following pattern:
https://<CustomerName>.iwellnessnow.com/ssologin
6. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<CustomerName>.iwellnessnow.com/
NOTE
These values are not real. Update these values with the actual Sign-on URL, Identifier and Reply URL. Contact
iWellnessNow Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Metadata XML and select Download to download the certificate and save it on your computer.
8. On the Set up iWellnessNow section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create iWellnessNow test user
In this section, you create a user called Britta Simon in iWellnessNow. Work with iWellnessNow support team to
add the users in the iWellnessNow platform. Users must be created and activated before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the iWellnessNow tile in the Access Panel, you should be automatically signed in to the
iWellnessNow for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory SSO integration with
Jamf Pro
9/23/2019 • 7 minutes to read
In this tutorial, you'll learn how to integrate Jamf Pro with Azure Active Directory (Azure AD). When you integrate
Jamf Pro with Azure AD, you can:
Use Azure AD to control who has access to Jamf Pro.
Automatically sign in your users to Jamf Pro with their Azure AD accounts.
Manage your accounts in one central location: the Azure portal.
To learn more about SaaS app integration with Azure AD, see Single sign-on with Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
A Jamf Pro subscription that's single sign-on (SSO) enabled.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Jamf Pro supports SP-initiated and
IdP-initiated SSO.
4. On the Basic SAML Configuration section, if you want to configure the application in IdP-initiated
mode, enter the values for the following fields:
a. In the Identifier text box, enter a URL that uses the following formula:
https://<subdomain>.jamfcloud.com/saml/metadata
b. In the Reply URL text box, enter a URL that uses the following formula:
https://<subdomain>.jamfcloud.com/saml/SSO
5. Select Set additional URLs. If you want to configure the application in SP-initiated mode, in the Sign-on
URL text box, enter a URL that uses the following formula: https://<subdomain>.jamfcloud.com
NOTE
These values aren't real. Update these values with the actual identifier, reply URL, and sign-on URL. You'll get the
actual identifier value from the Single Sign-On section in Jamf Pro portal, which is explained later in the tutorial. You
can extract the actual subdomain value from the identifier value and use that subdomain information as your sign-on
URL and reply URL. You can also refer to the formulas shown in the Basic SAML Configuration section in the Azure
portal.
6. On the Set up Single Sign-On with SAML page, go to the SAML Signing Certificate section, select the
copy button to copy App Federation Metadata URL, and then save it to your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog box.
5. In the Users and groups dialog box, select B.Simon from the Users list, and then select the Select button
at the bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog box, select the
appropriate role for the user. Then, select the Select button at the bottom of the screen.
7. In the Add Assignment dialog box, select the Assign button.
3. To set up Jamf Pro manually, open a new web browser window and sign in to your Jamf Pro company site
as an administrator. Then, take the following steps.
4. Select the Settings icon from the upper-right corner of the page.
NOTE
Use the value in the <SUBDOMAIN> field to complete the sign-on URL and reply URL in the Basic SAML
Configuration section in the Azure portal.
e. Select Metadata URL from the IDENTITY PROVIDER METADATA SOURCE drop-down menu. In the
field that appears, paste the App Federation Metadata Url value that you've copied from the Azure portal.
7. On the same page, scroll down to the User Mapping section. Then, take the following steps.
a. Select the NameID option for IDENTITY PROVIDER USER MAPPING. By default, this option is set
to NameID, but you can define a custom attribute.
b. Select Email for JAMF PRO USER MAPPING. Jamf Pro maps SAML attributes sent by the IdP first by
users and then by groups. When a user tries to access Jamf Pro, Jamf Pro gets information about the user
from the Identity Provider and matches it against all Jamf Pro user accounts. If the incoming user account
isn't found, then Jamf Pro attempts to match it by group name.
c. Paste the value http://schemas.microsoft.com/ws/2008/06/identity/claims/groups in the IDENTITY
PROVIDER GROUP ATTRIBUTE NAME field.
d. Select Allow users to bypass the Single Sign-On authentication. As a result, users won't be
redirected to the Identity Provider sign-in page for authentication and can sign in to Jamf Pro directly
instead. When a user tries to access Jamf Pro via the Identity Provider, IdP-initiated SSO authentication and
authorization occurs.
e. Select Save.
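The note in the Basic SAML Configuration steps says the subdomain can be extracted from the identifier and reused for the reply URL and sign-on URL. The following is an added example, not part of the original tutorial or of Jamf Pro or Azure AD: it derives the three values from the formulas above and flags entries that do not belong to the same tenant. The function names and the `contoso` subdomain are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Formulas from the tutorial:
#   Identifier  https://<subdomain>.jamfcloud.com/saml/metadata
#   Reply URL   https://<subdomain>.jamfcloud.com/saml/SSO
#   Sign-on URL https://<subdomain>.jamfcloud.com
HOST_RE = re.compile(r"(?P<sub>[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)\.jamfcloud\.com")
IDENTIFIER_PATH = "/saml/metadata"
REPLY_PATH = "/saml/SSO"


def derive_jamf_urls(identifier):
    """Extract the subdomain from the identifier and build the matching
    reply URL and sign-on URL. Raises ValueError on anything that does
    not follow the identifier formula."""
    parts = urlsplit(identifier.strip())
    if parts.scheme != "https":
        raise ValueError("identifier must use https")
    # A host of the form tenant.jamfcloud.com@other.host hides the real
    # host after the '@', so userinfo is rejected outright.
    if parts.username or parts.password or parts.port is not None:
        raise ValueError("identifier must not carry credentials or a port")
    if parts.query or parts.fragment:
        raise ValueError("identifier must not carry a query or fragment")
    # fullmatch rejects lookalikes such as tenant.jamfcloud.com.example.net
    # and an unreplaced <subdomain> placeholder.
    match = HOST_RE.fullmatch(parts.hostname or "")
    if match is None:
        raise ValueError("host is not a single label under jamfcloud.com")
    if parts.path != IDENTIFIER_PATH:
        raise ValueError("identifier path must be " + IDENTIFIER_PATH)
    base = "https://" + match.group("sub") + ".jamfcloud.com"
    return {
        "subdomain": match.group("sub"),
        "identifier": base + IDENTIFIER_PATH,
        "reply_url": base + REPLY_PATH,
        "sign_on_url": base,
    }


def check_basic_saml_config(identifier, reply_url, sign_on_url):
    """Return a list of problems; an empty list means all three values
    follow the formulas and point at the same subdomain."""
    try:
        expected = derive_jamf_urls(identifier)
    except ValueError as exc:
        return ["identifier: " + str(exc)]
    problems = []
    if reply_url != expected["reply_url"]:
        problems.append("reply URL should be " + expected["reply_url"])
    # A trailing slash on the sign-on URL is tolerated.
    if sign_on_url.rstrip("/") != expected["sign_on_url"]:
        problems.append("sign-on URL should be " + expected["sign_on_url"])
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real tenant.
    samples = [
        ("https://contoso.jamfcloud.com/saml/metadata",
         "https://contoso.jamfcloud.com/saml/SSO",
         "https://contoso.jamfcloud.com"),
        ("https://contoso.jamfcloud.com/saml/metadata",
         "https://other.jamfcloud.com/saml/SSO",
         "https://contoso.jamfcloud.com"),
        ("https://<subdomain>.jamfcloud.com/saml/metadata", "", ""),
    ]
    for identifier, reply_url, sign_on_url in samples:
        print(identifier, "->",
              check_basic_saml_config(identifier, reply_url, sign_on_url) or "ok")
```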
Create a Jamf Pro test user
In order for Azure AD users to sign in to Jamf Pro, they must be provisioned into Jamf Pro. Provisioning in Jamf
Pro is a manual task.
To provision a user account, take the following steps:
1. Sign in to your Jamf Pro company site as an administrator.
2. Select the Settings icon in the upper-right corner of the page.
4. Select New.
Additional resources
Tutorials for integrating SaaS applications with Azure Active Directory
Single sign-on to applications in Azure Active Directory
What is Conditional Access in Azure Active Directory?
Try Jamf Pro with Azure AD
Tutorial: Azure Active Directory integration with JDA
Cloud
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate JDA Cloud with Azure Active Directory (Azure AD). Integrating JDA
Cloud with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to JDA Cloud.
You can enable your users to be automatically signed-in to JDA Cloud (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with JDA Cloud, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.
JDA Cloud single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
JDA Cloud supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type JDA Cloud, select JDA Cloud from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<SUBDOMAIN>.jdadelivers.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.jdadelivers.com/sp/ACS.saml2
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://ssonp-dl2.jdadelivers.com/sp/startSSO.ping?PartnerIdpId=<Azure AD Identifier>
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. You will get the
Azure AD Identifier value from the Set up JDA Cloud section. Contact JDA Cloud Client support team to get these
values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up JDA Cloud section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure JDA Cloud Single Sign-On
To configure single sign-on on the JDA Cloud side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the JDA Cloud support team. They apply these settings so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create JDA Cloud test user
In this section, you create a user called Britta Simon in JDA Cloud. Work with JDA Cloud support team to add the
users in the JDA Cloud platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the JDA Cloud tile in the Access Panel, you should be automatically signed in to the JDA Cloud for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate JFrog Artifactory with Azure Active
Directory
9/3/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate JFrog Artifactory with Azure Active Directory (Azure AD). When you
integrate JFrog Artifactory with Azure AD, you can:
Control in Azure AD who has access to JFrog Artifactory.
Enable your users to be automatically signed-in to JFrog Artifactory with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
JFrog Artifactory single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
JFrog Artifactory supports SP and IDP initiated SSO
JFrog Artifactory supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern: <servername>.jfrog.io
b. In the Reply URL text box, type a URL using the following pattern:
https://<servername>.jfrog.io/<servername>/webapp/saml/loginResponse
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<servername>.jfrog.io/<servername>/webapp/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact JFrog
Artifactory Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. JFrog Artifactory application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click Edit icon to open User Attributes dialog.
7. In addition to the above, the JFrog Artifactory application expects a few more attributes to be passed back in the SAML
response. In the User Attributes & Claims section on the Group Claims (Preview) dialog, perform the
following steps:
a. Click the pen next to Groups returned in claim.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create JFrog Artifactory test user
In this section, a user called B.Simon is created in JFrog Artifactory. JFrog Artifactory supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in JFrog Artifactory, a new one is created after authentication.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the JFrog Artifactory tile in the Access Panel, you should be automatically signed in to the JFrog
Artifactory for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with JIRA SAML SSO by Microsoft
11/27/2019 • 9 minutes to read
In this tutorial, you'll learn how to integrate JIRA SAML SSO by Microsoft with Azure Active Directory (Azure AD).
When you integrate JIRA SAML SSO by Microsoft with Azure AD, you can:
Control in Azure AD who has access to JIRA SAML SSO by Microsoft.
Enable your users to be automatically signed-in to JIRA SAML SSO by Microsoft with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Description
Use your Microsoft Azure Active Directory account with Atlassian JIRA server to enable single sign-on. This way
all users in your organization can use their Azure AD credentials to sign in to the JIRA application. This plugin uses
SAML 2.0 for federation.
Prerequisites
To configure Azure AD integration with JIRA SAML SSO by Microsoft, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
JIRA Core and Software 6.4 to 8.0 or JIRA Service Desk 3.0 to 3.5 should be installed and configured on a Windows
64-bit version
JIRA server is HTTPS enabled
Note that the supported versions for the JIRA Plugin are mentioned in the section below.
JIRA server is reachable on the internet, particularly to the Azure AD Login page for authentication, and should be able to
receive the token from Azure AD
Admin credentials are set up in JIRA
WebSudo is disabled in JIRA
Test user created in the JIRA server application
NOTE
To test the steps in this tutorial, we do not recommend using a production environment of JIRA. Test the integration first in
development or staging environment of the application and then use the production environment.
NOTE
Please note that our JIRA Plugin also works on Ubuntu Version 16.04 and Linux.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
JIRA SAML SSO by Microsoft supports SP initiated SSO
Configure and test Azure AD single sign-on for JIRA SAML SSO by
Microsoft
Configure and test Azure AD SSO with JIRA SAML SSO by Microsoft using a test user called B.Simon. For SSO
to work, you need to establish a link relationship between an Azure AD user and the related user in JIRA SAML
SSO by Microsoft.
To configure and test Azure AD SSO with JIRA SAML SSO by Microsoft, complete the following building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure JIRA SAML SSO by Microsoft SSO - to configure the single sign-on settings on application side.
a. Create JIRA SAML SSO by Microsoft test user - to have a counterpart of B.Simon in JIRA SAML
SSO by Microsoft that is linked to the Azure AD representation of user.
3. Test SSO - to verify whether the configuration works.
b. In the Identifier box, type a URL using the following pattern: https://<domain:port>/
c. In the Reply URL text box, type a URL using the following pattern:
https://<domain:port>/plugins/servlet/saml/auth
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. Port is optional
in case it’s a named URL. These values are received during the configuration of Jira plugin, which is explained later in
the tutorial.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
3. Download the plugin from Microsoft Download Center. Manually upload the plugin provided by Microsoft
using Upload add-on menu. The download of plugin is covered under Microsoft Service Agreement.
4. For running the JIRA reverse proxy scenario or load balancer scenario perform the following steps:
NOTE
You should be configuring the server first with the below instructions and then install the plugin.
a. Add the following attributes to the connector port in the server.xml file of the JIRA server application.
scheme="https" proxyName="<subdomain.domain.com>" proxyPort="<proxy_port>" secure="true"
5. Once the plugin is installed, it appears in User Installed add-ons section of Manage Add-on section. Click
Configure to configure the new plugin.
a. In the Metadata URL textbox, paste App Federation Metadata Url value which you have copied
from the Azure portal and click the Resolve button. It reads the IdP metadata URL and populates all
the fields information.
b. Copy the Identifier, Reply URL and Sign on URL values and paste them in Identifier, Reply URL
and Sign on URL textboxes respectively in JIRA SAML SSO by Microsoft Domain and URLs
section on Azure portal.
c. In Login Button Name type the name of button your organization wants the users to see on login
screen.
d. In Login Button Description type the description of button your organization wants the users to
see on login screen.
e. In SAML User ID Locations select either User ID is in the NameIdentifier element of the
Subject statement or User ID is in an Attribute element. This ID has to be the JIRA user ID. If
the user ID is not matched, then system will not allow users to sign in.
NOTE
Default SAML User ID location is Name Identifier. You can change this to an attribute option and enter the
appropriate attribute name.
f. If you select User ID is in an Attribute element option, then in Attribute name textbox type the
name of the attribute where User ID is expected.
g. If you are using a federated domain (like ADFS etc.) with Azure AD, then click on the Enable
Home Realm Discovery option and configure the Domain Name.
h. In Domain Name, type the domain name in case of the ADFS-based login.
i. Check Enable Single Sign out if you wish to sign out from Azure AD when a user signs out from
JIRA.
j. Enable Force Azure Login checkbox, if you wish to sign in through Azure AD credentials only.
NOTE
To enable the default login form for admin login on the login page when Force Azure Login is enabled, add the
query parameter to the browser URL: https://<domain:port>/login.jsp?force_azure_login=false
NOTE
For more information about installation and troubleshooting, visit MS JIRA SSO Connector Admin Guide.
There is also an FAQ for your assistance.
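For the reverse proxy or load balancer scenario above, the following added example (not part of the original tutorial or of the Microsoft plugin) checks a server.xml for the four connector attributes the step lists and compares them with the Reply URL pattern https://<domain:port>/plugins/servlet/saml/auth. It assumes the Reply URL registered in Azure AD is the address users reach through the proxy; the function name, the sample server.xml and the host `jira.contoso.example` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REPLY_PATH = "/plugins/servlet/saml/auth"  # Reply URL path from the tutorial

# Constructed server.xml for illustration, with the four attributes from
# step 4a filled in on the connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               scheme="https" proxyName="jira.contoso.example"
               proxyPort="443" secure="true"/>
  </Service>
</Server>"""


def audit_connectors(server_xml, reply_url):
    """Return {connector port: [problems]} for every <Connector> element.

    An empty problem list means the connector carries scheme, proxyName,
    proxyPort and secure, and that they agree with the Reply URL."""
    reply = urlsplit(reply_url)
    if reply.scheme != "https" or reply.path != REPLY_PATH:
        raise ValueError("reply URL must look like https://<domain:port>" + REPLY_PATH)
    want_host = reply.hostname
    want_port = str(reply.port or 443)  # the port is optional for a named URL

    try:
        root = ET.fromstring(server_xml)
    except ET.ParseError as exc:
        # '<' is not allowed inside an XML attribute value, so a placeholder
        # such as proxyPort="<proxy_port>" pasted verbatim lands here.
        return {"server.xml": ["not well-formed XML: %s" % exc]}

    report = {}
    for conn in root.iter("Connector"):
        problems = []
        if conn.get("scheme") != "https":
            problems.append('scheme should be "https"')
        if conn.get("secure") != "true":
            problems.append('secure should be "true"')
        if (conn.get("proxyName") or "").lower() != want_host:
            problems.append("proxyName should be %s" % want_host)
        if conn.get("proxyPort") != want_port:
            problems.append("proxyPort should be %s" % want_port)
        report[conn.get("port", "?")] = problems
    return report


if __name__ == "__main__":
    reply_url = "https://jira.contoso.example" + REPLY_PATH
    print(audit_connectors(SAMPLE_SERVER_XML, reply_url))
    # Same file with the placeholder from the tutorial left unreplaced.
    unedited = SAMPLE_SERVER_XML.replace('proxyPort="443"', 'proxyPort="<proxy_port>"')
    print(audit_connectors(unedited, reply_url))
```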
3. You are redirected to Administrator Access page to enter Password and click Confirm button.
4. Under User management tab section, click create user.
5. On the “Create new user” dialog page, perform the following steps:
a. In the Email address textbox, type the email address of user like B.simon@contoso.com.
b. In the Full Name textbox, type full name of the user like B.Simon.
c. In the Username textbox, type the email of user like B.simon@contoso.com.
d. In the Password textbox, type the password of user.
e. Click Create user.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the JIRA SAML SSO by Microsoft tile in the Access Panel, you should be automatically signed in to
the JIRA SAML SSO by Microsoft for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try JIRA SAML SSO by Microsoft with Azure AD
Tutorial: Azure Active Directory integration with JIRA
SAML SSO by Microsoft (V5.2)
6/13/2019 • 9 minutes to read
In this tutorial, you learn how to integrate JIRA SAML SSO by Microsoft (V5.2) with Azure Active Directory (Azure
AD). Integrating JIRA SAML SSO by Microsoft (V5.2) with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to JIRA SAML SSO by Microsoft (V5.2).
You can enable your users to be automatically signed-in to JIRA SAML SSO by Microsoft (V5.2) (Single Sign-
On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Description
Use your Microsoft Azure Active Directory account with Atlassian JIRA server to enable single sign-on. This way
all users in your organization can use their Azure AD credentials to sign in to the JIRA application. This plugin uses
SAML 2.0 for federation.
Prerequisites
To configure Azure AD integration with JIRA SAML SSO by Microsoft (V5.2), you need the following items:
An Azure AD subscription
JIRA Core and Software 5.2 should be installed and configured on a Windows 64-bit version
JIRA server is HTTPS enabled
Note that the supported versions for the JIRA Plugin are mentioned in the section below.
JIRA server is reachable on the internet, particularly to the Azure AD Login page for authentication, and should be able to
receive the token from Azure AD
Admin credentials are set up in JIRA
WebSudo is disabled in JIRA
Test user created in the JIRA server application
NOTE
To test the steps in this tutorial, we do not recommend using a production environment of JIRA. Test the integration first in
development or staging environment of the application and then use the production environment.
To test the steps in this tutorial, you should follow these recommendations:
Do not use your production environment, unless it is necessary.
If you don't have an Azure AD trial environment, you can get a one-month trial here: Trial offer.
NOTE
Please note that our JIRA Plugin also works on Ubuntu Version 16.04
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
JIRA SAML SSO by Microsoft (V5.2) supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type JIRA SAML SSO by Microsoft (V5.2), select JIRA SAML SSO by Microsoft
(V5.2) from the result panel, then click the Add button to add the application.
Configure and test Azure AD single sign-on
In this section, you configure and test Azure AD single sign-on with JIRA SAML SSO by Microsoft (V5.2) based on
a test user called Britta Simon. For single sign-on to work, a link relationship between an Azure AD user and the
related user in JIRA SAML SSO by Microsoft (V5.2) needs to be established.
To configure and test Azure AD single sign-on with JIRA SAML SSO by Microsoft (V5.2), you need to complete
the following building blocks:
1. Configure Azure AD Single Sign-On - to enable your users to use this feature.
2. Configure JIRA SAML SSO by Microsoft (V5.2) Single Sign-On - to configure the Single Sign-On settings
on application side.
3. Create an Azure AD test user - to test Azure AD single sign-on with Britta Simon.
4. Assign the Azure AD test user - to enable Britta Simon to use Azure AD single sign-on.
5. Create JIRA SAML SSO by Microsoft (V5.2) test user - to have a counterpart of Britta Simon in JIRA
SAML SSO by Microsoft (V5.2) that is linked to the Azure AD representation of user.
6. Test single sign-on - to verify whether the configuration works.
Configure Azure AD single sign-on
In this section, you enable Azure AD single sign-on in the Azure portal.
To configure Azure AD single sign-on with JIRA SAML SSO by Microsoft (V5.2), perform the following steps:
1. In the Azure portal, on the JIRA SAML SSO by Microsoft (V5.2) application integration page, select
Single sign-on.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
a. In the Sign-on URL text box, type a URL using the following pattern:
https://<domain:port>/plugins/servlet/saml/auth
b. In the Identifier box, type a URL using the following pattern: https://<domain:port>/
c. In the Reply URL text box, type a URL using the following pattern:
https://<domain:port>/plugins/servlet/saml/auth
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. Port is optional
in case it’s a named URL. These values are received during the configuration of Jira plugin, which is explained later in
the tutorial.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy App Federation Metadata Url and save it on your computer.
4. Download the plugin from Microsoft Download Center. Manually upload the plugin provided by Microsoft
using Upload add-on menu. The download of plugin is covered under Microsoft Service Agreement.
5. Once the plugin is installed, it appears in User Installed add-ons section. Click Configure to configure the
new plugin.
a. In Metadata URL textbox, paste App Federation Metadata Url value which you have copied from the
Azure portal and click the Resolve button. It reads the IdP metadata URL and populates all the fields
information.
b. Copy the Identifier, Reply URL and Sign on URL values and paste them in Identifier, Reply URL and
Sign on URL textboxes respectively in Basic SAML Configuration section on Azure portal.
c. In Login Button Name type the name of button your organization wants the users to see on login
screen.
d. In SAML User ID Locations select either User ID is in the NameIdentifier element of the Subject
statement or User ID is in an Attribute element. This ID has to be the JIRA user ID. If the user ID is not
matched, then system will not allow users to sign in.
NOTE
Default SAML User ID location is Name Identifier. You can change this to an attribute option and enter the
appropriate attribute name.
e. If you select User ID is in an Attribute element option, then in Attribute name textbox type the name
of the attribute where User ID is expected.
f. If you are using the federated domain (like ADFS etc.) with Azure AD, then click on the Enable Home
Realm Discovery option and configure the Domain Name.
g. In Domain Name, type the domain name in case of the ADFS-based login.
h. Check Enable Single Sign out if you wish to sign out from Azure AD when a user signs out from JIRA.
i. Click Save button to save the settings.
NOTE
For more information about installation and troubleshooting, visit MS JIRA SSO Connector Admin Guide.
There is also an FAQ for your assistance.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create JIRA SAML SSO by Microsoft (V5.2) test user
To enable Azure AD users to sign in to JIRA on-premises server, they must be provisioned into JIRA on-premises
server.
To provision a user account, perform the following steps:
1. Sign in to your JIRA on-premises server as an administrator.
2. Hover on cog and click the User management.
3. You are redirected to Administrator Access page to enter Password and click Confirm button.
5. On the “Create new user” dialog page, perform the following steps:
a. In the Email address textbox, type the email address of user like Brittasimon@contoso.com.
b. In the Full Name textbox, type full name of the user like Britta Simon.
c. In the Username textbox, type the email of user like Brittasimon@contoso.com.
d. In the Password textbox, type the password of user.
e. Click Create user.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the JIRA SAML SSO by Microsoft (V5.2) tile in the Access Panel, you should be automatically
signed in to the JIRA SAML SSO by Microsoft (V5.2) for which you set up SSO. For more information about the
Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Jitbit
Helpdesk
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Jitbit Helpdesk with Azure Active Directory (Azure AD). Integrating Jitbit
Helpdesk with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Jitbit Helpdesk.
You can enable your users to be automatically signed-in to Jitbit Helpdesk (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Jitbit Helpdesk, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Jitbit Helpdesk single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Jitbit Helpdesk supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Jitbit Helpdesk, select Jitbit Helpdesk from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
NOTE
This value is not real. Update this value with the actual Sign-On URL. Contact Jitbit Helpdesk Client support team to
get this value.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up Jitbit Helpdesk section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Jitbit Helpdesk Single Sign-On
1. In a different web browser window, sign in to your Jitbit Helpdesk company site as an administrator.
2. In the toolbar on the top, click Administration.
a. Select Enable SAML 2.0 single sign on, to sign in using Single Sign-On (SSO), with OneLogin.
b. In the EndPoint URL textbox, paste the Login URL value that you copied from the Azure portal.
c. Open your base-64 encoded certificate in Notepad, copy its content to your clipboard, and then
paste it into the X.509 Certificate textbox.
d. Click Save changes.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Jitbit Helpdesk test user
In order to enable Azure AD users to sign in to Jitbit Helpdesk, they must be provisioned into Jitbit Helpdesk. In
the case of Jitbit Helpdesk, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Jitbit Helpdesk tenant.
2. In the menu on the top, click Administration.
5. In the Create section, type the data of the Azure AD account you want to provision as follows:
a. In the Username textbox, type the username of the user like BrittaSimon.
b. In the Email textbox, type email of the user like BrittaSimon@contoso.com.
c. In the First Name textbox, type first name of the user like Britta.
d. In the Last Name textbox, type last name of the user like Simon.
e. Click Create.
NOTE
You can use any other Jitbit Helpdesk user account creation tools or APIs provided by Jitbit Helpdesk to provision Azure AD
user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Jive
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Jive with Azure Active Directory (Azure AD). Integrating Jive with Azure
AD provides you with the following benefits:
You can control in Azure AD who has access to Jive.
You can enable your users to be automatically signed-in to Jive (Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Jive, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Jive single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Jive supports SP initiated SSO
Jive supports Automated user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Jive, select Jive from result panel then click Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<instance name>.jiveon.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Jive Client support
team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Jive section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Jive Single Sign-On
1. To configure single sign-on on the Jive side, sign in to your Jive tenant as an administrator.
2. In the menu on the top, click SAML.
a. In the Email textbox, copy and paste the attribute name of mail value.
b. In the First Name textbox, copy and paste the attribute name of givenname value.
c. In the Last Name textbox, copy and paste the attribute name of surname value.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Jive test user
The objective of this section is to create a user called Britta Simon in Jive. Jive supports automatic user
provisioning, which is by default enabled. You can find more details here on how to configure automatic user
provisioning.
If you need to create user manually, work with Jive Client support team to add the users in the Jive platform.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Jive tile in the Access Panel, you should be automatically signed in to the Jive for which you set
up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Configure User Provisioning
Tutorial: Azure Active Directory integration with Jobbadmin
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Jobbadmin with Azure Active Directory (Azure AD). Integrating
Jobbadmin with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Jobbadmin.
You can enable your users to be automatically signed-in to Jobbadmin (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Jobbadmin, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Jobbadmin single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Jobbadmin supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Jobbadmin, select Jobbadmin from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<instancename>.jobnorge.no
c. In the Reply URL textbox, type a URL using the following pattern:
https://<instancename>.jobbnorge.no/auth/saml2/login.ashx
NOTE
These values are not real. Update these values with the actual Sign on URL, Identifier and Reply URL. Contact
Jobbadmin Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Jobbadmin section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Jobbadmin Single Sign-On
To configure single sign-on on the Jobbadmin side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the Jobbadmin support team. They apply this configuration
so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Jobbadmin test user
In this section, you create a user called Britta Simon in Jobbadmin. Work with Jobbadmin support team to add the
users in the Jobbadmin platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Jobbadmin tile in the Access Panel, you should be automatically signed in to the Jobbadmin for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate JOBHUB with Azure Active Directory
6/17/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate JOBHUB with Azure Active Directory (Azure AD). When you integrate
JOBHUB with Azure AD, you can:
Control in Azure AD who has access to JOBHUB.
Enable your users to be automatically signed-in to JOBHUB with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
JOBHUB single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. JOBHUB supports SP initiated SSO.
4. On the Basic SAML Configuration section, enter the values for the following fields: In the Sign-on URL
text box, type a URL using the following pattern: https://pasona.jobhub.jp/saml/init
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact JOBHUB Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. In the SAML Signing Certificate section, click Edit button to open SAML Signing Certificate dialog.
6. In the SAML Signing Certificate section, copy the Thumbprint and save it on your computer.
7. On the Set up JOBHUB section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure JOBHUB SSO
To configure single sign-on on the JOBHUB side, you need to send the Thumbprint value and the appropriate copied
URLs from the Azure portal to the JOBHUB support team. They apply this configuration so that the SAML SSO
connection is set properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called Britta Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter Britta Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
BrittaSimon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable Britta Simon to use Azure single sign-on by granting access to JOBHUB.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select JOBHUB.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create JOBHUB test user
In this section, you create a user called Britta Simon in JOBHUB. Work with JOBHUB support team to add the
users in the JOBHUB platform. Users must be created and activated before you use single sign-on.
Test SSO
When you select the JOBHUB tile in the Access Panel, you should be automatically signed in to the JOBHUB for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Jobscience
2/12/2019 • 8 minutes to read
In this tutorial, you learn how to integrate Jobscience with Azure Active Directory (Azure AD).
Integrating Jobscience with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Jobscience
You can enable your users to automatically get signed-on to Jobscience (Single Sign-On) with their Azure AD
accounts
You can manage your accounts in one central location - the Azure portal
If you want to know more details about SaaS app integration with Azure AD, see what is application access and
single sign-on with Azure Active Directory.
Prerequisites
To configure Azure AD integration with Jobscience, you need the following items:
An Azure AD subscription
A Jobscience single sign-on enabled subscription
NOTE
To test the steps in this tutorial, we do not recommend using a production environment.
To test the steps in this tutorial, you should follow these recommendations:
Do not use your production environment, unless it is necessary.
If you don't have an Azure AD trial environment, you can get a one-month trial here: Trial offer.
Scenario description
In this tutorial, you test Azure AD single sign-on in a test environment. The scenario outlined in this tutorial
consists of two main building blocks:
1. Adding Jobscience from the gallery
2. Configuring and testing Azure AD single sign-on
3. To add new application, click New application button on the top of dialog.
5. In the results panel, select Jobscience, and then click Add button to add the application.
2. On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable single sign-on.
3. On the Jobscience Domain and URLs section, perform the following steps:
In the Sign-on URL textbox, type a URL using the following pattern:
http://<company name>.my.salesforce.com
NOTE
This value is not real. Update this value with the actual Sign-On URL. Get this value from the Jobscience Client support
team or from the SSO profile you will create, which is explained later in the tutorial.
4. On the SAML Signing Certificate section, click Certificate (Base64) and then save the certificate file on
your computer.
6. On the Jobscience Configuration section, click Configure Jobscience to open Configure sign-on
window. Copy the Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL from the
Quick Reference section.
9. On the left navigation pane, in the Administer section, click Domain Management to expand the related
section, and then click My Domain to open the My Domain page.
10. To verify that your domain has been set up correctly, make sure that it is in “Step 4 Deployed to Users”
and review your “My Domain Settings”.
11. On the Jobscience company site, click Security Controls, and then click Single Sign-On Settings.
12. In the Single Sign-On Settings section, perform the following steps:
15. On the My Domain page, in the Login Page Branding section, click Edit.
16. On the Login Page Branding page, in the Authentication Service section, the name of your SAML SSO
Settings is displayed. Select it, and then click Save.
17. To get the SP initiated Single Sign on Login URL click on the Single Sign On settings in the Security
Controls menu section.
Click the SSO profile you have created in the step above. This page shows the Single Sign on URL for your
company (for example, https://companyname.my.salesforce.com?so=companyid).
TIP
You can now read a concise version of these instructions inside the Azure portal, while you are setting up the app! After
adding this app from the Active Directory > Enterprise Applications section, simply click the Single Sign-On tab and
access the embedded documentation through the Configuration section at the bottom. You can read more about the
embedded documentation feature here: Azure AD embedded documentation
2. To display the list of users, go to Users and groups and click All users.
3. To open the User dialog, click Add on the top of the dialog.
NOTE
You can use any other Jobscience user account creation tools or APIs provided by Jobscience to provision Azure Active
Directory user accounts.
NOTE
The Azure Active Directory account holder receives an email and follows a link to confirm their account before it becomes
active.
4. Click Add button. Then select Users and groups on Add Assignment dialog.
5. On Users and groups dialog, select Britta Simon in the Users list.
6. Click Select button on Users and groups dialog.
7. Click Assign button on Add Assignment dialog.
Testing single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Jobscience tile in the Access Panel, you should get automatically signed-on to your Jobscience
application. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
Tutorial: Azure Active Directory integration with JobScore
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate JobScore with Azure Active Directory (Azure AD). Integrating JobScore
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to JobScore.
You can enable your users to be automatically signed-in to JobScore (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with JobScore, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
JobScore single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
JobScore supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type JobScore, select JobScore from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact JobScore Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up JobScore section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure JobScore Single Sign-On
To configure single sign-on on the JobScore side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the JobScore support team. They apply this configuration so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create JobScore test user
In this section, you create a user called Britta Simon in JobScore. Work with JobScore support team to add the
users in the JobScore platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the JobScore tile in the Access Panel, you should be automatically signed in to the JobScore for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with join.me
10/30/2019 • 4 minutes to read
In this tutorial, you learn how to integrate join.me with Azure Active Directory (Azure AD). Integrating join.me with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to join.me.
You can enable your users to be automatically signed-in to join.me (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with join.me, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
join.me single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
join.me supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type join.me, select join.me from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create join.me test user
In this section, you create a user called Britta Simon in join.me. Work with join.me support team to add the users in
the join.me platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the join.me tile in the Access Panel, you should be automatically signed in to the join.me for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Jostle
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Jostle with Azure Active Directory (Azure AD). Integrating Jostle with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Jostle.
You can enable your users to be automatically signed-in to Jostle (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Jostle, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Jostle single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Jostle supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Jostle, select Jostle from result panel then click Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Jostle section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Jostle Single Sign-On
To configure single sign-on on the Jostle side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the Jostle support team. They apply this configuration so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Jostle test user
In this section, you create a user called Britta Simon in Jostle. Work with Jostle support team to add the users in the
Jostle platform. Users must be created and activated before you use single sign-on.
NOTE
The Azure Active Directory account holder receives an email and follows a link to confirm their account before it becomes
active.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with Juno Journey
10/10/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Juno Journey with Azure Active Directory (Azure AD). When you
integrate Juno Journey with Azure AD, you can:
Control in Azure AD who has access to Juno Journey.
Enable your users to be automatically signed-in to Juno Journey with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Juno Journey single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Juno Journey supports SP and IDP initiated SSO
Juno Journey supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://<tenant-subdomain>.the-juno.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<tenant-subdomain>.the-juno.com/sso/saml/login
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<tenant-subdomain>.the-juno.com/sso/saml/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the Juno
Journey Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Raw) and select Download to download the certificate and save it on your computer.
7. On the Set up Juno Journey section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Juno Journey tile in the Access Panel, you should be automatically signed in to the Juno
Journey instance for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Juno Journey with Azure AD
Tutorial: Integrate Kallidus with Azure Active
Directory
7/9/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate Kallidus with Azure Active Directory (Azure AD). When you integrate
Kallidus with Azure AD, you can:
Control in Azure AD who has access to Kallidus.
Enable your users to be automatically signed-in to Kallidus with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Kallidus single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Kallidus supports IDP initiated SSO.
NOTE
The value is not real. Update the value with the actual Reply URL. Contact the Kallidus Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
Configure Kallidus
To configure single sign-on on the Kallidus side, send the App Federation Metadata Url to the Kallidus
support team. They apply this setting so that the SAML SSO connection is configured properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Kallidus.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Kallidus.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Kallidus test user
In this section, you create a user called Britta Simon in Kallidus. Work with the Kallidus support team to add the users
to the Kallidus platform. Users must be created and activated before you use single sign-on.
Test SSO
When you select the Kallidus tile in the Access Panel, you should be automatically signed in to the Kallidus instance for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Kanbanize
10/15/2019 • 7 minutes to read
In this tutorial, you'll learn how to integrate Kanbanize with Azure Active Directory (Azure AD). When you
integrate Kanbanize with Azure AD, you can:
Control in Azure AD who has access to Kanbanize.
Enable your users to be automatically signed-in to Kanbanize with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Kanbanize single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Kanbanize supports SP and IDP initiated SSO
Kanbanize supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern: https://<subdomain>.kanbanize.com/
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.kanbanize.com/saml/acs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<subdomain>.kanbanize.com
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the
Kanbanize Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. The Kanbanize application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes, where nameidentifier is mapped to user.userprincipalname. The Kanbanize application
expects nameidentifier to be mapped to user.mail, so you need to edit the attribute mapping by clicking
the Edit icon and changing the attribute mapping.
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
8. On the Set up Kanbanize section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After you add the extension to the browser, clicking Set up Kanbanize directs you to the Kanbanize
application. From there, provide the admin credentials to sign in to Kanbanize. The browser extension will
automatically configure the application for you and automate steps 3-7.
3. If you want to set up Kanbanize manually, open a new web browser window, sign in to your Kanbanize
company site as an administrator, and perform the following steps:
4. At the top right of the page, click the Settings logo.
5. On the Administration panel page, from the menu on the left, click Integrations and then enable Single
Sign-On.
6. Under the Integrations section, click CONFIGURE to open the Single Sign-On Integration page.
7. On the Single Sign-On Integration page under Configurations, perform the following steps:
a. In the Idp Entity ID textbox, paste the value of Azure AD Identifier, which you have copied from the
Azure portal.
b. In the Idp Login Endpoint textbox, paste the value of Login URL, which you have copied from the
Azure portal.
c. In the Idp Logout Endpoint textbox, paste the value of Logout URL, which you have copied from the
Azure portal.
d. In the Attribute name for Email textbox, enter this value:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
NOTE
You can get these values by combining the namespace and name values of the respective attribute from the User
attributes section in the Azure portal.
g. In Notepad, open the base-64 encoded certificate that you downloaded from the Azure portal, copy its
content (without the start and end markers), and then paste it into the Idp X.509 Certificate box.
h. Check Enable login with both SSO and Kanbanize.
i. Click Save Settings.
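The values pasted in steps d and g, and the nameidentifier mapping from the Azure side, can be checked before saving. This is an added example, not code from Kanbanize or Microsoft: the function names, the stand-in certificate bytes and the sample assertions are constructed for illustration, and the check assumes the emailaddress claim carries user.mail.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Namespace and name of the email claim, as combined in the NOTE above.
CLAIM_NAMESPACE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
CLAIM_NAME = "emailaddress"


def claim_uri(namespace: str, name: str) -> str:
    """Combine a claim's namespace and name into the full attribute name."""
    return namespace.rstrip("/") + "/" + name


def pem_body(pem_text: str) -> str:
    """Return the Base64 body of a PEM certificate, without start/end markers."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S
    )
    if match is None:
        raise ValueError("no certificate start/end markers found")
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    der = base64.b64decode(body, validate=True)  # raises on non-Base64 input
    if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded data does not look like a DER certificate")
    return body


def check_assertion(assertion_xml: str, email_attr: str) -> list:
    """List mismatches between a decoded assertion and the expected mapping.

    This inspects claim mapping only; it does not validate the XML signature.
    """
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.findtext(
        "saml:Subject/saml:NameID", default="", namespaces=SAML
    ).strip()
    emails = [
        (value.text or "").strip()
        for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML)
        if attr.get("Name") == email_attr
        for value in attr.iterfind("saml:AttributeValue", SAML)
    ]
    if not name_id:
        problems.append("NameID is missing")
    if not emails:
        problems.append("email attribute " + email_attr + " is missing")
    elif name_id and name_id.lower() not in [e.lower() for e in emails]:
        problems.append(
            "NameID does not match the email attribute "
            "(nameidentifier still mapped to user.userprincipalname?)"
        )
    return problems


# --- Constructed sample input (not real tenant data) ---
SAMPLE_DER = b"\x30\x10" + b"constructed-cert"  # stand-in bytes, not a real certificate
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def sample_assertion(name_id: str, mail: str) -> str:
    """Build a minimal, unsigned assertion for the check (constructed)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Subject><saml:NameID>" + name_id + "</saml:NameID></saml:Subject>"
        '<saml:AttributeStatement><saml:Attribute Name="'
        + claim_uri(CLAIM_NAMESPACE, CLAIM_NAME) + '">'
        "<saml:AttributeValue>" + mail + "</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    email_attr = claim_uri(CLAIM_NAMESPACE, CLAIM_NAME)
    print("Attribute name for Email:", email_attr)
    print("Idp X.509 Certificate   :", pem_body(SAMPLE_PEM))
    mapped = sample_assertion("b.simon@contoso.com", "B.Simon@contoso.com")
    unmapped = sample_assertion("bsimon@contoso.onmicrosoft.com", "B.Simon@contoso.com")
    print("after mapping to user.mail:", check_assertion(mapped, email_attr))
    print("default UPN mapping       :", check_assertion(unmapped, email_attr))
```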
Create Kanbanize test user
In this section, a user called B.Simon is created in Kanbanize. Kanbanize supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in
Kanbanize, a new one is created after authentication. If you need to create a user manually, contact the Kanbanize
Client support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Kanbanize tile in the Access Panel, you should be automatically signed in to the Kanbanize instance for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Kanbanize with Azure AD
Tutorial: Azure Active Directory integration with
Kantega SSO for Bamboo
6/13/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Kantega SSO for Bamboo with Azure Active Directory (Azure AD).
Integrating Kantega SSO for Bamboo with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Kantega SSO for Bamboo.
You can enable your users to be automatically signed-in to Kantega SSO for Bamboo (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Kantega SSO for Bamboo, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Kantega SSO for Bamboo single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Kantega SSO for Bamboo supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Kantega SSO for Bamboo, select Kantega SSO for Bamboo from the result panel,
then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login
b. In the Reply URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. These values
are received during the configuration of the Bamboo plugin, which is explained later in the tutorial.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Kantega SSO for Bamboo section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Kantega SSO for Bamboo Single Sign-On
1. In a different web browser window, sign in to your Bamboo on-premises server as an administrator.
2. Hover over the cog and click Add-ons.
3. Under the Add-ons tab section, click Find new add-ons. Search for Kantega SSO for Bamboo (SAML &
Kerberos) and click the Install button to install the new SAML plugin.
6. Click Manage.
8. In the SAML section, select Azure Active Directory (Azure AD) from the Add identity provider
dropdown.
a. Copy the App ID URI value and use it as the Identifier, Reply URL, and Sign-On URL in the Basic SAML
Configuration section in the Azure portal.
b. Click Next.
11. On the Metadata import section, perform the following steps:
a. Select Metadata file on my computer, and upload the metadata file that you downloaded from the
Azure portal.
b. Click Next.
12. On the Name and SSO location section, perform the following steps:
a. Enter the name of the identity provider in the Identity provider name textbox (e.g., Azure AD).
b. Click Next.
13. Verify the Signing certificate and click Next.
14. On the Bamboo user accounts section, perform the following steps:
a. Select Create users in Bamboo's internal Directory if needed and enter the appropriate name of the
group for users (multiple groups can be entered, separated by commas).
b. Click Next.
15. Click Finish.
16. On the Known domains for Azure AD section, perform the following steps:
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Kantega SSO for Bamboo test user
To enable Azure AD users to sign in to Bamboo, they must be provisioned into Bamboo. In the case of Kantega SSO
for Bamboo, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Bamboo on-premises server as an administrator.
2. Hover over the cog and click User management.
3. Click Users. Under the Add user section, perform the following steps:
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Kantega SSO for Bitbucket
6/13/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Kantega SSO for Bitbucket with Azure Active Directory (Azure AD).
Integrating Kantega SSO for Bitbucket with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Kantega SSO for Bitbucket.
You can enable your users to be automatically signed-in to Kantega SSO for Bitbucket (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Kantega SSO for Bitbucket, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Kantega SSO for Bitbucket single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Kantega SSO for Bitbucket supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Kantega SSO for Bitbucket, select Kantega SSO for Bitbucket from the result panel,
then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login
b. In the Reply URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. These values
are received during the configuration of the Bitbucket plugin, which is explained later in the tutorial.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Kantega SSO for Bitbucket section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Kantega SSO for Bitbucket Single Sign-On
1. In a different web browser window, sign in to your Bitbucket admin portal as an administrator.
2. Click the cog and click Find new add-ons.
3. Search for Kantega SSO for Bitbucket SAML & Kerberos and click the Install button to install the new SAML
plugin.
4. The plugin installation starts.
6. Click Manage.
a. Select Metadata file on my computer, and upload the metadata file that you downloaded from the
Azure portal.
b. Click Next.
12. On the Name and SSO location section, perform the following steps:
a. Enter the name of the identity provider in the Identity provider name textbox (e.g., Azure AD).
b. Click Next.
13. Verify the Signing certificate and click Next.
a. Select Create users in Bitbucket's internal Directory if needed and enter the appropriate name of the
group for users (multiple groups can be entered, separated by commas).
b. Click Next.
15. Click Finish.
16. On the Known domains for Azure AD section, perform the following steps:
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Kantega SSO for Bitbucket test user
To enable Azure AD users to sign in to Bitbucket, they must be provisioned into Bitbucket. In the case of Kantega SSO
for Bitbucket, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Bitbucket company site as an administrator.
2. Click the settings icon.
3. Under the Administration tab section, click Users.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Kantega SSO for Confluence
6/13/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Kantega SSO for Confluence with Azure Active Directory (Azure AD).
Integrating Kantega SSO for Confluence with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Kantega SSO for Confluence.
You can enable your users to be automatically signed-in to Kantega SSO for Confluence (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Kantega SSO for Confluence, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Kantega SSO for Confluence single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Kantega SSO for Confluence supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Kantega SSO for Confluence, select Kantega SSO for Confluence from the result
panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login
b. In the Reply URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. These values
are received during the configuration of the Confluence plugin, which is explained later in the tutorial.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Kantega SSO for Confluence section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Kantega SSO for Confluence Single Sign-On
1. In a different web browser window, sign in to your Confluence admin portal as an administrator.
2. Hover over the cog and click Add-ons.
4. Search for Kantega SSO for Confluence SAML Kerberos and click the Install button to install the new SAML
plugin.
5. The plugin installation starts.
7. Click Manage.
9. This new plugin can also be found under the USERS & SECURITY tab.
10. In the SAML section, select Azure Active Directory (Azure AD) from the Add identity provider
dropdown.
a. Select Metadata file on my computer, and upload the metadata file that you downloaded from the
Azure portal.
b. Click Next.
14. On the Name and SSO location section, perform the following steps:
a. Enter the name of the identity provider in the Identity provider name textbox (e.g., Azure AD).
b. Click Next.
15. Verify the Signing certificate and click Next.
a. Select Create users in Confluence's internal Directory if needed and enter the appropriate name of
the group for users (multiple groups can be entered, separated by commas).
b. Click Next.
17. Click Finish.
18. On the Known domains for Azure AD section, perform the following steps:
a. Select Known domains from the left panel of the page.
b. Enter domain name in the Known domains textbox.
c. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Kantega SSO for Confluence test user
To enable Azure AD users to sign in to Confluence, they must be provisioned into Confluence. In the case of
Kantega SSO for Confluence, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Kantega SSO for Confluence company site as an administrator.
2. Hover over the cog and click User management.
3. Under the Users section, click the Add Users tab. On the Add a User dialog page, perform the following steps:
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Kantega SSO for FishEye/Crucible
7/5/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Kantega SSO for FishEye/Crucible with Azure Active Directory (Azure
AD). Integrating Kantega SSO for FishEye/Crucible with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Kantega SSO for FishEye/Crucible.
You can enable your users to be automatically signed-in to Kantega SSO for FishEye/Crucible (Single Sign-On)
with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Kantega SSO for FishEye/Crucible, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Kantega SSO for FishEye/Crucible single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Kantega SSO for FishEye/Crucible supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Kantega SSO for FishEye/Crucible, select Kantega SSO for FishEye/Crucible
from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login
b. In the Reply URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. These values
are received during the configuration of the FishEye/Crucible plugin, which is explained later in the tutorial.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Kantega SSO for FishEye/Crucible section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Kantega SSO for FishEye/Crucible Single Sign-On
1. In a different web browser window, sign in to your FishEye/Crucible on-premises server as an administrator.
2. Hover on cog and click the Add-ons.
4. Search Kantega SSO for Crucible and click Install button to install the new SAML plugin.
7. Click Manage.
9. In the SAML section. Select Azure Active Directory (Azure AD ) from the Add identity provider
dropdown.
10. Select subscription level as Basic.
a. Copy the App ID URI value and use it as Identifier, Reply URL, and Sign-On URL on the Basic SAML
Configuration section in Azure portal.
b. Click Next.
12. On the Metadata import section, perform the following steps:
a. Select Metadata file on my computer, and upload the metadata file that you downloaded from the
Azure portal.
b. Click Next.
13. On the Name and SSO location section, perform the following steps:
a. Add the name of the identity provider in the Identity provider name textbox (e.g., Azure AD).
b. Click Next.
14. Verify the Signing certificate and click Next.
15. On the FishEye user accounts section, perform the following steps:
a. Select Create users in FishEye's internal Directory if needed and enter the appropriate name of the
group for users (multiple groups can be entered, separated by commas).
b. Click Next.
16. Click Finish.
17. On the Known domains for Azure AD section, perform the following steps:
a. Select Known domains from the left panel of the page.
b. Enter domain name in the Known domains textbox.
c. Click Save.
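Before uploading the Federation Metadata XML and confirming the signing certificate in the steps above, it helps to see what the file actually contains. The following is an added example, not part of the original tutorial or of the Kantega plugin: it reads a SAML 2.0 metadata file and reports the entity ID, the sign-on and logout endpoints, and the fingerprints of every signing certificate, flagging non-HTTPS endpoints and a missing signing key. The sample metadata, tenant ID and certificate bytes are constructed placeholders.

```python
import base64
import binascii
import hashlib
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample input: placeholder tenant ID and placeholder "certificate" bytes.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_CERT_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case hex digest of the DER-encoded certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def summarize_metadata(xml_data):
    """Summarise IdP metadata (str or bytes) and list anything that looks wrong."""
    root = ET.fromstring(xml_data)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an identity provider)")

    problems, certs = [], []
    for key in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute applies to signing as well.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # drop line breaks inside the blob
            try:
                der = base64.b64decode(b64, validate=True)
            except binascii.Error:
                der = b""
            if not der:
                problems.append("signing certificate is empty or not valid base64")
                continue
            certs.append({"sha1": fingerprint(der, "sha1"), "sha256": fingerprint(der)})
    if not certs:
        problems.append("no usable signing certificate in IDPSSODescriptor")

    def endpoints(tag):
        found = [(e.get("Binding", ""), e.get("Location", "")) for e in idp.findall(f"md:{tag}", NS)]
        for _, location in found:
            if not location.lower().startswith("https://"):
                problems.append(f"{tag} location is not HTTPS: {location!r}")
        return found

    sign_on = endpoints("SingleSignOnService")
    if not sign_on:
        problems.append("no SingleSignOnService endpoint")
    return {
        "entity_id": root.get("entityID", ""),
        "sign_on": sign_on,
        "logout": endpoints("SingleLogoutService"),
        "signing_certificates": certs,
        "problems": problems,
    }


if __name__ == "__main__":
    # Pass the downloaded metadata file as the first argument; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for field, value in summarize_metadata(data).items():
        print(f"{field}: {value}")
```

Compare the reported entity ID, endpoints and certificate fingerprints with the values shown for the application in the Azure portal before accepting the certificate in the plugin.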
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Kantega SSO for FishEye/Crucible test user
To enable Azure AD users to sign in to FishEye/Crucible, they must be provisioned into FishEye/Crucible. In
Kantega SSO for FishEye/Crucible, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Crucible on-premises server as an administrator.
2. Hover over the cog and click Users.
3. Under the Users tab section, click Add user.
4. On the Add New User dialog page, perform the following steps:
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Kantega SSO for JIRA
6/13/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Kantega SSO for JIRA with Azure Active Directory (Azure AD).
Integrating Kantega SSO for JIRA with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Kantega SSO for JIRA.
You can enable your users to be automatically signed-in to Kantega SSO for JIRA (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Kantega SSO for JIRA, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Kantega SSO for JIRA single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Kantega SSO for JIRA supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Kantega SSO for JIRA, select Kantega SSO for JIRA from the result panel, then click the
Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login
b. In the Reply URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/no.kantega.saml/sp/<uniqueid>/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. These values
are received during the configuration of Jira plugin, which is explained later in the tutorial.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Kantega SSO for JIRA section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Kantega SSO for JIRA Single Sign-On
1. In a different web browser window, sign in to your JIRA on-premises server as an administrator.
2. Hover over the cog and click Add-ons.
3. Under the Add-ons tab section, click Find new add-ons. Search for Kantega SSO for JIRA (SAML & Kerberos)
and click the Install button to install the new SAML plugin.
6. Click Manage.
7. The new plugin is listed under INTEGRATIONS. Click Configure to configure the new plugin.
8. In the SAML section, select Azure Active Directory (Azure AD) from the Add identity provider
dropdown.
a. Copy the App ID URI value and use it as Identifier, Reply URL, and Sign-On URL on the Basic SAML
Configuration section in Azure portal.
b. Click Next.
11. On the Metadata import section, perform the following steps:
a. Select Metadata file on my computer, and upload the metadata file that you downloaded from the
Azure portal.
b. Click Next.
12. On the Name and SSO location section, perform the following steps:
a. Add the name of the identity provider in the Identity provider name textbox (e.g., Azure AD).
b. Click Next.
13. Verify the Signing certificate and click Next.
a. Select Create users in JIRA's internal Directory if needed and enter the appropriate name of the
group for users (multiple groups can be entered, separated by commas).
b. Click Next.
15. Click Finish.
16. On the Known domains for Azure AD section, perform the following steps:
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Kantega SSO for JIRA test user
To enable Azure AD users to sign in to JIRA, they must be provisioned into JIRA. In Kantega SSO for JIRA,
provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your JIRA on-premises server as an administrator.
2. Hover over the cog and click User management.
3. Under the User management tab section, click Create user.
4. On the “Create new user” dialog page, perform the following steps:
a. In the Email address textbox, type the email address of the user, like Brittasimon@contoso.com.
b. In the Full Name textbox, type the full name of the user, like Britta Simon.
c. In the Username textbox, type the email of the user, like Brittasimon@contoso.com.
d. In the Password textbox, type the password of the user.
e. Click Create user.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Kantega SSO for JIRA tile in the Access Panel, you should be automatically signed in to the
Kantega SSO for JIRA for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Keeper Password Manager & Digital Vault
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Keeper Password Manager & Digital Vault with Azure Active Directory
(Azure AD). Integrating Keeper Password Manager & Digital Vault with Azure AD provides you with the following
benefits:
You can control in Azure AD who has access to Keeper Password Manager & Digital Vault.
You can enable your users to be automatically signed-in to Keeper Password Manager & Digital Vault (Single
Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Keeper Password Manager & Digital Vault, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Keeper Password Manager & Digital Vault single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Keeper Password Manager & Digital Vault supports SP initiated SSO
Keeper Password Manager & Digital Vault supports Just In Time user provisioning
Adding Keeper Password Manager & Digital Vault from the gallery
To configure the integration of Keeper Password Manager & Digital Vault into Azure AD, you need to add Keeper
Password Manager & Digital Vault from the gallery to your list of managed SaaS apps.
To add Keeper Password Manager & Digital Vault from the gallery, perform the following steps:
1. In the Azure portal, on the left navigation panel, click Azure Active Directory icon.
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Keeper Password Manager & Digital Vault, select Keeper Password Manager
& Digital Vault from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://{SSO CONNECT SERVER}/sso-connect
c. In the Reply URL textbox, type a URL using the following pattern:
https://{SSO CONNECT SERVER}/sso-connect/saml/sso
NOTE
These values are not real. Update these values with the actual Sign on URL, Identifier and Reply URL. Contact Keeper
Password Manager & Digital Vault Client support team to get these values. You can also refer to the patterns shown
in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Keeper Password Manager & Digital Vault section, copy the appropriate URL(s) as per
your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Keeper Password Manager & Digital Vault Single Sign-On
To configure single sign-on on the Keeper Password Manager & Digital Vault side, follow the
guidelines given at Keeper Support Guide.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. In the applications list, select Keeper Password Manager & Digital Vault.
3. In the menu on the left, select Users and groups.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Keeper Password Manager & Digital Vault test user
To enable Azure AD users to log in to Keeper Password Manager & Digital Vault, they must be provisioned into
Keeper Password Manager & Digital Vault. The application supports just-in-time user provisioning, so users are
created in the application automatically after authentication. You can contact Keeper Support if you want to
set up users manually.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Keeper Password Manager & Digital Vault tile in the Access Panel, you should be automatically
signed in to the Keeper Password Manager & Digital Vault for which you set up SSO. For more information about
the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Kindling
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Kindling with Azure Active Directory (Azure AD). Integrating Kindling
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Kindling.
You can enable your users to be automatically signed-in to Kindling (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Kindling, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Kindling single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Kindling supports SP initiated SSO
Kindling supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Kindling, select Kindling from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.kindlingapp.com/saml/module.php/saml/sp/metadata.php/clientIDP
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Kindling Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Kindling section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Kindling Single Sign-On
To configure single sign-on on the Kindling side, send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Kindling support team. They configure this setting so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Kindling test user
In this section, a user called Britta Simon is created in Kindling. Kindling supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Kindling,
a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Kindling tile in the Access Panel, you should be automatically signed in to the Kindling for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Kintone
11/19/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Kintone with Azure Active Directory (Azure AD). Integrating Kintone
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Kintone.
You can enable your users to be automatically signed-in to Kintone (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Kintone, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Kintone single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Kintone supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Kintone, select Kintone from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.cybozu.com
https://<companyname>.kintone.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Kintone Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Kintone section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Kintone Single Sign-On
1. In a different web browser window, sign in to your Kintone company site as an administrator.
2. Click the Settings icon.
a. In the Login URL textbox, paste the value of the Login URL that you copied from the Azure portal.
b. In the Logout URL textbox, paste the value of the Logout URL that you copied from the Azure portal.
c. Click Browse to upload the certificate file that you downloaded from the Azure portal.
d. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Kintone test user
To enable Azure AD users to sign in to Kintone, they must be provisioned into Kintone. In the case of Kintone,
provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Kintone company site as an administrator.
2. Click the Settings icon.
3. Click Users & System Administration.
a. Type a Display Name, Login Name, New Password, Confirm Password, E-mail Address, and other
details of a valid Azure AD account you want to provision into the related textboxes.
b. Click Save.
NOTE
You can use any other Kintone user account creation tools or APIs provided by Kintone to provision Azure AD user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Kiteworks with Azure Active
Directory
7/16/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Kiteworks with Azure Active Directory (Azure AD). When you integrate
Kiteworks with Azure AD, you can:
Control in Azure AD who has access to Kiteworks.
Enable your users to be automatically signed-in to Kiteworks with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
Kiteworks single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Kiteworks supports SP initiated SSO
Kiteworks supports Just In Time user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<kiteworksURL>.kiteworks.com
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<kiteworksURL>/sp/module.php/saml/sp/saml2-acs.php/sp-sso
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Kiteworks Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up Kiteworks section, copy the appropriate URL(s) based on your requirement.
Configure Kiteworks SSO
1. Sign on to your Kiteworks company site as an administrator.
2. In the toolbar on the top, click Settings.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Kiteworks test user
The objective of this section is to create a user called Britta Simon in Kiteworks.
Kiteworks supports just-in-time provisioning, which is enabled by default. There is no action item for you in this
section. A new user is created during an attempt to access Kiteworks if it doesn't exist yet.
NOTE
If you need to create a user manually, you need to contact the Kiteworks support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Kiteworks tile in the Access Panel, you should be automatically signed in to the Kiteworks for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Klue
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Klue with Azure Active Directory (Azure AD). Integrating Klue with Azure
AD provides you with the following benefits:
You can control in Azure AD who has access to Klue.
You can enable your users to be automatically signed-in to Klue (Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Klue, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Klue single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Klue supports SP and IDP initiated SSO
Klue supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Klue, select Klue from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: urn:klue:<Customer ID>
b. In the Reply URL text box, type a URL using the following pattern:
https://app.klue.com/account/auth/saml/<Customer UUID>/callback
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://app.klue.com/account/auth/saml/<Customer UUID>/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact Klue
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. The Klue application expects SAML assertions in a specific format. Configure the following claims for this
application. You can manage the values of these attributes from the User Attributes section on application
integration page. On the Set up Single Sign-On with SAML page, click Edit button to open User
Attributes dialog.
7. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
NAME          SOURCE ATTRIBUTE
first_name    user.givenname
last_name     user.surname
email         user.userprincipalname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
9. On the Set up Klue section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
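The claim table in step 7 can be checked against a captured test assertion before the certificate and URLs are sent on. The following is an added example, not part of the original tutorial or of Klue's tooling: it reads the attribute statement of a SAML assertion and classifies each of the three claims as ok, empty, missing, or sent under a namespaced name (one ending in `/first_name` and so on, which is what a non-blank Namespace field produces). Both sample assertions are constructed.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Claim names and source attributes from the table in step 7.
EXPECTED_CLAIMS = {
    "first_name": "user.givenname",
    "last_name": "user.surname",
    "email": "user.userprincipalname",
}

# Constructed sample: claims configured as the tutorial describes.
GOOD_ASSERTION = f"""<Assertion xmlns="{SAML}"><AttributeStatement>
  <Attribute Name="first_name"><AttributeValue>Britta</AttributeValue></Attribute>
  <Attribute Name="last_name"><AttributeValue>Simon</AttributeValue></Attribute>
  <Attribute Name="email"><AttributeValue>brittasimon@contoso.com</AttributeValue></Attribute>
</AttributeStatement></Assertion>"""

# Constructed sample: namespace left filled in, an empty value, and a claim never added.
BAD_ASSERTION = f"""<Assertion xmlns="{SAML}"><AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/first_name">
    <AttributeValue>Britta</AttributeValue></Attribute>
  <Attribute Name="last_name"><AttributeValue></AttributeValue></Attribute>
</AttributeStatement></Assertion>"""


def read_attributes(assertion_xml):
    """Map each Attribute Name in the assertion to its list of non-empty values."""
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        attributes[attr.get("Name", "")] = [v for v in values if v]
    return attributes


def classify_claims(assertion_xml):
    """Return {claim name: 'ok' | 'empty' | 'namespaced' | 'missing'} for the expected claims."""
    attributes = read_attributes(assertion_xml)
    result = {}
    for name in EXPECTED_CLAIMS:
        if name in attributes:
            result[name] = "ok" if attributes[name] else "empty"
        elif any(other.endswith("/" + name) for other in attributes):
            result[name] = "namespaced"
        else:
            result[name] = "missing"
    return result


ADVICE = {
    "ok": "present with a value",
    "empty": "present but empty; the source attribute has no value for this user",
    "namespaced": "sent with a namespace prefix; leave the Namespace field blank",
    "missing": "not in the assertion; add the claim",
}

if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label)
        for name, status in classify_claims(xml_text).items():
            print(f"  {name} ({EXPECTED_CLAIMS[name]}): {ADVICE[status]}")
```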
Configure Klue Single Sign-On
To configure single sign-on on the Klue side, send the downloaded Certificate (Base64) and the appropriate
copied URLs from the Azure portal to the Klue support team. They configure this setting so that the SAML SSO
connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Klue test user
In this section, a user called Britta Simon is created in Klue. Klue supports just-in-time user provisioning, which is
enabled by default. There is no action item for you in this section. If a user doesn't already exist in Klue, a new one
is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Klue tile in the Access Panel, you should be automatically signed in to the Klue for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
KnowBe4 Security Awareness Training
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate KnowBe4 Security Awareness Training with Azure Active Directory
(Azure AD). Integrating KnowBe4 Security Awareness Training with Azure AD provides you with the following
benefits:
You can control in Azure AD who has access to KnowBe4 Security Awareness Training.
You can enable your users to be automatically signed-in to KnowBe4 Security Awareness Training (Single Sign-On)
with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with KnowBe4 Security Awareness Training, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
KnowBe4 Security Awareness Training single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
KnowBe4 Security Awareness Training supports SP initiated SSO
KnowBe4 Security Awareness Training supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type KnowBe4 Security Awareness Training, select KnowBe4 Security Awareness
Training from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The sign on URL value is not real. Update this value with the actual Sign on URL. Contact KnowBe4 Security
Awareness Training Client support team to get this value. You can also refer to the pattern shown in the Basic SAML
Configuration section in the Azure portal.
b. In the Identifier (Entity ID) text box, type the string value: KnowBe4
NOTE
This is case-sensitive.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
6. On the Set up KnowBe4 Security Awareness Training section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure KnowBe4 Security Awareness Training Single Sign-On
To configure single sign-on on the KnowBe4 Security Awareness Training side, send the downloaded
Certificate (Raw) and the appropriate URLs copied from the Azure portal to the KnowBe4 Security Awareness Training
support team. They apply these settings so that the SAML SSO connection is configured properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create KnowBe4 Security Awareness Training test user
The objective of this section is to create a user called Britta Simon in KnowBe4 Security Awareness Training.
KnowBe4 Security Awareness Training supports just-in-time provisioning, which is enabled by default.
There is no action item for you in this section. A new user is created during an attempt to access KnowBe4 Security
Awareness Training if it doesn't exist yet.
NOTE
If you need to create a user manually, you need to contact the KnowBe4 Security Awareness Training support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Knowledge Anywhere LMS with
Azure Active Directory
6/13/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Knowledge Anywhere LMS with Azure Active Directory (Azure AD).
When you integrate Knowledge Anywhere LMS with Azure AD, you can:
Control in Azure AD who has access to Knowledge Anywhere LMS.
Enable your users to be automatically signed-in to Knowledge Anywhere LMS with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Knowledge Anywhere LMS single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Knowledge Anywhere LMS supports
SP initiated SSO and supports Just In Time user provisioning.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<CLIENTNAME>.knowledgeanywhere.com/
b. In the Reply URL text box, type a URL using the following pattern:
https://<CLIENTNAME>.knowledgeanywhere.com/SSO/SAML/Response.aspx?<IDPNAME>
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL, which is explained later in the
tutorial.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<CLIENTNAME>.knowledgeanywhere.com/
NOTE
The Sign-on URL value is not real. Update this value with the actual Sign-on URL. Contact Knowledge Anywhere LMS
Client support team to get this value. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. On the Set up Knowledge Anywhere LMS section, copy the appropriate URL(s) based on your
requirement.
2. After adding the extension to the browser, clicking Setup Knowledge Anywhere LMS directs you to the
Knowledge Anywhere LMS application. From there, provide the admin credentials to sign in to Knowledge
Anywhere LMS. The browser extension will automatically configure the application for you and automate
steps 3-7.
3. If you want to set up Knowledge Anywhere LMS manually, open a new web browser window, sign in to
your Knowledge Anywhere LMS company site as an administrator, and perform the following steps:
4. Select the Site tab.
5. Select the SAML Settings tab.
a. Enter the IDP Name as per your organization, for example, Azure.
b. In the IDP Entity ID textbox, paste the Azure AD Identifier value, which you have copied from the Azure
portal.
c. In the IDP URL textbox, paste Login URL value, which you have copied from Azure portal.
d. Open the downloaded certificate file from the Azure portal into notepad, copy the content of the
certificate and paste it into Certificate textbox.
e. In the Logout URL textbox, paste Logout URL value, which you have copied from Azure portal.
f. Select Main Site from the dropdown for the Domain.
g. Copy the SP Entity ID value and paste it into Identifier text box in the Basic SAML Configuration
section in the Azure portal.
h. Copy the SP Response (ACS) URL value and paste it into Reply URL text box in the Basic SAML
Configuration section in the Azure portal.
i. Click Save.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B. Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B. Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
BrittaSimon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B. Simon to use Azure single sign-on by granting access to Knowledge Anywhere
LMS.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Knowledge Anywhere LMS.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B. Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Knowledge Anywhere LMS test user
In this section, a user called B. Simon is created in Knowledge Anywhere LMS. Knowledge Anywhere LMS
supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section.
If a user doesn't already exist in Knowledge Anywhere LMS, a new one is created after authentication.
Test SSO
When you select the Knowledge Anywhere LMS tile in the Access Panel, you should be automatically signed in to
the Knowledge Anywhere LMS for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with KnowledgeOwl
10/22/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate KnowledgeOwl with Azure Active Directory (Azure AD). When you integrate
KnowledgeOwl with Azure AD, you can:
Control in Azure AD who has access to KnowledgeOwl.
Enable your users to be automatically signed-in to KnowledgeOwl with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with Azure
Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
KnowledgeOwl single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
KnowledgeOwl supports SP and IDP initiated SSO
KnowledgeOwl supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, enter the
values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://app.knowledgeowl.com/sp
https://app.knowledgeowl.com/sp/id/<unique ID>
b. In the Reply URL text box, type a URL using the following pattern:
https://subdomain.knowledgeowl.com/help/saml-login
https://subdomain.knowledgeowl.com/docs/saml-login
https://subdomain.knowledgeowl.com/home/saml-login
https://privatedomain.com/help/saml-login
https://privatedomain.com/docs/saml-login
https://privatedomain.com/home/saml-login
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP initiated
mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://subdomain.knowledgeowl.com/help/saml-login
https://subdomain.knowledgeowl.com/docs/saml-login
https://subdomain.knowledgeowl.com/home/saml-login
https://privatedomain.com/help/saml-login
https://privatedomain.com/docs/saml-login
https://privatedomain.com/home/saml-login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL, which is explained
later in the tutorial.
6. The KnowledgeOwl application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default
attributes.
7. In addition to the above, the KnowledgeOwl application expects a few more attributes to be passed back in the SAML response,
which are shown below. These attributes are also pre-populated, but you can review them as per your requirements.
8. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Certificate (Raw)
and select Download to download the certificate and save it on your computer.
9. On the Set up KnowledgeOwl section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the bottom of the
screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate role for the
user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
If you need to create a user manually, contact the KnowledgeOwl support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the KnowledgeOwl tile in the Access Panel, you should be automatically signed in to the KnowledgeOwl for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try KnowledgeOwl with Azure AD
Tutorial: Azure Active Directory integration with
Kontiki
6/13/2019 • 4 minutes to read
In this tutorial, you learn how to integrate Kontiki with Azure Active Directory (Azure AD).
Integrating Kontiki with Azure AD gives you the following benefits:
You can use Azure AD to control who has access to Kontiki.
Users can be automatically signed in to Kontiki with their Azure AD accounts (single sign-on).
You can manage your accounts in one central location, the Azure portal.
For more information about software as a service (SaaS) app integration with Azure AD, see Single sign-on to
applications in Azure Active Directory.
Prerequisites
To configure Azure AD integration with Kontiki, you need the following items:
An Azure AD subscription. If you don't have an Azure AD subscription, create a free account before you begin.
A Kontiki subscription with single sign-on enabled.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment and integrate Kontiki with
Azure AD.
Kontiki supports the following features:
SP-initiated single sign-on
Just-in-time user provisioning
5. In the search box, enter Kontiki. In the search results, select Kontiki, and then select Add.
TASK: DESCRIPTION
Configure Azure AD single sign-on: Enables your users to use this feature.
Configure Kontiki single sign-on: Configures the single sign-on settings in the application.
Create an Azure AD test user: Tests Azure AD single sign-on for a user named Britta Simon.
Assign the Azure AD test user: Enables Britta Simon to use Azure AD single sign-on.
Create a Kontiki test user: Creates a counterpart of Britta Simon in Kontiki that is linked to the Azure AD representation of the user.
2. In the Select a single sign-on method pane, select SAML or SAML/WS-Fed mode to enable single sign-on.
3. In the Set up Single Sign-On with SAML pane, select Edit (the pencil icon) to open the Basic SAML
Configuration pane.
4. In the Basic SAML Configuration pane, in the Sign on URL text box, enter a URL that has the following
pattern: https://<companyname>.mc.eval.kontiki.com
NOTE
Contact the Kontiki Client support team to get the correct value to use. You can also refer to the patterns shown in
the Basic SAML Configuration section in the Azure portal.
5. In the Set up Single Sign-On with SAML pane, in the SAML Signing Certificate section, select
Download next to Federation Metadata XML. Select a download option based on your requirements.
Save the certificate on your computer.
6. In the Set up Kontiki section, copy the following URLs based on your requirements:
Login URL
Azure AD Identifier
Logout URL
4. Select Add user. Then, in the Add assignment pane, select Users and groups.
5. In the Users and groups pane, select Britta Simon in the list of users. Choose Select.
6. If you are expecting a role value in the SAML assertion, in the Select role pane, select the relevant role for
the user from the list. Choose Select.
7. In the Add Assignment pane, select Assign.
Create a Kontiki test user
There's no action item for you to configure user provisioning in Kontiki. When an assigned user tries to sign in to
Kontiki by using the My Apps portal, Kontiki checks whether the user exists. If no user account is found, Kontiki
automatically creates the user account.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration by using the My Apps portal.
After you set up single sign-on, when you select Kontiki in the My Apps portal, you are automatically signed in to
Kontiki. For more information about the My Apps portal, see Access and use apps in the My Apps portal.
Next steps
To learn more, review these articles:
List of tutorials for integrating SaaS apps with Azure Active Directory
Single sign-on to applications in Azure Active Directory
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Korn
Ferry ALP
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Korn Ferry ALP with Azure Active Directory (Azure AD). Integrating Korn
Ferry ALP with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Korn Ferry ALP.
You can enable your users to be automatically signed-in to Korn Ferry ALP (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Korn Ferry ALP, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Korn Ferry ALP single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Korn Ferry ALP supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Korn Ferry ALP, select Korn Ferry ALP from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
https://intappextin01/portalweb/sso/client/audience?guid=<customerguid>
https://qaassessment.kfnaqa.com/portalweb/sso/client/audience?guid=<customerguid>
https://assessments.kornferry.com/portalweb/sso/client/audience?guid=<customerguid>
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://intappextin01/portalweb/sso/client/audience?guid=<customerguid>
https://qaassessment.kfnaqa.com/portalweb/sso/client/audience?guid=<customerguid>
https://assessments.kornferry.com/portalweb/sso/client/audience?guid=<customerguid>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Korn Ferry ALP
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
Configure Korn Ferry ALP Single Sign-On
To configure single sign-on on the Korn Ferry ALP side, send the App Federation Metadata Url to the
Korn Ferry ALP support team. They apply this setting so that the SAML SSO connection is configured properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Korn Ferry ALP test user
In this section, you create a user called Britta Simon in Korn Ferry ALP. Work with Korn Ferry ALP support team to
add the users in the Korn Ferry ALP platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Korn Ferry ALP tile in the Access Panel, you should be automatically signed in to the Korn Ferry
ALP for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Kronos
8/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Kronos with Azure Active Directory (Azure AD). When you integrate
Kronos with Azure AD, you can:
Control in Azure AD who has access to Kronos.
Enable your users to be automatically signed-in to Kronos with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Kronos single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Kronos supports IDP initiated SSO
4. On the Set up Single Sign-On with SAML page, enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern: https://<company name>.kronos.net/
b. In the Reply URL text box, type a URL using the following pattern:
https://<company name>.kronos.net/wfc/navigator/logonWithUID
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Kronos Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The Kronos application expects the SAML assertions in a specific format. Configure the following claims for this
application. You can manage the values of these attributes from the User Attributes section on the application
integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the User
Attributes dialog.
6. In the User Claims section on the User Attributes dialog, configure the SAML token attribute as shown in the
image above and perform the following steps:
a. Click the Edit icon to open the Manage user claims dialog.
b. From the Transformation list, select ExtractMailPrefix().
c. From the Parameter 1 list, select user.userprincipalname.
d. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
8. On the Set up Kronos section, copy the appropriate URL(s) based on your requirement.
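ExtractMailPrefix() in step 6 drops the domain suffix, so the claim sent to Kronos is only the local part of the user principal name. The following Python sketch is an added example, not Azure AD's implementation; it models the transformation as "text before the @" (an assumption) and flags accounts whose UPNs would collapse to the same claim value, which matters in tenants with more than one domain. Comparing case-insensitively is also an assumption, and the user list is constructed.

```python
from collections import defaultdict


def extract_mail_prefix(value):
    """Model of ExtractMailPrefix(): the part before '@'.

    Assumption: input without an '@' is passed through unchanged.
    """
    prefix, at, _domain = value.partition("@")
    return prefix if at else value


def audit_claim_values(upns):
    """Report UPNs whose transformed claim value is ambiguous or unusual.

    collisions: claim value (case-folded) -> UPNs that share it
    guests:     UPNs whose prefix carries the #EXT# guest marker
    empty:      UPNs that would produce an empty claim value
    """
    by_claim = defaultdict(list)
    for upn in upns:
        by_claim[extract_mail_prefix(upn).casefold()].append(upn)
    return {
        "collisions": {
            claim: sorted(users)
            for claim, users in by_claim.items()
            if len(users) > 1
        },
        "guests": sorted(
            u for u in upns if "#EXT#" in extract_mail_prefix(u).upper()
        ),
        "empty": sorted(u for u in upns if not extract_mail_prefix(u)),
    }


# Constructed sample directory export: two domains in one tenant plus a guest.
SAMPLE_UPNS = [
    "B.Simon@contoso.com",
    "b.simon@fabrikam.com",
    "a.lee@contoso.com",
    "j.doe_fabrikam.com#EXT#@contoso.onmicrosoft.com",
]

if __name__ == "__main__":
    report = audit_claim_values(SAMPLE_UPNS)
    for section, findings in report.items():
        print(section, findings)
```

Any entry under collisions means two distinct Azure AD accounts would present the same identifier to the application and should be resolved before users are assigned.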
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Kronos.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Kronos.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Kronos tile in the Access Panel, you should be automatically signed in to the Kronos for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Kronos with Azure AD
Tutorial: Azure Active Directory integration with
Kudos
11/19/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Kudos with Azure Active Directory (Azure AD). Integrating Kudos with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Kudos.
You can enable your users to be automatically signed-in to Kudos (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Kudos, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Kudos single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Kudos supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Kudos, select Kudos from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Kudos Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Kudos section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Kudos Single Sign-On
1. In a different web browser window, sign into your Kudos company site as an administrator.
2. In the menu on the top, click the Settings icon.
a. In the Sign on URL textbox, paste the value of the Login URL, which you have copied from the Azure portal.
b. Open your base-64 encoded certificate in Notepad, copy its content to your clipboard, and then
paste it into the X.509 certificate textbox.
c. In the Logout To URL textbox, paste the value of the Logout URL, which you have copied from the Azure portal.
d. In the Your Kudos URL textbox, type your company name.
e. Click Save.
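Both the Kudos step above and the Knowledge Anywhere LMS step that pastes the certificate from Notepad depend on the text surviving the copy intact, and other tutorials here use the Certificate (Raw) download instead. The following Python sketch is an added example, not part of the tutorials; it accepts either form, rejects a truncated or non-certificate paste, and prints thumbprints that can be compared with the one shown for the signing certificate. It assumes the Base64 download is PEM-armored and the Raw download is DER; the sample bytes are a constructed stand-in, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

_PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def _check_outer_length(der):
    """Verify the outer ASN.1 SEQUENCE length matches the number of bytes held."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not DER: expected an ASN.1 SEQUENCE (0x30)")
    if der[1] & 0x80:
        n = der[1] & 0x7F  # long form: next n bytes hold the length
        if n == 0 or len(der) < 2 + n:
            raise ValueError("malformed DER length field")
        declared = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    else:
        declared, header = der[1], 2
    if header + declared != len(der):
        raise ValueError(
            "length mismatch: header declares %d bytes, file holds %d "
            "(truncated copy or trailing data)" % (declared, len(der) - header)
        )


def to_der(data):
    """Accept the Raw (DER) or Base64 (PEM) download as bytes; return DER bytes."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        text = ""  # binary input, treat as DER
    if "-----BEGIN" in text:
        match = _PEM.search(text)
        if match is None:
            raise ValueError("PEM armor is incomplete (partial copy/paste?)")
        if match.group(1) != "CERTIFICATE":
            raise ValueError("PEM block is '%s', not a certificate" % match.group(1))
        body = "".join(match.group(2).split())  # tolerate CRLF and stray spaces
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("Base64 body is damaged: %s" % exc)
    else:
        der = data
    _check_outer_length(der)
    return der


def thumbprints(data):
    """Uppercase hex digests of the DER encoding, independent of download format."""
    der = to_der(data)
    return {
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


# Constructed stand-in, not a real certificate: a SEQUENCE header declaring 300 bytes.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(300)
# The same bytes as a PEM file with CRLF line endings, as a Windows editor saves it.
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\r\n"
    + base64.encodebytes(SAMPLE_DER).replace(b"\n", b"\r\n")
    + b"-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    print(thumbprints(SAMPLE_PEM))
```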
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Kudos test user
In order to enable Azure AD users to sign in to Kudos, they must be provisioned into Kudos. In the case of Kudos,
provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Kudos company site as administrator.
2. In the menu on the top, click the Settings icon.
3. Click User Admin.
4. Click the Users tab, and then click Add a User.
a. Type the First Name, Last Name, Email and other details of a valid Azure Active Directory account you
want to provision into the related textboxes.
b. Click Create User.
NOTE
You can use any other Kudos user account creation tools or APIs provided by Kudos to provision Azure AD user accounts.
In this tutorial, you'll learn how to integrate Land Gorilla with Azure Active Directory (Azure AD). When you
integrate Land Gorilla with Azure AD, you can:
Control in Azure AD who has access to Land Gorilla.
Enable your users to be automatically signed-in to Land Gorilla with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Land Gorilla single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Land Gorilla supports IDP initiated SSO
4. On the Set up Single Sign-On with SAML page, enter the values for the following fields:
a. In the Identifier text box, type a URL using one of the following patterns:
https://<customer domain>.landgorilla.com/
https://www.<customer domain>.landgorilla.com
b. In the Reply URL text box, type a URL using one of the following patterns:
https://<customer domain>.landgorilla.com/simplesaml/module.php/core/authenticate.php
https://www.<customer domain>.landgorilla.com/simplesaml/module.php/core/authenticate.php
https://<customer domain>.landgorilla.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
https://www.<customer domain>.landgorilla.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Here we suggest you to use
the unique value of string in the Identifier. Contact Land Gorilla Client support team to get these values. You can also
refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. In the Set up Land Gorilla section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Land Gorilla test user
In this section, you create a user called Britta Simon in Land Gorilla. Work with the Land Gorilla support team to add
the users in the Land Gorilla platform. Users must be created and activated before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Land Gorilla tile in the Access Panel, you should be automatically signed in to the Land Gorilla
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
LaunchDarkly
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate LaunchDarkly with Azure Active Directory (Azure AD). Integrating
LaunchDarkly with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to LaunchDarkly.
You can enable your users to be automatically signed-in to LaunchDarkly (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with LaunchDarkly, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
LaunchDarkly single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
LaunchDarkly supports SP and IDP initiated SSO
LaunchDarkly supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type LaunchDarkly, select LaunchDarkly from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL: app.launchdarkly.com
b. In the Reply URL text box, type a URL using the following pattern:
https://app.launchdarkly.com/trust/saml2/acs/<customers-unique-id>
NOTE
The Reply URL value is not real. You will update the value with the actual Reply URL, which is explained later in the
tutorial. If you intend to use the application in IDP mode, you need to leave the Sign on URL field blank;
otherwise you will not be able to initiate the login from the IDP. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://app.launchdarkly.com
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. In the Set up LaunchDarkly section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure LaunchDarkly Single Sign-On
1. In a different web browser window, log into your LaunchDarkly company site as an administrator.
2. Select Account Settings from the left navigation panel.
a. Copy the SAML consumer service URL for your instance and paste it in the Reply URL textbox in the
LaunchDarkly Domain and URLs section on the Azure portal.
b. In the Sign-on URL textbox, paste the Login URL value, which you copied from the Azure portal.
c. Open the certificate downloaded from the Azure portal in Notepad, copy the content, and then paste it
into the X.509 certificate box, or you can directly upload the certificate by clicking the upload one.
d. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create LaunchDarkly test user
The objective of this section is to create a user called Britta Simon in LaunchDarkly. LaunchDarkly supports
just-in-time provisioning, which is enabled by default. There is no action item for you in this section. A new user is
created during an attempt to access LaunchDarkly if it doesn't exist yet.
NOTE
If you need to create a user manually, contact the LaunchDarkly Client support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
LCVista
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate LCVista with Azure Active Directory (Azure AD). Integrating LCVista
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to LCVista.
You can enable your users to be automatically signed-in to LCVista (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with LCVista, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
LCVista single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
LCVista supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type LCVista, select LCVista from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.lcvista.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the LCVista Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up LCVista section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure LCVista Single Sign-On
1. Sign on to your LCVista application as an administrator.
2. In the SAML Config section, check Enable SAML login and enter the details as shown in the image
below.
a. In the Entity ID textbox, paste the Azure AD Identifier value, which you copied from the Azure portal.
b. In the URL textbox, paste the Login URL value, which you copied from the Azure portal.
c. Open the Metadata XML file that you downloaded from the Azure portal in Notepad, copy the
X509Certificate value, and paste it in the x509 Certificate section.
d. In the First name attribute textbox, paste the value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname.
e. In the Last name attribute textbox, paste the value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname.
f. In the Email attribute textbox, paste the value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
g. In the Username attribute textbox, paste the value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.
h. Click Save to save the settings.
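To confirm that the four attribute names entered in steps d through g actually arrive in the token, the following added example (not part of the original tutorial and not LCVista's code) reads a captured test assertion and reports which LCVista field has no usable value. The sample assertion is constructed, and the function names are assumptions.

```python
"""Report which LCVista attribute fields a captured test assertion can fill."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# LCVista field -> attribute name, as pasted in steps d through g.
LCVISTA_ATTRIBUTES = {
    "First name": CLAIMS + "givenname",
    "Last name": CLAIMS + "surname",
    "Email": CLAIMS + "emailaddress",
    "Username": CLAIMS + "name",
}

# Constructed sample for the test user: surname is absent and emailaddress
# is present but empty, two common causes of a failed first sign-in.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}givenname">
      <saml:AttributeValue>Britta</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}emailaddress">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}name">
      <saml:AttributeValue>brittasimon@contoso.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def read_attributes(assertion_xml):
    """Return {attribute Name: [values]} across every AttributeStatement."""
    root = ET.fromstring(assertion_xml.strip())
    found = {}
    path = ".//saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, SAML_NS):
        values = [
            (v.text or "").strip()
            for v in attr.findall("saml:AttributeValue", SAML_NS)
        ]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def check_lcvista_mapping(assertion_xml):
    """Classify each LCVista field as ok, missing, empty or multiple values.

    Diagnostic only: the signature is not verified here, so the result must
    never feed a sign-in decision.
    """
    found = read_attributes(assertion_xml)
    report = {}
    for field, uri in LCVISTA_ATTRIBUTES.items():
        if uri not in found:
            report[field] = "missing"
            continue
        values = [v for v in found[uri] if v]
        if not values:
            report[field] = "empty"
        elif len(values) > 1:
            report[field] = "multiple values"
        else:
            report[field] = "ok"
    return report


if __name__ == "__main__":
    for field, status in check_lcvista_mapping(SAMPLE_ASSERTION).items():
        print(f"{field:<11} {status}")
```
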
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create LCVista test user
In this section, you create a user called Britta Simon in LCVista. Work with the LCVista Client support team to add the
users in the LCVista platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the LCVista tile in the Access Panel, you should be automatically signed in to the LCVista for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Lean
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Lean with Azure Active Directory (Azure AD). Integrating Lean with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Lean.
You can enable your users to be automatically signed-in to Lean (Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Lean, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Lean single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Lean supports SP initiated SSO
Lean supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Lean, select Lean from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
bloom-goodpractice-<SUBDOMAIN>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Lean Client support
team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Lean section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Lean Single Sign-On
To configure single sign-on on the Lean side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the Lean support team. They apply this setting so that the SAML SSO
connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Lean test user
In this section, a user called Britta Simon is created in Lean. Lean supports just-in-time user provisioning, which is
enabled by default. There is no action item for you in this section. If a user doesn't already exist in Lean, a new one
is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Lean tile in the Access Panel, you should be automatically signed in to the Lean for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Leapsome
6/13/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Leapsome with Azure Active Directory (Azure AD). Integrating
Leapsome with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Leapsome.
You can enable your users to be automatically signed-in to Leapsome (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Leapsome, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Leapsome single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Leapsome supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Leapsome, select Leapsome from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL: https://www.leapsome.com
b. In the Reply URL text box, type a URL using the following pattern:
https://www.leapsome.com/api/users/auth/saml/<CLIENTID>/assert
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://www.leapsome.com/api/users/auth/saml/<CLIENTID>/login
NOTE
The preceding Reply URL and Sign-on URL values are not real. You will update them with the actual values, as
explained later in the tutorial.
6. Your Leapsome application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click the Edit icon to open the User Attributes dialog.
7. In the User Claims section on the User Attributes dialog, edit the claims by using the Edit icon or add the
claims by using Add new claim to configure the SAML token attribute as shown in the image above and
perform the following steps:
NAME SOURCE ATTRIBUTE NAMESPACE
NOTE
The value of the picture attribute is not real. Update this value with the actual picture URL. To get this value, contact
the Leapsome Client support team.
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. In the Namespace textbox, type the namespace URI for that row.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and
save it on your computer.
9. In the Set up Leapsome section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Leapsome Single Sign-On
1. In a different web browser window, sign in to Leapsome as a Security Administrator.
2. On the top right, click the Settings logo and then click Admin Settings.
3. On the left menu bar, click Single Sign On (SSO), and on the SAML-based single sign-on (SSO) page
perform the following steps:
a. Select Enable SAML-based single sign-on.
b. Copy the Login URL (point your users here to start login) value and paste it into the Sign-on URL
textbox in the Basic SAML Configuration section on the Azure portal.
c. Copy the Reply URL (receives response from your identity provider) value and paste it into the
Reply URL textbox in the Basic SAML Configuration section on the Azure portal.
d. In the SSO Login URL (provided by identity provider) textbox, paste the value of Login URL, which
you copied from the Azure portal.
e. Copy the Certificate that you downloaded from the Azure portal, without the
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and paste it in the Certificate (provided by
identity provider) textbox.
f. Click UPDATE SSO SETTINGS.
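The two certificate hand-offs in these tutorials (copying the X509Certificate value out of the Federation Metadata XML for LCVista, and pasting the Certificate (Base64) download without its BEGIN/END lines for Leapsome) can be checked against each other before saving. The following is an added example, not code from the original tutorials or either vendor; the certificate bytes and metadata are constructed stand-ins and the function names are assumptions.

```python
"""Confirm a pasted certificate body matches the IdP metadata signing key."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in bytes, not real certificates: only extraction,
# armor stripping and comparison are shown, so no X.509 parsing is needed.
SIGNING_DER = b"constructed stand-in for signing certificate DER bytes " * 6
OTHER_DER = b"constructed stand-in for a different certificate " * 6
SIGNING_B64 = base64.b64encode(SIGNING_DER).decode()

# Constructed metadata. X509Certificate appears twice: once in the document's
# own ds:Signature and once under the IdP signing KeyDescriptor. They differ
# here on purpose so that picking the wrong element is visible.
SAMPLE_METADATA = f"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://idp.example/constructed-tenant/">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{base64.b64encode(OTHER_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SIGNING_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed "Certificate (Base64)" download: armor, 64-column lines, CRLF.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + "\r\n".join(SIGNING_B64[i:i + 64] for i in range(0, len(SIGNING_B64), 64))
    + "\r\n-----END CERTIFICATE-----\r\n"
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def metadata_signing_certs(metadata_xml):
    """Base64 bodies of the IdP signing keys (use="signing" or unspecified)."""
    root = ET.fromstring(metadata_xml.strip())
    certs = []
    for key in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if key.get("use", "signing") != "signing":
            continue
        path = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        for node in key.iterfind(path, NS):
            certs.append("".join((node.text or "").split()))
    return certs


def pem_body(pem_text):
    """Base64 body of a one-certificate PEM file, armor and breaks removed."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected one certificate, found {len(blocks)}")
    return "".join(blocks[0].split())


def sha256_fingerprint(b64_body):
    """SHA-256 of the decoded bytes; raises ValueError on unclean base64."""
    der = base64.b64decode(b64_body, validate=True)
    return hashlib.sha256(der).hexdigest()


def pasted_value_matches(metadata_xml, pem_text):
    """True when the PEM download is one of the metadata signing keys."""
    wanted = {sha256_fingerprint(c) for c in metadata_signing_certs(metadata_xml)}
    return sha256_fingerprint(pem_body(pem_text)) in wanted


if __name__ == "__main__":
    print("paste this:", pem_body(SAMPLE_PEM)[:32] + "...")
    print("matches metadata:", pasted_value_matches(SAMPLE_METADATA, SAMPLE_PEM))
```

Comparing fingerprints rather than pasted text avoids false mismatches caused by line wrapping or CRLF differences between the two downloads.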
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Leapsome test user
In this section, you create a user called Britta Simon in Leapsome. Work with the Leapsome Client support team to add
the users or the domain that must be added to an allow list for the Leapsome platform. If the domain is added by
the team, users will get automatically provisioned to the Leapsome platform. Users must be created and activated
before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Leapsome tile in the Access Panel, you should be automatically signed in to the Leapsome for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Learning at Work with Azure Active
Directory
9/5/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Learning at Work with Azure Active Directory (Azure AD). When you
integrate Learning at Work with Azure AD, you can:
Control in Azure AD who has access to Learning at Work.
Enable your users to be automatically signed-in to Learning at Work with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Learning at Work single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Learning at Work supports SP initiated SSO
4. In the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<subdomain>.sabacloud.com/Saba/Web/<company code>
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.sabacloud.com/Saba/saml/SSO/alias/<company name>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Learning at Work
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The Learning at Work application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes, where nameidentifier is mapped with user.userprincipalname.
You can update the nameidentifier value in Azure AD based on your organization's setup. This value
needs to match the User ID in the SABA cloud. To change it, click the Edit icon and edit the attribute
mapping.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. In the Set up Learning at Work section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Learning at Work test user
In this section, you create a user called B.Simon in Learning at Work. Work with the Learning at Work support team to
add the users in the Learning at Work platform. Users must be created and activated before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Learning at Work tile in the Access Panel, you should be automatically signed in to the Learning
at Work for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Learning Seat LMS
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Learning Seat LMS with Azure Active Directory (Azure AD). Integrating
Learning Seat LMS with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Learning Seat LMS.
You can enable your users to be automatically signed-in to Learning Seat LMS (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Learning Seat LMS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Learning Seat LMS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Learning Seat LMS supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Learning Seat LMS, select Learning Seat LMS from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<subdomain>.learningseatlms.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.learningseatlms.com/Account/AssertionConsumerService
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<subdomain>.learningseatlms.com
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the
Learning Seat LMS Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. In the Set up Learning Seat LMS section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Learning Seat LMS Single Sign-On
To configure single sign-on on the Learning Seat LMS side, you need to send the downloaded Federation
Metadata XML and the appropriate copied URLs from the Azure portal to the Learning Seat LMS support team. They apply
this setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Learning Seat LMS test user
In this section, you create a user called Britta Simon in Learning Seat LMS. Work with the Learning Seat LMS support
team to add the users in the Learning Seat LMS platform. Users must be created and activated before you use
single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Learning Seat LMS tile in the Access Panel, you should be automatically signed in to the
Learning Seat LMS for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Learningpool Act
11/19/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Learningpool Act with Azure Active Directory (Azure AD). Integrating
Learningpool Act with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Learningpool Act.
You can enable your users to be automatically signed-in to Learningpool Act (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Learningpool Act, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Learningpool Act single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Learningpool Act supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Learningpool Act, select Learningpool Act from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.Learningpool.com/shibboleth
https://<subdomain>.preview.Learningpool.com/shibboleth
NOTE
The Identifier value is not real. Update this value with the actual Identifier. Contact the Learningpool Act Client support
team to get this value. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. Your Learningpool Act application expects the SAML assertions in a specific format, which requires you to
add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes. Click the Edit icon to open the User Attributes dialog.
6. In the User Claims section on the User Attributes dialog, edit the claims by using the Edit icon or add the
claims by using Add new claim to configure the SAML token attributes as shown in the image above and
perform the following steps:
NAME                                 SOURCE ATTRIBUTE
urn:oid:1.2.840.113556.1.4.221       user.userprincipalname
urn:oid:2.5.4.42                     user.givenname
urn:oid:0.9.2342.19200300.100.1.3    user.mail
urn:oid:2.5.4.4                      user.surname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. On the Set up Learningpool Act section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Learningpool Act Single Sign-On
To configure single sign-on on the Learningpool Act side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the Learningpool Act support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Learningpool Act test user
To enable Azure AD users to log in to Learningpool Act, they must be provisioned into Learningpool Act.
There is no action item for you to configure user provisioning to Learningpool Act.
Users need to be created by your Learningpool Act support team.
NOTE
You can use any other Learningpool Act user account creation tools or APIs provided by Learningpool Act to provision Azure
AD user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
LearnUpon
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate LearnUpon with Azure Active Directory (Azure AD). Integrating
LearnUpon with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to LearnUpon.
You can enable your users to be automatically signed-in to LearnUpon (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with LearnUpon, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
LearnUpon single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
LearnUpon supports IDP initiated SSO
LearnUpon supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type LearnUpon, select LearnUpon from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Reply URL. Contact the LearnUpon Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, locate the THUMBPRINT. This value will be added to your
LearnUpon SAML Settings.
6. On the Set up LearnUpon section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure LearnUpon Single Sign-On
1. Open another browser instance and sign in to LearnUpon with an administrator account.
2. Click the settings tab.
3. Click Single Sign On - SAML, and then click General Settings to configure SAML settings.
f. In the Identify Provider Location textbox, type the value that indicates where the users are sent to if they
click on your uploaded icon from your Azure portal login screen.
g. In the Sign out URL textbox, paste the Logout URL value, which you have copied from the Azure portal.
h. Click Manage finger prints, and then upload the finger print of your downloaded certificate.
5. Click User Settings, and then perform the following steps:
a. In the First Name Identifier Format textbox, type the value that identifies where in your SAML assertion
the user's first name resides (for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname).
b. In the Last Name Identifier Format textbox, type the value that identifies where in your SAML assertion
the user's last name resides (for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname).
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create LearnUpon test user
In this section, a user called Britta Simon is created in LearnUpon. LearnUpon supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in LearnUpon, a new one is created after authentication. If you need to create a user manually, you need to
contact the LearnUpon support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the LearnUpon tile in the Access Panel, you should be automatically signed in to the LearnUpon for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Lecorpio
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Lecorpio with Azure Active Directory (Azure AD). Integrating Lecorpio
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Lecorpio.
You can enable your users to be automatically signed-in to Lecorpio (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Lecorpio, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Lecorpio single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Lecorpio supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Lecorpio, select Lecorpio from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<instance name>.lecorpio.com/<customer name>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Lecorpio Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Lecorpio section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Lecorpio Single Sign-On
To configure single sign-on on the Lecorpio side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the Lecorpio support team. They apply these settings so that the SAML SSO
connection is set properly on both sides.
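The Federation Metadata XML that the Learningpool Act and Lecorpio tutorials above hand to a support team carries the signing certificate the application will trust. The following added example (not part of the original tutorials) extracts the entity ID, endpoints and signing-certificate thumbprint from a metadata file and compares the thumbprint with the one shown in the portal. The sample metadata, host names and function names are constructed assumptions, and the thumbprint is assumed to be the SHA-1 of the DER certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample input: placeholder tenant, hosts and certificate bytes.
CONSTRUCTED_CERT = b"constructed stand-in for DER certificate bytes"
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://idp.example.com/{tenant}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{cert}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.example.com/{tenant}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.example.com/{tenant}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".format(tenant=TENANT, cert=base64.b64encode(CONSTRUCTED_CERT).decode("ascii"))


def normalize_thumbprint(value):
    """Upper-case hex with separators (colons, spaces, dashes) removed."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def summarize_metadata(xml_text):
    """Return the entity ID, endpoints and signing thumbprints of IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("root element is not an EntityDescriptor")
    idp = root.find("{%s}IDPSSODescriptor" % MD)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity provider metadata")

    thumbprints = []
    for key in idp.findall("{%s}KeyDescriptor" % MD):
        # A KeyDescriptor without a "use" attribute applies to signing too.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.iter("{%s}X509Certificate" % DS):
            der = base64.b64decode("".join((cert.text or "").split()))
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())

    def locations(tag):
        found = {e.get("Location") for e in idp.findall("{%s}%s" % (MD, tag))}
        return sorted(loc for loc in found if loc)

    return {
        "entity_id": root.get("entityID"),
        "signing_thumbprints": thumbprints,
        "sign_on": locations("SingleSignOnService"),
        "sign_out": locations("SingleLogoutService"),
    }


def review_metadata(xml_text, portal_thumbprint):
    """Return (summary, findings); an empty findings list means nothing flagged."""
    info = summarize_metadata(xml_text)
    findings = []
    if not info["signing_thumbprints"]:
        findings.append("no signing certificate in metadata")
    elif normalize_thumbprint(portal_thumbprint) not in info["signing_thumbprints"]:
        findings.append("signing certificate does not match the portal thumbprint")
    if not info["sign_on"]:
        findings.append("no SingleSignOnService endpoint")
    for url in info["sign_on"] + info["sign_out"]:
        if not url.lower().startswith("https://"):
            findings.append("endpoint is not HTTPS: " + url)
    return info, findings


if __name__ == "__main__":
    portal_value = hashlib.sha1(CONSTRUCTED_CERT).hexdigest()
    summary, problems = review_metadata(SAMPLE_METADATA, portal_value)
    print(summary)
    print(problems or "no findings")
```

Passing the thumbprint to the support team through a different channel than the file lets them repeat the same comparison on their side.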
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Lecorpio test user
In this section, you create a user called Britta Simon in Lecorpio. Work with the Lecorpio support team to add the users
to the Lecorpio platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Lecorpio tile in the Access Panel, you should be automatically signed in to the Lecorpio for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Lesson.ly
11/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Lesson.ly with Azure Active Directory (Azure AD). When you integrate
Lesson.ly with Azure AD, you can:
Control in Azure AD who has access to Lesson.ly.
Enable your users to be automatically signed-in to Lesson.ly with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Lesson.ly single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Lesson.ly supports SP initiated SSO
Lesson.ly supports Just In Time user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<companyname>.lessonly.com/signin
NOTE
Replace the generic name companyname with an actual name.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.lessonly.com/auth/saml/metadata
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Lessonly.com Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The Lesson.ly application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
6. In addition to the above, the Lesson.ly application expects a few more attributes to be passed back in the SAML response,
which are shown below. These attributes are also prepopulated, but you can review them as per your
requirements.
urn:oid:2.5.4.42                     user.givenname
urn:oid:2.5.4.4                      user.surname
urn:oid:0.9.2342.19200300.100.1.3    user.mail
urn:oid:1.3.6.1.4.1.5923.1.1.1.10    user.objectid
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
8. On the Set up Lesson.ly section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
If you need to create a user manually, you need to contact the Lessonly.com support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Lesson.ly tile in the Access Panel, you should be automatically signed in to the Lesson.ly for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
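To confirm during testing that the claim mappings in the Learningpool Act and Lesson.ly tables above actually reach the application, the following added example (not part of the original tutorials) checks a test assertion against each table and also lists attributes released beyond it. The sample assertion is constructed, and the function and variable names are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Claim name -> Azure AD source attribute, copied from the two tutorial tables.
EXPECTED_CLAIMS = {
    "Learningpool Act": {
        "urn:oid:1.2.840.113556.1.4.221": "user.userprincipalname",
        "urn:oid:2.5.4.42": "user.givenname",
        "urn:oid:0.9.2342.19200300.100.1.3": "user.mail",
        "urn:oid:2.5.4.4": "user.surname",
    },
    "Lesson.ly": {
        "urn:oid:2.5.4.42": "user.givenname",
        "urn:oid:2.5.4.4": "user.surname",
        "urn:oid:0.9.2342.19200300.100.1.3": "user.mail",
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "user.objectid",
    },
}

# Constructed test assertion (not captured from a real tenant). It has no
# surname claim, an empty mail claim, and one claim outside both tables.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2019-11-19T00:00:00Z">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.2.840.113556.1.4.221">
      <saml:AttributeValue>B.Simon@contoso.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42">
      <saml:AttributeValue>Britta</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>B.Simon@contoso.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def read_claims(assertion_xml):
    """Return {claim name: [non-empty values]} for every saml:Attribute.

    This only inspects attribute names and values of a test capture. It does
    not verify the assertion signature and is not a SAML validator.
    """
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iter("{%s}Attribute" % ASSERTION_NS):
        values = [
            (v.text or "").strip()
            for v in attr.findall("{%s}AttributeValue" % ASSERTION_NS)
        ]
        claims.setdefault(attr.get("Name", ""), []).extend(v for v in values if v)
    return claims


def check_claims(app, assertion_xml):
    """Compare an assertion with the claim table of `app`.

    missing:    expected claims that are absent from the assertion
    empty:      expected claims present without any value (for example, the
                source attribute is not populated for the test user)
    unexpected: claims released to the application beyond its table
    """
    expected = EXPECTED_CLAIMS[app]
    claims = read_claims(assertion_xml)
    return {
        "missing": sorted(n for n in expected if n not in claims),
        "empty": sorted(n for n in expected if n in claims and not claims[n]),
        "unexpected": sorted(n for n in claims if n not in expected),
    }


if __name__ == "__main__":
    for app in EXPECTED_CLAIMS:
        print(app, check_claims(app, SAMPLE_ASSERTION))
```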
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Lesson.ly with Azure AD
Tutorial: Azure Active Directory integration with
Lifesize Cloud
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Lifesize Cloud with Azure Active Directory (Azure AD). Integrating
Lifesize Cloud with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Lifesize Cloud.
You can enable your users to be automatically signed-in to Lifesize Cloud (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Lifesize Cloud, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Lifesize Cloud single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Lifesize Cloud supports SP initiated SSO
Lifesize Cloud supports Automated user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Lifesize Cloud, select Lifesize Cloud from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier text box, type a URL using the following pattern:
https://login.lifesizecloud.com/<companyname>
NOTE
These values are not real. Update these values with the actual Sign-on URL, Identifier and Relay State. Contact the Lifesize
Cloud Client support team to get the Sign-on URL and Identifier values. You can get the Relay State value from the SSO
Configuration that is explained later in the tutorial. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Lifesize Cloud section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Lifesize Cloud Single Sign-On
1. To get SSO configured for your application, log in to the Lifesize Cloud application with Admin privileges.
2. In the top right corner, click your name and then click Advance Settings.
3. In Advance Settings, click the SSO Configuration link. It opens the SSO Configuration page
for your instance.
e. In the SAML Attribute mapping for the Last Name text box enter the value as
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
f. In the SAML Attribute mapping for the Email text box enter the value as
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
NOTE
For successful testing you need to complete the configuration wizard in Azure AD and also provide access to users or
groups who can perform the test.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Lifesize Cloud test user
In this section, you create a user called Britta Simon in Lifesize Cloud. Lifesize Cloud supports automatic user
provisioning. After successful authentication at Azure AD, the user is automatically provisioned in the
application.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Lifesize Cloud tile in the Access Panel, you should get the login page of the Lifesize Cloud application.
Here you need to enter your username, and after that you will be redirected to the application homepage.
For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with LINE
WORKS
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate LINE WORKS with Azure Active Directory (Azure AD). Integrating LINE
WORKS with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to LINE WORKS.
You can enable your users to be automatically signed-in to LINE WORKS (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with LINE WORKS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
LINE WORKS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
LINE WORKS supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type LINE WORKS, select LINE WORKS from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
6. On the Set up LINE WORKS section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure LINE WORKS Single Sign-On
To configure single sign-on on LINE WORKS side, please read the LINE WORKS SSO documents and configure a
LINE WORKS setting.
NOTE
You need to convert the downloaded Certificate file from .cert to .pem.
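The conversion this note calls for, together with the thumbprint that the LearnUpon tutorial above asks you to locate, as an added example (not part of the original tutorials or the LINE WORKS documentation). It assumes the Certificate (Raw) download is DER-encoded binary and that the portal thumbprint is the SHA-1 of those DER bytes; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)

# Constructed stand-in for a DER file: a well-formed ASN.1 SEQUENCE header
# (0x30, long-form length 200) followed by filler bytes. Not a real certificate.
CONSTRUCTED_DER = b"\x30\x81\xc8" + bytes(range(200))


def der_length_ok(der):
    """True when `der` is exactly one ASN.1 SEQUENCE with a consistent length.

    Catches truncated downloads and files that are not DER at all.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        header, body = 2, first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + body


def load_certificate(data):
    """Accept DER or PEM bytes and return the DER bytes."""
    match = PEM_BLOCK.search(data)
    if match:
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    else:
        der = data
    if not der_length_ok(der):
        raise ValueError("not a single DER-encoded certificate")
    return der


def to_pem(data):
    """Return the certificate as PEM text with 64-character base64 lines."""
    b64 = base64.b64encode(load_certificate(data)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(lines)
        + "\n-----END CERTIFICATE-----\n"
    )


def thumbprint(data):
    """SHA-1 over the DER bytes, upper-case hex, identical for DER and PEM input."""
    return hashlib.sha1(load_certificate(data)).hexdigest().upper()


if __name__ == "__main__":
    import sys

    # Pass the downloaded file as the first argument, or run without
    # arguments to see the output for the constructed sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_DER
    sys.stdout.write(to_pem(raw))
    print("SHA-1 thumbprint:", thumbprint(raw))
```

Comparing the printed thumbprint with the value shown in the portal confirms that the converted file is the same certificate that was downloaded.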
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create LINE WORKS test user
In this section, you create a user called Britta Simon in LINE WORKS. Access LINE WORKS admin page and add
the users in the LINE WORKS platform.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the LINE WORKS tile in the Access Panel, you should be automatically signed in to the LINE
WORKS for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Learnster
10/10/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate Learnster with Azure Active Directory (Azure AD). When you integrate
Learnster with Azure AD, you can:
Control in Azure AD who has access to Learnster.
Enable your users to be automatically signed-in to Learnster with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Learnster single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Learnster supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.learnster.com/auth/login/force
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SUBDOMAIN>.learnster.com/
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Learnster Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up Learnster section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Learnster.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Learnster.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Learnster tile in the Access Panel, you should be automatically signed in to the Learnster for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Learnster with Azure AD
Tutorial: Azure Active Directory integration with
LinkedIn Elevate
8/6/2019 • 7 minutes to read
In this tutorial, you learn how to integrate LinkedIn Elevate with Azure Active Directory (Azure AD). Integrating
LinkedIn Elevate with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to LinkedIn Elevate.
You can enable your users to be automatically signed-in to LinkedIn Elevate (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with LinkedIn Elevate, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
LinkedIn Elevate single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
LinkedIn Elevate supports SP and IDP initiated SSO
LinkedIn Elevate supports Just In Time user provisioning
LinkedIn Elevate supports Automated user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type LinkedIn Elevate, select LinkedIn Elevate from the result panel, then click the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, enter the Entity ID value. You copy the Entity ID value from the LinkedIn portal, as
explained later in this tutorial.
b. In the Reply URL text box, enter the Assertion Consumer Access (ACS) Url value. You copy the
Assertion Consumer Access (ACS) Url value from the LinkedIn portal, as explained later in this tutorial.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://www.linkedin.com/checkpoint/enterprise/login/<AccountId>?
application=elevate&applicationInstanceId=<InstanceId>
6. The LinkedIn Elevate application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes, where nameidentifier is mapped with user.userprincipalname. The LinkedIn
Elevate application expects nameidentifier to be mapped with user.mail, so you need to edit the attribute
mapping by clicking the Edit icon and changing the attribute mapping.
7. In addition to the above, the LinkedIn Elevate application expects a few more attributes to be passed back in the SAML
response. In the User Claims section on the User Attributes dialog, perform the following steps to add
the SAML token attribute as shown in the table below:
department user.department
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
9. On the Set up LinkedIn Elevate section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure LinkedIn Elevate Single Sign-On
1. In a different web browser window, sign-on to your LinkedIn Elevate tenant as an administrator.
2. In Account Center, click Global Settings under Settings. Also, select Elevate - Elevate AAD Test from
the dropdown list.
3. Click on OR Click Here to load and copy individual fields from the form and perform the following
steps:
a. Copy Entity Id and paste it into the Identifier text box in the Basic SAML Configuration in the Azure
portal.
b. Copy Assertion Consumer Access (ACS) Url and paste it into the Reply URL text box in the Basic
SAML Configuration in the Azure portal.
4. Go to LinkedIn Admin Settings section. Upload the XML file that you have downloaded from the Azure
portal by clicking on the Upload XML file option.
5. Click On to enable SSO. SSO status will change from Not Connected to Connected
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create LinkedIn Elevate test user
LinkedIn Elevate application supports Just in time user provisioning: after authentication, users are created
in the application automatically. On the admin settings page on the LinkedIn Elevate portal, flip the switch
Automatically Assign licenses to activate Just in time provisioning; this also assigns a license to the user.
LinkedIn Elevate also supports automatic user provisioning; you can find more details here on how to configure
automatic user provisioning.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the LinkedIn Elevate tile in the Access Panel, you should be automatically signed in to the LinkedIn
Elevate for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with LinkedIn Learning
9/19/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate LinkedIn Learning with Azure Active Directory (Azure AD). When you
integrate LinkedIn Learning with Azure AD, you can:
Control in Azure AD who has access to LinkedIn Learning.
Enable your users to be automatically signed-in to LinkedIn Learning with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
LinkedIn Learning single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
LinkedIn Learning supports SP and IDP initiated SSO
LinkedIn Learning supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier textbox, enter the Entity ID copied from LinkedIn Portal.
b. In the Reply URL textbox, enter the Assertion Consumer Service (ACS) Url copied from LinkedIn
Portal.
c. If you wish to configure the application in SP initiated mode, click the Set additional URLs option in
the Basic SAML Configuration section, where you will specify your sign-on URL. To create your login URL,
copy the Assertion Consumer Service (ACS) Url and replace /saml/ with /login/. Once that has been
done, the sign-on URL should have the following pattern:
https://www.linkedin.com/checkpoint/enterprise/login/<AccountId>?application=learning&applicationInstanceId=<InstanceId>
NOTE
These values are not real. You will update these values with the actual Identifier and Reply URL, which is
explained later in the Configure LinkedIn Learning SSO section of the tutorial.
5. LinkedIn Learning application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes, where nameidentifier is mapped to user.userprincipalname. LinkedIn
Learning application expects nameidentifier to be mapped to user.mail, so you need to edit the attribute
mapping by clicking the Edit icon and changing the attribute mapping.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. On the Set up LinkedIn Learning section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
3. Click OR Click Here to load and copy individual fields from the form, copy Entity Id and
Assertion Consumer Service (ACS) Url, and paste them in the Basic SAML Configuration section in the Azure
portal.
4. Go to LinkedIn Admin Settings section. Upload the XML file you downloaded from the Azure portal by
clicking the Upload XML file option.
5. Click On to enable SSO. SSO status changes from Not Connected to Connected
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the LinkedIn Learning tile in the Access Panel, you should be automatically signed in to the
LinkedIn Learning for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try LinkedIn Learning with Azure AD
Tutorial: Azure Active Directory integration with
LinkedIn Sales Navigator
6/13/2019 • 7 minutes to read
In this tutorial, you learn how to integrate LinkedIn Sales Navigator with Azure Active Directory (Azure AD).
Integrating LinkedIn Sales Navigator with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to LinkedIn Sales Navigator.
You can enable your users to be automatically signed-in to LinkedIn Sales Navigator (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with LinkedIn Sales Navigator, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
LinkedIn Sales Navigator single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
LinkedIn Sales Navigator supports SP and IDP initiated SSO
LinkedIn Sales Navigator supports Just In Time user provisioning
LinkedIn Sales Navigator supports Automated user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type LinkedIn Sales Navigator, select LinkedIn Sales Navigator from result panel
then click Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, enter the Entity ID value. You will copy the Entity ID value from the LinkedIn
portal, as explained later in this tutorial.
b. In the Reply URL text box, enter the Assertion Consumer Access (ACS) Url value. You will copy the
Assertion Consumer Access (ACS) Url value from the LinkedIn portal, as explained later in this tutorial.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://www.linkedin.com/checkpoint/enterprise/login/<account id>?application=salesNavigator
6. LinkedIn Sales Navigator application expects the SAML assertions in a specific format, which requires you
to add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes, where nameidentifier is mapped to user.userprincipalname.
LinkedIn Sales Navigator application expects nameidentifier to be mapped to user.mail, so you need to
edit the attribute mapping by clicking the Edit icon and changing the attribute mapping.
7. In addition to the above, LinkedIn Sales Navigator application expects a few more attributes to be passed back in
the SAML response. In the User Claims section on the User Attributes dialog, perform the following steps to
add the SAML token attributes shown in the table below:
NAME          SOURCE ATTRIBUTE
email         user.mail
department    user.department
firstname     user.givenname
lastname      user.surname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
9. On the Set up LinkedIn Sales Navigator section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
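The claim mapping in steps 6 and 7 can be checked against a decoded assertion before users are affected. The following is an added example, not part of the original tutorial: check_assertion and build_sample are hypothetical names, the sample assertions are constructed, and the assumption that a claim saved with a namespace appears as "<namespace>/<name>" is noted in the code.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names from the NAME column of the tutorial's table.
REQUIRED_CLAIMS = ("email", "department", "firstname", "lastname")

# Loose shape check only; it does not prove the mailbox exists.
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_sample(name_id, claims):
    """Build a constructed, unsigned assertion for the demo (not captured traffic)."""
    attrs = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
        "</saml:Attribute>" % (name, value)
        for name, value in claims.items()
    )
    return (
        '<saml:Assertion xmlns:saml="%s"><saml:Subject><saml:NameID>%s</saml:NameID>'
        "</saml:Subject><saml:AttributeStatement>%s</saml:AttributeStatement>"
        "</saml:Assertion>" % (NS["saml"], name_id, attrs)
    )


def check_assertion(xml_text):
    """Return a list of findings; an empty list means the claim shape matches.

    This inspects claim shape only. It does not validate the signature, so it
    is a configuration check, never an authentication decision.
    """
    root = ET.fromstring(xml_text)
    # Accept a bare Assertion or one nested inside a samlp:Response.
    if root.tag == "{%s}Assertion" % NS["saml"]:
        assertion = root
    else:
        assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]

    findings = []
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not EMAIL_SHAPE.match(name_id):
        findings.append("NameID %r is not an email address" % name_id)

    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values

    for claim in REQUIRED_CLAIMS:
        if claim in attrs:
            if not any(attrs[claim]):
                findings.append("claim %r is present but empty" % claim)
            continue
        # Assumption: a claim saved with a namespace is emitted as "<namespace>/<name>".
        namespaced = [n for n in attrs if n.endswith("/" + claim)]
        if namespaced:
            findings.append("claim %r sent as %r; Namespace must be blank" % (claim, namespaced[0]))
        else:
            findings.append("claim %r is missing" % claim)

    # nameidentifier and email are both mapped to user.mail, so they must agree.
    emails = [e.lower() for e in attrs.get("email", [])]
    if emails and name_id.lower() not in emails:
        findings.append(
            "NameID does not match the email claim; "
            "nameidentifier may still be mapped to user.userprincipalname"
        )
    return findings


# Constructed samples: one correct mapping, one with three typical mistakes.
SAMPLE_OK = build_sample(
    "b.simon@contoso.com",
    {"email": "b.simon@contoso.com", "department": "Sales",
     "firstname": "B", "lastname": "Simon"},
)
SAMPLE_BAD = build_sample(
    "b.simon@contoso.onmicrosoft.com",
    {"email": "b.simon@contoso.com",
     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department": "Sales",
     "firstname": "B"},
)

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_assertion(sample))
```

Because nameidentifier and the email claim both come from user.mail, a NameID that differs from the email claim is the quickest sign that the default user.userprincipalname mapping was left in place.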
Configure LinkedIn Sales Navigator Single Sign-On
1. In a different web browser window, sign-on to your LinkedIn Sales Navigator website as an administrator.
2. In Account Center, click Global Settings under Settings. Also, select Sales Navigator from the
dropdown list.
3. Click on OR Click Here to load and copy individual fields from the form and perform the following
steps:
a. Copy Entity Id and paste it into the Identifier text box in the Basic SAML Configuration in the Azure
portal.
b. Copy Assertion Consumer Access (ACS) Url and paste it into the Reply URL text box in the Basic
SAML Configuration in the Azure portal.
4. Go to LinkedIn Admin Settings section. Upload the XML file that you have downloaded from the Azure
portal by clicking on the Upload XML file option.
5. Click On to enable SSO. SSO status changes from Not Connected to Connected
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create LinkedIn Sales Navigator test user
LinkedIn Sales Navigator application supports Just in Time (JIT) user provisioning: after authentication, users are
created in the application automatically. Activate Automatically assign licenses to assign a license to the user.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the LinkedIn Sales Navigator tile in the Access Panel, you should be automatically signed in to the
LinkedIn Sales Navigator for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
LiquidFiles
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate LiquidFiles with Azure Active Directory (Azure AD). Integrating
LiquidFiles with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to LiquidFiles.
You can enable your users to be automatically signed-in to LiquidFiles (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with LiquidFiles, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
LiquidFiles single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
LiquidFiles supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type LiquidFiles, select LiquidFiles from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern: https://<YOUR_SERVER_URL>
c. In the Reply URL textbox, type a URL using the following pattern:
https://<YOUR_SERVER_URL>/saml/consume
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact LiquidFiles Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. In the SAML Signing Certificate section, click Edit button to open SAML Signing Certificate dialog.
6. In the SAML Signing Certificate section, copy the THUMBPRINT and save it on your computer.
7. On the Set up LiquidFiles section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure LiquidFiles Single Sign-On
1. Sign-on to your LiquidFiles company site as administrator.
2. From the menu, click Single Sign-On under Admin > Configuration.
3. On the Single Sign-On Configuration page, perform the following steps
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create LiquidFiles test user
The objective of this section is to create a user called Britta Simon in LiquidFiles. Work with your LiquidFiles server
administrator to get yourself added as a user before logging in to your LiquidFiles application.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the LiquidFiles tile in the Access Panel, you should be automatically signed in to the LiquidFiles for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Litmos
8/30/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Litmos with Azure Active Directory (Azure AD). When you integrate
Litmos with Azure AD, you can:
Control in Azure AD who has access to Litmos.
Enable your users to be automatically signed-in to Litmos with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Litmos single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Litmos supports IDP initiated SSO
Litmos supports Just In Time user provisioning
4. On the Set up single sign-on with SAML page, enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://<companyname>.litmos.com/account/Login
b. In the Reply URL text box, type a URL using the following pattern:
https://<companyname>.litmos.com/integration/samllogin
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL, which are explained later in
tutorial or contact Litmos Client support team to get these values. You can also refer to the patterns shown in the
Basic SAML Configuration section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up Litmos section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Litmos.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Litmos.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
4. On the Integrations tab, scroll down to 3rd Party Integrations, and then click SAML 2.0 tab.
5. Copy the value under The SAML endpoint for litmos is: and paste it into the Reply URL textbox in the
Litmos Domain and URLs section in Azure portal.
6. In your Litmos application, perform the following steps:
4. On the Integrations tab, scroll down to 3rd Party Integrations, and then click SAML 2.0 tab.
5. Select Autogenerate Users
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Litmos tile in the Access Panel, you should be automatically signed in to the Litmos for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Litmos with Azure AD
Tutorial: Azure Active Directory integration with
LockPath Keylight
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate LockPath Keylight with Azure Active Directory (Azure AD). Integrating
LockPath Keylight with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to LockPath Keylight.
You can enable your users to be automatically signed-in to LockPath Keylight (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with LockPath Keylight, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
LockPath Keylight single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
LockPath Keylight supports SP initiated SSO
LockPath Keylight supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type LockPath Keylight, select LockPath Keylight from result panel then click Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<company name>.keylightgrc.com
c. In the Reply URL textbox, type a URL using the following pattern:
https://<company name>.keylightgrc.com/Login.aspx
NOTE
These values are not real. Update these values with the actual Sign on URL, Identifier and Reply URL. Contact
LockPath Keylight Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
6. On the Set up LockPath Keylight section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure LockPath Keylight Single Sign-On
1. To enable SSO in LockPath Keylight, perform the following steps:
a. Sign-on to your LockPath Keylight account as administrator.
b. In the menu on the top, click Person, and select Keylight Setup.
2. On the Edit SAML Settings dialog page, perform the following steps:
a. Set SAML authentication to Active.
b. In the Identity Provider Login URL textbox, paste the Login URL value which you have copied from
the Azure portal.
c. In the Identity Provider Logout URL textbox, paste the Logout URL value which you have copied from
the Azure portal.
d. Click Choose File to select your downloaded LockPath Keylight certificate, and then click Open to upload
the certificate.
e. Set SAML User Id location to NameIdentifier element of the subject statement.
f. Provide the Keylight Service Provider using the following pattern:
https://<CompanyName>.keylightgrc.com .
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create LockPath Keylight test user
In this section, a user called Britta Simon is created in LockPath Keylight. LockPath Keylight supports just-in-time
user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't
already exist in LockPath Keylight, a new one is created after authentication. If you need to create a user manually,
you need to contact the LockPath Keylight Client support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the LockPath Keylight tile in the Access Panel, you should be automatically signed in to the
LockPath Keylight for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
LogicMonitor
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate LogicMonitor with Azure Active Directory (Azure AD). Integrating
LogicMonitor with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to LogicMonitor.
You can enable your users to be automatically signed-in to LogicMonitor (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with LogicMonitor, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
LogicMonitor single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
LogicMonitor supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type LogicMonitor, select LogicMonitor from result panel then click Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.logicmonitor.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact LogicMonitor Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up LogicMonitor section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure LogicMonitor Single Sign-On
1. Log in to your LogicMonitor company site as an administrator.
2. In the menu on the top, click Settings.
4. In the Single Sign-on (SSO) settings section, perform the following steps:
a. Select Enable Single Sign-on.
b. As Default Role Assignment, select readonly.
c. Open the downloaded metadata file in notepad, and then paste content of the file into the Identity
Provider Metadata textbox.
d. Click Save Changes.
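Before pasting the Federation Metadata XML into a service provider (the LogicMonitor step above) or relying on a copied THUMBPRINT (the LiquidFiles step earlier), the file can be cross-checked against the Login URL, Azure AD Identifier and Logout URL copied from the portal. The following is an added example, not part of the original tutorials: the function names, the all-zero tenant ID and the certificate bytes are constructed placeholders, and the thumbprint is computed as the SHA-1 digest of the certificate's DER bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def thumbprint(cert_text):
    """SHA-1 over the DER bytes as upper-case hex, from Base64 or PEM text."""
    lines = [line.strip() for line in cert_text.strip().splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    der = base64.b64decode("".join(body.split()), validate=True)
    return hashlib.sha1(der).hexdigest().upper()


def summarize_metadata(xml_text):
    """Extract the values an administrator would otherwise copy by hand."""
    # The stdlib parser keeps the example offline; metadata from an untrusted
    # source should go through a hardened XML parser first.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    def location(tag):
        # Return the HTTP-Redirect endpoint for the given service element.
        for el in idp.iterfind("md:" + tag, NS):
            if el.get("Binding") == REDIRECT:
                return el.get("Location")
        return None

    prints = []
    for key in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute applies to signing too.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            prints.append(thumbprint(cert.text or ""))

    return {
        "entity_id": root.get("entityID"),
        "login_url": location("SingleSignOnService"),
        "logout_url": location("SingleLogoutService"),
        "signing_thumbprints": prints,
    }


def mismatches(summary, copied):
    """Compare metadata with values copied from the portal; return differing keys."""
    diffs = []
    for key in ("entity_id", "login_url", "logout_url"):
        if key in copied and copied[key].strip() != summary[key]:
            diffs.append(key)
    if "thumbprint" in copied:
        want = copied["thumbprint"].replace(":", "").replace(" ", "").upper()
        if want not in summary["signing_thumbprints"]:
            diffs.append("thumbprint")
    return diffs


# Constructed sample input: placeholder tenant ID and placeholder certificate bytes.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{t}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{c}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{b}" Location="https://login.microsoftonline.com/{t}/saml2"/>
    <SingleSignOnService Binding="{b}" Location="https://login.microsoftonline.com/{t}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>""".format(t=TENANT, c=SAMPLE_CERT_B64, b=REDIRECT)

if __name__ == "__main__":
    summary = summarize_metadata(SAMPLE_METADATA)
    print(summary)
    print(mismatches(summary, {"thumbprint": "00" * 20}))
```

A non-empty result from mismatches means the file on disk and the values on screen describe different configurations, for example after the signing certificate was rolled over.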
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create LogicMonitor test user
For Azure AD users to be able to sign in, they must be provisioned to the LogicMonitor application using their
Azure Active Directory user names.
To configure user provisioning, perform the following steps:
1. Log in to your LogicMonitor company site as an administrator.
2. In the menu on the top, click Settings, and then click Roles and Users.
3. Click Add.
4. In the Add an account section, perform the following steps:
a. Type the Username, Email, Password, and Retype password values of the Azure Active Directory user
you want to provision into the related textboxes.
b. Select Roles, View Permissions, and the Status.
c. Click Submit.
NOTE
You can use any other LogicMonitor user account creation tools or APIs provided by LogicMonitor to provision Azure Active
Directory user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
LoginRadius
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate LoginRadius with Azure Active Directory (Azure AD). Integrating
LoginRadius with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to LoginRadius.
You can enable your users to be automatically signed-in to LoginRadius (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with LoginRadius, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
LoginRadius single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
LoginRadius supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type LoginRadius, select LoginRadius from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
Open the Sign-on URL page. Click on Single Sign-On tab and enter plugin name given by the LoginRadius support
team then click Sign in button and you will be redirected to the Azure AD page for login.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up LoginRadius section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure LoginRadius Single Sign-On
To configure single sign-on on the LoginRadius side, you need to send the downloaded Metadata XML and the
appropriate copied URLs from the Azure portal to the LoginRadius support team. They apply these settings so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create LoginRadius test user
In this section, you create a user called Britta Simon in LoginRadius. Work with LoginRadius support team to add
the users in the LoginRadius platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the LoginRadius tile in the Access Panel, you should be automatically signed in to the LoginRadius
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Lucidchart
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Lucidchart with Azure Active Directory (Azure AD). Integrating
Lucidchart with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Lucidchart.
You can enable your users to be automatically signed-in to Lucidchart (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Lucidchart, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Lucidchart single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Lucidchart supports SP initiated SSO
Lucidchart supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Lucidchart, select Lucidchart from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Lucidchart section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Lucidchart Single Sign-On
1. In a different web browser window, log into your Lucidchart company site as an administrator.
2. In the menu on the top, click Team.
b. In the Domain textbox, type your domain, and then click Change Certificate.
c. Open your downloaded metadata file, copy the content, and then paste it into the Upload Metadata
textbox.
d. Select Automatically Add new users to the team, and then click Save changes.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Lucidchart test user
There is no action item for you to configure user provisioning to Lucidchart. When an assigned user tries to log
into Lucidchart using the access panel, Lucidchart checks whether the user exists.
If there is no user account available yet, it is automatically created by Lucidchart.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Lucidchart tile in the Access Panel, you should be automatically signed in to the Lucidchart for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Lynda.com
11/19/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Lynda.com with Azure Active Directory (Azure AD). Integrating
Lynda.com with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Lynda.com.
You can enable your users to be automatically signed-in to Lynda.com (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Lynda.com, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Lynda.com single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Lynda.com supports SP initiated SSO
Lynda.com supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Lynda.com, select Lynda.com from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Lynda.com Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Lynda.com section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Lynda.com Single Sign-On
To configure single sign-on on the Lynda.com side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the Lynda.com support team. They apply these settings
so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Lynda.com test user
There is no action item for you to configure user provisioning to Lynda.com.
When an assigned user tries to log in to Lynda.com using the access panel, Lynda.com checks whether the user
exists.
If there is no user account available yet, it is automatically created by Lynda.com.
NOTE
You can use any other Lynda.com user account creation tools or APIs provided by Lynda.com to provision Azure AD user
accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
M-Files
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate M-Files with Azure Active Directory (Azure AD). Integrating M-Files with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to M-Files.
You can enable your users to be automatically signed-in to M-Files (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with M-Files, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
M-Files single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
M-Files supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type M-Files, select M-Files from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<tenantname>.cloudvault.m-files.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact M-Files Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up M-Files section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure M-Files Single Sign-On
1. To get SSO configured for your application, contact the M-Files support team and provide them the
downloaded Metadata.
NOTE
Follow the next steps if you want to configure SSO for your M-Files desktop application. No extra steps are required if
you only want to configure SSO for the M-Files web version.
2. Follow the next steps to configure the M-Files desktop application to enable SSO with Azure AD. To
download M-Files, go to the M-Files download page.
3. Open the M-Files Desktop Settings window. Then, click Add.
4. On the Document Vault Connection Properties window, perform the following steps:
Under the Server section, type the values as follows:
a. For Name, type <tenant-name>.cloudvault.m-files.com .
b. For Port Number, type 4466.
c. For Protocol, select HTTPS.
d. In the Authentication field, select Specific Windows user. Then, you are prompted with a signing page.
Insert your Azure AD credentials.
e. For the Vault on Server, select the corresponding vault on server.
f. Click OK.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create M-Files test user
The objective of this section is to create a user called Britta Simon in M-Files. Work with the M-Files support team to
add the users in M-Files.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the M-Files tile in the Access Panel, you should be automatically signed in to the M-Files for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Mail Luck!
10/27/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Mail Luck! with Azure Active Directory (Azure AD). When you integrate
Mail Luck! with Azure AD, you can:
Control in Azure AD who has access to Mail Luck!.
Enable your users to be automatically signed-in to Mail Luck! with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Mail Luck! single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Mail Luck! supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://manage<UNITID>.ml-sgw.jp/<TENANT_NAME>/saml/sign_in
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://manage<UNITID>.ml-sgw.jp/<TENANT_NAME>/saml/
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Mail Luck! Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Mail Luck! with Azure AD
Tutorial: Azure Active Directory integration with
Manabi Pocket
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Manabi Pocket with Azure Active Directory (Azure AD). Integrating
Manabi Pocket with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Manabi Pocket.
You can enable your users to be automatically signed-in to Manabi Pocket (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Manabi Pocket, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Manabi Pocket single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Manabi Pocket supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Manabi Pocket, select Manabi Pocket from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SERVER-NAME>.ed-cl.com/<TENANT-ID>/idp/provider
NOTE
The Identifier value is not real. Update this value with the actual Identifier. Contact Manabi Pocket Client support
team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Manabi Pocket section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Manabi Pocket Single Sign-On
To configure single sign-on on the Manabi Pocket side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the Manabi Pocket support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Manabi Pocket test user
In this section, you create a user called Britta Simon in Manabi Pocket. Work with Manabi Pocket support team to
add the users in the Manabi Pocket platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Manabi Pocket tile in the Access Panel, you should be automatically signed in to the Manabi
Pocket for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Marketo
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Marketo with Azure Active Directory (Azure AD). Integrating Marketo
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Marketo.
You can enable your users to be automatically signed-in to Marketo (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Marketo, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Marketo single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Marketo supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Marketo, select Marketo from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://saml.marketo.com/sp
b. In the Reply URL text box, type a URL using the following pattern:
https://login.marketo.com/saml/assertion/<munchkinid>
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Marketo Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Marketo section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Marketo Single Sign-On
1. To get the Munchkin Id of your application, log in to Marketo using admin credentials and perform the following
actions:
a. Log in to Marketo app using admin credentials.
b. Click the Admin button on the top navigation pane.
d. Copy the Munchkin Id shown on the screen and complete your Reply URL in the Azure AD configuration
wizard.
i. Upload the certificate, which you have downloaded from Azure AD configuration wizard. Save the
settings.
j. Edit the Redirect Pages settings.
k. Paste the Login URL in the Login URL textbox.
l. Paste the Logout URL in the Logout URL textbox.
m. In the Error URL, copy your Marketo instance URL and click Save button to save settings.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Marketo test user
In this section, you create a user called Britta Simon in Marketo. Follow these steps to create a user in the Marketo
platform.
1. Log in to Marketo app using admin credentials.
2. Click the Admin button on the top navigation pane.
3. Navigate to the Security menu and click Users & Roles.
8. The user receives the email notification and has to click the link and change the password to activate the
account.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Marketo tile in the Access Panel, you should be automatically signed in to the Marketo for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
MaxxPoint
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate MaxxPoint with Azure Active Directory (Azure AD). Integrating
MaxxPoint with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to MaxxPoint.
You can enable your users to be automatically signed-in to MaxxPoint (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with MaxxPoint, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
MaxxPoint single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
MaxxPoint supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type MaxxPoint, select MaxxPoint from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
the user does not have to perform any step as the app is already pre-integrated with Azure.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign on URL text box, type a URL using the following pattern:
https://maxxpoint.westipc.com/default/sso/login/entity/<customer-id>-azure
NOTE
This is not the real value. Update the value with the actual Sign on URL. Call MaxxPoint team on 888-728-0950 to
get this value.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up MaxxPoint section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure MaxxPoint Single Sign-On
To get SSO configured for your application, call MaxxPoint support team on 888-728-0950 and they'll assist you
further on how to provide them the downloaded Federation Metadata XML file.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create MaxxPoint test user
In this section, you create a user called Britta Simon in MaxxPoint. Please call MaxxPoint support team on 888-728-
0950 to add the users in the MaxxPoint application.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the MaxxPoint tile in the Access Panel, you should be automatically signed in to the MaxxPoint for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
MCM
11/19/2019 • 5 minutes to read
In this tutorial, you learn how to integrate MCM with Azure Active Directory (Azure AD). Integrating MCM with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to MCM.
You can enable your users to be automatically signed-in to MCM (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with MCM, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
MCM single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
MCM supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type MCM, select MCM from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://myaba.co.uk/<companyname>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact MCM Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up MCM section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure MCM Single Sign-On
To configure single sign-on on the MCM side, you need to send the downloaded Federation Metadata XML and the
appropriate URLs copied from the Azure portal to the MCM support team. They configure this setting so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create MCM test user
In this section, you create a user called Britta Simon in MCM. Work with MCM support team to add the users in
the MCM platform. Users must be created and activated before you use single sign-on.
NOTE
You can use any other MCM user account creation tools or APIs provided by MCM to provision Azure AD user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Menlo Security
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Menlo Security with Azure Active Directory (Azure AD). Integrating
Menlo Security with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Menlo Security.
You can enable your users to be automatically signed-in to Menlo Security (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Menlo Security, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Menlo Security single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Menlo Security supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Menlo Security, select Menlo Security from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.menlosecurity.com/safeview-auth-server/saml/metadata
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Menlo Security
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Menlo Security section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Menlo Security Single Sign-On
1. To configure single sign-on on the Menlo Security side, log in to the Menlo Security website as an
administrator.
2. Under Settings, go to Authentication and perform the following actions:
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Menlo Security test user
In this section, you create a user called Britta Simon in Menlo Security. Work with Menlo Security Client support
team to add the users in the Menlo Security platform. Users must be created and activated before you use single
sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Menlo Security tile in the Access Panel, you should be automatically signed in to the Menlo
Security for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Mercell
10/30/2019 • 4 minutes to read
In this tutorial, you learn how to integrate Mercell with Azure Active Directory (Azure AD). Integrating Mercell with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Mercell.
You can enable your users to be automatically signed-in to Mercell (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Mercell, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Mercell single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Mercell supports IDP initiated SSO
Mercell supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Mercell, select Mercell from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Mercell test user
In this section, a user called Britta Simon is created in Mercell. Mercell supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Mercell,
a new one is created after authentication.
NOTE
If you need to create a user manually, contact Mercell support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Mercell tile in the Access Panel, you should be automatically signed in to the Mercell for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Mercer BenefitsCentral (MBC)
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Mercer BenefitsCentral (MBC) with Azure Active Directory (Azure AD).
Integrating Mercer BenefitsCentral (MBC) with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Mercer BenefitsCentral (MBC).
You can enable your users to be automatically signed-in to Mercer BenefitsCentral (MBC) (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Mercer BenefitsCentral (MBC), you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Mercer BenefitsCentral (MBC) single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Mercer BenefitsCentral (MBC) supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Mercer BenefitsCentral (MBC), select Mercer BenefitsCentral (MBC) from the
result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL: stg.mercerhrs.com/saml2.0
b. In the Reply URL text box, type a URL using the following pattern:
https://ssous-stg.mercerhrs.com/SP2/Saml2AssertionConsumer.aspx
NOTE
The Reply URL value is not real. Update this value with the actual Reply URL. Contact Mercer BenefitsCentral (MBC)
Client support team to get this value. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Mercer BenefitsCentral (MBC) section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Mercer BenefitsCentral (MBC) Single Sign-On
To configure single sign-on on the Mercer BenefitsCentral (MBC) side, you need to send the downloaded
Federation Metadata XML and the appropriate URLs copied from the Azure portal to the Mercer BenefitsCentral (MBC)
support team. They configure this setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Mercer BenefitsCentral (MBC) test user
In this section, you create a user called Britta Simon in Mercer BenefitsCentral (MBC). Work with Mercer
BenefitsCentral (MBC) support team to add the users in the Mercer BenefitsCentral (MBC) platform. Users must
be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Mercer BenefitsCentral (MBC) tile in the Access Panel, you should be automatically signed in to
the Mercer BenefitsCentral (MBC) for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Merchlogix
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Merchlogix with Azure Active Directory (Azure AD). Integrating
Merchlogix with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Merchlogix.
You can enable your users to be automatically signed-in to Merchlogix (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Merchlogix, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Merchlogix single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Merchlogix supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Merchlogix, select Merchlogix from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<DOMAIN>/simplesaml/module.php/saml/sp/metadata.php/<SAML_NAME>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Merchlogix Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and
save it on your computer.
6. On the Set up Merchlogix section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Merchlogix Single Sign-On
To configure single sign-on on the Merchlogix side, you need to send the downloaded Certificate (Base64) and the
appropriate URLs copied from the Azure portal to the Merchlogix support team. They configure this setting so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Merchlogix test user
In this section, you create a user called Britta Simon in Merchlogix. Work with Merchlogix support team to add the
users in the Merchlogix platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Merchlogix tile in the Access Panel, you should be automatically signed in to the Merchlogix for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Meta4 Global HR
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Meta4 Global HR with Azure Active Directory (Azure AD). Integrating
Meta4 Global HR with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Meta4 Global HR.
You can enable your users to be automatically signed-in to Meta4 Global HR (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Meta4 Global HR, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Meta4 Global HR single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Meta4 Global HR supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button on the top of the dialog.
4. In the search box, type Meta4 Global HR, select Meta4 Global HR from the result panel then click the
Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML
Configuration dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.meta4globalhr.com/saml.sso/SAML2/POST
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.meta4globalhr.com
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact Meta4 Global HR
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Meta4 Global HR section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Meta4 Global HR Single Sign-On
To configure single sign-on on the Meta4 Global HR side, you need to send the downloaded Federation Metadata
XML and the appropriate URLs copied from the Azure portal to the Meta4 Global HR support team. They configure
this setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Meta4 Global HR test user
In this section, you create a user called Britta Simon in Meta4 Global HR. Work with Meta4 Global HR support
team to add the users in the Meta4 Global HR platform. Users must be created and activated before you use single
sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Meta4 Global HR tile in the Access Panel, you should be automatically signed in to the Meta4
Global HR for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Meta
Networks Connector
10/30/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Meta Networks Connector with Azure Active Directory (Azure AD). Integrating
Meta Networks Connector with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Meta Networks Connector.
You can enable your users to be automatically signed-in to Meta Networks Connector (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and single
sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
To configure Azure AD integration with Meta Networks Connector, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Meta Networks Connector single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Meta Networks Connector supports SP and IDP initiated SSO
Meta Networks Connector supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Meta Networks Connector, select Meta Networks Connector from the result panel, then click
the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, perform
the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://login.nsof.io/v1/<ORGANIZATION-SHORT-NAME>/saml/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://login.nsof.io/v1/<ORGANIZATION-SHORT-NAME>/sso/saml
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP initiated
mode:
a. In the Sign-on URL text box, type a URL using the following pattern:
https://<ORGANIZATION-SHORT-NAME>.metanetworks.com/login
b. In the Relay State textbox, type a URL using the following pattern:
https://<ORGANIZATION-SHORT-NAME>.metanetworks.com/#/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL, which are explained
later in the tutorial.
6. The Meta Networks Connector application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes. Click the Edit icon to open the User Attributes dialog.
7. In addition to the above, the Meta Networks Connector application expects a few more attributes to be passed back in
the SAML response. In the User Claims section on the User Attributes dialog, perform the following steps to add the
SAML token attributes shown in the table below:
NAME         SOURCE ATTRIBUTE
firstname    user.givenname
lastname     user.surname
phone        user.telephonenumber
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to
download the Certificate (Base64) from the given options as per your requirement and save it on your computer.
9. On the Set up Meta Networks Connector section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
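The claim mapping from step 7 can be checked against a decoded SAML assertion before sign-on is tested. The following is an added example, not part of the original tutorial or of Meta Networks' tooling: the sample assertions, the example.invalid namespace and the function names are constructed for illustration, and the check assumes that a claim saved with a non-blank Namespace is emitted as <namespace>/<name>.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Claim name -> Azure AD source attribute, as listed in the table in step 7.
REQUIRED_CLAIMS = {
    "firstname": "user.givenname",
    "lastname": "user.surname",
    "phone": "user.telephonenumber",
}


def build_assertion(attributes):
    """Build a constructed, unsigned assertion used only as offline sample input."""
    root = ET.Element(f"{{{ASSERTION_NS}}}Assertion", {"Version": "2.0"})
    statement = ET.SubElement(root, f"{{{ASSERTION_NS}}}AttributeStatement")
    for name, value in attributes.items():
        attr = ET.SubElement(statement, f"{{{ASSERTION_NS}}}Attribute", {"Name": name})
        ET.SubElement(attr, f"{{{ASSERTION_NS}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def read_attributes(assertion_xml):
    """Map each Attribute Name in the assertion to its non-empty values."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        values = [
            (v.text or "").strip()
            for v in attr.findall(f"{{{ASSERTION_NS}}}AttributeValue")
        ]
        found.setdefault(attr.get("Name", ""), []).extend(v for v in values if v)
    return found


def check_claims(assertion_xml):
    """Return a list of problems with the step 7 claims; empty means all present.

    This inspects attribute names and values only. It does not validate the
    assertion's signature and must not be used as an authentication check.
    """
    found = read_attributes(assertion_xml)
    problems = []
    for claim, source in REQUIRED_CLAIMS.items():
        if claim in found:
            if not found[claim]:
                problems.append(f"{claim}: present but empty (check {source})")
            continue
        # Assumption: a non-blank Namespace yields "<namespace>/<claim>".
        qualified = [name for name in found if name.endswith("/" + claim)]
        if qualified:
            problems.append(f"{claim}: sent as {qualified[0]} (Namespace not blank)")
        else:
            problems.append(f"{claim}: missing (expected source {source})")
    return problems


# Constructed samples: one correct mapping, one with a namespaced claim
# and an empty phone value.
SAMPLE_OK = build_assertion(
    {"firstname": "Britta", "lastname": "Simon", "phone": "+1 555 0100"}
)
SAMPLE_BAD = build_assertion(
    {
        "http://example.invalid/claims/firstname": "Britta",
        "lastname": "Simon",
        "phone": "",
    }
)

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_claims(sample) or "all required claims present")
```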
Configure Meta Networks Connector Single Sign-On
1. Open a new tab in your browser and log in to your Meta Networks Connector administrator account.
NOTE
Meta Networks Connector is a secure system, so before accessing their portal you need to get your public IP address added to
an allow list on their side. To get your public IP address, follow the link specified here. Send your IP address to the Meta
Networks Connector Client support team to get it added to the allow list.
3. Make sure Log Internet Traffic and Force VPN MFA are set to off.
a. Copy SSO URL value and paste it into the Sign-In URL textbox in the Meta Networks Connector Domain and
URLs section.
b. Copy Recipient URL value and paste it into the Reply URL textbox in the Meta Networks Connector Domain
and URLs section.
c. Copy Audience URI (SP Entity ID) value and paste it into the Identifier (Entity ID) textbox in the Meta
Networks Connector Domain and URLs section.
d. Enable the SAML
6. On the GENERAL tab, perform the following steps:
a. In the Identity Provider Single Sign-On URL, paste the Login URL value which you have copied from the Azure
portal.
b. In the Identity Provider Issuer, paste the Azure AD Identifier value which you have copied from the Azure
portal.
c. Open the certificate downloaded from the Azure portal in Notepad, and paste it into the X.509 Certificate textbox.
d. Enable the Just-in-Time Provisioning.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the bottom of the
screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the appropriate role for
the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Meta Networks Connector test user
In this section, a user called Britta Simon is created in Meta Networks Connector. Meta Networks Connector supports
just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist
in Meta Networks Connector, a new one is created when you attempt to access Meta Networks Connector.
NOTE
If you need to create a user manually, contact Meta Networks Connector Client support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Mimecast Admin Console
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Mimecast Admin Console with Azure Active Directory (Azure AD).
Integrating Mimecast Admin Console with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Mimecast Admin Console.
You can enable your users to be automatically signed-in to Mimecast Admin Console (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Mimecast Admin Console, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Mimecast Admin Console single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Mimecast Admin Console supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Mimecast Admin Console, select Mimecast Admin Console from the result panel,
then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
https://webmail-uk.mimecast.com
https://webmail-us.mimecast.com
NOTE
The sign on URL is region specific.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Mimecast Admin Console section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Mimecast Admin Console Single Sign-On
1. In a different web browser window, log into your Mimecast Admin Console as an administrator.
2. Go to Services > Application.
NOTE
For the Mimecast Admin Console, the Login URL value and the Logout URL value are the same.
g. Open the Base64 certificate that you downloaded from the Azure portal in Notepad, remove the first line ("--")
and the last line ("--"), copy the remaining content to your clipboard, and then paste it into the Identity
Provider Certificate (Metadata) textbox.
h. Select Allow Single Sign On.
i. Click Save.
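Step g above, done in code instead of by hand: the function strips the BEGIN CERTIFICATE and END CERTIFICATE armor lines of the downloaded file, joins the Base64 body into one line for pasting, and rejects input that is not a single certificate. This is an added example, not part of the original tutorial or of Mimecast's tooling; the function names are hypothetical and the sample bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

# Armor lines that wrap the Base64 body of a PEM certificate file.
_ARMOR = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def _decode(body: str) -> bytes:
    """Strictly decode Base64; characters outside the alphabet are an error."""
    try:
        return base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"certificate body is not valid Base64: {exc}") from exc


def certificate_body(pem_text: str) -> str:
    """Return the Base64 body of a single PEM certificate as one line.

    Raises ValueError if the text does not hold exactly one certificate,
    if the body is not valid Base64, or if the decoded bytes do not start
    with the DER SEQUENCE tag (0x30) that every X.509 certificate has.
    """
    # A text editor may have added a byte-order mark and CRLF line endings.
    text = pem_text.lstrip("\ufeff").replace("\r\n", "\n")
    blocks = _ARMOR.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    body = "".join(blocks[0].split())  # drop line breaks and stray spaces
    der = _decode(body)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER-encoded certificate")
    return body


def thumbprint(body: str, algorithm: str = "sha1") -> str:
    """Hash the decoded certificate so it can be compared with the thumbprint
    that the identity provider shows for the same certificate."""
    return hashlib.new(algorithm, _decode(body)).hexdigest().upper()


# Constructed stand-in: a 5-byte DER SEQUENCE, not a real certificate,
# saved the way Notepad might save it (BOM, CRLF, body split over lines).
SAMPLE_PEM = (
    "\ufeff-----BEGIN CERTIFICATE-----\r\n"
    "MAMC\r\n"
    "AQU=\r\n"
    "-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    one_line = certificate_body(SAMPLE_PEM)
    print("paste this:", one_line)
    print("SHA-1 thumbprint:", thumbprint(one_line))
    print("SHA-256 thumbprint:", thumbprint(one_line, "sha256"))
```

Comparing the printed thumbprint with the one shown for the signing certificate at the identity provider confirms that the pasted value is the certificate you meant to trust.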
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Mimecast Admin Console test user
In order to enable Azure AD users to log into Mimecast Admin Console, they must be provisioned into Mimecast
Admin Console. In the case of Mimecast Admin Console, provisioning is a manual task.
You need to register a domain before you can create users.
To configure user provisioning, perform the following steps:
1. Sign on to your Mimecast Admin Console as administrator.
2. Go to Directories > Internal.
3. Click Register New Domain.
4. After your new domain has been created, click New Address.
a. Type the Email Address, Global Name, Password, and Confirm Password attributes of a valid Azure
AD account you want to provision into the related textboxes.
b. Click Save.
NOTE
You can use any other Mimecast Admin Console user account creation tools or APIs provided by Mimecast Admin Console to
provision Azure AD user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Mimecast Personal Portal
10/30/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Mimecast Personal Portal with Azure Active Directory (Azure AD).
Integrating Mimecast Personal Portal with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Mimecast Personal Portal.
You can enable your users to be automatically signed-in to Mimecast Personal Portal (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Mimecast Personal Portal, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Mimecast Personal Portal single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Mimecast Personal Portal supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Mimecast Personal Portal, select Mimecast Personal Portal from the result panel,
and then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
REGION VALUE
Europe https://eu-api.mimecast.com/login/saml
Australia https://au-api.mimecast.com/login/saml
Offshore https://jer-api.mimecast.com/login/saml
REGION VALUE
Europe https://eu-api.mimecast.com/sso/<accountcode>
Australia https://au-api.mimecast.com/sso/<accountcode>
Offshore https://jer-api.mimecast.com/sso/<accountcode>
REGION VALUE
Europe https://eu-api.mimecast.com/login/saml
Australia https://au-api.mimecast.com/login/saml
Offshore https://jer-api.mimecast.com/login/saml
NOTE
The Identifier value is not real. Update the value with the actual Identifier. Contact Mimecast Personal Portal Client
support team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Mimecast Personal Portal section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Mimecast Personal Portal Single Sign-On
1. In a different web browser window, log into your Mimecast Personal Portal as an administrator.
2. Go to Services > Applications.
3. Click Authentication Profiles.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Mimecast Personal Portal test user
In order to enable Azure AD users to log into Mimecast Personal Portal, they must be provisioned into Mimecast
Personal Portal. In the case of Mimecast Personal Portal, provisioning is a manual task.
You need to register a domain before you can create users.
To configure user provisioning, perform the following steps:
1. Sign on to your Mimecast Personal Portal as administrator.
2. Go to Directories > Internal.
3. Click Register New Domain.
4. After your new domain has been created, click New Address.
5. In the new address dialog, perform the following steps for a valid Azure AD account that you want to provision:
a. In the Email Address textbox, type the email address of the user as BrittaSimon@contoso.com.
b. In the Global Name textbox, type the username as BrittaSimon.
c. In the Password and Confirm Password textboxes, type the password of the user.
d. Click Save.
NOTE
You can use any other Mimecast Personal Portal user account creation tools or APIs provided by Mimecast Personal Portal to
provision Azure AD user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Mindflash
11/19/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Mindflash with Azure Active Directory (Azure AD). Integrating Mindflash
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Mindflash.
You can enable your users to be automatically signed-in to Mindflash (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Mindflash, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Mindflash single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Mindflash supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Mindflash, select Mindflash from the result panel, and then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.mindflash.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Mindflash Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Mindflash section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Mindflash Single Sign-On
To configure single sign-on on the Mindflash side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the Mindflash support team. They configure this setting
so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Mindflash test user
In order to enable Azure AD users to log into Mindflash, they must be provisioned into Mindflash. In the case of
Mindflash, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to your Mindflash company site as an administrator.
2. Go to Manage Users.
NOTE
You can use any other Mindflash user account creation tools or APIs provided by Mindflash to provision Azure AD user
accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
MindTickle
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate MindTickle with Azure Active Directory (Azure AD). Integrating
MindTickle with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to MindTickle.
You can enable your users to be automatically signed-in to MindTickle (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with MindTickle, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
MindTickle single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
MindTickle supports SP initiated SSO
MindTickle supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type MindTickle, select MindTickle from the result panel, and then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you have a Service Provider metadata file, perform the
following steps:
a. Click Upload metadata file.
b. Click the folder logo to select the metadata file and click Upload.
c. After the metadata file is successfully uploaded, the Identifier value gets auto populated in Basic SAML
Configuration section:
In the Sign-on URL text box, type a URL using the following pattern: https://<subdomain>.mindtickle.com
NOTE
If the Identifier value does not get auto populated, then fill in the value manually according to your
requirement. The Sign-on URL value is not real. Update the value with the actual Sign-on URL. Contact the MindTickle
support team to get this value.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up MindTickle section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure MindTickle Single Sign-On
To configure single sign-on on the MindTickle side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the MindTickle support team. They configure this setting
so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create MindTickle test user
In this section, a user called Britta Simon is created in MindTickle. MindTickle supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in MindTickle, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the MindTickle tile in the Access Panel, you should be automatically signed in to the MindTickle for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with mindWireless
10/18/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate mindWireless with Azure Active Directory (Azure AD). When you
integrate mindWireless with Azure AD, you can:
Control in Azure AD who has access to mindWireless.
Enable your users to be automatically signed-in to mindWireless with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
mindWireless single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
mindWireless supports IDP initiated SSO
4. On the Set up single sign-on with SAML page, enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern: https://<subdomain>.mwsmart.com/
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.mwsmart.com/SAML/AssertionConsumerService.aspx
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact mindWireless Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The mindWireless application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes.
6. In addition to the above, the mindWireless application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you can review them as per
your requirements.
Name: Employee ID
Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
Source attribute: user.employeeid
NOTE
The claim name is always Employee ID, and its value is mapped to user.employeeid, which
contains the EmployeeID of the user. Here the user mapping from Azure AD to mindWireless is done on the
EmployeeID, but you can also map it to a different value based on your application settings. You can work with the
mindWireless support team first to determine the correct identifier of a user and map that value to the Employee ID
claim.
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
8. On the Set up mindWireless section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the mindWireless tile in the Access Panel, you should be automatically signed in to the
mindWireless for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
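A check that can be run on a SAML response captured during this test sign-in, to confirm that the Employee ID claim from the attribute table arrives with exactly one non-empty value. This is an added example, not code from the tutorial or from mindWireless; the function names, the sample assertion, and the assumption that the claim's Name is the namespace joined to the claim name with a slash are not from the original.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Name and namespace taken from the attribute table in this tutorial.
CLAIM_NAME = "Employee ID"
CLAIM_NAMESPACE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"


def employee_id_from_assertion(xml_text, name=CLAIM_NAME, namespace=CLAIM_NAMESPACE):
    """Return the one Employee ID value found in a SAML response or assertion.

    Raises LookupError when the claim is absent, and ValueError when it is
    empty or carries more than one value; each of these leaves the user
    mapping ambiguous. The signature is NOT checked here: this is a mapping
    check on a response captured from your own test sign-in.
    """
    root = ET.fromstring(xml_text)
    # Assumption: the claim arrives as Name="<namespace>/<name>". The bare
    # name is accepted too, in case the namespace field was left empty.
    wanted = {name, f"{namespace}/{name}"}
    values = []
    for attribute in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        if attribute.get("Name") in wanted:
            for value in attribute.iter(f"{{{ASSERTION_NS}}}AttributeValue"):
                values.append((value.text or "").strip())
    if not values:
        raise LookupError(f"claim {name!r} is missing from the assertion")
    if len(values) > 1:
        raise ValueError(f"claim {name!r} has {len(values)} values, expected one")
    if not values[0]:
        raise ValueError(f"claim {name!r} is present but empty")
    return values[0]


def sample_assertion(attributes):
    """Build a constructed, unsigned assertion from (name, [values]) pairs."""
    body = "".join(
        f"<saml:Attribute Name={quoteattr(name)}>"
        + "".join(
            f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in values
        )
        + "</saml:Attribute>"
        for name, values in attributes
    )
    return (
        f'<saml:Assertion xmlns:saml="{ASSERTION_NS}">'
        f"<saml:AttributeStatement>{body}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


if __name__ == "__main__":
    # Constructed sample values; E-1001 is not a real employee ID.
    captured = sample_assertion([
        (f"{CLAIM_NAMESPACE}/emailaddress", ["B.Simon@contoso.com"]),
        (f"{CLAIM_NAMESPACE}/{CLAIM_NAME}", ["E-1001"]),
    ])
    print("Employee ID claim:", employee_id_from_assertion(captured))
```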
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try mindWireless with Azure AD
Tutorial: Integrate Miro with Azure Active Directory
6/24/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate Miro with Azure Active Directory (Azure AD). When you integrate Miro
with Azure AD, you can:
Control in Azure AD who has access to Miro.
Enable your users to be automatically signed-in to Miro with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Miro single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Miro supports SP and IDP initiated
SSO and supports Just In Time user provisioning.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Identifier text box, type a URL: https://miro.com
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://miro.com/sso/saml
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. On the Set up Miro section, copy the appropriate URL(s) based on your requirement.
Configure Miro
To configure single sign-on on the Miro side, you need to send the downloaded Federation Metadata XML and the
appropriate copied URLs from the Azure portal to the Miro support team. They configure this setting so that the SAML SSO
connection is set properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Miro.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Miro.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Miro test user
In this section, a user called B.Simon is created in Miro. Miro supports just-in-time provisioning, which can be
enabled as per requirement. There is no action item for you in this section. If a user doesn't already exist in Miro, a
new one is created when you attempt to access Miro.
Test SSO
When you select the Miro tile in the Access Panel, you should be automatically signed in to the Miro for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Mitel
MiCloud Connect
10/30/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Mitel MiCloud Connect with Azure Active Directory (Azure AD).
Integrating MiCloud Connect with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to MiCloud Connect apps using their enterprise credentials.
You can enable users on your account to be automatically signed-in to MiCloud Connect (Single Sign-On) with
their Azure AD accounts.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with MiCloud Connect, you need the following items:
An Azure AD subscription
If you don't have an Azure AD environment, you can get a free account
A Mitel MiCloud Connect account
Scenario description
In this tutorial, you'll configure and test Azure AD single sign-on (SSO).
Mitel Connect supports SP initiated SSO
4. Type Mitel Connect in the search field, click Mitel Connect from results panel, and then click Add.
4. In the Azure portal, click the Edit icon in the Basic SAML Configuration section.
The Basic SAML Configuration dialog box appears.
5. Copy the URL from the Mitel Identifier (Entity ID) field in the Mitel Account portal and paste it into the
Identifier (Entity ID) field in the Azure portal.
6. Copy the URL from the Reply URL (Assertion Consumer Service URL) field in the Mitel Account portal
and paste it into the Reply URL (Assertion Consumer Service URL) field in the Azure portal.
7. In the Sign on URL text box, type one of the following URLs:
https://portal.shoretelsky.com - to use the Mitel Account portal as your default Mitel application
https://teamwork.shoretel.com - to use Teamwork as your default Mitel application
NOTE: The default Mitel application is the application accessed when a user clicks on the Mitel Connect tile
in the Access Panel. This is also the application accessed when doing a test setup from Azure AD.
8. Click Save in the Basic SAML Configuration dialog box in the Azure portal.
9. In the SAML Signing Certificate section on the SAML-based sign-on page in the Azure portal, click
Download next to Certificate (Base64) to download the Signing Certificate and save it to your
computer.
10. Open the Signing Certificate file in a text editor, copy all data in the file, and then paste the data in the
Signing Certificate field in the Mitel Account portal.
11. In the Setup Mitel Connect section on the SAML-based sign-on page of the Azure portal, do the
following:
a. Copy the URL from the Login URL field and paste it into the Sign-in URL field in the Mitel Account
portal.
b. Copy the URL from the Azure AD Identifier field and paste it into the Entity ID field in the Mitel
Account portal.
12. Click Save on the Connect Single Sign-On Settings dialog box in the Mitel Account portal.
Create an Azure AD test user
In this section, you'll create a test user named Britta Simon in the Azure portal.
1. In the Azure portal, in the left pane, click Azure Active Directory, click Users, and then click All users.
4. Click Add user, then click Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click Select at the bottom of the
screen.
6. If you are expecting any role value in the SAML assertion, select the appropriate role for the user from the
list in the Select Role dialog, and then click Select at the bottom of the screen.
7. In the Add Assignment dialog, click Assign.
Create a Mitel MiCloud Connect test user
In this section, you create a user named Britta Simon on your MiCloud Connect account. Users must be created
and activated before using single sign-on.
For details about adding users in the Mitel Account portal, see the Adding a User article in the Mitel Knowledge
Base.
Create a user on your MiCloud Connect account with the following details:
Name: Britta Simon
Business Email Address: brittasimon@<yourcompanydomain>.<extension>
(Example: brittasimon@contoso.com)
Username: brittasimon@<yourcompanydomain>.<extension>
(Example: brittasimon@contoso.com; the user’s username is typically the same as the user’s business email
address)
NOTE: The user’s MiCloud Connect username must be identical to the user’s email address in Azure.
Test single sign-on
In this section, you'll test your Azure AD single sign-on configuration using the Access Panel.
When you click the Mitel Connect tile in the Access Panel, you should be automatically redirected to sign in to the
MiCloud Connect application you configured as your default in the Sign on URL field. For more information
about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Mixpanel
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Mixpanel with Azure Active Directory (Azure AD). Integrating Mixpanel
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Mixpanel.
You can enable your users to be automatically signed-in to Mixpanel (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Mixpanel, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Mixpanel single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Mixpanel supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Mixpanel, select Mixpanel from the result panel, and then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
Please register at https://mixpanel.com/register/ to set up your login credentials and contact the Mixpanel support
team to enable SSO settings for your tenant. You can also get your Sign On URL value if necessary from your
Mixpanel support team.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Mixpanel section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Mixpanel Single Sign-On
1. In a different browser window, sign on to your Mixpanel application as an administrator.
2. At the bottom of the page, click the little gear icon in the left corner.
3. Click the Access security tab, and then click Change settings.
4. On the Change your certificate dialog page, click Choose file to upload your downloaded certificate, and
then click NEXT.
5. In the authentication URL textbox on the Change your authentication URL dialog page, paste the value
of Login URL which you have copied from Azure portal, and then click NEXT.
6. Click Done.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Mixpanel test user
The objective of this section is to create a user called Britta Simon in Mixpanel.
1. Sign on to your Mixpanel company site as an administrator.
2. On the bottom of the page, click the little gear button on the left corner to open the Settings window.
3. Click the Team tab.
4. In the team member textbox, type Britta's Azure AD email address.
5. Click Invite.
NOTE
The user will get an email to set up the profile.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
MOBI
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate MOBI with Azure Active Directory (Azure AD). Integrating MOBI with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to MOBI.
You can enable your users to be automatically signed-in to MOBI (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with MOBI, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
MOBI single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
MOBI supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type MOBI, select MOBI from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<subdomain>.thefutureis.mobi
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.thefutureis.mobi/saml_consume
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<subdomain>.thefutureis.mobi/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the MOBI
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. In the Set up MOBI section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure MOBI Single Sign-On
To configure single sign-on on the MOBI side, send the downloaded Federation Metadata XML and the
appropriate copied URLs from the Azure portal to the MOBI support team. They apply these settings so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create MOBI test user
In this section, you create a user called Britta Simon in MOBI. Work with the MOBI support team to add the users in
the MOBI platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the MOBI tile in the Access Panel, you should be automatically signed in to the MOBI for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
MobiControl
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate MobiControl with Azure Active Directory (Azure AD). Integrating
MobiControl with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to MobiControl.
You can enable your users to be automatically signed-in to MobiControl (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with MobiControl, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
MobiControl single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
MobiControl supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type MobiControl, select MobiControl from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SUBDOMAIN>.mobicontrolcloud.com/mobicontrol
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the MobiControl Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create MobiControl test user
In this section, you create a user called Britta Simon in MobiControl. Work with the MobiControl support team to add
the users in the MobiControl platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the MobiControl tile in the Access Panel, you should be automatically signed in to the MobiControl
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Mobile Xpense
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Mobile Xpense with Azure Active Directory (Azure AD). Integrating
Mobile Xpense with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Mobile Xpense.
You can enable your users to be automatically signed-in to Mobile Xpense (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Mobile Xpense, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Mobile Xpense single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Mobile Xpense supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Mobile Xpense, select Mobile Xpense from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://mobilexpense.com/ServiceProvider
b. In the Reply URL text box, type a URL using the following pattern:
https://<sub-domain>.mobilexpense.com/NET/SSO/SAML20/SAML/AssertionConsumerService.aspx
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<sub-domain>.mobilexpense.com/<customername>
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the Mobile
Xpense Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. In the Set up Mobile Xpense section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Mobile Xpense Single Sign-On
To configure single sign-on on the Mobile Xpense side, send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the Mobile Xpense support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Mobile Xpense test user
In this section, you create a user called Britta Simon in Mobile Xpense. Work with the Mobile Xpense support team to
add the users in the Mobile Xpense platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Mobile Xpense tile in the Access Panel, you should be automatically signed in to the Mobile
Xpense for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
MobileIron
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate MobileIron with Azure Active Directory (Azure AD). Integrating
MobileIron with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to MobileIron.
You can enable your users to be automatically signed-in to MobileIron (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with MobileIron, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
MobileIron single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
MobileIron supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type MobileIron, select MobileIron from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, perform the following steps if you wish to configure the
application in IDP initiated mode:
a. In the Identifier text box, type a URL using the following pattern: https://www.mobileiron.com/<key>
b. In the Reply URL text box, type a URL using the following pattern:
https://<host>.mobileiron.com/saml/SSO/alias/<key>
c. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<host>.mobileiron.com/user/login.html
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. You will get the
values of key and host from the administrative portal of MobileIron which is explained later in the tutorial.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
3. Copy the values of Key and Host and paste them to complete the URLs in the Basic SAML Configuration
section in Azure portal.
4. In the Export metadata file from AAD and import to MobileIron Cloud field, click Choose File to
upload the metadata downloaded from the Azure portal. Click Done once it is uploaded.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create MobileIron test user
To enable Azure AD users to log in to MobileIron, they must be provisioned into MobileIron.
In the case of MobileIron, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to your MobileIron company site as an administrator.
2. Go to Users and click Add > Single User.
a. In the E-mail Address text box, enter the email of the user, like brittasimon@contoso.com.
b. In First Name text box, enter the first name of user like Britta.
c. In Last Name text box, enter the last name of user like Simon.
d. Click Done.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the MobileIron tile in the Access Panel, you should be automatically signed in to the MobileIron for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
moconavi
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate moconavi with Azure Active Directory (Azure AD). Integrating moconavi
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to moconavi.
You can enable your users to be automatically signed-in to moconavi (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with moconavi, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
moconavi single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
moconavi supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type moconavi, select moconavi from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier box, type a URL using the following pattern: https://<yourserverurl>/moconavi-saml2
c. In the Reply URL text box, type a URL using the following pattern:
https://<yourserverurl>/moconavi-saml2/saml/SSO
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact the
moconavi Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up moconavi section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure moconavi Single Sign-On
To configure single sign-on on the moconavi side, send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the moconavi support team. They apply these settings so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create moconavi test user
In this section, you create a user called Britta Simon in moconavi. Work with the moconavi support team to add the
users in the moconavi platform. Users must be created and activated before you use single sign-on.
Test single sign-on
1. Install moconavi from the Microsoft Store.
2. Start moconavi.
3. Click the Connect setting button.
4. Enter https://mcs-admin.moconavi.biz/gateway into the Connect to URL textbox and then click the Done button.
a. Enter Input Authentication Key: azureAD into the Input Authentication Key textbox.
b. Enter Input User ID: your ad account into the Input User ID textbox.
c. Click LOGIN.
6. Enter your Azure AD password in the Password textbox and then click the Login button.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate monday.com with Azure Active
Directory
8/15/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate monday.com with Azure Active Directory (Azure AD). When you
integrate monday.com with Azure AD, you can:
Control in Azure AD who has access to monday.com.
Enable your users to be automatically signed-in to monday.com with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
monday.com single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. monday.com supports SP and IDP
initiated SSO and supports Just In Time user provisioning.
4. In the Basic SAML Configuration pane, if you have a service provider metadata file and you want to
configure in IDP-initiated mode, perform the following steps:
a. Select Upload metadata file.
b. To select the metadata file, select the folder icon, and then select Upload.
c. After the metadata file is successfully uploaded, the Identifier and Reply URL values are
automatically populated in the Basic SAML Configuration pane:
NOTE
If the Identifier and Reply URL values do not get populated automatically, then fill in the values manually.
The Identifier and the Reply URL are the same and value is in the following pattern:
https://<your-domain>.monday.com/saml/saml_callback
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<your-domain>.monday.com
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-On URL. Contact the
monday.com Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. Your monday.com application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click the Edit icon to open the User Attributes dialog.
7. In addition to the above, the monday.com application expects a few more attributes to be passed back in the SAML
response. In the User Claims section of the User Attributes dialog, perform the following steps to add
each SAML token attribute shown in the table below:
Name         Source attribute
Email        user.mail
FirstName    user.givenname
LastName     user.surname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Remove the Namespace.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
9. In the Set up monday.com section, copy the appropriate URL(s) based on your requirement.
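The claim mapping in step 7 can be checked against a captured test sign-in before users are moved to SSO. The following is an added example, not part of the original tutorial or of monday.com's code: it reads the attribute statement of a SAML response and reports any of the three claims that are missing, empty, or still carry a namespace prefix. The sample responses and the contoso.example address are constructed, and signature validation is outside its scope.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names from the table in step 7 of the tutorial.
REQUIRED_CLAIMS = ("Email", "FirstName", "LastName")


def read_attributes(response_xml):
    """Return {attribute name: [values]} for every saml:Attribute found."""
    # Responses from an untrusted source should go through a hardened XML
    # parser and signature validation first; this only inspects claim names.
    root = ET.fromstring(response_xml)
    attrs = {}
    path = ".//saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, SAML_NS):
        values = [
            (v.text or "").strip()
            for v in attr.findall("saml:AttributeValue", SAML_NS)
        ]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_claims(response_xml):
    """Return a list of findings; an empty list means the mapping is correct."""
    attrs = read_attributes(response_xml)
    findings = []
    for claim in REQUIRED_CLAIMS:
        if any(attrs.get(claim, [])):
            continue  # present under its bare name with a non-empty value
        # A namespace left on the claim shows up as "<namespace>/<name>".
        namespaced = [
            n for n in attrs if n != claim and n.rsplit("/", 1)[-1] == claim
        ]
        if namespaced:
            findings.append(
                f"{claim}: sent as '{namespaced[0]}'; remove the namespace"
            )
        elif claim in attrs:
            findings.append(f"{claim}: present but empty")
        else:
            findings.append(f"{claim}: missing")
    return findings


def build_response(attributes):
    """Build a minimal constructed SAML response from (name, value) pairs."""
    rows = "".join(
        f'<saml:Attribute Name="{name}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue>"
        "</saml:Attribute>"
        for name, value in attributes
    )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:AttributeStatement>"
        f"{rows}"
        "</saml:AttributeStatement></saml:Assertion>"
        "</samlp:Response>"
    )


# --- Constructed sample input ---
GOOD_RESPONSE = build_response([
    ("Email", "b.simon@contoso.example"),
    ("FirstName", "B"),
    ("LastName", "Simon"),
])
BAD_RESPONSE = build_response([
    # Namespace was not removed in the Manage user claims dialog.
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Email",
     "b.simon@contoso.example"),
    # Source attribute is empty for this user; LastName was never added.
    ("FirstName", ""),
])

if __name__ == "__main__":
    print("good:", check_claims(GOOD_RESPONSE))
    for finding in check_claims(BAD_RESPONSE):
        print("bad: ", finding)
```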
Configure monday.com
1. To automate the configuration within monday.com, install the My Apps Secure Sign-in browser
extension by clicking Install the extension.
2. After adding the extension to the browser, click Setup monday.com, which directs you to the
monday.com application. From there, provide the admin credentials to sign in to monday.com. The browser
extension will automatically configure the application for you and automate steps 3-6.
3. If you want to set up monday.com manually, open a new web browser window, sign in to monday.com as
an administrator, and perform the following steps:
4. Go to the Profile in the top right corner of the page and click Admin.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create monday.com test user
In this section, a user called B.Simon is created in monday.com. monday.com supports just-in-time provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in
monday.com, a new one is created when you attempt to access monday.com.
Test SSO
When you select the monday.com tile in the Access Panel, you should be automatically signed in to the
monday.com for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Montage Online
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Montage Online with Azure Active Directory (Azure AD). Integrating
Montage Online with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Montage Online.
You can enable your users to be automatically signed-in to Montage Online (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Montage Online, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Montage Online single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Montage Online supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Montage Online, select Montage Online from the result panel, then click the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The Sign-on URL value is not real. Update the value with the actual Sign-On URL. Contact the Montage Online Client
support team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up Montage Online section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Montage Online Single Sign-On
To configure single sign-on on the Montage Online side, send the downloaded Certificate (Base64)
and the appropriate copied URLs from the Azure portal to the Montage Online support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Montage Online test user
In this section, you create a user called Britta Simon in Montage Online. Work with the Montage Online support team
to add the users in the Montage Online platform. Users must be created and activated before you use single
sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Montage Online tile in the Access Panel, you should be automatically signed in to the Montage
Online for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Motus
11/26/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate Motus with Azure Active Directory (Azure AD). When you integrate
Motus with Azure AD, you can:
Control in Azure AD who has access to Motus.
Enable your users to be automatically signed-in to Motus with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Motus single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Motus supports SP and IDP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section the application is pre-configured in IDP initiated mode and the
necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking
the Save button.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://app.motus.com/
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. On the Set up Motus section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Motus.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Motus.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Motus tile in the Access Panel, you should be automatically signed in to the Motus for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Motus with Azure AD
Tutorial: Azure Active Directory integration with
MOVEit Transfer - Azure AD integration
10/30/2019 • 7 minutes to read
In this tutorial, you learn how to integrate MOVEit Transfer - Azure AD integration with Azure Active Directory
(Azure AD). Integrating MOVEit Transfer - Azure AD integration with Azure AD provides you with the following
benefits:
You can control in Azure AD who has access to MOVEit Transfer - Azure AD integration.
You can enable your users to be automatically signed-in to MOVEit Transfer - Azure AD integration (Single
Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with MOVEit Transfer - Azure AD integration, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
MOVEit Transfer - Azure AD integration single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
MOVEit Transfer - Azure AD integration supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type MOVEit Transfer - Azure AD integration, select MOVEit Transfer - Azure AD
integration from the result panel, and then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you have a Service Provider metadata file, perform the
following steps:
a. Click Upload metadata file.
b. Click the folder logo to select the metadata file, and then click Upload.
c. After the metadata file is successfully uploaded, the Identifier and Reply URL values are auto-populated
in the Basic SAML Configuration section:
In the Sign-on URL text box, type a URL using the following pattern: https://contoso.com
NOTE
The Sign-on URL value is not real. Update the value with the actual Sign-On URL. Contact MOVEit Transfer - Azure
AD integration Client support team to get the value. You can download the Service Provider Metadata file from
the Service Provider Metadata URL which is explained later in the Configure MOVEit Transfer - Azure AD
integration Single Sign-On section of the tutorial. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up MOVEit Transfer - Azure AD integration section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure MOVEit Transfer - Azure AD integration Single Sign-On
1. Sign on to your MOVEit Transfer tenant as an administrator.
2. On the left navigation pane, click Settings.
3. Click the Single Signon link, which is under Security Policies -> User Auth.
6. Click Browse... to select the metadata file which you downloaded from Azure portal, then click Add
Identity Provider to upload the downloaded file.
7. Select "Yes" as Enabled in the Edit Federated Identity Provider Settings... page and click Save.
8. In the Edit Federated Identity Provider User Settings page, perform the following actions:
a. Select SAML NameID as Login name.
b. Select Other as Full name and in the Attribute name textbox put the value:
http://schemas.microsoft.com/identity/claims/displayname .
c. Select Other as Email and in the Attribute name textbox put the value:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress .
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create MOVEit Transfer - Azure AD integration test user
The objective of this section is to create a user called Britta Simon in MOVEit Transfer - Azure AD integration.
MOVEit Transfer - Azure AD integration supports just-in-time provisioning, which you have enabled. There is no
action item for you in this section. A new user is created during an attempt to access MOVEit Transfer - Azure AD
integration if it doesn't exist yet.
NOTE
If you need to create a user manually, you need to contact the MOVEit Transfer - Azure AD integration Client support team.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Moxi
Engage
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Moxi Engage with Azure Active Directory (Azure AD). Integrating Moxi
Engage with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Moxi Engage.
You can enable your users to be automatically signed-in to Moxi Engage (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Moxi Engage, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Moxi Engage single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Moxi Engage supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Moxi Engage, select Moxi Engage from the result panel, and then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Moxi Engage Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Moxi Engage section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Moxi Engage Single Sign-On
To configure single sign-on on the Moxi Engage side, send the downloaded Federation Metadata XML
and the appropriate URLs copied from the Azure portal to the Moxi Engage support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
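Before the Federation Metadata XML is handed to a support team, it is useful to record what it asserts (entity ID, endpoints, signing-certificate fingerprint) so that the values configured on the application side can be confirmed afterwards. The following is an added example, not part of the original tutorial; the function names are hypothetical, and the sample metadata is constructed with a placeholder tenant ID and placeholder certificate bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample input: placeholder tenant ID, and placeholder bytes where a
# real download carries the DER-encoded signing certificate.
TENANT = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_CERT_BYTES = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""
<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>
        {base64.b64encode(PLACEHOLDER_CERT_BYTES).decode()}
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def sha256_fingerprint(der):
    """Lowercase hex SHA-256 over the certificate's DER bytes."""
    return hashlib.sha256(der).hexdigest()


def summarize_idp_metadata(xml_text):
    """Extract the values an SP operator needs from IdP federation metadata."""
    # Metadata never needs a DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE is not allowed in federation metadata")
    root = ET.fromstring(xml_text.strip())
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    fingerprints = []
    for key in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute also applies to signing.
        if key.get("use") not in (None, "signing"):
            continue
        for cert in key.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(sha256_fingerprint(der))

    def endpoints(tag):
        return {e.get("Binding"): e.get("Location")
                for e in idp.findall(f"md:{tag}", NS)}

    return {
        "entity_id": root.get("entityID"),
        "sso_urls": endpoints("SingleSignOnService"),
        "slo_urls": endpoints("SingleLogoutService"),
        "signing_cert_sha256": fingerprints,
    }


def diff_against_vendor(summary, vendor_entity_id, vendor_cert_sha256):
    """Compare values reported back by the vendor with the metadata that was sent."""
    problems = []
    if vendor_entity_id != summary["entity_id"]:
        problems.append(f"entity ID differs: {vendor_entity_id!r}")
    # Accept fingerprints written as AA:BB:..., with spaces, or in upper case.
    normalized = vendor_cert_sha256.replace(":", "").replace(" ", "").lower()
    if normalized not in summary["signing_cert_sha256"]:
        problems.append("signing certificate fingerprint not found in metadata")
    return problems


if __name__ == "__main__":
    for field, value in summarize_idp_metadata(SAMPLE_METADATA).items():
        print(field, "=", value)
```

An empty list from `diff_against_vendor` means the entity ID and signing certificate the application side reports match the file that was sent.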
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Moxi Engage test user
In this section, you create a user called Britta Simon in Moxi Engage. Work with the Moxi Engage support team to add
the users in the Moxi Engage platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Moxi Engage tile in the Access Panel, you should be automatically signed in to the Moxi Engage
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Moxtra
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Moxtra with Azure Active Directory (Azure AD). Integrating Moxtra with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Moxtra.
You can enable your users to be automatically signed-in to Moxtra (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Moxtra, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Moxtra single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Moxtra supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Moxtra, select Moxtra from the result panel, and then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. The Moxtra application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes. Click the Edit icon to open the User Attributes dialog.
6. In addition to the above, the Moxtra application expects a few more attributes to be passed back in the SAML response.
In the User Claims section on the User Attributes dialog, perform the following steps to add the SAML token
attributes shown in the table below:
firstname user.givenname
lastname user.surname
NOTE
The value of the idpid attribute is not real. You can get the actual value from the Set up Moxtra section in step 8.
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
8. On the Set up Moxtra section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Moxtra Single Sign-On
1. In another browser window, sign on to your Moxtra company site as an administrator.
2. In the toolbar on the left, click Admin Console > SAML Single Sign-on, and then click New.
a. In the Name textbox, type a name for your configuration (e.g.: SAML).
b. In the IdP Entity ID textbox, paste the value of Azure AD Identifier that you copied from the Azure
portal.
c. In the Login URL textbox, paste the value of Login URL that you copied from the Azure portal.
d. In the AuthnContextClassRef textbox, type urn:oasis:names:tc:SAML:2.0:ac:classes:Password.
e. In the NameID Format textbox, type urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
f. Open the certificate that you downloaded from the Azure portal in Notepad, copy the content, and then
paste it into the Certificate textbox.
g. In the SAML email domain textbox, type your SAML email domain.
NOTE
To see the steps to verify the domain, click the "i" below.
h. Click Update.
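Both the MOVEit Transfer user settings (Full name and Email read from named claims) and the Moxtra steps above (firstname and lastname with a blank Namespace, NameID in emailAddress format) depend on the assertion carrying attributes under exact names. The following added example, not part of the original tutorials, checks a base64-decoded assertion captured from a test sign-in against those expectations; the profile names, function names and sample assertions are constructed for illustration, it assumes Moxtra expects the NameID in the format entered in step e, and it inspects claim shape only (it does not validate the signature).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Expected claim shape per application, taken from the tutorial steps.
PROFILES = {
    "moxtra": {
        "nameid_format": EMAIL_FORMAT,
        "attributes": ["firstname", "lastname"],  # Namespace left blank
    },
    "moveit": {
        "nameid_format": None,  # NameID is the login name; no format is stated
        "attributes": [
            "http://schemas.microsoft.com/identity/claims/displayname",
            CLAIMS + "emailaddress",
        ],
    },
}


def build_sample(nameid_format, attributes):
    """Build a constructed, unsigned sample assertion (test data only)."""
    rows = "".join(
        f'<Attribute Name="{name}"><AttributeValue>{value}</AttributeValue></Attribute>'
        for name, value in attributes.items()
    )
    return (
        '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<Subject><NameID Format="{nameid_format}">B.Simon@contoso.com</NameID></Subject>'
        f"<AttributeStatement>{rows}</AttributeStatement>"
        "</Assertion>"
    )


GOOD_MOXTRA = build_sample(EMAIL_FORMAT, {"firstname": "B", "lastname": "Simon"})
# Namespace was not left blank for firstname, and the NameID format is wrong.
BAD_MOXTRA = build_sample(
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    {CLAIMS + "firstname": "B", "lastname": "Simon"},
)
GOOD_MOVEIT = build_sample(EMAIL_FORMAT, {
    "http://schemas.microsoft.com/identity/claims/displayname": "B.Simon",
    CLAIMS + "emailaddress": "B.Simon@contoso.com",
})


def check_assertion(xml_text, app):
    """Return a list of findings; an empty list means the claims match the profile."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE is not allowed in a SAML message")
    profile = PROFILES[app]
    root = ET.fromstring(xml_text.strip())
    # The assertion may be the root element or nested inside a samlp:Response.
    assertion = root if root.tag == ASSERTION_TAG else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]

    findings = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID missing or empty")
    elif profile["nameid_format"] and name_id.get("Format") != profile["nameid_format"]:
        findings.append(f"NameID Format is {name_id.get('Format')!r}, "
                        f"expected {profile['nameid_format']!r}")

    present = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    for wanted in profile["attributes"]:
        values = present.get(wanted)
        if values and any((v or "").strip() for v in values):
            continue
        short = wanted.rsplit("/", 1)[-1]
        lookalikes = [n for n in present if n and n != wanted and n.rsplit("/", 1)[-1] == short]
        if values is not None:
            findings.append(f"attribute {wanted!r} is present but has no value")
        elif lookalikes:
            findings.append(f"attribute {wanted!r} missing; found {lookalikes[0]!r} "
                            "(check the claim's namespace setting)")
        else:
            findings.append(f"attribute {wanted!r} missing")
    return findings


if __name__ == "__main__":
    for finding in check_assertion(BAD_MOXTRA, "moxtra"):
        print(finding)
```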
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Moxtra test user
The objective of this section is to create a user called Britta Simon in Moxtra.
To create a user called Britta Simon in Moxtra, perform the following steps:
1. Sign on to your Moxtra company site as an administrator.
2. In the toolbar on the left, click Admin Console > User Management, and then Add User.
3. On the Add User dialog, perform the following steps:
a. In the First Name textbox, type Britta.
b. In the Last Name textbox, type Simon.
c. In the Email textbox, type Britta's email address, the same as in the Azure portal.
d. In the Division textbox, type Dev.
e. In the Department textbox, type IT.
f. Select Administrator.
g. Click Add.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Moxtra tile in the Access Panel, you should be automatically signed in to the Moxtra for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Mozy Enterprise
11/19/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Mozy Enterprise with Azure Active Directory (Azure AD). Integrating
Mozy Enterprise with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Mozy Enterprise.
You can enable your users to be automatically signed-in to Mozy Enterprise (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Mozy Enterprise, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Mozy Enterprise single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Mozy Enterprise supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Mozy Enterprise, select Mozy Enterprise from the result panel, and then click the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Mozy Enterprise Client support team to
get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Mozy Enterprise section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Mozy Enterprise Single Sign-On
1. In a different web browser window, log into your Mozy Enterprise company site as an administrator.
2. In the Configuration section, click Authentication Policy.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Mozy Enterprise test user
In order to enable Azure AD users to log into Mozy Enterprise, they must be provisioned into Mozy Enterprise. In
the case of Mozy Enterprise, provisioning is a manual task.
NOTE
You can use any other Mozy Enterprise user account creation tools or APIs provided by Mozy Enterprise to provision Azure
AD user accounts.
NOTE
The Add New User option is displayed only if Mozy is selected as the provider under Authentication policy. If
SAML Authentication is configured, then the users are added automatically on their first login through Single sign on.
NOTE
After creating the user, an email will be sent to the Azure AD user that includes a link to confirm the account before it
becomes active.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with MS Azure SSO Access for Ethidex
Compliance Office™
9/9/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate MS Azure SSO Access for Ethidex Compliance Office™ with Azure
Active Directory (Azure AD). When you integrate MS Azure SSO Access for Ethidex Compliance Office™ with
Azure AD, you can:
Control in Azure AD who has access to MS Azure SSO Access for Ethidex Compliance Office™.
Enable your users to be automatically signed-in to MS Azure SSO Access for Ethidex Compliance Office™ with
their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
MS Azure SSO Access for Ethidex Compliance Office™ single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
MS Azure SSO Access for Ethidex Compliance Office™ supports IDP initiated SSO
Configure and test Azure AD single sign-on for MS Azure SSO Access
for Ethidex Compliance Office™
Configure and test Azure AD SSO with MS Azure SSO Access for Ethidex Compliance Office™ using a test user
called B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the
related user in MS Azure SSO Access for Ethidex Compliance Office™.
To configure and test Azure AD SSO with MS Azure SSO Access for Ethidex Compliance Office™, complete the
following building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure MS Azure SSO Access for Ethidex Compliance Office SSO - to configure the single sign-on
settings on application side.
a. Create MS Azure SSO Access for Ethidex Compliance Office test user - to have a counterpart of
B.Simon in MS Azure SSO Access for Ethidex Compliance Office™ that is linked to the Azure AD
representation of user.
3. Test SSO - to verify whether the configuration works.
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern: com.ethidex.prod.<CLIENTID>
b. In the Reply URL text box, type a URL using the following pattern:
https://www.ethidex.com/saml2/sp/acs/<CLIENTID>
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact MS Azure SSO Access
for Ethidex Compliance Office™ support team to get these values. You can also refer to the patterns shown in the
Basic SAML Configuration section in the Azure portal.
5. The MS Azure SSO Access for Ethidex Compliance Office™ application expects the SAML assertions
in a specific format, which requires you to add custom attribute mappings to your SAML token attributes
configuration. The following screenshot shows the list of default attributes, where nameidentifier is
mapped with user.userprincipalname. The MS Azure SSO Access for Ethidex Compliance Office™ application
expects nameidentifier to be mapped with user.mail, so you need to edit the attribute mapping by clicking
the Edit icon and changing the attribute mapping.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Raw) and select Download to download the certificate and save it on your computer.
7. On the Set up MS Azure SSO Access for Ethidex Compliance Office™ section, copy the appropriate
URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the MS Azure SSO Access for Ethidex Compliance Office™ tile in the Access Panel, you should be
automatically signed in to the MS Azure SSO Access for Ethidex Compliance Office™ for which you set up SSO.
For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try MS Azure SSO Access for Ethidex Compliance Office™ with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with MyAryaka
11/26/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate MyAryaka with Azure Active Directory (Azure AD). When you integrate
MyAryaka with Azure AD, you can:
Control in Azure AD who has access to MyAryaka.
Enable your users to be automatically signed-in to MyAryaka with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
MyAryaka single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
MyAryaka supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, use one of the following patterns:
https://my.aryaka.com/
https://kso.aryaka.com/auth/realms/<CUSTOMERID>
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://kso.aryaka.com/auth/realms/<CUSTOMERID>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact MyAryaka Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the MyAryaka tile in the Access Panel, you should be automatically signed in to the MyAryaka for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try MyAryaka with Azure AD
Tutorial: Azure Active Directory integration with My
Award Points Top Sub/Top Team
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate My Award Points Top Sub/Top Team with Azure Active Directory (Azure
AD). Integrating My Award Points Top Sub/Top Team with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to My Award Points Top Sub/Top Team.
You can enable your users to be automatically signed-in to My Award Points Top Sub/Top Team (Single Sign-
On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with My Award Points Top Sub/Top Team, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
My Award Points Top Sub/Top Team single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
My Award Points Top Sub/Top Team supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type My Award Points Top Sub/Top Team, select My Award Points Top Sub/Top
Team from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. You will get the <Azure AD Identifier> value in the later steps in this tutorial.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up My Award Points Top Sub/Top Team section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
NOTE
Insert the copied Azure AD Identifier value into the Sign on URL, in place of <Azure AD Identifier>, in the
Basic SAML Configuration section in the Azure portal.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create My Award Points Top Sub/Top Team test user
In this section, you create a user called Britta Simon in My Award Points Top Sub/Top Team. Work with My Award
Points Top Sub/Top Team support team to add the users in the My Award Points Top Sub/Top Team platform.
Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the My Award Points Top Sub/Top Team tile in the Access Panel, you should be automatically
signed in to the My Award Points Top Sub/Top Team for which you set up SSO. For more information about the
Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
myPolicies
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate myPolicies with Azure Active Directory (Azure AD). Integrating
myPolicies with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to myPolicies.
You can enable your users to be automatically signed-in to myPolicies (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with myPolicies, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
myPolicies single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
myPolicies supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type myPolicies, select myPolicies from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<tenantname>.mypolicies.com/
b. In the Reply URL text box, type a URL using the following pattern:
https://<tenantname>.mypolicies.com/users/auth/saml/callback
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact myPolicies Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and
save it on your computer.
6. On the Set up myPolicies section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure myPolicies Single Sign-On
To configure single sign-on on the myPolicies side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the myPolicies support team. They configure this setting so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create myPolicies test user
In this section, you create a user called Britta Simon in myPolicies. Work with myPolicies support team to add the
users in the myPolicies platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the myPolicies tile in the Access Panel, you should be automatically signed in to the myPolicies for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with MyVR
11/14/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate MyVR with Azure Active Directory (Azure AD). When you integrate
MyVR with Azure AD, you can:
Control in Azure AD who has access to MyVR.
Enable your users to be automatically signed-in to MyVR with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
MyVR single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
MyVR supports SP and IDP initiated SSO
MyVR supports Just In Time user provisioning
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section the application is pre-configured in IDP initiated mode and the
necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking
the Save button.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://ess.virtualroster.net/ess/login.aspx
6. MyVR application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
7. In addition to the above, the MyVR application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you can review them as per your
requirement.
NAME          SOURCE ATTRIBUTE
employeeid    user.employeeid
8. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
9. On the Set up MyVR section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the MyVR tile in the Access Panel, you should be automatically signed in to the MyVR for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try MyVR with Azure AD
Tutorial: Integrate MyWorkDrive with Azure Active
Directory
11/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate MyWorkDrive with Azure Active Directory (Azure AD). When you
integrate MyWorkDrive with Azure AD, you can:
Control in Azure AD who has access to MyWorkDrive.
Enable your users to be automatically signed-in to MyWorkDrive with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
MyWorkDrive single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. MyWorkDrive supports SP and IDP
initiated SSO
4. On the Basic SAML Configuration page, if you wish to configure the application in IDP initiated mode,
enter the values for the following field:
In the Reply URL text box, type a URL using the following pattern:
https://<SERVER.DOMAIN.COM>/SAML/AssertionConsumerService.aspx
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<SERVER.DOMAIN.COM>/Account/Login-saml
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-On URL. Input your own
company's MyWorkDrive Server host name, e.g.
Reply URL: https://yourserver.yourdomain.com/SAML/AssertionConsumerService.aspx
Contact the MyWorkDrive support team if you are unsure how to set up your own host name and SSL certificate for
these values.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url to your clipboard.
Configure MyWorkDrive SSO
1. To automate the configuration within MyWorkDrive, you need to install the My Apps Secure Sign-in browser
extension by clicking Install the extension.
2. After adding the extension to the browser, clicking Setup MyWorkDrive will direct you to the MyWorkDrive
application. From there, provide the admin credentials to sign in to MyWorkDrive. The browser extension
will automatically configure the application for you and automate steps 3-4.
3. If you want to set up MyWorkDrive manually, in a different web browser window, sign in to MyWorkDrive
as a Security Administrator.
4. On the MyWorkDrive Server in the admin panel, click on ENTERPRISE and perform the following steps:
NOTE
For additional information review the MyWorkDrive Azure AD support article.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create MyWorkDrive test user
In this section, you create a user called Britta Simon in MyWorkDrive. Work with MyWorkDrive support team to
add the users in the MyWorkDrive platform. Users must be created and activated before you use single sign-on.
Test SSO
When you select the MyWorkDrive tile in the Access Panel, you should be automatically signed in to the
MyWorkDrive for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with N2F
- Expense reports
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate N2F - Expense reports with Azure Active Directory (Azure AD).
Integrating N2F - Expense reports with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to N2F - Expense reports.
You can enable your users to be automatically signed-in to N2F - Expense reports (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with N2F - Expense reports, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
N2F - Expense reports single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
N2F - Expense reports supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type N2F - Expense reports, select N2F - Expense reports from the result panel, then click
the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
the user does not have to perform any steps as the app is already pre-integrated with Azure.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
7. On the Set up myPolicies section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure N2F - Expense reports Single Sign-On
1. In a different web browser window, sign in to your N2F - Expense reports company site as an administrator.
2. Click on Settings and then select Advance Settings from the dropdown.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create N2F - Expense reports test user
To enable Azure AD users to log in to N2F - Expense reports, they must be provisioned into N2F - Expense reports.
In the case of N2F - Expense reports, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to your N2F - Expense reports company site as an administrator.
2. Click on Settings and then select Advance Settings from the dropdown.
3. Select Users tab from left navigation panel.
NOTE
If you are facing any problems while adding the user, please contact the N2F - Expense reports support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Namely
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Namely with Azure Active Directory (Azure AD). Integrating Namely
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Namely.
You can enable your users to be automatically signed-in to Namely (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Namely, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Namely single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Namely supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Namely, select Namely from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.namely.com/saml/metadata
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Namely Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Namely section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Namely Single Sign-On
1. In another browser window, sign on to your Namely company site as an administrator.
2. In the toolbar on the top, click Company.
4. Click SAML.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Namely test user
The objective of this section is to create a user called Britta Simon in Namely.
To create a user called Britta Simon in Namely, perform the following steps:
1. Sign on to your Namely company site as an administrator.
2. In the toolbar on the top, click People.
3. Click the Directory tab.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with NegometrixPortal Single Sign On
(SSO)
11/14/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate NegometrixPortal Single Sign On (SSO) with Azure Active Directory
(Azure AD). When you integrate NegometrixPortal Single Sign On (SSO) with Azure AD, you can:
Control in Azure AD who has access to NegometrixPortal Single Sign On (SSO).
Enable your users to be automatically signed-in to NegometrixPortal Single Sign On (SSO) with their Azure AD
accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
NegometrixPortal Single Sign On (SSO) single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
NegometrixPortal Single Sign On (SSO) supports SP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL using the following pattern:
https://portal.negometrix.com/sso/<CUSTOMURL>
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact NegometrixPortal Single Sign On (SSO)
Client support team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The NegometrixPortal Single Sign On (SSO) application expects the SAML assertions in a specific format, which
requires you to add custom attribute mappings to your SAML token attributes configuration. The following
screenshot shows the list of default attributes.
6. In addition to the above, the NegometrixPortal Single Sign On (SSO) application expects a few more attributes
to be passed back in the SAML response, which are shown below. These attributes are also pre-populated, but you
can review them as per your requirements.
NAME    SOURCE ATTRIBUTE
upn     user.userprincipalname
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the NegometrixPortal Single Sign On (SSO) tile in the Access Panel, you should be automatically
signed in to the NegometrixPortal Single Sign On (SSO) for which you set up SSO. For more information about
the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try NegometrixPortal Single Sign On (SSO) with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with NEOGOV
11/14/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate NEOGOV with Azure Active Directory (Azure AD). When you integrate
NEOGOV with Azure AD, you can:
Control in Azure AD who has access to NEOGOV.
Enable your users to be automatically signed-in to NEOGOV with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
NEOGOV single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
NEOGOV supports IDP initiated SSO
4. On the Set up single sign-on with SAML page, enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
Production: https://www.neogov.com/
Sandbox: https://www.uat.neogov.net/
b. In the Reply URL text box, type a URL using the following pattern:
Production: https://login.neogov.com/authentication/saml/consumer
Sandbox: https://login.uat.neogov.net/authentication/saml/consumer
5. The NEOGOV application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes, whereas nameidentifier is mapped with user.userprincipalname. The NEOGOV
application expects nameidentifier to be mapped with user.objectid, so you need to edit the attribute
mapping by clicking the Edit icon and changing the attribute mapping.
6. In addition to the above, the NEOGOV application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you can review them as per
your requirements.
NAME    SOURCE ATTRIBUTE
mail    user.mail
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the NEOGOV tile in the Access Panel, you should be automatically signed in to the NEOGOV for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
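The claim mappings in this tutorial (nameidentifier mapped to user.objectid, plus mail) and the employeeid and upn mappings in the MyVR and NegometrixPortal tutorials above can be checked against a captured test assertion before users are assigned. The following is an added example, not part of the Microsoft tutorial: the function names, the EXPECTED table layout and the sample assertion are constructed for illustration, and it assumes the attribute Name in the assertion ends with the claim name shown on this page.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Claim expectations taken from the tutorials on this page.
# "nameid": "objectid" means the NameID must carry user.objectid (a GUID)
# instead of the default user.userprincipalname.
EXPECTED = {
    "MyVR": {"attributes": ["employeeid"], "nameid": None},
    "NegometrixPortal": {"attributes": ["upn"], "nameid": None},
    "NEOGOV": {"attributes": ["mail"], "nameid": "objectid"},
}

# Constructed test assertion (not a real token): the NameID still carries the
# default userprincipalname mapping, which NEOGOV does not expect.
SAMPLE_DEFAULT_NAMEID = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>b.simon@contoso.example</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>b.simon@contoso.example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Same constructed assertion after the mapping is changed to user.objectid.
SAMPLE_OBJECTID_NAMEID = SAMPLE_DEFAULT_NAMEID.replace(
    "<saml:NameID>b.simon@contoso.example",
    "<saml:NameID>00000000-1111-2222-3333-444444444444",
)


def extract_claims(xml_text):
    """Return (NameID, {attribute name: [values]}) from a SAML 2.0 response.

    This only reads claims for a configuration review. It does not verify the
    XML signature, so it must never be used to authenticate anyone.
    """
    if "<!DOCTYPE" in xml_text.upper():
        # A SAML message has no reason to carry a DTD; refuse to parse it.
        raise ValueError("DOCTYPE is not allowed in a SAML message")
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}Assertion" % SAML_NS:
        assertion = root
    else:
        assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML 2.0 Assertion element found")
    name_id = assertion.findtext(
        "saml:Subject/saml:NameID", default="", namespaces=NS
    ).strip()
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        # Assumption: a namespace URI may prefix the claim name; keep the tail.
        name = attr.get("Name", "").rsplit("/", 1)[-1]
        attrs[name] = [
            (v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)
        ]
    return name_id, attrs


def check_assertion(app, xml_text):
    """List the ways the assertion differs from what the tutorial for app expects."""
    expected = EXPECTED[app]
    name_id, attrs = extract_claims(xml_text)
    findings = []
    for name in expected["attributes"]:
        if not any(attrs.get(name, [])):
            findings.append(f"attribute '{name}' is missing or empty")
    if not name_id:
        findings.append("NameID is missing")
    elif expected["nameid"] == "objectid" and not GUID.fullmatch(name_id):
        hint = ""
        if "@" in name_id:
            hint = " (looks like user.userprincipalname, the default mapping)"
        findings.append("NameID is not an object ID" + hint)
    return findings


if __name__ == "__main__":
    for app in EXPECTED:
        print(app, check_assertion(app, SAMPLE_DEFAULT_NAMEID))
```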
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try NEOGOV with Azure AD
Tutorial: Azure Active Directory integration with
Neota Logic Studio
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Neota Logic Studio with Azure Active Directory (Azure AD). Integrating
Neota Logic Studio with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Neota Logic Studio.
You can enable your users to be automatically signed-in to Neota Logic Studio (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Neota Logic Studio, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Neota Logic Studio single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Neota Logic Studio supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Neota Logic Studio, select Neota Logic Studio from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<sub domain>.neotalogic.com/wb
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Neota Logic Studio
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Neota Logic Studio section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
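The NOTE blocks in the tutorials above state that the pattern values are not real and must be replaced with the actual URLs. The following added example, which is not part of the Microsoft tutorial, checks candidate Basic SAML Configuration values against the patterns printed on this page before they are saved; the function names are hypothetical and the contoso sample values are constructed.

```python
import re
from urllib.parse import urlsplit

# URL patterns copied from the tutorials on this page; <...> marks the
# tenant-specific part that has to be replaced with a real value.
PATTERNS = {
    ("myPolicies", "Identifier"): "https://<tenantname>.mypolicies.com/",
    ("myPolicies", "Reply URL"): "https://<tenantname>.mypolicies.com/users/auth/saml/callback",
    ("MyWorkDrive", "Reply URL"): "https://<SERVER.DOMAIN.COM>/SAML/AssertionConsumerService.aspx",
    ("MyWorkDrive", "Sign-on URL"): "https://<SERVER.DOMAIN.COM>/Account/Login-saml",
    ("Namely", "Identifier"): "https://<subdomain>.namely.com/saml/metadata",
    ("NegometrixPortal", "Sign-on URL"): "https://portal.negometrix.com/sso/<CUSTOMURL>",
    ("Neota Logic Studio", "Identifier"): "https://<sub domain>.neotalogic.com/wb",
}

PLACEHOLDER = re.compile(r"<[^<>]+>")
# One DNS label: letters, digits and inner hyphens, no dots or slashes.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"


def compile_pattern(pattern):
    """Turn a tutorial pattern into a strict regular expression.

    A placeholder in the host part matches a single DNS label, or a dotted
    host name when the placeholder itself contains dots (<SERVER.DOMAIN.COM>).
    A placeholder in the path matches one path segment.
    """
    host_start = pattern.index("://") + 3
    slash = pattern.find("/", host_start)
    host_end = slash if slash != -1 else len(pattern)
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        if m.start() >= host_end:
            parts.append(r"[A-Za-z0-9._~-]+")
        elif "." in m.group(0):
            parts.append(LABEL + r"(?:\." + LABEL + r")+")
        else:
            parts.append(LABEL)
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts))


def check_value(app, field, value):
    """Return a list of problems with one configured value (empty list = OK)."""
    pattern = PATTERNS[(app, field)]
    problems = []
    if PLACEHOLDER.search(value):
        problems.append("placeholder from the tutorial was not replaced")
    try:
        scheme = urlsplit(value).scheme
    except ValueError:
        return problems + ["not a parseable URL"]
    if scheme != "https":
        problems.append("scheme is not https")
    if not compile_pattern(pattern).fullmatch(value):
        problems.append(f"does not match the tutorial pattern {pattern}")
    return problems


def review_config(values):
    """Check {(app, field): value} and return only the entries with problems."""
    report = {}
    for (app, field), value in values.items():
        problems = check_value(app, field, value)
        if problems:
            report[(app, field)] = problems
    return report


# Constructed sample values: one correct, three with typical mistakes.
SAMPLE_VALUES = {
    ("myPolicies", "Reply URL"): "https://contoso.mypolicies.com/users/auth/saml/callback",
    ("Namely", "Identifier"): "https://<subdomain>.namely.com/saml/metadata",
    ("MyWorkDrive", "Reply URL"): "http://yourserver.yourdomain.com/SAML/AssertionConsumerService.aspx",
    # Host only starts like the vendor domain; the real domain is different.
    ("Neota Logic Studio", "Identifier"): "https://contoso.neotalogic.com.example/wb",
}

if __name__ == "__main__":
    for key, problems in review_config(SAMPLE_VALUES).items():
        print(key, problems)
```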
Configure Neota Logic Studio Single Sign-On
To configure single sign-on on the Neota Logic Studio side, you need to send the downloaded Federation
Metadata XML and the appropriate copied URLs from the Azure portal to the Neota Logic Studio support team. They
configure this setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Neota Logic Studio test user
In this section, you create a user called Britta Simon in Neota Logic Studio. Work with Neota Logic Studio support
team to add the users in the Neota Logic Studio platform. Users must be created and activated before you use
single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Neota Logic Studio tile in the Access Panel, you should be automatically signed in to the Neota
Logic Studio for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with NetDocuments
10/8/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate NetDocuments with Azure Active Directory (Azure AD). When you
integrate NetDocuments with Azure AD, you can:
Control in Azure AD who has access to NetDocuments.
Enable your users to be automatically signed-in to NetDocuments with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
NetDocuments single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
NetDocuments supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://vault.netvoyage.com/neWeb2/docCent.aspx?whr=<Repository ID>
b. In the Reply URL text box, type a URL using the following pattern:
https://vault.netvoyage.com/neWeb2/docCent.aspx?whr=<Repository ID>
c. In the Identifier (Entity ID) text box, type a URL using the following pattern:
http://netdocuments.com/VAULT
NOTE
These values are not real. Update these values with the actual Sign on URL and Reply URL. Repository ID is a value
starting with CA- followed by an 8-character code associated with your NetDocuments Repository. You can check the
NetDocuments Federated Identity support document for more information. Alternatively, you can contact the
NetDocuments Client support team to get these values if you have difficulty configuring the application using the above
information. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. The NetDocuments application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes, where nameidentifier is mapped with user.userprincipalname. The
NetDocuments application expects nameidentifier to be mapped with employeeid or any other claim
that is applicable to your organization as nameidentifier, so you need to edit the attribute mapping by
clicking the Edit icon and changing the attribute mapping.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. On the Set up NetDocuments section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
4. In the Email Address textbox, type the email address of a valid Azure Active Directory account you want to
provision, and then click Add User.
NOTE
The Azure Active Directory account holder will get an email that includes a link to confirm the account before it
becomes active. You can use any other NetDocuments user account creation tools or APIs provided by
NetDocuments to provision Azure Active Directory user accounts.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the NetDocuments tile in the Access Panel, you should be automatically signed in to the
NetDocuments for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try NetDocuments with Azure AD
Tutorial: Azure Active Directory integration with Netop Portal
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Netop Portal with Azure Active Directory (Azure AD). Integrating Netop
Portal with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Netop Portal.
You can enable your users to be automatically signed-in to Netop Portal (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Netop Portal, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Netop Portal single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Netop Portal supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Netop Portal, select Netop Portal from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. Your Netop Portal application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click the Edit icon to open the User Attributes dialog.
6. In addition to the above, the Netop Portal application expects a few more attributes to be passed back in the SAML
response. In the User Claims section of the User Attributes dialog, perform the following steps to add each
SAML token attribute shown in the table below:
NAME              SOURCE ATTRIBUTE
NRC-ACCOUNT-ID    "adfs-demo"
NRC-EMAIL         user.userprincipalname
NRC-GIVEN-NAME    user.givenname
NRC-SURNAME       user.surname
NRC-USERNAME      user.userprincipalname
nameidentifier    user.userprincipalname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. In the Namespace textbox, type https://secure.netop.com.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. On the Set up Netop Portal section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
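After a test sign-in, the claims configured in step 6 can be checked in a captured SAML assertion. The following is an added example, not part of the original tutorial: it inspects claims only and does not validate the signature, it assumes Azure AD emits each Attribute Name as the namespace from step 6c followed by "/" and the claim name, and the function names and sample assertions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NETOP_NS = "https://secure.netop.com"  # Namespace typed in step 6c
REQUIRED = ("NRC-ACCOUNT-ID", "NRC-EMAIL", "NRC-GIVEN-NAME", "NRC-SURNAME", "NRC-USERNAME")
UPN_CLAIMS = ("NRC-EMAIL", "NRC-USERNAME")  # both sourced from user.userprincipalname

# Constructed sample values; "adfs-demo" is the account ID shown in the table.
GOOD_ATTRS = {
    "NRC-ACCOUNT-ID": "adfs-demo",
    "NRC-EMAIL": "britta.simon@contoso.com",
    "NRC-GIVEN-NAME": "Britta",
    "NRC-SURNAME": "Simon",
    "NRC-USERNAME": "britta.simon@contoso.com",
}


def build_sample_assertion(name_id, attrs, namespace=NETOP_NS):
    """Build a constructed, unsigned assertion fragment for the demo."""
    prefix = f"{namespace}/" if namespace else ""
    rows = "".join(
        f'<Attribute Name="{prefix}{name}"><AttributeValue>{value}</AttributeValue></Attribute>'
        for name, value in attrs.items()
    )
    return (
        '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<Subject><NameID>{name_id}</NameID></Subject>"
        f"<AttributeStatement>{rows}</AttributeStatement></Assertion>"
    )


def check_netop_claims(assertion_xml, expected_account_id):
    """Return a list of problems; an empty list means the claims match the table."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", "", SAML).strip()
    claims = {
        attr.get("Name", ""): attr.findtext("saml:AttributeValue", "", SAML).strip()
        for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML)
    }

    problems = []
    if not name_id:
        problems.append("NameID: missing")
    for short in REQUIRED:
        full = f"{NETOP_NS}/{short}"
        if full in claims:
            if not claims[full]:
                problems.append(f"{short}: empty")
        elif short in claims:
            # Claim exists but the Namespace box was left blank in step 6c.
            problems.append(f"{short}: sent without namespace {NETOP_NS}")
        else:
            problems.append(f"{short}: missing")

    account = claims.get(f"{NETOP_NS}/NRC-ACCOUNT-ID")
    if account and account != expected_account_id:
        problems.append("NRC-ACCOUNT-ID: unexpected value")

    # NRC-EMAIL, NRC-USERNAME and nameidentifier all map to user.userprincipalname,
    # so a mismatch means one of the mappings points at a different attribute.
    for short in UPN_CLAIMS:
        value = claims.get(f"{NETOP_NS}/{short}")
        if value and name_id and value.lower() != name_id.lower():
            problems.append(f"{short}: differs from NameID")
    return problems


if __name__ == "__main__":
    sample = build_sample_assertion("britta.simon@contoso.com", GOOD_ATTRS)
    print(check_netop_claims(sample, "adfs-demo") or "claims match the table")
```
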
Configure Netop Portal Single Sign-On
To configure single sign-on on the Netop Portal side, you need the downloaded Federation Metadata XML and
the Login URL from the Azure portal. Follow the instructions in Step 3 of the documentation here to configure Netop
Portal for Azure AD authentication.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Netop Portal test user
In this section, you create a user called Britta Simon in Netop Portal. Work with the Netop Portal support team to add
the users in the Netop Portal platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Netop Portal tile in the Access Panel, you should be automatically signed in to the Netop Portal
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with Netskope Administrator Console
11/14/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Netskope Administrator Console with Azure Active Directory (Azure
AD). When you integrate Netskope Administrator Console with Azure AD, you can:
Control in Azure AD who has access to Netskope Administrator Console.
Enable your users to be automatically signed-in to Netskope Administrator Console with their Azure AD
accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Netskope Administrator Console single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Netskope Administrator Console supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern: Netskope_<OrgKey>
b. In the Reply URL text box, type a URL using the following pattern: https://<tenant_host_name>/saml/acs
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. How to get these values is
explained later in the tutorial.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<tenantname>.goskope.com
NOTE
The Sign-on URL value is not real. Update the Sign-on URL value with the actual Sign-on URL. Contact the Netskope
Administrator Console Client support team to get the Sign-on URL value. You can also refer to the patterns shown in the
Basic SAML Configuration section in the Azure portal.
6. The Netskope Administrator Console application expects the SAML assertions in a specific format, which
requires you to add custom attribute mappings to your SAML token attributes configuration. The following
screenshot shows the list of default attributes.
7. In addition to the above, the Netskope Administrator Console application expects a few more attributes to be passed
back in the SAML response, which are shown below. These attributes are also pre-populated, but you can review
them as per your requirements.
NAME          SOURCE ATTRIBUTE
admin-role    user.assignedroles
NOTE
Click here to learn how to create roles in Azure AD.
8. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
9. On the Set up Netskope Administrator Console section, copy the appropriate URL(s) based on your
requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
a. Copy Assertion Consumer Service URL value and paste it into the Reply URL textbox in the Basic
SAML Configuration section in the Azure portal.
b. Copy Service Provider Entity ID value and paste it into the Identifier textbox in the Basic SAML
Configuration section in the Azure portal.
6. Click EDIT SETTINGS under the SSO/SLO Settings section.
7. On the Settings popup window, perform the following steps:
a. Select Enable SSO.
b. In the IDP URL textbox, paste the Login URL value, which you have copied from the Azure portal.
c. In the IDP ENTITY ID textbox, paste the Azure AD Identifier value, which you have copied from the
Azure portal.
d. Open your downloaded Base64-encoded certificate in Notepad, copy its content to your clipboard,
and then paste it into the IDP CERTIFICATE textbox.
e. Select Enable SSO.
f. In the IDP SLO URL textbox, paste the Logout URL value, which you have copied from the Azure portal.
g. Click SUBMIT.
Create Netskope Administrator Console test user
1. Open a new tab in your browser, and sign in to your Netskope Administrator Console company site as an
administrator.
2. Click on the Settings tab from the left navigation pane.
6. Enter the email address of the user you want to add and click ADD.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Netskope Administrator Console tile in the Access Panel, you should be automatically signed in
to the Netskope Administrator Console for which you set up SSO. For more information about the Access Panel,
see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Netskope Administrator Console with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO) integration with Netskope User Authentication
11/14/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Netskope User Authentication with Azure Active Directory (Azure AD).
When you integrate Netskope User Authentication with Azure AD, you can:
Control in Azure AD who has access to Netskope User Authentication.
Enable your users to be automatically signed-in to Netskope User Authentication with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Netskope User Authentication single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Netskope User Authentication supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://<tenantname>.goskope.com/<customer entered string>
b. In the Reply URL text box, type a URL using the following pattern:
https://<tenantname>.goskope.com/nsauth/saml2/http-post/<customer entered string>
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. How to get these values is
explained later in the tutorial.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<tenantname>.goskope.com
NOTE
The Sign-on URL value is not real. Update the Sign-on URL value with the actual Sign-on URL. Contact the Netskope User
Authentication Client support team to get the Sign-on URL value. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Netskope User Authentication section, copy the appropriate URL(s) based on your
requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
6. Enter the email address of the user you want to add and click ADD.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Netskope User Authentication tile in the Access Panel, you should be automatically signed in to
the Netskope User Authentication for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Netskope User Authentication with Azure AD
Tutorial: Integrate Azure AD single sign-on (SSO) with NetSuite
10/21/2019 • 7 minutes to read
In this tutorial, you'll learn how to integrate NetSuite with Azure Active Directory (Azure AD). When you integrate
NetSuite with Azure AD, you can:
Control in Azure AD who has access to NetSuite.
Enable your users to be automatically signed in to NetSuite with their Azure AD accounts.
Manage your accounts in one central location, the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory?.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
A NetSuite single sign-on (SSO)-enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
NetSuite supports:
IDP-initiated SSO.
JIT (just-in-time) user provisioning.
Automated user provisioning.
NOTE
Because the identifier of this application is a fixed string value, only one instance can be configured in one tenant.
4. In the Basic SAML Configuration section, in the Reply URL text box, type a URL in one of the following
formats:
https://<tenant-name>.NetSuite.com/saml2/acs
https://<tenant-name>.na1.NetSuite.com/saml2/acs
https://<tenant-name>.na2.NetSuite.com/saml2/acs
https://<tenant-name>.sandbox.NetSuite.com/saml2/acs
https://<tenant-name>.na1.sandbox.NetSuite.com/saml2/acs
https://<tenant-name>.na2.sandbox.NetSuite.com/saml2/acs
NOTE
The values in the preceding URLs are not real. Update them with the actual Reply URL. To get the value, contact the
NetSuite Client support team. You can also refer to the formats shown in the Basic SAML Configuration section in
the Azure portal.
The NetSuite application expects the SAML assertions to be displayed in a specific format. You'll need to
add custom attribute mappings to your SAML token attributes configuration.
5. To open the User Attributes pane, select the Edit ("pencil") icon. The pane displays a list of default
attributes, as shown in the following image:
In addition to these attributes, the NetSuite application expects a few more attributes to be passed back in
the SAML response.
6. In the User Attributes pane, under User Claims, perform the following steps to add the SAML token
attribute that's shown in the following table:
NAME       SOURCE ATTRIBUTE
account    account id
a. Select Add new claim to open the Manage user claims pane.
b. In the Name box, type the attribute name that's shown for that row.
c. Leave the Namespace box blank.
d. In the Source drop-down list, select Attribute.
e. In the Source attribute list, enter the attribute value that's shown for that row.
f. Select OK.
g. Select Save.
NOTE
The value of the account attribute is not real. You'll update this value, as explained later in this tutorial.
7. In the Set up single sign-on with SAML pane, in the SAML Signing Certificate section, look for
Federation Metadata XML.
8. Select Download to download the certificate and save it on your computer.
9. In the Set up NetSuite section, copy the appropriate URL or URLs, depending on your requirement.
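The Reply URL is where Azure AD posts the signed assertion, so a value that still contains a tutorial placeholder or points at an unexpected host is worth catching before it is saved. The following added example (not part of the original tutorials) lints a candidate Reply URL against the NetSuite formats listed in step 4 above and the NetDocuments pattern given earlier on this page. The function names are hypothetical, and two details are assumptions: the tenant name is a single DNS label, and the 8-character Repository ID code is alphanumeric.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# <tenant-name>[.na1|.na2][.sandbox].NetSuite.com, compared in lower case.
NETSUITE_HOST = re.compile(
    r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.na[12])?(?:\.sandbox)?\.netsuite\.com"
)
# "CA-" followed by an 8 character code (assumed alphanumeric).
REPOSITORY_ID = re.compile(r"CA-[A-Za-z0-9]{8}")


def _check_netsuite(parts, host):
    problems = []
    if not NETSUITE_HOST.fullmatch(host):
        problems.append("host is not <tenant-name>[.na1|.na2][.sandbox].NetSuite.com")
    if parts.path != "/saml2/acs" or parts.query:
        problems.append("path must be exactly /saml2/acs with no query string")
    return problems


def _check_netdocuments(parts, host):
    problems = []
    if host != "vault.netvoyage.com" or parts.path != "/neWeb2/docCent.aspx":
        problems.append("host and path must be vault.netvoyage.com/neWeb2/docCent.aspx")
    query = parse_qsl(parts.query, keep_blank_values=True)
    if len(query) != 1 or query[0][0] != "whr":
        problems.append("query must be the single parameter whr=<Repository ID>")
    elif not REPOSITORY_ID.fullmatch(query[0][1]):
        problems.append("Repository ID is not CA- followed by 8 characters")
    return problems


CHECKS = {"netsuite": _check_netsuite, "netdocuments": _check_netdocuments}


def lint_reply_url(app, url):
    """Return a list of problems with a candidate Reply URL; empty means it passes."""
    if "<" in url or ">" in url:
        return ["placeholder from the tutorial was not replaced"]
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return [f"unparseable URL: {exc}"]

    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.username or parts.password or port is not None:
        problems.append("userinfo or explicit port present")
    if parts.fragment:
        problems.append("fragment present")
    return problems + CHECKS[app](parts, parts.hostname or "")


if __name__ == "__main__":
    # Constructed sample values.
    for app, url in [
        ("netsuite", "https://contoso.na1.sandbox.NetSuite.com/saml2/acs"),
        ("netsuite", "https://<tenant-name>.NetSuite.com/saml2/acs"),
        ("netsuite", "http://contoso.netsuite.com.example.net/saml2/acs"),
        ("netdocuments", "https://vault.netvoyage.com/neWeb2/docCent.aspx?whr=CA-AB12CD34"),
    ]:
        print(app, url, lint_reply_url(app, url) or "ok")
```
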
Create an Azure AD test user
In this section, you create a test user in the Azure portal called B.Simon.
1. In the left pane of the Azure portal, select Azure Active Directory > Users > All users.
2. Select New user at the top of the screen.
3. In the User properties pane, follow these steps:
a. In the Name box, enter B.Simon.
b. In the User name box, enter the username@companydomain.extension (for example,
B.Simon@contoso.com).
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Select Create.
Assign the Azure AD test user
In this section, you enable user B.Simon to use Azure single sign-on by granting access to NetSuite.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select NetSuite.
3. In the overview pane, look for the Manage section, and then select the Users and groups link.
4. Select Add user and then, in the Add Assignment pane, select Users and groups.
5. In the Users and groups pane, in the Users drop-down list, select B.Simon, and then select the Select
button at the bottom of the screen.
6. If you're expecting any role value in the SAML assertion, do the following:
a. In the Select Role pane, in the drop-down list, select the appropriate role for the user.
b. At the bottom of the screen, select the Select button.
7. In the Add Assignment pane, select the Assign button.
4. Under Manage Authentication, select the SAML Single Sign-on check box to enable the SAML single
sign-on option in NetSuite.
j. In the left pane, select Users/Roles, and then select Manage Users.
k. Select a test user, select Edit, and then select the Access tab.
l. In the Roles pane, assign the appropriate role that you have created.
m. Select Save.
Create the NetSuite test user
In this section, a user called B.Simon is created in NetSuite. NetSuite supports just-in-time user provisioning,
which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in NetSuite,
a new one is created after authentication.
Test SSO
In this section, you test your Azure AD single sign-on configuration by using the Access Panel.
When you select the NetSuite tile in the Access Panel, you should be automatically signed in to the NetSuite for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try NetSuite with Azure AD
Tutorial: Azure Active Directory integration with New Relic
11/19/2019 • 6 minutes to read
In this tutorial, you learn how to integrate New Relic with Azure Active Directory (Azure AD). Integrating New Relic
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to New Relic.
You can enable your users to be automatically signed-in to New Relic (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with New Relic, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
New Relic single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
New Relic supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type New Relic, select New Relic from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up New Relic section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure New Relic Single Sign-On
1. In a different web browser window, sign on to your New Relic company site as administrator.
2. In the menu on the top, click Account Settings.
3. Click the Security and authentication tab, and then click the Single sign on tab.
a. Click Choose File to upload your downloaded Azure Active Directory certificate.
b. In the Remote login URL textbox, paste the value of Login URL, which you have copied from Azure
portal.
c. In the Logout landing URL textbox, paste the value of Logout URL, which you have copied from Azure
portal.
d. Click Save my changes.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create New Relic test user
In order to enable Azure Active Directory users to log in to New Relic, they must be provisioned into New Relic. In
the case of New Relic, provisioning is a manual task.
To provision a user account to New Relic, perform the following steps:
1. Log in to your New Relic company site as administrator.
2. In the menu on the top, click Account Settings.
3. In the Account pane on the left side, click Summary, and then click Add user.
a. In the Email textbox, type the email address of a valid Azure Active Directory user you want to provision.
b. As Role select User.
c. Click Add this user.
NOTE
You can use any other New Relic user account creation tools or APIs provided by New Relic to provision Azure AD user
accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Nexonia
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Nexonia with Azure Active Directory (Azure AD). Integrating Nexonia
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Nexonia.
You can enable your users to be automatically signed-in to Nexonia (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Nexonia, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Nexonia single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Nexonia supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Nexonia, select Nexonia from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL: Nexonia
b. In the Reply URL text box, type a URL using the following pattern:
https://system.nexonia.com/assistant/saml.do?orgCode=<organizationcode>
NOTE
The Reply URL value is not real. Update the value with the actual Reply URL. Contact the Nexonia Client support team to
get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Nexonia section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Nexonia Single Sign-On
To configure single sign-on on the Nexonia side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Nexonia support team. They configure this setting so that the SAML SSO
connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Nexonia test user
In this section, you create a user called Britta Simon in Nexonia. Work with Nexonia support team to add the users
in the Nexonia platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Nexonia tile in the Access Panel, you should be automatically signed in to the Nexonia for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Nimblex
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Nimblex with Azure Active Directory (Azure AD). Integrating Nimblex
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Nimblex.
You can enable your users to be automatically signed-in to Nimblex (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Nimblex, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Nimblex single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Nimblex supports SP initiated SSO
Nimblex supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Nimblex, select Nimblex from result panel then click Add button to add the
application.
3. On the Set-up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier box, type a URL using the following pattern: https://<YOUR APPLICATION PATH>/
c. In the Reply URL text box, type a URL using the following pattern:
https://<path-to-application>/SamlReply.aspx
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact
Nimblex Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set-up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Nimblex section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Nimblex Single Sign-On
1. In a different web browser window, sign in to Nimblex as a Security Administrator.
2. On the top right-side of the page, click Settings logo.
3. On the Control Panel page, under Security section click Single Sign-on.
4. On the Manage Single Sign-On page, select your instance name and click Edit.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Nimblex test user
In this section, a user called Britta Simon is created in Nimblex. Nimblex supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Nimblex,
a new one is created after authentication.
NOTE
If you need to create a user manually, contact Nimblex Client support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Nimblex tile in the Access Panel, you should be automatically signed in to the Nimblex for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Nomadesk
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Nomadesk with Azure Active Directory (Azure AD). Integrating
Nomadesk with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Nomadesk.
You can enable your users to be automatically signed-in to Nomadesk (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Nomadesk, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Nomadesk single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Nomadesk supports SP initiated SSO
Nomadesk supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Nomadesk, select Nomadesk from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://secure.nomadesk.com/saml/<instancename>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Nomadesk Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Nomadesk section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Nomadesk Single Sign-On
To configure single sign-on on the Nomadesk side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Nomadesk support team. They apply these settings so that the
SAML SSO connection is configured properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Nomadesk test user
In this section, a user called Britta Simon is created in Nomadesk. Nomadesk supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Nomadesk, a new one is created after authentication.
NOTE
If you need to create a user manually, you need to contact the Nomadesk support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Nomadic
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Nomadic with Azure Active Directory (Azure AD). Integrating Nomadic
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Nomadic.
You can enable your users to be automatically signed-in to Nomadic (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Nomadic, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Nomadic single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Nomadic supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Nomadic, select Nomadic from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<company name>.nomadic.fm/auth/saml2/sp
https://<company name>.staging.nomadic.fm/auth/saml2/sp
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Nomadic Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Nomadic section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Nomadic Single Sign-On
To configure single sign-on on the Nomadic side, you need to send the downloaded Federation Metadata XML and the
appropriate copied URLs from the Azure portal to the Nomadic support team. They apply these settings so that the
SAML SSO connection is configured properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Nomadic test user
In this section, you create a user called Britta Simon in Nomadic. Work with Nomadic support team to add the
users in the Nomadic platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Nomadic tile in the Access Panel, you should be automatically signed in to the Nomadic for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Novatus
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Novatus with Azure Active Directory (Azure AD). Integrating Novatus
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Novatus.
You can enable your users to be automatically signed-in to Novatus (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Novatus, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Novatus single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Novatus supports SP initiated SSO
Novatus supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Novatus, select Novatus from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Novatus Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Novatus section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Novatus Single Sign-On
To configure single sign-on on the Novatus side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Novatus support team. They apply these settings so that the
SAML SSO connection is configured properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Novatus test user
In this section, a user called Britta Simon is created in Novatus. Novatus supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Novatus,
a new one is created after authentication.
NOTE
If you need to create a user manually, you need to contact the Novatus support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Nuclino
10/17/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Nuclino with Azure Active Directory (Azure AD). When you integrate
Nuclino with Azure AD, you can:
Control in Azure AD who has access to Nuclino.
Enable your users to be automatically signed-in to Nuclino with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Nuclino single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Nuclino supports SP and IDP initiated SSO
Nuclino supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://api.nuclino.com/api/sso/<UNIQUE-ID>/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://api.nuclino.com/api/sso/<UNIQUE-ID>/acs
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL from the Authentication
section, which is explained later in this tutorial.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://app.nuclino.com/<UNIQUE-ID>/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact Nuclino
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. Nuclino application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
7. In addition to the above, the Nuclino application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you can review them as per your
requirements.
first_name user.givenname
last_name user.surname
8. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
9. On the Set up Nuclino section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, clicking Set up Nuclino directs you to the Nuclino application.
From there, provide the admin credentials to sign into Nuclino. The browser extension will automatically
configure the application for you and automate steps 3-7.
3. If you want to set up Nuclino manually, open a new web browser window, sign into your Nuclino
company site as an administrator, and perform the following steps:
4. Click on the ICON.
5. Click on the Azure AD SSO and select Team settings from the dropdown.
NOTE
If you need to create a user manually, contact Nuclino support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Nuclino tile in the Access Panel, you should be automatically signed in to the Nuclino for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Nuclino with Azure AD
Tutorial: Azure Active Directory integration with O.C.
Tanner - AppreciateHub
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate O.C. Tanner - AppreciateHub with Azure Active Directory (Azure AD).
Integrating O.C. Tanner - AppreciateHub with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to O.C. Tanner - AppreciateHub.
You can enable your users to be automatically signed-in to O.C. Tanner - AppreciateHub (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with O.C. Tanner - AppreciateHub, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
O.C. Tanner - AppreciateHub single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
O.C. Tanner - AppreciateHub supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type O.C. Tanner - AppreciateHub, select O.C. Tanner - AppreciateHub from result
panel then click Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you have Service Provider metadata file, perform the
following steps:
NOTE
You can download the Service Provider metadata file from here
c. After the metadata file is successfully uploaded, the Identifier and Reply URL values get auto populated
in Basic SAML Configuration section.
NOTE
If the Identifier and Reply URL values do not get auto populated, then please fill in the values manually according to
your requirement. Contact O.C. Tanner - AppreciateHub Client support team to get these values. You can also refer
to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up O.C. Tanner - AppreciateHub section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure O.C. Tanner - AppreciateHub Single Sign-On
To configure single sign-on on the O.C. Tanner - AppreciateHub side, you need to send the downloaded Federation
Metadata XML and the appropriate copied URLs from the Azure portal to the O.C. Tanner - AppreciateHub support team.
They apply these settings so that the SAML SSO connection is configured properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create O.C. Tanner - AppreciateHub test user
The objective of this section is to create a user called Britta Simon in O.C. Tanner - AppreciateHub.
To create a user called Britta Simon in O.C. Tanner - AppreciateHub, perform the following steps:
Ask your O.C. Tanner - AppreciateHub support team to create a user whose nameID attribute has the same value
as the user name of Britta Simon in Azure AD.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the O.C. Tanner - AppreciateHub tile in the Access Panel, you should be automatically signed in to
the O.C. Tanner - AppreciateHub for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
OfficeSpace Software
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate OfficeSpace Software with Azure Active Directory (Azure AD).
Integrating OfficeSpace Software with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to OfficeSpace Software.
You can enable your users to be automatically signed-in to OfficeSpace Software (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with OfficeSpace Software, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
OfficeSpace Software single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
OfficeSpace Software supports SP initiated SSO
OfficeSpace Software supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type OfficeSpace Software, select OfficeSpace Software from result panel then click
Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
<company name>.officespacesoftware.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact OfficeSpace
Software Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. The OfficeSpace Software application expects the SAML assertions in a specific format, which requires you to
add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes, where nameidentifier is mapped with user.userprincipalname.
The OfficeSpace Software application expects nameidentifier to be mapped with user.mail, so you need to edit
the attribute mapping by clicking on the Edit icon and changing the attribute mapping.
6. In addition to the above, the OfficeSpace Software application expects a few more attributes to be passed back
in the SAML response. In the User Claims section on the User Attributes dialog, perform the following steps to
add the SAML token attributes shown in the table below:
NAME          SOURCE ATTRIBUTE
email         user.mail
name          user.displayname
first_name    user.givenname
last_name     user.surname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. In the SAML Signing Certificate section, click Edit button to open SAML Signing Certificate dialog.
8. In the SAML Signing Certificate section, copy the Thumbprint and save it on your computer.
9. On the Set up OfficeSpace Software section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
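A claims check for the OfficeSpace Software mappings in steps 5 and 6, as an added example that is not part of the original tutorial: it inspects a decoded SAML assertion for the four claims in the table and confirms that NameID matches the email claim, since both are sourced from user.mail. The function names, the sample addresses and the test assertions are constructed for illustration; treating an attribute Name ending in "/<claim>" as a non-blank Namespace is an assumption. It checks claim shape only and does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Claim names from the tutorial's table. Namespace is left blank there, so
# each Attribute Name is expected to be exactly the bare name.
REQUIRED_CLAIMS = ("email", "name", "first_name", "last_name")


def check_assertion(xml_text):
    """Return a list of problems; an empty list means the claims look right.

    Inspects claim shape only. It does not verify the XML signature.
    """
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declaration present; refusing to parse"]
    root = ET.fromstring(xml_text)
    assertions = list(root.iter("{%s}Assertion" % SAML))
    if len(assertions) != 1:
        return ["expected exactly 1 Assertion, found %d" % len(assertions)]
    assertion = assertions[0]

    problems = []
    name_id = assertion.find("{%s}Subject/{%s}NameID" % (SAML, SAML))
    name_id_value = (name_id.text or "").strip() if name_id is not None else ""
    if not name_id_value:
        problems.append("NameID missing or empty")

    # Collect every attribute as Name -> list of values.
    claims = {}
    for attr in assertion.iter("{%s}Attribute" % SAML):
        values = [(v.text or "").strip()
                  for v in attr.findall("{%s}AttributeValue" % SAML)]
        claims.setdefault(attr.get("Name", ""), []).extend(values)

    for claim in REQUIRED_CLAIMS:
        values = claims.get(claim)
        if values is None:
            # Assumption: a Name ending in "/<claim>" means the Namespace
            # field was filled in instead of being left blank.
            namespaced = [n for n in claims if n.endswith("/" + claim)]
            if namespaced:
                problems.append("%s sent as %s; Namespace was not left blank"
                                % (claim, namespaced[0]))
            else:
                problems.append("claim %s missing" % claim)
        elif len(values) != 1 or not values[0]:
            problems.append("claim %s must carry one non-empty value" % claim)

    # nameidentifier and email are both mapped to user.mail, so they must agree.
    email = (claims.get("email") or [""])[0]
    if name_id_value and email and name_id_value.casefold() != email.casefold():
        problems.append("NameID %r differs from email claim %r; nameidentifier "
                        "may still be mapped to user.userprincipalname"
                        % (name_id_value, email))
    return problems


def build_sample(name_id, attributes):
    """Build a constructed, unsigned assertion for the demo (not real traffic)."""
    rows = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
        '</saml:Attribute>' % (n, v) for n, v in attributes)
    return ('<saml:Assertion xmlns:saml="%s"><saml:Subject><saml:NameID>%s'
            '</saml:NameID></saml:Subject><saml:AttributeStatement>%s'
            '</saml:AttributeStatement></saml:Assertion>' % (SAML, name_id, rows))


# Constructed sample data.
MAIL = "britta.simon@contoso.example"
BASE = [("name", "Britta Simon"), ("first_name", "Britta"), ("last_name", "Simon")]
GOOD = build_sample(MAIL, [("email", MAIL)] + BASE)
UPN_NAMEID = build_sample("britta.simon@contoso.onmicrosoft.example",
                          [("email", MAIL)] + BASE)
NAMESPACED = build_sample(MAIL, [("http://schemas.example/claims/email", MAIL)] + BASE)

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("upn", UPN_NAMEID), ("ns", NAMESPACED)):
        print(label, check_assertion(sample))
```

Run it against the assertion captured during the Test single sign-on step before relying on just-in-time provisioning, because a wrong NameID mapping creates accounts under the wrong identifier.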
Configure OfficeSpace Software Single Sign-On
1. In a different web browser window, log into your OfficeSpace Software tenant as an administrator.
2. Go to Settings and click Connectors.
a. In the Logout provider url textbox, paste the value of Logout URL which you have copied from Azure
portal.
b. In the Client idp target url textbox, paste the value of Login URL which you have copied from Azure
portal.
c. Paste the Thumbprint value which you have copied from Azure portal, into the Client IDP certificate
fingerprint textbox.
d. Click Save Settings.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create OfficeSpace Software test user
In this section, a user called Britta Simon is created in OfficeSpace Software. OfficeSpace Software supports just-
in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user
doesn't already exist in OfficeSpace Software, a new one is created after authentication.
NOTE
If you need to create a user manually, you need to contact the OfficeSpace Software support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
ON24 Virtual Environment SAML Connection
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate ON24 Virtual Environment SAML Connection with Azure Active
Directory (Azure AD). Integrating ON24 Virtual Environment SAML Connection with Azure AD provides you with
the following benefits:
You can control in Azure AD who has access to ON24 Virtual Environment SAML Connection.
You can enable your users to be automatically signed-in to ON24 Virtual Environment SAML Connection
(Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ON24 Virtual Environment SAML Connection, you need the following
items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
ON24 Virtual Environment SAML Connection single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ON24 Virtual Environment SAML Connection supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type ON24 Virtual Environment SAML Connection, select ON24 Virtual
Environment SAML Connection from result panel then click Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL:
Production Environment URL
SAML-VSHOW.on24.com
SAML-Gateway.on24.com
QA Environment URL
SAMLQA-VSHOW.on24.com
SAMLQA-Gateway.on24.com
SAMLQA-EliteAudience.on24.com
https://federation.on24.com/sp/eyJ2c2lkIjoiU0FNTC1WU2hvdy5vbjI0LmNvbSJ9/ACS.saml2
https://federation.on24.com/sp/eyJ2c2lkIjoiU0FNTC1HYXRld2F5Lm9uMjQuY29tIn0/ACS.saml2
https://federation.on24.com/sp/eyJ2c2lkIjoiU0FNTC1FbGl0ZUF1ZGllbmNlLm9uMjQuY29tIn0/ACS.saml2
QA Environment URL
https://qafederation.on24.com/sp/ACS.saml2
https://qafederation.on24.com/sp/eyJ2c2lkIjoiU0FNTFFBLVZzaG93Lm9uMjQuY29tIn0/ACS.saml2
https://qafederation.on24.com/sp/eyJ2c2lkIjoiU0FNTFFBLUdhdGV3YXkub24yNC5jb20ifQ/ACS.saml2
https://qafederation.on24.com/sp/eyJ2c2lkIjoiU0FNTFFBLUVsaXRlQXVkaWVuY2Uub24yNC5jb20ifQ/ACS.saml2
In the Sign-on URL text box, type a URL using the following pattern:
https://vshow.on24.com/vshow/<INSTANCENAME>
NOTE
These values are not real. Update these values with the actual Relay State and Sign-on URL. Contact ON24 Virtual
Environment SAML Connection Client support team to get these values. You can also refer to the patterns shown in
the Basic SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up ON24 Virtual Environment SAML Connection section, copy the appropriate URL(s) as
per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
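The path segment in the Reply URLs listed in step 4 is base64url-encoded JSON that carries a vsid value. The following added example (not part of the original tutorial) decodes it and checks that a Reply URL belongs to the same environment and Identifier you entered; the function names are hypothetical, and treating vsid as the counterpart of the Identifier is an assumption drawn from the listed values.

```python
import base64
import json
from urllib.parse import urlsplit

# Federation hosts as they appear in the Reply URL lists of this tutorial.
ENV_HOSTS = {"production": "federation.on24.com", "qa": "qafederation.on24.com"}


def decode_vsid(reply_url):
    """Return the vsid carried in the Reply URL path, or None when there is no token."""
    segments = [s for s in urlsplit(reply_url).path.split("/") if s]
    if segments == ["sp", "ACS.saml2"]:
        return None  # e.g. https://qafederation.on24.com/sp/ACS.saml2
    if len(segments) != 3 or segments[0] != "sp" or segments[2] != "ACS.saml2":
        raise ValueError("unexpected ACS path in %r" % reply_url)
    token = segments[1]
    try:
        # The tokens are unpadded base64url, so restore the padding first.
        payload = json.loads(base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)))
    except ValueError as exc:
        raise ValueError("path token is not base64url-encoded JSON") from exc
    if not isinstance(payload, dict) or not isinstance(payload.get("vsid"), str):
        raise ValueError("token JSON has no vsid string")
    return payload["vsid"]


def check_pair(identifier, reply_url, environment):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    parts = urlsplit(reply_url)
    if parts.scheme != "https":
        problems.append("Reply URL is not https")
    if (parts.hostname or "") != ENV_HOSTS[environment]:
        problems.append("host %s is not the %s federation host" % (parts.hostname, environment))
    try:
        vsid = decode_vsid(reply_url)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    # The lists above spell the same name with different case
    # (SAML-VSHOW vs SAML-VShow), so compare case-insensitively.
    if vsid is not None and vsid.lower() != identifier.lower():
        problems.append("vsid %s does not match Identifier %s" % (vsid, identifier))
    return problems


if __name__ == "__main__":
    prod = "https://federation.on24.com/sp/eyJ2c2lkIjoiU0FNTC1WU2hvdy5vbjI0LmNvbSJ9/ACS.saml2"
    qa = "https://qafederation.on24.com/sp/eyJ2c2lkIjoiU0FNTFFBLUdhdGV3YXkub24yNC5jb20ifQ/ACS.saml2"
    print(check_pair("SAML-VSHOW.on24.com", prod, "production"))
    print(check_pair("SAML-VSHOW.on24.com", qa, "production"))
```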
Configure ON24 Virtual Environment SAML Connection Single Sign-On
To configure single sign-on on the ON24 Virtual Environment SAML Connection side, send the
downloaded Federation Metadata XML and the appropriate URLs copied from the Azure portal to the ON24 Virtual
Environment SAML Connection support team. They configure this setting so that the SAML SSO connection is set
properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create ON24 Virtual Environment SAML Connection test user
In this section, you create a user called Britta Simon in ON24 Virtual Environment SAML Connection. Work
with ON24 Virtual Environment SAML Connection support team to add the users in the ON24 Virtual
Environment SAML Connection platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ON24 Virtual Environment SAML Connection tile in the Access Panel, you should be
automatically signed in to the ON24 Virtual Environment SAML Connection for which you set up SSO. For more
information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with OneDesk
11/25/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate OneDesk with Azure Active Directory (Azure AD). When you integrate
OneDesk with Azure AD, you can:
Control in Azure AD who has access to OneDesk.
Enable your users to be automatically signed-in to OneDesk with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
OneDesk single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
OneDesk supports SP and IDP initiated SSO
OneDesk supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern: onedesk.com_<specific_tenant_string>
b. In the Reply URL text box, type a URL using the following pattern:
https://app.onedesk.com/sso/saml/SSO/alias/onedesk.com_<specific_tenant_string>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://app.onedesk.com/sso/saml/login/alias/onedesk.com_<specific_tenant_string>
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
OneDesk Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. On the Set up OneDesk section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, clicking Set up OneDesk directs you to the OneDesk application.
From there, provide the admin credentials to sign into OneDesk. The browser extension will automatically
configure the application for you and automate steps 3-5.
3. If you want to set up OneDesk manually, open a new web browser window, sign into your OneDesk
company site as an administrator, and perform the following steps:
4. Click the Integrations tab.
5. Click Single Sign On, select Upload Metadata File, and click Choose File to upload the
metadata file that you downloaded from the Azure portal.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the OneDesk tile in the Access Panel, you should be automatically signed in to the OneDesk for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try OneDesk with Azure AD
Tutorial: Azure Active Directory integration with
Oneteam
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Oneteam with Azure Active Directory (Azure AD). Integrating Oneteam
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Oneteam.
You can enable your users to be automatically signed-in to Oneteam (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Oneteam, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Oneteam single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Oneteam supports SP and IDP initiated SSO
Oneteam supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Oneteam, select Oneteam from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://api.one-team.io/teams/<team name>
b. In the Reply URL text box, type a URL using the following pattern:
https://api.one-team.io/teams/<team name>/auth/saml/callback
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<team name>.one-team.io/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
Oneteam Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Oneteam section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Oneteam Single Sign-On
To configure single sign-on on the Oneteam side, send the downloaded Federation Metadata XML and the
appropriate URLs copied from the Azure portal to the Oneteam support team. They configure this setting so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Oneteam test user
In this section, a user called Britta Simon is created in Oneteam. Oneteam supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in
Oneteam, a new one is created after authentication.
NOTE
If you need to create a user manually, you can raise a support ticket with the Oneteam support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Oneteam tile in the Access Panel, you should be automatically signed in to the Oneteam for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
OneTrust Privacy Management Software
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate OneTrust Privacy Management Software with Azure Active Directory
(Azure AD). Integrating OneTrust Privacy Management Software with Azure AD provides you with the following
benefits:
You can control in Azure AD who has access to OneTrust Privacy Management Software.
You can enable your users to be automatically signed-in to OneTrust Privacy Management Software (Single
Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with OneTrust Privacy Management Software, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
OneTrust Privacy Management Software single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
OneTrust Privacy Management Software supports SP and IDP initiated SSO
OneTrust Privacy Management Software supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type OneTrust Privacy Management Software, select OneTrust Privacy
Management Software from result panel then click Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL: https://www.onetrust.com/saml2
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.onetrust.com/auth/consumerservice
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<subdomain>.onetrust.com/auth/login
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-on URL. Contact OneTrust Privacy
Management Software Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up OneTrust Privacy Management Software section, copy the appropriate URL(s) as per
your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure OneTrust Privacy Management Software Single Sign-On
To configure single sign-on on the OneTrust Privacy Management Software side, send the
downloaded Federation Metadata XML and the appropriate URLs copied from the Azure portal to the OneTrust Privacy
Management Software support team. They configure this setting so that the SAML SSO connection is set properly on
both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create OneTrust Privacy Management Software test user
In this section, a user called Britta Simon is created in OneTrust Privacy Management Software. OneTrust Privacy
Management Software supports just-in-time user provisioning, which is enabled by default. There is no action item
for you in this section. If a user doesn't already exist in OneTrust Privacy Management Software, a new one is
created after authentication.
NOTE
If you need to create a user manually, contact the OneTrust Privacy Management Software support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Onit
8/29/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Onit with Azure Active Directory (Azure AD). When you integrate Onit
with Azure AD, you can:
Control in Azure AD who has access to Onit.
Enable your users to be automatically signed-in to Onit with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Onit single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Onit supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern: https://<sub-domain>.onit.com
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<sub-domain>.onit.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Onit Client support
team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. In the SAML Signing Certificate section, click Edit button to open SAML Signing Certificate dialog.
6. In the SAML Signing Certificate section, copy the Thumbprint Value and save it on your computer.
7. On the Set up Onit section, copy the appropriate URL(s) based on your requirement.
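The Thumbprint that the OfficeSpace Software and Onit steps have you copy is the SHA-1 hash of the DER-encoded signing certificate. The following added example (not part of the original tutorials) recomputes it from a Federation Metadata XML file and compares it with the value pasted into the application; the function names are hypothetical, it assumes you also downloaded the Federation Metadata XML from the same SAML Signing Certificate section, and the sample metadata is constructed.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signing_thumbprints(metadata_xml):
    """Return the SHA-1 thumbprints (upper-case hex) of the IdP signing certificates."""
    root = ET.fromstring(metadata_xml)
    prints = []
    for key in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute applies to signing as well.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.append(hashlib.sha1(der).hexdigest().upper())
    return prints


def normalize(fingerprint):
    """Strip separators and case so AA:BB:.. and aabb.. compare equal."""
    hexed = re.sub(r"[\s:\-]", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexed):
        raise ValueError("expected 40 hex digits for a SHA-1 thumbprint")
    return hexed


def pasted_matches_metadata(pasted, metadata_xml):
    """True when the value typed into the application matches a signing certificate."""
    return normalize(pasted) in signing_thumbprints(metadata_xml)


# Constructed sample: the certificate body is placeholder bytes, not a real
# certificate, and the entityID uses an all-zero tenant GUID.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{cert}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>""".format(cert=base64.b64encode(SAMPLE_DER).decode())

if __name__ == "__main__":
    for thumbprint in signing_thumbprints(SAMPLE_METADATA):
        print(thumbprint)
```

A mismatch after a certificate rollover in Azure AD means the application still holds the old fingerprint and will reject assertions signed with the new certificate.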
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
The Azure Active Directory account holder receives an email and follows a link to confirm their account before it
becomes active.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Onit tile in the Access Panel, you should be automatically signed in to the Onit for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Onit with Azure AD
Tutorial: Azure Active Directory integration with
OnTrack
8/9/2019 • 6 minutes to read
In this tutorial, you learn how to integrate OnTrack with Azure Active Directory (Azure AD). Integrating OnTrack
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to OnTrack.
You can enable your users to be automatically signed-in to OnTrack (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with OnTrack, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
OnTrack single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
OnTrack supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type OnTrack, select OnTrack from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box:
For the testing environment, type the URL: https://staging.insigniagroup.com/sso
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact OnTrack Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. OnTrack application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes. Click Edit icon to open User Attributes dialog.
6. In addition to the above, the OnTrack application expects a few more attributes to be passed back in the SAML response.
In the User Claims section on the User Attributes dialog, perform the following steps to add the SAML token
attributes shown in the table below:
Name | Source attribute
User-Role | "42F432"
Hyperion-Code | "12345"
NOTE
The User-Role and Hyperion-Code attributes are mapped to the Autonation User Role and Dealer Code respectively.
These values are examples only; use the correct code for your integration. You can contact Autonation support
for these values.
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. On the Set up OnTrack section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure OnTrack Single Sign-On
To configure single sign-on on the OnTrack side, send the downloaded Federation Metadata XML and the
appropriate URLs copied from the Azure portal to the OnTrack support team. They configure this setting so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create OnTrack test user
In this section, you create a user called Britta Simon in OnTrack. Work with OnTrack support team to add the users
in the OnTrack platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the OnTrack tile in the Access Panel, you should be automatically signed in to the OnTrack for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Opal
8/9/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Opal with Azure Active Directory (Azure AD). Integrating Opal with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Opal.
You can enable your users to be automatically signed-in to Opal (Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Opal, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Opal single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Opal supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Opal, select Opal from result panel then click Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL: Opal
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.ouropal.com/auth/saml/callback
NOTE
The Reply URL value is not real. Update the value with the actual Reply URL. Contact Opal Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. Opal application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes. Click Edit icon to open User Attributes dialog.
6. In addition to the above, the Opal application expects a few more attributes to be passed back in the SAML response. In
the User Claims section on the User Attributes dialog, perform the following steps to add the SAML token
attributes shown in the table below:
Name | Source attribute
firstname | user.givenname
lastname | user.surname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
8. On the Set up Opal section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
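The custom claims that the OnTrack and Opal steps add must reach the application under the exact names in the tables, which is why the Namespace is left blank. The following added example (not part of the original tutorials) inspects the AttributeStatement of a decoded SAML assertion and reports claims that are missing, empty, or still carry a namespace prefix; the function names and the sample assertion are constructed, and the assumption is that a non-blank Namespace is emitted as a prefix joined to the name with "/".

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Claim names taken from the tables in the OnTrack and Opal tutorials.
REQUIRED = {
    "OnTrack": ["User-Role", "Hyperion-Code"],
    "Opal": ["firstname", "lastname"],
}


def read_attributes(assertion_xml):
    """Map each Attribute Name in the assertion to its list of values."""
    root = ET.fromstring(assertion_xml.strip())
    attributes = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("{%s}AttributeValue" % SAML_NS)]
        attributes[attr.get("Name", "")] = values
    return attributes


def check_claims(assertion_xml, required):
    """Return {claim name: 'ok' | 'empty' | 'missing' | 'namespaced: <name>'}."""
    attributes = read_attributes(assertion_xml)
    findings = {}
    for name in required:
        if name in attributes:
            findings[name] = "ok" if any(attributes[name]) else "empty"
            continue
        # Assumption: a claim saved with a namespace arrives as "<namespace>/<name>".
        prefixed = [n for n in attributes if n.rsplit("/", 1)[-1] == name]
        findings[name] = "namespaced: " + prefixed[0] if prefixed else "missing"
    return findings


# Constructed sample assertion fragment. This inspects claim shape only; the
# application must still verify the assertion signature before trusting it.
SAMPLE_ASSERTION = """
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <AttributeStatement>
    <Attribute Name="firstname">
      <AttributeValue>Britta</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname">
      <AttributeValue>Simon</AttributeValue>
    </Attribute>
    <Attribute Name="User-Role">
      <AttributeValue></AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
"""

if __name__ == "__main__":
    for app, names in REQUIRED.items():
        print(app, check_claims(SAMPLE_ASSERTION, names))
```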
Configure Opal Single Sign-On
To configure single sign-on on the Opal side, send the downloaded Federation Metadata XML and the
appropriate URLs copied from the Azure portal to the Opal support team. They configure this setting so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Opal test user
In this section, you create a user called Britta Simon in Opal. Work with Opal support team to add the users in the
Opal platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Opal tile in the Access Panel, you should be automatically signed in to the Opal for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with OpenAthens
10/29/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate OpenAthens with Azure Active Directory (Azure AD). When you
integrate OpenAthens with Azure AD, you can:
Control in Azure AD who has access to OpenAthens.
Enable your users to be automatically signed-in to OpenAthens with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
OpenAthens single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
OpenAthens supports IDP initiated SSO
OpenAthens supports Just In Time user provisioning
4. On the Basic SAML Configuration section, upload the Service Provider metadata file, the steps for
which are mentioned later in this tutorial.
a. Click Upload metadata file.
b. Click on the folder logo to select the metadata file and click Upload.
c. Once the metadata file is successfully uploaded, the Identifier value gets auto-populated in the Basic SAML
Configuration section textbox:
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up OpenAthens section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the OpenAthens tile in the Access Panel, you should be automatically signed in to the OpenAthens
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try OpenAthens with Azure AD
Tutorial: Azure Active Directory integration with
OpsGenie
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate OpsGenie with Azure Active Directory (Azure AD). Integrating OpsGenie
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to OpsGenie.
You can enable your users to be automatically signed-in to OpsGenie (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with OpsGenie, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
OpsGenie single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
OpsGenie supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type OpsGenie, select OpsGenie from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
6. On the Set up OpsGenie section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure OpsGenie Single Sign-On
1. Open another browser instance, and then log in to OpsGenie as an administrator.
2. Click Settings, and then click the Single Sign On tab.
3. To enable SSO, select Enabled.
5. On the Azure Active Directory dialog page, perform the following steps:
a. In the SAML 2.0 Endpoint textbox, paste the Login URL value which you have copied from the Azure portal.
b. In the Metadata Url: textbox, paste the App Federation Metadata Url value which you have copied from
the Azure portal.
c. Click Save Changes.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called B. Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select B. Simon in the Users list, then click the Select button at the bottom
of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create OpsGenie test user
The objective of this section is to create a user called B. Simon in OpsGenie.
1. In a web browser window, log into your OpsGenie tenant as an administrator.
2. Navigate to Users list by clicking Users in left panel.
NOTE
B. Simon gets an email with instructions for setting up their profile.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Optimizely
8/9/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Optimizely with Azure Active Directory (Azure AD). Integrating
Optimizely with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Optimizely.
You can enable your users to be automatically signed-in to Optimizely (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Optimizely, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Optimizely single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Optimizely supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Optimizely, select Optimizely from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
urn:auth0:optimizely:contoso
NOTE
These values are not real. You will update the value with the actual Sign-on URL and Identifier, which is explained
later in the tutorial. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
5. Your Optimizely application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click the Edit icon to open the User Attributes dialog.
6. In addition to the above, the Optimizely application expects a few more attributes to be passed back in the SAML
response. In the User Claims section on the User Attributes dialog, perform the following steps to add
the SAML token attribute as shown in the table below:
Name: email | Source attribute: user.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
8. On the Set up Optimizely section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Optimizely Single Sign-On
1. To configure single sign-on on the Optimizely side, contact your Optimizely Account Manager and provide the
downloaded Certificate (Base64) and the appropriate copied URLs.
2. In response to your email, Optimizely provides you with the Sign On URL (SP-initiated SSO) and the
Identifier (Service Provider Entity ID) values.
a. Copy the SP-initiated SSO URL provided by Optimizely, and paste it into the Sign On URL textbox in the
Basic SAML Configuration section on the Azure portal.
b. Copy the Service Provider Entity ID provided by Optimizely, and paste it into the Identifier textbox in the
Basic SAML Configuration section on the Azure portal.
3. In a different browser window, sign on to your Optimizely application.
4. Click your account name in the top right corner and then Account Settings.
5. In the Account tab, check the box Enable SSO under Single Sign On in the Overview section.
6. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Optimizely test user
In this section, you create a user called Britta Simon in Optimizely.
1. On the home page, select Collaborators tab.
2. To add new collaborator to the project, click New Collaborator.
3. Fill in the email address and assign them a role. Click Invite.
4. They receive an email invite. Using the email address, they have to log in to Optimizely.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Optimizely tile in the Access Panel, you should be automatically signed in to the Optimizely for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Oracle Cloud Infrastructure
Console with Azure Active Directory
8/9/2019 • 7 minutes to read
In this tutorial, you'll learn how to integrate Oracle Cloud Infrastructure Console with Azure Active Directory
(Azure AD). When you integrate Oracle Cloud Infrastructure Console with Azure AD, you can:
Control in Azure AD who has access to Oracle Cloud Infrastructure Console.
Enable your users to be automatically signed-in to Oracle Cloud Infrastructure Console with their Azure AD
accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Oracle Cloud Infrastructure Console single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Oracle Cloud Infrastructure Console
supports SP initiated SSO.
4. On the Basic SAML Configuration page, enter the values for the following fields:
NOTE
You will get the Service Provider metadata file from the Configure Oracle Cloud Infrastructure Console Single
Sign-On section of the tutorial.
NOTE
If the Identifier and Reply URL values do not get auto-populated, then fill in the values manually according to
your requirement.
In the Sign-on URL text box, type a URL using the following pattern:
https://console.<REGIONNAME>.oraclecloud.com/
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Oracle Cloud Infrastructure
Console Client support team to get the value. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. The Oracle Cloud Infrastructure Console application expects the SAML assertions in a specific format, which
requires you to add custom attribute mappings to your SAML token attributes configuration. The following
screenshot shows the list of default attributes. Click the Edit icon to open the User Attributes dialog.
7. In addition to the above, the Oracle Cloud Infrastructure Console application expects a few more attributes to be
passed back in the SAML response. In the User Attributes & Claims section on the Group Claims (Preview)
dialog, perform the following steps:
a. Click the pen next to Name identifier value.
b. Select Persistent as Choose name identifier format.
c. Click Save.
d. Click the pen next to Groups returned in claim.
e. Select Security groups from the radio list.
f. Select Source Attribute of Group ID.
g. Check Customize the name of the group claim.
h. In the Name text box, type groupName.
i. In the Namespace (optional) text box, type https://auth.oraclecloud.com/saml/claims .
j. Click Save.
8. On the Set up Oracle Cloud Infrastructure Console section, copy the appropriate URL(s) based on your
requirement.
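After a test sign-in, the claim settings from step 7 can be checked against a captured assertion. The following Python is an added example, not part of the original tutorial: it reports whether the NameID format is persistent and whether the customized group claim carries group object IDs. The sample assertions are constructed and unsigned, the function names are hypothetical, and joining the namespace and name with "/" is an assumption about how the claim name is emitted.

```python
import uuid
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Namespace from step i plus Name from step h. Joining them with "/" is an
# assumption about how the claim name is emitted; adjust if your trace differs.
GROUP_CLAIM = "https://auth.oraclecloud.com/saml/claims/groupName"


def build_sample(name_id_format, claim_name, values):
    """Return a constructed, unsigned assertion used only as demo input."""
    vals = "".join(
        f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML}">'
        f'<saml:Subject><saml:NameID Format="{name_id_format}">'
        "constructed-subject</saml:NameID></saml:Subject>"
        f'<saml:AttributeStatement><saml:Attribute Name="{claim_name}">'
        f"{vals}</saml:Attribute></saml:AttributeStatement>"
        "</saml:Assertion>"
    )


# Constructed inputs: one matching step 7, one with untouched defaults,
# one where display names were emitted instead of Group ID.
GOOD = build_sample(
    PERSISTENT, GROUP_CLAIM, ["11111111-2222-3333-4444-555555555555"]
)
DEFAULTS = build_sample(
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    ["11111111-2222-3333-4444-555555555555"],
)
DISPLAY_NAMES = build_sample(PERSISTENT, GROUP_CLAIM, ["Cloud-Admins"])


def is_guid(value):
    """True when value parses as a GUID, the shape of a group object ID."""
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


def check_assertion(xml_text):
    """Return a list of findings; an empty list means step 7 took effect.

    This inspects claim shape only. It does not verify the XML signature,
    so it is a configuration check, not an authentication decision.
    """
    findings = []
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a Response that wraps one.
    if root.tag == f"{{{SAML}}}Assertion":
        assertion = root
    else:
        assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element found"]

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("NameID is missing")
    elif name_id.get("Format") != PERSISTENT:
        findings.append(
            f"NameID format is {name_id.get('Format')}, expected persistent"
        )

    group_attr = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_CLAIM:
            group_attr = attr
    if group_attr is None:
        findings.append(f"group claim {GROUP_CLAIM} is missing")
    else:
        values = [
            (v.text or "").strip()
            for v in group_attr.findall("saml:AttributeValue", NS)
        ]
        if not values:
            findings.append("group claim has no values")
        not_ids = [v for v in values if not is_guid(v)]
        if not_ids:
            findings.append(f"group values are not object IDs: {not_ids}")
    return findings


if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("defaults", DEFAULTS),
                          ("display names", DISPLAY_NAMES)):
        print(label, check_assertion(sample))
```

Group mappings on the service provider side then have to reference the object IDs that appear in the claim rather than group display names.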
3. Save the Service Provider metadata file by clicking the Download this document link and upload it
into the Basic SAML Configuration section of Azure portal and then click on Add Identity Provider.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B. Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Oracle Cloud Infrastructure Console test user
Oracle Cloud Infrastructure Console supports just-in-time provisioning, which is enabled by default. There is no action
item for you in this section. A new user does not get created during an attempt to access, and there is also no need
to create the user.
Test SSO
When you select the Oracle Cloud Infrastructure Console tile in the Access Panel, you will be redirected to the
Oracle Cloud Infrastructure Console sign in page. Select the IDENTITY PROVIDER from the drop-down menu
and click Continue as shown below to sign in. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Oracle Fusion ERP
10/15/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Oracle Fusion ERP with Azure Active Directory (Azure AD). When you
integrate Oracle Fusion ERP with Azure AD, you can:
Control in Azure AD who has access to Oracle Fusion ERP.
Enable your users to be automatically signed-in to Oracle Fusion ERP with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Oracle Fusion ERP single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Oracle Fusion ERP supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.fa.em2.oraclecloud.com/fscmUI/faces/AtkHomePageWelcome
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SUBDOMAIN>.login.em2.oraclecloud.com:443/oam/fed
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Oracle Fusion ERP
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up Oracle Fusion ERP section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Oracle Fusion ERP.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Oracle Fusion ERP.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Oracle Fusion ERP tile in the Access Panel, you should be automatically signed in to the Oracle
Fusion ERP for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Oracle Fusion ERP with Azure AD
Tutorial: Azure Active Directory integration with
OrgChart Now
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate OrgChart Now with Azure Active Directory (Azure AD). Integrating
OrgChart Now with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to OrgChart Now.
You can enable your users to be automatically signed-in to OrgChart Now (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with OrgChart Now, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
OrgChart Now single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
OrgChart Now supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type OrgChart Now, select OrgChart Now from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Identifier text box, type a URL: https://sso2.orgchartnow.com
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://sso2.orgchartnow.com/Shibboleth.sso/Login?entityID=<YourEntityID>&target=https://sso2.orgchartnow.com
NOTE
<YourEntityID> is the Azure AD Identifier copied from the Set up OrgChart Now section, described later in
the tutorial.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up OrgChart Now section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure OrgChart Now Single Sign-On
To configure single sign-on on the OrgChart Now side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the OrgChart Now support team. They apply this
setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create OrgChart Now test user
To enable Azure AD users to log in to OrgChart Now, they must be provisioned into OrgChart Now.
1. OrgChart Now supports just-in-time provisioning, which is by default enabled. A new user is created during
an attempt to access OrgChart Now if it doesn't exist yet. The just-in-time user provisioning feature will only
create a read-only user when an SSO request comes from a recognized IDP and the email in the SAML
assertion is not found in the user list. For this auto provisioning feature you need to create an access group
titled General in OrgChart Now. Please follow the below steps to create an access group:
a. Go to the Manage Groups option after clicking the gear in the top right corner of the UI.
b. Select the Add icon and name the group General then click OK.
c. Select the folder(s) you wish the general or read-only users to be able to access:
d. Lock the folders so that only Admin users can modify them. Then press OK.
2. To create Admin users and read/write users, you must manually create a user in order to get access to
their privilege level via SSO. To provision a user account, perform the following steps:
a. Log in to OrgChart Now as a Security Administrator.
b. Click on Settings on the top right corner and then navigate to Manage Users.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Origami
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Origami with Azure Active Directory (Azure AD). Integrating Origami
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Origami.
You can enable your users to be automatically signed-in to Origami (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Origami, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Origami single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Origami supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Origami, select Origami from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Origami Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Origami section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Origami Single Sign-On
1. Log in to the Origami account with Admin rights.
2. In the menu on the top, click Admin.
3. On the Single Sign On Setup dialog page, perform the following steps:
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Origami test user
In this section, you create a user called Britta Simon in Origami.
1. Log in to the Origami account with Admin rights.
2. In the menu on the top, click Admin.
3. On the Users and Security dialog, click Users.
a. In the User Name textbox, enter the email of user like brittasimon@contoso.com.
b. In the Password textbox, type a password.
c. In the Confirm Password textbox, type the password again.
d. In the First Name textbox, enter the first name of user like Britta.
e. In the Last Name textbox, enter the last name of user like Simon.
f. Click Save.
6. Assign User Roles and Client Access to the user.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Otsuka Shokai with Azure Active
Directory
8/9/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Otsuka Shokai with Azure Active Directory (Azure AD). When you
integrate Otsuka Shokai with Azure AD, you can:
Control in Azure AD who has access to Otsuka Shokai.
Enable your users to be automatically signed-in to Otsuka Shokai with their Azure AD accounts.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Otsuka Shokai single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Otsuka Shokai supports IDP initiated
SSO.
4. On the Set up Single Sign-On with SAML page, the application is pre-configured and the necessary
URLs are already pre-populated with Azure. The user needs to save the configuration by clicking the Save
button.
5. The Otsuka Shokai application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes, where nameidentifier is mapped with user.userprincipalname. The Otsuka
Shokai application expects nameidentifier to be mapped with user.objectid, so you need to edit the
attribute mapping by clicking the Edit icon and changing the attribute mapping.
6. In addition to the above, the Otsuka Shokai application expects a few more attributes to be passed back in the SAML
response. In the User Claims section on the User Attributes dialog, perform the following steps to add
the SAML token attribute as shown in the table below:
NOTE
<Application ID> is the value which you have copied from the Properties tab of Azure portal.
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
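A check for the claim mapping described in steps 5 and 6, as an added example that is not part of the original tutorial: it inspects a decoded SAML assertion and reports when NameID still carries a user principal name instead of the object ID, or when expected attributes are absent. The sample assertions and the attribute names are constructed placeholders (the attribute table is not reproduced on this page), and the check looks at claim content only, not at the signature.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# Azure AD object IDs are GUIDs; the default user.userprincipalname is not.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Placeholder claim names: substitute the names from the vendor's table.
REQUIRED_ATTRIBUTES = ["placeholder-claim-1", "placeholder-claim-2"]


def sample_assertion(name_id, attribute_names):
    """Build a minimal, unsigned assertion for demonstration (constructed data)."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}">'
        f"<saml:AttributeValue>constructed</saml:AttributeValue>"
        f"</saml:Attribute>"
        for n in attribute_names
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        f"</saml:Assertion>"
    )


# Default mapping left in place: NameID is the UPN and one claim is missing.
DEFAULT_MAPPING_ASSERTION = sample_assertion(
    "B.Simon@contoso.com", ["placeholder-claim-1"]
)
# Mapping edited as the tutorial describes: NameID is user.objectid.
EXPECTED_MAPPING_ASSERTION = sample_assertion(
    "11111111-2222-3333-4444-555555555555", REQUIRED_ATTRIBUTES
)


def audit_assertion(assertion_xml, required_attributes):
    """Return a list of findings; an empty list means the claims look right."""
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        raise ValueError("assertion must not contain a DTD or entity declarations")
    root = ET.fromstring(assertion_xml)
    findings = []

    name_id = root.find("saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value:
        findings.append("assertion has no Subject/NameID")
    elif not GUID_RE.match(value):
        hint = " (looks like user.userprincipalname)" if "@" in value else ""
        findings.append(f"NameID {value!r} is not an object ID GUID{hint}")

    present = {a.get("Name") for a in root.iter(f"{{{SAML_NS}}}Attribute")}
    missing = sorted(set(required_attributes) - present)
    if missing:
        findings.append("missing attributes: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for label, xml_text in [
        ("default mapping", DEFAULT_MAPPING_ASSERTION),
        ("expected mapping", EXPECTED_MAPPING_ASSERTION),
    ]:
        print(label, "->", audit_assertion(xml_text, REQUIRED_ATTRIBUTES) or "OK")
```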
Configure Otsuka Shokai
1. When you connect to Customer's My Page from SSO app, the wizard of SSO setting starts.
2. If Otsuka ID is not registered, proceed to Otsuka-ID new registration. If you have registered Otsuka-ID,
proceed to the linkage setting.
3. Proceed to the end and when the top screen is displayed after logging in to Customer's My Page, the SSO
settings are complete.
4. The next time you connect to Customer's My Page from the SSO app, after the guidance screen opens, the
top screen is displayed after logging in to Customer's My Page.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B. Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B. Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B. Simon to use Azure single sign-on by granting access to Otsuka Shokai.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Otsuka Shokai.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B. Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Otsuka Shokai test user
A new SaaS account is registered at the first access to Otsuka Shokai. The Azure AD account and the SaaS
account are also associated with each other when the new account is created.
Test SSO
When you select the Otsuka Shokai tile in the Access Panel, you should be automatically signed in to the Otsuka
Shokai for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate OutSystems Azure AD with Azure
Active Directory
7/24/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate OutSystems Azure AD with Azure Active Directory (Azure AD). When
you integrate OutSystems Azure AD with Azure AD, you can:
Control in Azure AD who has access to OutSystems Azure AD.
Enable your users to be automatically signed-in to OutSystems Azure AD with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
OutSystems Azure AD single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. OutSystems Azure AD supports SP
and IDP initiated SSO and supports Just In Time user provisioning.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: http://<YOURBASEURL>/IdP
b. In the Reply URL text box, type a URL using the following pattern: https://<YOURBASEURL>/IdP/SSO.aspx
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<YOURBASEURL>
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
OutSystems Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
7. On the Set up OutSystems Azure AD section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B. Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create OutSystems Azure AD test user
In this section, a user called B.Simon is created in OutSystems. OutSystems supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in OutSystems, a new one is created after authentication.
Test SSO
When you select the OutSystems Azure AD tile in the Access Panel, you should be automatically signed in to the
OutSystems Azure AD for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with OU
Campus
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate OU Campus with Azure Active Directory (Azure AD). Integrating OU
Campus with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to OU Campus.
You can enable your users to be automatically signed-in to OU Campus (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with OU Campus, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
OU Campus single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
OU Campus supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type OU Campus, select OU Campus from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign on URL. Contact OU Campus Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up OU Campus section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure OU Campus Single Sign-On
To configure single sign-on on the OU Campus side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the OU Campus support team. They apply these settings
so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create OU Campus test user
In this section, you create a user called Britta Simon in OU Campus. Work with OU Campus support team to add
the users in the OU Campus platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the OU Campus tile in the Access Panel, you should be automatically signed in to the OU Campus
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Overdrive
11/19/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Overdrive with Azure Active Directory (Azure AD). Integrating Overdrive
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Overdrive.
You can enable your users to be automatically signed-in to Overdrive (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Overdrive, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Overdrive single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Overdrive supports SP initiated SSO
Overdrive supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Overdrive, select Overdrive from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Overdrive Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Overdrive section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Overdrive Single Sign-On
To configure single sign-on on the Overdrive side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the Overdrive support team. They apply these settings
so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Overdrive test user
In this section, a user called Britta Simon is created in Overdrive. Overdrive supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Overdrive, a new one is created after authentication.
NOTE
You can use any other OverDrive user account creation tools or APIs provided by OverDrive to provision Azure AD user
accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Pacific Timesheet
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Pacific Timesheet with Azure Active Directory (Azure AD). Integrating
Pacific Timesheet with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Pacific Timesheet.
You can enable your users to be automatically signed-in to Pacific Timesheet (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Pacific Timesheet, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Pacific Timesheet single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Pacific Timesheet supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Pacific Timesheet, select Pacific Timesheet from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<InstanceID>.pacifictimesheet.com/timesheet/home.do
b. In the Reply URL text box, type a URL using the following pattern:
https://<InstanceID>.pacifictimesheet.com/timesheet/home.do
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Pacific Timesheet
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Pacific Timesheet section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Pacific Timesheet Single Sign-On
To configure single sign-on on the Pacific Timesheet side, you need to send the downloaded Certificate (Base64)
and the appropriate copied URLs from the Azure portal to the Pacific Timesheet support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Pacific Timesheet test user
In this section, you create a user called Britta Simon in Pacific Timesheet. Work with Pacific Timesheet support
team to add the users in the Pacific Timesheet platform. Users must be created and activated before you use single
sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Pacific Timesheet tile in the Access Panel, you should be automatically signed in to the Pacific
Timesheet for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
PageDNA
7/15/2019 • 5 minutes to read
In this tutorial, you learn how to integrate PageDNA with Azure Active Directory (Azure AD).
Integrating PageDNA with Azure AD provides you with the following benefits:
In Azure AD, you can control who has access to PageDNA.
You can enable your users to be automatically signed in to PageDNA (single sign-on) with their Azure AD
accounts.
You can manage your accounts in one central location: the Azure portal.
For details about software as a service (SaaS) app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory?.
Prerequisites
To configure Azure AD integration with PageDNA, you need the following items:
An Azure AD subscription. If you don't have an Azure subscription, create a free account before you begin.
A PageDNA subscription with single sign-on enabled.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment and integrate PageDNA with
Azure AD.
PageDNA supports the following features:
SP-initiated single sign-on (SSO).
Just-in-time user provisioning.
5. In the search box, enter PageDNA. In the search results, select PageDNA, and then select Add to add the
application.
3. On the Set up Single Sign-On with SAML pane, select Edit (the pencil icon) to open the Basic SAML
Configuration pane.
https://stores.pagedna.com/<your site>
https://<your domain>
https://www.nationsprint.com/<your site>
b. In the Identifier (Entity ID) box, enter a URL by using one of the following patterns:
https://stores.pagedna.com/<your site>/saml2ep.cgi
https://www.nationsprint.com/<your site>/saml2ep.cgi
NOTE
These values aren't real. Update these values with the actual sign-on URL and identifier. To get these values, contact
the PageDNA support team. You can also refer to the patterns shown in the Basic SAML Configuration pane in the
Azure portal.
5. In the Set up Single Sign-On with SAML pane, in the SAML Signing Certificate section, select
Download to download Certificate (Raw) from the given options and save it on your computer.
6. In the Set up PageDNA section, copy the URL or URLs that you need:
Login URL
Azure AD Identifier
Logout URL
4. Select + Add user, and then select Users and groups in the Add Assignment pane.
5. In the Users and groups pane, select Britta Simon in the Users list, and then choose Select at the bottom
of the pane.
6. If you're expecting a role value in the SAML assertion, then in the Select Role pane, select the appropriate
role for the user from the list. At the bottom of the pane, choose Select.
7. In the Add Assignment pane, select Assign.
Create a PageDNA test user
A user named Britta Simon is now created in PageDNA. You don't have to do anything to create this user.
PageDNA supports just-in-time user provisioning, which is enabled by default. If a user named Britta Simon
doesn't already exist in PageDNA, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration by using the My Apps portal.
When you select PageDNA in the My Apps portal, you should be automatically signed in to the PageDNA
subscription for which you set up single sign-on. For more information about the My Apps portal, see Access and
use apps on the My Apps portal.
Additional resources
List of tutorials for integrating SaaS applications with Azure Active Directory
Single sign-on to applications in Azure Active Directory
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
PagerDuty
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate PagerDuty with Azure Active Directory (Azure AD). Integrating
PagerDuty with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to PagerDuty.
You can enable your users to be automatically signed-in to PagerDuty (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with PagerDuty, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
PagerDuty single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
PagerDuty supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type PagerDuty, select PagerDuty from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<tenant-name>.pagerduty.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact PagerDuty Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up PagerDuty section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure PagerDuty Single Sign-On
1. In a different web browser window, log in to your PagerDuty company site as an administrator.
2. In the menu on the top, click Account Settings.
4. On the Enable Single Sign-on (SSO) page, perform the following steps:
a. Open the Base64-encoded certificate that you downloaded from the Azure portal in Notepad, copy its content
to your clipboard, and then paste it into the X.509 Certificate textbox.
b. In the Login URL textbox, paste Login URL which you have copied from Azure portal.
c. In the Logout URL textbox, paste Logout URL which you have copied from Azure portal.
d. Select Allow username/password login.
e. Select Require EXACT authentication context comparison checkbox.
f. Click Save Changes.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create PagerDuty test user
To enable Azure AD users to log in to PagerDuty, they must be provisioned into PagerDuty.
In the case of PagerDuty, provisioning is a manual task.
NOTE
You can use any other PagerDuty user account creation tools or APIs provided by PagerDuty to provision Azure Active
Directory user accounts.
a. Type the First and Last Name of user like Britta Simon.
b. Enter Email address of user like brittasimon@contoso.com.
c. Click Add, and then click Send Invites.
NOTE
All added users will receive an invite to create a PagerDuty account.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Palo
Alto Networks - Aperture
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Palo Alto Networks - Aperture with Azure Active Directory (Azure AD).
Integrating Palo Alto Networks - Aperture with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Palo Alto Networks - Aperture.
You can enable your users to be automatically signed-in to Palo Alto Networks - Aperture (Single Sign-On) with
their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Palo Alto Networks - Aperture, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Palo Alto Networks - Aperture single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Palo Alto Networks - Aperture supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Palo Alto Networks - Aperture, select Palo Alto Networks - Aperture from the
result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<subdomain>.aperture.paloaltonetworks.com/d/users/saml/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.aperture.paloaltonetworks.com/d/users/saml/auth
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<subdomain>.aperture.paloaltonetworks.com/d/users/saml/sign_in
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact Palo
Alto Networks - Aperture Client support team to get these values. You can also refer to the patterns shown in the
Basic SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up Palo Alto Networks - Aperture section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Palo Alto Networks - Aperture Single Sign-On
1. In a different web browser window, log in to Palo Alto Networks - Aperture as an Administrator.
2. On the top menu bar, click SETTINGS.
3. Navigate to the APPLICATION section and click Authentication from the left side of the menu.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Palo Alto Networks - Aperture test user
In this section, you create a user called Britta Simon in Palo Alto Networks - Aperture. Work with Palo Alto
Networks - Aperture Client support team to add the users in the Palo Alto Networks - Aperture platform. Users
must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Palo Alto Networks - Aperture tile in the Access Panel, you should be automatically signed in to
the Palo Alto Networks - Aperture for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Palo
Alto Networks Captive Portal
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Palo Alto Networks Captive Portal with Azure Active Directory (Azure
AD).
You get the following benefits when you integrate Palo Alto Networks Captive Portal with Azure AD:
In Azure AD, you can control who has access to Palo Alto Networks Captive Portal.
You can automatically sign in users in Palo Alto Networks Captive Portal (single sign-on) by using user Azure
AD accounts.
You can manage your accounts in one, central location, the Azure portal.
To learn more about software as a service (SaaS) app integration with Azure AD, see Single sign-on to applications
in Azure Active Directory.
If you don't have an Azure subscription, create a free account.
Prerequisites
To integrate Azure AD with Palo Alto Networks Captive Portal, you need the following items:
An Azure Active Directory subscription. If you don't have Azure AD, you can get a one-month trial.
A Palo Alto Networks Captive Portal single sign-on (SSO)-enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Palo Alto Networks Captive Portal supports these scenarios:
IDP-initiated single sign-on
Just-in-time user provisioning
4. In the search box, enter Palo Alto Networks Captive Portal. In the search results, select Palo Alto
Networks - Captive Portal, and then select Add.
3. In the Set up Single Sign-On with SAML pane, select the pencil Edit icon.
NOTE
Update the placeholder values in this step with the actual identifier and reply URLs. To get the actual values,
contact the Palo Alto Networks Captive Portal Client support team.
5. In the SAML Signing Certificate section, next to Federation Metadata XML, select Download. Save the
downloaded file on your computer.
3. In the menu, select SAML Identity Provider, and then select Import.
4. In the SAML Identity Provider Server Profile Import dialog box, complete the following steps:
4. Select Add user. Then, in the Add assignment pane, select Users and groups.
5. In the Users and groups pane, in the Users list, select Britta Simon. Select Select.
6. To add a role value to the SAML assertion, in the Select role pane, select the relevant role for the user.
Select Select.
7. In the Add assignment pane, select Assign.
Create a Palo Alto Networks Captive Portal test user
Next, create a user named Britta Simon in Palo Alto Networks Captive Portal. Palo Alto Networks Captive Portal
supports just-in-time user provisioning, which is enabled by default. You don't need to complete any tasks in this
section. If a user doesn't already exist in Palo Alto Networks Captive Portal, a new one is created after
authentication.
NOTE
If you want to create a user manually, contact the Palo Alto Networks Captive Portal Client support team.
Additional resources
To learn more, see these articles:
Tutorials about integrating SaaS apps with Azure Active Directory
Single sign-on to applications in Azure Active Directory
Conditional Access in Azure Active Directory
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Palo Alto Networks - GlobalProtect
8/29/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Palo Alto Networks - GlobalProtect with Azure Active Directory (Azure
AD). When you integrate Palo Alto Networks - GlobalProtect with Azure AD, you can:
Control in Azure AD who has access to Palo Alto Networks - GlobalProtect.
Enable your users to be automatically signed in to Palo Alto Networks - GlobalProtect with their Azure AD
accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Palo Alto Networks - GlobalProtect single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Palo Alto Networks - GlobalProtect supports SP initiated SSO
Palo Alto Networks - GlobalProtect supports Just In Time user provisioning
Configure and test Azure AD single sign-on for Palo Alto Networks -
GlobalProtect
Configure and test Azure AD SSO with Palo Alto Networks - GlobalProtect using a test user called B.Simon. For
SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Palo Alto
Networks - GlobalProtect.
To configure and test Azure AD SSO with Palo Alto Networks - GlobalProtect, complete the following building
blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure Palo Alto Networks - GlobalProtect SSO - to configure the single sign-on settings on the application
side.
a. Create Palo Alto Networks - GlobalProtect test user - to have a counterpart of B.Simon in Palo Alto
Networks - GlobalProtect that is linked to the Azure AD representation of the user.
3. Test SSO - to verify whether the configuration works.
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern: https://<Customer Firewall URL>
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<Customer Firewall URL>/SAML20/SP
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Palo Alto Networks
- GlobalProtect Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up Palo Alto Networks - GlobalProtect section, copy the appropriate URL(s) based on your
requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
3. Select SAML Identity Provider from the left navigation bar and click "Import" to import the metadata file.
4. Perform the following actions in the Import window
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Palo Alto Networks - GlobalProtect tile in the Access Panel, you should be automatically signed
in to the Palo Alto Networks - GlobalProtect for which you set up SSO. For more information about the Access
Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Palo Alto Networks - GlobalProtect with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with PandaDoc
10/17/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate PandaDoc with Azure Active Directory (Azure AD). When you integrate
PandaDoc with Azure AD, you can:
Control in Azure AD who has access to PandaDoc.
Enable your users to be automatically signed in to PandaDoc with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
PandaDoc single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
PandaDoc supports SP and IDP initiated SSO
PandaDoc supports Just In Time user provisioning
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section the application is pre-configured in IDP initiated mode and the
necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking
the Save button.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://app.pandadoc.com/sso-login/
6. The PandaDoc application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
7. In addition to the above, the PandaDoc application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you can review them as per
your requirement.
NAME NAMESPACE
FirstName user.givenname
LastName user.surname
8. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
9. On the Set up PandaDoc section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the PandaDoc tile in the Access Panel, you should be automatically signed in to the PandaDoc for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try PandaDoc with Azure AD
Tutorial: Azure Active Directory integration with
Panopto
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Panopto with Azure Active Directory (Azure AD). Integrating Panopto
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Panopto.
You can enable your users to be automatically signed in to Panopto (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Panopto, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Panopto single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Panopto supports SP initiated SSO
Panopto supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Panopto, select Panopto from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact the Panopto Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Panopto section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Panopto Single Sign-On
1. In a different web browser window, log in to your Panopto company site as an administrator.
2. In the toolbar on the left, click System, and then click Identity Providers.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Panopto test user
In this section, a user called Britta Simon is created in Panopto. Panopto supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Panopto,
a new one is created after authentication.
NOTE
You can use any other Panopto user account creation tools or APIs provided by Panopto to provision Azure AD user
accounts.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Panopto tile in the Access Panel, you should be automatically signed in to the Panopto for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Panorama9
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Panorama9 with Azure Active Directory (Azure AD). Integrating
Panorama9 with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Panorama9.
You can enable your users to be automatically signed in to Panorama9 (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Panorama9, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Panorama9 single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Panorama9 supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Panorama9, select Panorama9 from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://www.panorama9.com/saml20/<tenant-name>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Panorama9 Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. In the SAML Signing Certificate section, click the Edit button to open the SAML Signing Certificate dialog.
6. In the SAML Signing Certificate section, copy the Thumbprint and save it on your computer.
7. On the Set up Panorama9 section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Panorama9 Single Sign-On
1. In a different web browser window, sign in to your Panorama9 company site as an administrator.
2. In the toolbar on the top, click Manage, and then click Extensions.
a. In the Identity provider URL textbox, paste the Login URL value that you copied from the Azure
portal.
b. In the Certificate fingerprint textbox, paste the Thumbprint value of the certificate that you copied
from the Azure portal.
5. Click Save.
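Before a Thumbprint copied from the portal is pasted into a field such as Panorama9's Certificate fingerprint, it can be checked against the signing certificate inside the downloaded Federation Metadata XML. The following is an added example, not code from the tutorial or from any vendor named here; it assumes the Thumbprint is the SHA-1 digest of the DER-encoded certificate, and the metadata, URLs and certificate bytes in it are constructed placeholders.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in bytes; a real metadata file carries a DER X.509 certificate.
SAMPLE_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")

# Constructed metadata document with placeholder entity ID and endpoint.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}"
    entityID="https://idp.example/constructed-tenant/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          {SAMPLE_B64}
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example/constructed-tenant/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>""".encode("utf-8")


def normalize_thumbprint(value):
    """Drop spaces, colons and dashes so portal and tool formats compare equal."""
    cleaned = re.sub(r"[\s:\-]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a SHA-1 thumbprint (expected 40 hex digits)")
    return cleaned


def read_idp_metadata(xml_bytes):
    """Return entity ID, SSO endpoints and signing-certificate thumbprints."""
    # Federation metadata has no reason to carry a DTD; refuse it outright.
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE not expected in federation metadata")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("root element is not an EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    thumbprints = []
    for key in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute applies to signing as well.
        if key.get("use", "signing") != "signing":
            continue
        for node in key.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((node.text or "").split()))
            # SHA-1 only because that is the digest the thumbprint uses (assumption).
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": endpoints,
            "thumbprints": thumbprints}


def thumbprint_matches(metadata, copied_thumbprint):
    """True when the copied value identifies a signing certificate in the metadata."""
    return normalize_thumbprint(copied_thumbprint) in metadata["thumbprints"]


if __name__ == "__main__":
    info = read_idp_metadata(SAMPLE_METADATA)
    print(info["entity_id"], info["sso"].get(REDIRECT), info["thumbprints"])
```

A mismatch means the pasted fingerprint belongs to a different certificate than the one in the metadata, for example after a signing certificate rollover.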
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Panorama9 test user
In order to enable Azure AD users to sign in to Panorama9, they must be provisioned into Panorama9.
In the case of Panorama9, provisioning is a manual task.
To configure user provisioning, perform the following steps:
1. Sign in to your Panorama9 company site as an administrator.
2. In the menu on the top, click Manage, and then click Users.
4. Go to the User data section, and in the Email textbox, type the email address of a valid Azure Active Directory
user you want to provision.
5. Go to the Users section and click Save.
NOTE
The Azure Active Directory account holder receives an email and follows a link to confirm their account before it
becomes active.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Pantheon
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Pantheon with Azure Active Directory (Azure AD). Integrating Pantheon
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Pantheon.
You can enable your users to be automatically signed in to Pantheon (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Pantheon, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Pantheon single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Pantheon supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Pantheon, select Pantheon from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: urn:auth0:pantheon:<orgname>-SSO
b. In the Reply URL text box, type a URL using the following pattern:
https://pantheon.auth0.com/login/callback?connection=<orgname>-SSO
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact the Pantheon Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The Pantheon application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes, where nameidentifier is mapped to user.userprincipalname. The Pantheon application
expects nameidentifier to be mapped to user.mail, so you need to edit the attribute mapping by clicking
the Edit icon and changing the attribute mapping.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up Pantheon section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Pantheon Single Sign-On
To configure single sign-on on the Pantheon side, you need to send the downloaded Certificate and the appropriate
copied URLs to the Pantheon support team.
NOTE
You also need to provide the Email Domain(s) information and the Date Time when you want to enable this connection. You can
find more details about it here
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Pantheon test user
In this section, you create a user called Britta Simon in Pantheon. Please follow the below steps to add the user in
Pantheon.
NOTE
For SSO to work, the user must first be created in Pantheon.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
PatentSQUARE
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate PatentSQUARE with Azure Active Directory (Azure AD). Integrating
PatentSQUARE with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to PatentSQUARE.
You can enable your users to be automatically signed in to PatentSQUARE (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with PatentSQUARE, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
PatentSQUARE single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
PatentSQUARE supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type PatentSQUARE, select PatentSQUARE from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companysubdomain>.pat-dss.com:443/patlics
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the PatentSQUARE
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up PatentSQUARE section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure PatentSQUARE Single Sign-On
To configure single sign-on on the PatentSQUARE side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the PatentSQUARE support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create PatentSQUARE test user
In this section, you create a user called Britta Simon in PatentSQUARE. Work with the PatentSQUARE support team to
add the users in the PatentSQUARE platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the PatentSQUARE tile in the Access Panel, you should be automatically signed in to the
PatentSQUARE for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Pavaso Digital Close
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Pavaso Digital Close with Azure Active Directory (Azure AD). Integrating
Pavaso Digital Close with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Pavaso Digital Close.
You can enable your users to be automatically signed in to Pavaso Digital Close (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Pavaso Digital Close, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Pavaso Digital Close single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Pavaso Digital Close supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Pavaso Digital Close, select Pavaso Digital Close from the result panel, then click the
Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<SUBDOMAIN>.pavaso.com/AuthServices
b. In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.pavaso.com/AuthServices/Acs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<SUBDOMAIN>.pavaso.com
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the Pavaso
Digital Close Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Pavaso Digital Close section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Pavaso Digital Close single sign-on
To configure single sign-on on the Pavaso Digital Close side, you need to send the downloaded Federation
Metadata XML and the appropriate copied URLs from the Azure portal to the Pavaso Digital Close support team. They
apply these settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Pavaso Digital Close test user
In this section, you create a user called Britta Simon in Pavaso Digital Close. Work with the Pavaso Digital Close
support team to add the users in the Pavaso Digital Close platform. Users must be created and activated before
you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Pavaso Digital Close tile in the Access Panel, you should be automatically signed in to the
Pavaso Digital Close for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Paylocity
10/27/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Paylocity with Azure Active Directory (Azure AD). When you integrate
Paylocity with Azure AD, you can:
Control in Azure AD who has access to Paylocity.
Enable your users to be automatically signed in to Paylocity with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Paylocity single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Paylocity supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://access.paylocity.com/
6. Click Save.
7. The Paylocity application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
8. In addition to the above, the Paylocity application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you have to update them
with the real values.
PartnerID <"PartnerID">
PaylocityUser <"PaylocityUser">
PaylocityEntity <"PaylocityEntity">
9. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
10. On the Set up Paylocity section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Paylocity tile in the Access Panel, you should be automatically signed in to the Paylocity for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Paylocity with Azure AD
Tutorial: Azure Active Directory integration with
Peakon
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Peakon with Azure Active Directory (Azure AD). Integrating Peakon with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Peakon.
You can enable your users to be automatically signed-in to Peakon (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Peakon, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Peakon single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Peakon supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Peakon, select Peakon from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://app.peakon.com/saml/<companyid>/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://app.peakon.com/saml/<companyid>/assert
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL which is explained later in the
tutorial. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
7. On the Set up Peakon section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Peakon Single Sign-On
1. In a different web browser window, sign in to Peakon as an Administrator.
2. In the menu bar on the left side of the page, click Configuration, then navigate to Integrations.
a. In the SSO Login URL textbox, paste the value of Login URL, which you have copied from the Azure
portal.
b. In the SSO Logout URL textbox, paste the value of Logout URL, which you have copied from the Azure
portal.
c. Click Choose file to upload the certificate that you have downloaded from the Azure portal, into the
Certificate box.
d. Click the icon to copy the Entity ID and paste it into the Identifier textbox in the Basic SAML Configuration
section on the Azure portal.
e. Click the icon to copy the Reply URL (ACS) and paste it into the Reply URL textbox in the Basic SAML
Configuration section on the Azure portal.
f. Click Save
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Peakon test user
To enable Azure AD users to sign in to Peakon, they must be provisioned into Peakon.
In the case of Peakon, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Peakon company site as an administrator.
2. In the menu bar on the left side of the page, click Configuration, then navigate to Employees.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Pega
Systems
10/7/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Pega Systems with Azure Active Directory (Azure AD).
This integration provides these benefits:
You can use Azure AD to control who has access to Pega Systems.
You can enable your users to be automatically signed-in to Pega Systems (single sign-on) with their Azure AD
accounts.
You can manage your accounts in one central location: the Azure portal.
To learn more about SaaS app integration with Azure AD, see Single sign-on to applications in Azure Active
Directory.
If you don't have an Azure subscription, create a free account before you start.
Prerequisites
To configure Azure AD integration with Pega Systems, you need to have:
An Azure AD subscription. If you don't have an Azure AD environment, you can sign up for a one-month trial.
A Pega Systems subscription that has single sign-on enabled.
Scenario description
In this tutorial, you'll configure and test Azure AD single sign-on in a test environment.
Pega Systems supports SP-initiated and IdP-initiated SSO.
4. In the search box, enter Pega Systems. Select Pega Systems in the search results, and then select Add.
3. On the Set up Single Sign-On with SAML page, select the Edit icon to open the Basic SAML
Configuration dialog box:
4. In the Basic SAML Configuration dialog box, if you want to configure the application in IdP-initiated
mode, complete the following steps.
a. In the Identifier box, enter a URL in this pattern:
https://<customername>.pegacloud.io:443/prweb/sp/<instanceID>
5. If you want to configure the application in SP-initiated mode, select Set additional URLs and complete the
following steps.
NOTE
The values provided here are placeholders. You need to use the actual identifier, reply URL, sign on URL, and relay
state URL. You can get the identifier and reply URL values from a Pega application, as explained later in this tutorial.
To get the relay state value, contact the Pega Systems support team. You can also refer to the patterns shown in the
Basic SAML Configuration section in the Azure portal.
6. The Pega Systems application needs the SAML assertions to be in a specific format. To get them in the
correct format, you need to add custom attribute mappings to your SAML token attributes configuration.
The following screenshot shows the default attributes. Select the Edit icon to open the User Attributes
dialog box:
7. In addition to the attributes shown in the previous screenshot, the Pega Systems application requires a few
more attributes to be passed back in the SAML response. In the User claims section of the User Attributes
dialog box, complete the following steps to add these SAML token attributes:
uid
cn
mail
accessgroup
organization
orgdivision
orgunit
workgroup
Phone
NOTE
These values are specific to your organization. Provide the appropriate values.
a. Select Add new claim to open the Manage user claims dialog box:
a. In the Name box, enter the attribute name shown for that row.
b. Leave the Namespace box empty.
c. For the Source, select Attribute.
d. In the Source attribute list, select the attribute value shown for that row.
e. Select Ok.
f. Select Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select the
Download link next to Federation Metadata XML, per your requirements, and save the certificate on
your computer:
9. In the Set up Pega Systems section, copy the appropriate URLs, based on your requirements.
a. Login URL.
b. Azure AD Identifier.
c. Logout URL.
Configure Pega Systems single sign-on
1. To configure single sign-on on the Pega Systems side, sign in to the Pega Portal with an admin account in
another browser window.
2. Select Create > SysAdmin > Authentication Service:
3. Complete the following steps on the Create Authentication Service screen.
5. Complete the following steps in the Service Provider (SP) settings section.
a. Copy the Entity Identification value and paste it into the Identifier box in the Basic SAML
Configuration section in the Azure portal.
b. Copy the Assertion Consumer Service (ACS) location value and paste it into the Reply URL box
in the Basic SAML Configuration section in the Azure portal.
c. Select Disable request signing.
6. Select Save.
Create an Azure AD test user
In this section, you'll create a test user named Britta Simon in the Azure portal.
1. In the Azure portal, select Azure Active Directory in the left pane, select Users, and then select All users:
4. Select Add user, and then select Users and groups in the Add Assignment dialog box.
5. In the Users and groups dialog box, select Britta Simon in the users list, and then click the Select button
at the bottom of the screen.
6. If you expect a role value in the SAML assertion, in the Select Role dialog box, select the appropriate role
for the user from the list. Click the Select button at the bottom of the screen.
7. In the Add Assignment dialog box, select Assign.
Create a Pega Systems test user
Next, you need to create a user named Britta Simon in Pega Systems. Work with the Pega Systems support team to
create users.
Test single sign-on
Now you need to test your Azure AD single sign-on configuration by using the Access Panel.
When you select the Pega Systems tile in the Access Panel, you should be automatically signed in to the Pega
Systems instance for which you set up SSO. For more information, see Access and use apps on the My Apps
portal.
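When a test sign-in fails, one useful check is whether the SAML assertion carries every attribute the application expects: the nine Pega Systems claims listed in this tutorial, and the three Paylocity attributes from the Paylocity tutorial. The Python below is an added example, not code from Microsoft, Pega Systems or Paylocity; the function names, the placeholder heuristic and the assumption that a namespaced claim's Name ends in "/" plus the claim name are the example's own, and both sample assertions are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

SAML_URN = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_URN}

# Attribute names exactly as listed in the tutorials on this page.
REQUIRED = {
    "Pega Systems": ["uid", "cn", "mail", "accessgroup", "organization",
                     "orgdivision", "orgunit", "workgroup", "Phone"],
    "Paylocity": ["PartnerID", "PaylocityUser", "PaylocityEntity"],
}


def collect_attributes(assertion_xml):
    """Map each saml:Attribute Name to its list of values.

    Reads attribute content only; it does not verify the XML signature,
    so run it on an assertion captured from your own test sign-in.
    """
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iter("{%s}Attribute" % SAML_URN):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        found.setdefault(attr.get("Name", ""), []).extend(values)
    return found


def looks_unset(name, value):
    """Heuristic (assumption): empty, or still a placeholder such as <"PartnerID">."""
    core = value.strip("<>\"' ")
    return core == "" or core.lower() == name.lower()


def check_assertion(assertion_xml, app):
    """Sort the attributes required by `app` into ok/unset/namespaced/missing."""
    found = collect_attributes(assertion_xml)
    report = {"ok": [], "unset": [], "namespaced": [], "missing": []}
    for name in REQUIRED[app]:
        if name in found:
            values = found[name]
            bad = not values or any(looks_unset(name, v) for v in values)
            report["unset" if bad else "ok"].append(name)
        elif any(key.endswith("/" + name) for key in found):
            # Claim was created with a namespace, so its Name is not the bare name.
            report["namespaced"].append(name)
        else:
            report["missing"].append(name)
    return report


def build_sample(attrs):
    """Build a constructed, unsigned assertion for the demonstration."""
    parts = ['<saml:Assertion xmlns:saml="%s"><saml:AttributeStatement>' % SAML_URN]
    for name, values in attrs.items():
        parts.append("<saml:Attribute Name=%s>" % quoteattr(name))
        parts.extend("<saml:AttributeValue>%s</saml:AttributeValue>" % escape(v)
                     for v in values)
        parts.append("</saml:Attribute>")
    parts.append("</saml:AttributeStatement></saml:Assertion>")
    return "".join(parts)


# Constructed samples: workgroup is empty, orgunit carries a namespace, Phone is absent.
PEGA_SAMPLE = build_sample({
    "uid": ["bsimon"], "cn": ["Britta Simon"], "mail": ["brittasimon@contoso.com"],
    "accessgroup": ["HR:Users"], "organization": ["Contoso"], "orgdivision": ["Sales"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/orgunit": ["Field"],
    "workgroup": [""],
})
# PartnerID still holds its pre-populated placeholder; PaylocityEntity is absent.
PAYLOCITY_SAMPLE = build_sample({
    "PartnerID": ['"PartnerID"'], "PaylocityUser": ["b.simon"],
})

if __name__ == "__main__":
    for app, sample in (("Pega Systems", PEGA_SAMPLE), ("Paylocity", PAYLOCITY_SAMPLE)):
        print(app, check_assertion(sample, app))
```

A "namespaced" result for a Pega Systems claim points back to the step that says to leave the Namespace box empty.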
Additional resources
Tutorials for integrating SaaS applications with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with People
8/29/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate People with Azure Active Directory (Azure AD). When you integrate
People with Azure AD, you can:
Control in Azure AD who has access to People.
Enable your users to be automatically signed-in to People with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
People single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
People supports SP initiated SSO
People Mobile application can now be configured with Azure AD for enabling SSO. In this tutorial, you
configure and test Azure AD SSO in a test environment.
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign-on URL text box, type a URL using the following pattern:
https://<company name>.peoplehr.net
c. In the Reply URL text box, type a URL using the following pattern:
https://<company name>.peoplehr.net/Pages/Saml/ConsumeAzureAD.aspx
NOTE
These values are not real. Update these values with the actual Sign-On URL and Reply URL. Contact People Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up People section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, clicking Setup People will direct you to the People application. From
there, provide the admin credentials to sign in to People. The browser extension will automatically configure
the application for you and automate steps 3-6.
3. If you want to set up People manually, open a new web browser window, sign in to your People company
site as an administrator, and perform the following steps:
4. In the menu on the left side, click Settings.
5. Click Company.
6. On the Upload 'Single Sign On' SAML meta-data file, click Browse to upload the downloaded
metadata file.
Create People test user
In this section, you create a user called B.Simon in People. Work with People Client support team to add the users
in the People platform. Users must be created and activated before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the People tile in the Access Panel, you should be automatically signed in to the People for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
3. Finally, after a successful sign-in, the application homepage will be displayed as shown below:
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try People with Azure AD
Tutorial: Azure Active Directory integration with
Peoplecart
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Peoplecart with Azure Active Directory (Azure AD). Integrating
Peoplecart with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Peoplecart.
You can enable your users to be automatically signed-in to Peoplecart (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Peoplecart, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Peoplecart single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Peoplecart supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Peoplecart, select Peoplecart from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<tenantname>.peoplecart.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Peoplecart Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Peoplecart section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Peoplecart Single Sign-On
To configure single sign-on on Peoplecart side, you need to send the downloaded Federation Metadata XML
and appropriate copied URLs from Azure portal to Peoplecart support team. They set this setting to have the
SAML SSO connection set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Peoplecart test user
In this section, you create a user called Britta Simon in Peoplecart. Work with Peoplecart support team to add the
users in the Peoplecart platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Peoplecart tile in the Access Panel, you should be automatically signed in to the Peoplecart for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Perception United States (Non-UltiPro)
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Perception United States (Non-UltiPro) with Azure Active Directory
(Azure AD). Integrating Perception United States (Non-UltiPro) with Azure AD provides you with the following
benefits:
You can control in Azure AD who has access to Perception United States (Non-UltiPro).
You can enable your users to be automatically signed-in to Perception United States (Non-UltiPro) (Single Sign-
On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Perception United States (Non-UltiPro), you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Perception United States (Non-UltiPro) single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Perception United States (Non-UltiPro) supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Perception United States (Non-UltiPro), select Perception United States
(Non-UltiPro) from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL: https://perception.kanjoya.com/sp
b. In the Reply URL text box, type a URL using the following pattern:
https://perception.kanjoya.com/sso?idp=<entity_id>
c. The Perception United States (Non-UltiPro) application requires the Azure AD Identifier value as
<entity_id>, which you will get from the Set up Perception United States (Non-UltiPro) section, to be
URI encoded. To get the URI-encoded value, use the following link: http://www.url-encode-decode.com/.
d. After getting the URI-encoded value, combine it with the Reply URL as shown below:
https://perception.kanjoya.com/sso?idp=<URI encoded entity_id>
6. On the Set up Perception United States (Non-UltiPro) section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
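Steps c and d above call for URI-encoding the Azure AD Identifier and appending it to the Reply URL. The following Python is an added example, not part of the original tutorial; it performs the encoding locally, rejects a value that has already been encoded, and confirms the result by decoding it again. The function names are assumptions and the sample identifier uses a constructed all-zero tenant ID.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Base of the Reply URL pattern given in the tutorial.
REPLY_URL_BASE = "https://perception.kanjoya.com/sso"

# Constructed sample: an identifier with an all-zero tenant ID.
SAMPLE_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"


def build_reply_url(entity_id):
    """Return the Reply URL with the identifier percent-encoded as the idp value."""
    entity_id = entity_id.strip()
    parts = urlsplit(entity_id)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("expected the Azure AD Identifier as an absolute URL")
    if unquote(entity_id) != entity_id:
        # Encoding twice would turn %2F into %252F and the IdP lookup would not match.
        raise ValueError("value already contains percent-escapes; encode it only once")
    # safe="" escapes ':' and '/' as well; quote() leaves '/' untouched by default.
    return REPLY_URL_BASE + "?idp=" + quote(entity_id, safe="")


def idp_from_reply_url(reply_url):
    """Decode the idp parameter again, to confirm it round-trips to the identifier."""
    values = parse_qs(urlsplit(reply_url).query).get("idp", [])
    if len(values) != 1:
        raise ValueError("reply URL must carry exactly one idp parameter")
    return values[0]


if __name__ == "__main__":
    url = build_reply_url(SAMPLE_ENTITY_ID)
    print(url)
    print(idp_from_reply_url(url) == SAMPLE_ENTITY_ID)
```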
Configure Perception United States (Non-UltiPro) Single Sign-On
1. In another browser window, sign on to your Perception United States (Non-UltiPro) company site as an
administrator.
2. In the main toolbar, click Account Settings.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Perception United States (Non-UltiPro) test user
In this section, you create a user called Britta Simon in Perception United States (Non-UltiPro). Work with
Perception United States (Non-UltiPro) support team to add the users in the Perception United States (Non-
UltiPro) platform.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Perception United States (Non-UltiPro) tile in the Access Panel, you should be automatically
signed in to the Perception United States (Non-UltiPro) for which you set up SSO. For more information about the
Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Perceptyx with Azure Active
Directory
6/13/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate Perceptyx with Azure Active Directory (Azure AD). When you integrate
Perceptyx with Azure AD, you can:
Control in Azure AD who has access to Perceptyx.
Enable your users to be automatically signed-in to Perceptyx with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial.
Perceptyx single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Perceptyx supports IDP initiated SSO.
4. On the Basic SAML Configuration page, enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://<SubDomain>.perceptyx.com/<SurveyId>/index.cgi/saml-login?o=B
b. In the Reply URL text box, type a URL using the following pattern:
https://<SubDomain>.perceptyx.com/<SurveyId>/index.cgi/saml-login?o=P
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Perceptyx Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Perceptyx test user
In this section, you create a user called B.Simon in Perceptyx. Work with Perceptyx support team to add the users in
the Perceptyx platform. Users must be created and activated before you use single sign-on.
Test SSO
When you select the Perceptyx tile in the Access Panel, you should be automatically signed in to the Perceptyx for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Percolate
6/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Percolate with Azure Active Directory (Azure AD).
This integration provides these benefits:
You can use Azure AD to control who has access to Percolate.
You can enable your users to be automatically signed in to Percolate (single sign-on) with their Azure AD
accounts.
You can manage your accounts in one central location: the Azure portal.
To learn more about SaaS app integration with Azure AD, see Single sign-on to applications in Azure Active
Directory.
If you don't have an Azure subscription, create a free account before you start.
Prerequisites
To configure Azure AD integration with Percolate, you need to have:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.
A Percolate subscription that has single sign-on enabled.
Scenario description
In this tutorial, you'll configure and test Azure AD single sign-on in a test environment.
Percolate supports SP-initiated and IdP-initiated SSO.
4. In the search box, enter Percolate. Select Percolate in the search results and then select Add.
3. On the Set up Single Sign-On with SAML page, select the Edit icon to open the Basic SAML
Configuration dialog box:
4. In the Basic SAML Configuration dialog box, you don't need to take any action to configure the
application in IdP-initiated mode. The app is already integrated with Azure.
5. If you want to configure the application in SP-initiated mode, select Set additional URLs and, in the Sign
on URL box, enter https://percolate.com/app/login:
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select the
Copy icon to copy the App Federation Metadata Url. Save this URL.
7. In the Set up Percolate section, copy the appropriate URLs, based on your requirements.
a. Login URL.
b. Azure AD Identifier.
c. Logout URL.
Configure Percolate single sign-on
1. In a new web browser window, sign in to Percolate as an admin.
2. On the left side of the home page, select Settings:
3. In the left pane, select SSO under Organization:
a. In the Login URL box, paste the Login URL value that you copied from the Azure portal.
b. In the Entity ID box, paste the Azure AD Identifier value that you copied from the Azure portal.
c. In Notepad, open the base-64 encoded certificate that you downloaded from the Azure portal. Copy
its content and paste it into the x509 certificates box.
d. In the Email attribute box, enter emailaddress.
e. The Identity provider metadata URL box is an optional field. If you copied an App Federation
Metadata Url from the Azure portal, you can paste it into this box.
f. In the Should AuthNRequests be signed? list, select No.
g. In the Enable SSO auto-provisioning list, select No.
h. Select Save.
Create an Azure AD test user
In this section, you'll create a test user named Britta Simon in the Azure portal.
1. In the Azure portal, select Azure Active Directory in the left pane, select Users, and then select All users:
2. Select New user at the top of the screen:
4. Select Add user, and then select Users and groups in the Add Assignment dialog box.
5. In the Users and groups dialog box, select Britta Simon in the users list, and then click the Select button
at the bottom of the screen.
6. If you expect a role value in the SAML assertion, in the Select Role dialog box, select the appropriate role
for the user from the list. Click the Select button at the bottom of the screen.
7. In the Add Assignment dialog box, select Assign.
Create a Percolate test user
To enable Azure AD users to sign in to Percolate, you need to add them to Percolate. You need to add them
manually.
To create a user account, take these steps:
1. Sign in to Percolate as an admin.
2. In the left pane, select Users under Organization. Select New users:
a. In the Email box, enter the email address of the user. For example, brittasimon@contoso.com.
b. In the Full name box, enter the name of the user. For example, Brittasimon.
c. Select Create users.
Test single sign-on
Now you need to test your Azure AD single sign-on configuration by using the Access Panel.
When you select the Percolate tile in the Access Panel, you should be automatically signed in to the Percolate
instance for which you set up SSO. For more information, see Access and use apps on the My Apps portal.
Additional resources
Tutorials for integrating SaaS applications with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
PerformanceCentre
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate PerformanceCentre with Azure Active Directory (Azure AD). Integrating
PerformanceCentre with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to PerformanceCentre.
You can enable your users to be automatically signed-in to PerformanceCentre (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with PerformanceCentre, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
PerformanceCentre single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
PerformanceCentre supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type PerformanceCentre, select PerformanceCentre from the result panel, and then click the
Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
http://<companyname>.performancecentre.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact PerformanceCentre
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up PerformanceCentre section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure PerformanceCentre Single Sign-On
1. Sign on to your PerformanceCentre company site as an administrator.
2. In the tab on the left side, click Configure.
3. In the tab on the left side, click Miscellaneous, and then click Single Sign On.
5. Open your downloaded metadata file in Notepad, copy the content, paste it into the Identity Provider
Metadata textbox, and then click Save.
6. Verify that the values for the Entity Base URL and Entity ID URL are correct.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create PerformanceCentre test user
The objective of this section is to create a user called Britta Simon in PerformanceCentre.
To create a user called Britta Simon in PerformanceCentre, perform the following steps:
1. Sign on to your PerformanceCentre company site as administrator.
2. In the menu on the left, click Interrelate, and then click Create Participant.
3. On the Interrelate - Create Participant dialog, perform the following steps:
a. Type the required attributes for Britta Simon into related textboxes.
IMPORTANT
Britta's User Name attribute in PerformanceCentre must be the same as the User Name in Azure AD.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Periscope Data
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Periscope Data with Azure Active Directory (Azure AD). Integrating
Periscope Data with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Periscope Data.
You can enable your users to be automatically signed-in to Periscope Data (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Periscope Data, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Periscope Data single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Periscope Data supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Periscope Data, select Periscope Data from the result panel, and then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
https://app.periscopedata.com/
https://app.periscopedata.com/app/<SITENAME>
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://app.periscopedata.com/<SITENAME>/sso
NOTE
The Sign on URL value is not real. Update it with the actual Sign on URL; contact the Periscope Data Client
support team to get this value. You get the Identifier value from the Configure Periscope Data Single
Sign-On section, which is explained later in the tutorial. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Periscope Data test user
To enable Azure AD users to log in to Periscope Data, they must be provisioned into Periscope Data. In Periscope
Data, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to Periscope Data as an Administrator.
2. Click the Settings icon at the bottom left of the menu and navigate to Permissions.
3. Click ADD USER and perform the following steps:
a. In First Name text box, enter the first name of user like Britta.
b. In Last Name text box, enter the last name of user like Simon.
c. In Email text box, enter the email of user like brittasimon@contoso.com.
d. Click ADD.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Periscope Data tile in the Access Panel, you should be automatically signed in to the Periscope
Data for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Phraseanet
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Phraseanet with Azure Active Directory (Azure AD). Integrating
Phraseanet with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Phraseanet.
You can enable your users to be automatically signed-in to Phraseanet (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Phraseanet, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Phraseanet single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Phraseanet supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Phraseanet, select Phraseanet from the result panel, and then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Phraseanet Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Phraseanet section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Phraseanet Single Sign-On
To configure single sign-on on the Phraseanet side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the Phraseanet support team. They apply these settings so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Phraseanet test user
In this section, you create a user called Britta Simon in Phraseanet. Work with Phraseanet support team to add the
users in the Phraseanet platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Phraseanet tile in the Access Panel, you should be automatically signed in to the Phraseanet for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Picturepark
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Picturepark with Azure Active Directory (Azure AD). Integrating
Picturepark with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Picturepark.
You can enable your users to be automatically signed-in to Picturepark (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Picturepark, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Picturepark single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Picturepark supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Picturepark, select Picturepark from the result panel, and then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.current-picturepark.com
https://<companyname>.picturepark.com
https://<companyname>.next-picturepark.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Picturepark Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. In the SAML Signing Certificate section, click Edit button to open SAML Signing Certificate dialog.
6. In the SAML Signing Certificate section, copy the Thumbprint and save it on your computer.
7. In the Set up Picturepark section, copy the appropriate URL(s) as per your requirement. For Login URL,
use the value with the following pattern: https://login.microsoftonline.com/_my_directory_id_/wsfed
NOTE
_my_directory_id_ is the tenant ID of the Azure AD subscription.
a. Azure AD Identifier
b. Logout URL
Configure Picturepark Single Sign-On
1. In a different web browser window, sign into your Picturepark company site as an administrator.
2. In the toolbar on the top, click Administrative tools, and then click Management Console.
a. Click Add.
b. Type a name for your configuration.
c. Select Set as default.
d. In Issuer URI textbox, paste the value of Login URL which you have copied from Azure portal.
e. In Trusted Issuer Thumb Print textbox, paste the value of Thumbprint which you have copied from
SAML Signing Certificate section.
5. Click JoinDefaultUsersGroup.
6. To set the Emailaddress attribute in the Claim textbox, type
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress and click Save.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Picturepark test user
In order to enable Azure AD users to sign into Picturepark, they must be provisioned into Picturepark. In the case
of Picturepark, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Picturepark tenant.
2. In the toolbar on the top, click Administrative tools, and then click Users.
4. In the Create User dialog, perform the following steps for a valid Azure Active Directory user you want to
provision:
a. In the Email Address textbox, type the email address of the user BrittaSimon@contoso.com.
b. In the Password and Confirm Password textboxes, type the password of BrittaSimon.
c. In the First Name textbox, type the First Name of the user Britta.
d. In the Last Name textbox, type the Last Name of the user Simon.
e. In the Company textbox, type the Company name of the user.
f. In the Country textbox, select the Country/Region of the user.
g. In the ZIP textbox, type the ZIP code of the city.
h. In the City textbox, type the City name of the user.
i. Select a Language.
j. Click Create.
NOTE
You can use any other Picturepark user account creation tools or APIs provided by Picturepark to provision Azure AD user
accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Pingboard
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Pingboard with Azure Active Directory (Azure AD). Integrating
Pingboard with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Pingboard.
You can enable your users to be automatically signed-in to Pingboard (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Pingboard, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Pingboard single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Pingboard supports SP and IDP initiated SSO
Pingboard supports Automated user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Pingboard, select Pingboard from the result panel, and then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL: http://app.pingboard.com/sp
b. In the Reply URL text box, type a URL using the following pattern:
https://<entity-id>.pingboard.com/auth/saml/consume
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<sub-domain>.pingboard.com/sign_in
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-on URL. Contact Pingboard Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. In the Set up Pingboard section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Pingboard Single Sign-On
1. To configure SSO on Pingboard side, open a new browser window and sign in to your Pingboard Account.
You must be a Pingboard admin to set up single sign on.
2. From the top menu, select Apps > Integrations.
3. On the Integrations page, find the "Azure Active Directory" tile, and click it.
6. The file is validated, and if everything is correct, single sign-on will now be enabled.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Pingboard test user
The objective of this section is to create a user called Britta Simon in Pingboard. Pingboard supports automatic
user provisioning, which is by default enabled. You can find more details here on how to configure automatic user
provisioning.
If you need to create a user manually, perform the following steps:
1. Sign in to your Pingboard company site as an administrator.
2. Click “Add Employee” button on Directory page.
3. On the “Add Employee” dialog page, perform the following steps:
a. In the Full Name textbox, type the full name of user like Britta Simon.
b. In the Email textbox, type the email address of user like brittasimon@contoso.com.
c. In the Job Title textbox, type the job title of Britta Simon.
d. In the Location dropdown, select the location of Britta Simon.
e. Click Add.
4. A confirmation screen comes up to confirm the addition of user.
NOTE
The Azure Active Directory account holder receives an email and follows a link to confirm their account before it
becomes active.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Configure User Provisioning
Tutorial: Azure Active Directory integration with
PlanGrid
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate PlanGrid with Azure Active Directory (Azure AD). Integrating PlanGrid
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to PlanGrid.
You can enable your users to be automatically signed-in to PlanGrid (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with PlanGrid, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
PlanGrid single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
PlanGrid supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type PlanGrid, select PlanGrid from the result panel, and then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Identifier text box, type a URL: https://io.plangrid.com/sessions/saml/metadata
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. In the Set up PlanGrid section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure PlanGrid Single Sign-On
To configure single sign-on on the PlanGrid side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the PlanGrid support team. They apply these settings so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create PlanGrid test user
In this section, you create a user called Britta Simon in PlanGrid. Work with PlanGrid support team to add the
users in the PlanGrid platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the PlanGrid tile in the Access Panel, you should be automatically signed in to the PlanGrid for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
PlanMyLeave
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate PlanMyLeave with Azure Active Directory (Azure AD). Integrating
PlanMyLeave with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to PlanMyLeave.
You can enable your users to be automatically signed-in to PlanMyLeave (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with PlanMyLeave, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
PlanMyLeave single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
PlanMyLeave supports SP initiated SSO
PlanMyLeave supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type PlanMyLeave, select PlanMyLeave from the result panel, and then click the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<company-name>.planmyleave.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact PlanMyLeave Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up PlanMyLeave section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure PlanMyLeave Single Sign-On
1. In a different web browser window, log into your PlanMyLeave tenant as an administrator.
2. Go to System Setup. Then on the Security Management section click Company SAML settings.
a. In the Login URL textbox, paste Login URL which you have copied from Azure portal.
b. Open your downloaded metadata, copy X509Certificate value and then paste it to the Certificate
textbox.
c. Set "Is Enable" to "Yes".
d. Click Save.
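The step above copies the X509Certificate value out of the downloaded Federation Metadata XML, and the Picturepark tutorial copies the signing certificate Thumbprint. The following Python code is an added example, not part of the original tutorials: it extracts the signing certificate from a metadata file and computes its SHA-1 thumbprint, so the value can be compared with the Thumbprint shown in the Azure portal before either is pasted into the service provider. The sample metadata, the placeholder certificate bytes, the all-zero tenant ID and every function name are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder bytes standing in for a DER-encoded certificate.
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate|" * 4
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")

# Constructed sample shaped like a Federation Metadata XML download
# (all-zero tenant ID, placeholder certificate).
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".encode("utf-8")


def normalize_thumbprint(value):
    """Drop spaces and colons and upper-case, so formatted values compare equal."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def to_pem(b64):
    """Wrap a single-line base64 certificate into PEM with 64-character lines."""
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_federation_metadata(xml_bytes):
    """Return entity ID, login URLs and signing certificates from SAML metadata."""
    if b"<!DOCTYPE" in xml_bytes:
        # Federation metadata never needs a DTD; refuse it rather than expand entities.
        raise ValueError("metadata must not contain a DOCTYPE")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not a SAML EntityDescriptor")

    certificates = []
    for key in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers signing and encryption.
        if key.get("use", "signing") != "signing":
            continue
        for node in key.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())
            der = base64.b64decode(b64, validate=True)
            certificates.append({
                # The thumbprint is the SHA-1 hash of the DER-encoded certificate.
                "sha1_thumbprint": hashlib.sha1(der).hexdigest().upper(),
                "sha256_fingerprint": hashlib.sha256(der).hexdigest().upper(),
                "pem": to_pem(b64),
            })
    if not certificates:
        raise ValueError("no signing certificate found in metadata")

    login_urls = [
        svc.get("Location")
        for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "login_urls": login_urls,
        "certificates": certificates,
    }


def thumbprint_matches(info, portal_value):
    """True if any signing certificate in the metadata has the given thumbprint."""
    wanted = normalize_thumbprint(portal_value)
    return any(c["sha1_thumbprint"] == wanted for c in info["certificates"])


if __name__ == "__main__":
    info = parse_federation_metadata(SAMPLE_METADATA)
    print("Entity ID :", info["entity_id"])
    print("Login URLs:", info["login_urls"])
    for cert in info["certificates"]:
        print("Thumbprint:", cert["sha1_thumbprint"])
        print(cert["pem"], end="")
```

To check a real download, read the Federation Metadata XML file as bytes, pass it to `parse_federation_metadata`, and call `thumbprint_matches` with the Thumbprint copied from the SAML Signing Certificate section.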
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create PlanMyLeave test user
In this section, a user called Britta Simon is created in PlanMyLeave. PlanMyLeave supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in PlanMyLeave, a new one is created after authentication.
NOTE
If you need to create a user manually, you need to contact PlanMyLeave support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Pluralsight
8/29/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Pluralsight with Azure Active Directory (Azure AD). When you
integrate Pluralsight with Azure AD, you can:
Control in Azure AD who has access to Pluralsight.
Enable your users to be automatically signed-in to Pluralsight with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Pluralsight single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Pluralsight supports SP initiated SSO
Pluralsight supports just-in-time user provisioning
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign-on URL text box, type a URL using the following pattern:
https://<instancename>.pluralsight.com/sso/<companyname>
b. In the Identifier box, type a URL using the following pattern: www.pluralsight.com
c. In the Reply URL text box, type a URL using the following pattern:
https://<instancename>.pluralsight.com/sp/ACS.saml2
NOTE
These values are not real. Update these values with the actual Sign-On URL and Reply URL. Contact Pluralsight Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up Pluralsight section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Pluralsight tile in the Access Panel, you should be automatically signed in to the Pluralsight for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Pluralsight with Azure AD
Tutorial: Azure Active Directory integration with
PolicyStat
8/9/2019 • 6 minutes to read
In this tutorial, you learn how to integrate PolicyStat with Azure Active Directory (Azure AD). Integrating PolicyStat
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to PolicyStat.
You can enable your users to be automatically signed-in to PolicyStat (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with PolicyStat, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
PolicyStat single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
PolicyStat supports SP initiated SSO
PolicyStat supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type PolicyStat, select PolicyStat from the result panel, and then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.policystat.com/saml2/metadata/
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact PolicyStat Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. Your PolicyStat application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click the Edit icon to open the User Attributes dialog.
7. In addition to the above, the PolicyStat application expects a few more attributes to be passed back in the SAML
response. In the User Claims section of the User Attributes dialog, perform the following steps to add
the SAML token attribute shown in the table below:
Name: uid
Value: ExtractMailPrefix([mail])
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Transformation.
e. From the Transformation list, type the attribute value shown for that row.
f. From the Parameter 1 list, type the attribute value shown for that row.
g. Click Save.
8. On the Set up PolicyStat section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure PolicyStat Single Sign-On
1. In a different web browser window, log into your PolicyStat company site as an administrator.
2. Click the Admin tab, and then click Single Sign-On Configuration in left navigation pane.
4. Click Configure Attributes, and then, in the Configure Attributes section, perform the following steps:
a. In the Username Attribute textbox, type uid.
b. In the First Name Attribute textbox, type firstname of user Britta.
c. In the Last Name Attribute textbox, type lastname of user Simon.
d. In the Email Attribute textbox, type emailaddress of user BrittaSimon@contoso.com.
e. Click Save Changes.
5. Click Your IDP Metadata, and then, in the Your IDP Metadata section, perform the following steps:
a. Open your downloaded metadata file, copy the content, and then paste it into the Your Identity Provider
Metadata textbox.
b. Click Save Changes.
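The uid claim configured above is only the mail prefix, and it is what PolicyStat reads as the Username Attribute, so two Azure AD accounts whose addresses differ only in domain would be issued the same uid. The following added example (not part of the original tutorial or of PolicyStat's tooling) audits a user list for such collisions and for users with no mail value; the user records are constructed, `audit_uid_claims` is a hypothetical helper, and the pass-through of values without `@` and the case-insensitive comparison are assumptions.

```python
from collections import defaultdict


def extract_mail_prefix(mail):
    """Local model of the ExtractMailPrefix() claim transformation: the part
    of the address before '@'. Assumption: a value without '@' passes
    through unchanged."""
    return mail.partition("@")[0]


def audit_uid_claims(users, case_sensitive=False):
    """Group directory users by the uid claim they would be issued.

    Returns (collisions, missing):
      collisions: uid -> list of mail values that map to it (two or more)
      missing:    ids of users for whom no usable uid can be derived
    """
    by_uid = defaultdict(list)
    missing = []
    for user in users:
        mail = (user.get("mail") or "").strip()
        uid = extract_mail_prefix(mail)
        if not uid:
            # No mail attribute, or an address with an empty local part.
            missing.append(user["id"])
            continue
        # Assumption: the service provider may compare usernames without
        # regard to case, so fold case unless told otherwise.
        key = uid if case_sensitive else uid.lower()
        by_uid[key].append(mail)
    collisions = {uid: mails for uid, mails in by_uid.items() if len(mails) > 1}
    return collisions, missing


# Constructed sample data; only BrittaSimon@contoso.com appears in the tutorial.
SAMPLE_USERS = [
    {"id": "user-1", "mail": "BrittaSimon@contoso.com"},
    {"id": "user-2", "mail": "brittasimon@fabrikam.com"},
    {"id": "user-3", "mail": "lee.gu@contoso.com"},
    {"id": "user-4", "mail": None},
]

if __name__ == "__main__":
    collisions, missing = audit_uid_claims(SAMPLE_USERS)
    for uid, mails in collisions.items():
        print(f"uid '{uid}' would be issued to: {', '.join(mails)}")
    for user_id in missing:
        print(f"{user_id}: no mail value, uid claim cannot be derived")
```

How PolicyStat resolves two sign-ins that present the same uid is not described in this tutorial, so treat any reported collision as something to resolve before relying on just-in-time provisioning.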
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create PolicyStat test user
In this section, a user called Britta Simon is created in PolicyStat. PolicyStat supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in
PolicyStat, a new one is created after authentication.
NOTE
You can use any other PolicyStat user account creation tools or APIs provided by PolicyStat to provision Azure AD user
accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
PostBeyond
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate PostBeyond with Azure Active Directory (Azure AD). Integrating
PostBeyond with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to PostBeyond.
You can enable your users to be automatically signed-in to PostBeyond (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with PostBeyond, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
PostBeyond single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
PostBeyond supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type PostBeyond, select PostBeyond from the result panel, and then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.postbeyond.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact PostBeyond Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up PostBeyond section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure PostBeyond Single Sign-On
To configure single sign-on on the PostBeyond side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the PostBeyond support team. They apply these settings so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create PostBeyond test user
In this section, you create a user called Britta Simon in PostBeyond. Work with the PostBeyond support team to add
the users in the PostBeyond platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the PostBeyond tile in the Access Panel, you should be automatically signed in to the PostBeyond
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Powerschool Performance Matters
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Powerschool Performance Matters with Azure Active Directory (Azure
AD). Integrating Powerschool Performance Matters with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Powerschool Performance Matters.
You can enable your users to be automatically signed-in to Powerschool Performance Matters (Single Sign-On)
with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Powerschool Performance Matters, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here.
Powerschool Performance Matters single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Powerschool Performance Matters supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Powerschool Performance Matters, select Powerschool Performance Matters
from the result panel, and then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
https://ola.performancematters.com/ola/?clientcode=<Client Code>
https://unify.performancematters.com/?idp=<IDP>
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Powerschool Performance Matters Client
support team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Powerschool Performance Matters section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Powerschool Performance Matters Single Sign-On
To configure single sign-on on the Powerschool Performance Matters side, you need to send the downloaded
Federation Metadata XML and the appropriate copied URLs from the Azure portal to the Powerschool Performance
Matters support team. They apply these settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Powerschool Performance Matters test user
In this section, you create a user called Britta Simon in Powerschool Performance Matters. Work with the Powerschool
Performance Matters support team to add the users in the Powerschool Performance Matters platform. Users must
be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Powerschool Performance Matters tile in the Access Panel, you should be automatically signed
in to the Powerschool Performance Matters for which you set up SSO. For more information about the Access
Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Predictix Assortment Planning
6/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Predictix Assortment Planning with Azure Active Directory (Azure AD).
This integration provides these benefits:
You can use Azure AD to control who has access to Predictix Assortment Planning.
You can enable your users to be automatically signed in to Predictix Assortment Planning (single sign-on) with
their Azure AD accounts.
You can manage your accounts in one central location: the Azure portal.
To learn more about SaaS app integration with Azure AD, see Single sign-on to applications in Azure Active
Directory.
If you don't have an Azure subscription, create a free account before you start.
Prerequisites
To configure Azure AD integration with Predictix Assortment Planning, you need to have:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.
A Predictix Assortment Planning subscription that has single sign-on enabled.
Scenario description
In this tutorial, you'll configure and test Azure AD single sign-on in a test environment.
Predictix Assortment Planning supports SP-initiated SSO.
4. In the search box, enter Predictix Assortment Planning. Select Predictix Assortment Planning in the
search results and then select Add.
3. On the Set up Single Sign-On with SAML page, select the Edit icon to open the Basic SAML
Configuration dialog box:
4. In the Basic SAML Configuration dialog box, complete the following steps.
a. In the Sign on URL box, enter a URL in this pattern:
https://<sub-domain>.ap.predictix.com/sso/request
https://<sub-domain>.dev.ap.predictix.com/
https://<sub-domain>.ap.predictix.com
https://<sub-domain>.dev.ap.predictix.com
NOTE
These values are placeholders. You need to use the actual sign-on URL and identifier. Contact the Predictix
Assortment Planning support team to get the values. You can also refer to the patterns shown in the Basic SAML
Configuration dialog box in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select the
Download link next to Certificate (Base64), per your requirements, and save the certificate on your
computer:
6. In the Set up Predictix Assortment Planning section, copy the appropriate URLs, based on your
requirements:
a. Login URL.
b. Azure AD Identifier.
c. Logout URL.
Configure Predictix Assortment Planning single sign-on
To configure single sign-on on the Predictix Assortment Planning side, you need to send the certificate that you
downloaded and the URLs that you copied from the Azure portal to the Predictix Assortment Planning support
team. This team ensures the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user named Britta Simon in the Azure portal.
1. In the Azure portal, select Azure Active Directory in the left pane, select Users, and then select All users:
4. Select Add user, and then select Users and groups in the Add Assignment dialog box.
5. In the Users and groups dialog box, select Britta Simon in the users list, and then click the Select button
at the bottom of the screen.
6. If you expect a role value in the SAML assertion, in the Select Role dialog box, select the appropriate role
for the user from the list. Click the Select button at the bottom of the screen.
7. In the Add Assignment dialog box, select Assign.
Create a Predictix Assortment Planning test user
Next, you need to create a user named Britta Simon in Predictix Assortment Planning. Work with the Predictix
Assortment Planning support team to add users. Users need to be created and activated before you use single
sign-on.
NOTE
The Azure AD account holder receives an email and selects a link to confirm the account before it becomes active.
Test single sign-on
Now you need to test your Azure AD single sign-on configuration by using the Access Panel.
When you select the Predictix Assortment Planning tile in the Access Panel, you should be automatically signed in
to the Predictix Assortment Planning instance for which you set up SSO. For more information, see Access and use
apps on the My Apps portal.
Additional resources
Tutorials for integrating SaaS applications with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Predictix Ordering
6/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Predictix Ordering with Azure Active Directory (Azure AD). This
integration provides these benefits:
You can use Azure AD to control who has access to Predictix Ordering.
You can enable your users to be automatically signed in to Predictix Ordering (single sign-on) with their Azure
AD accounts.
You can manage your accounts in one central location: the Azure portal.
To learn more about SaaS app integration with Azure AD, see Single sign-on to applications in Azure Active
Directory.
If you don't have an Azure subscription, create a free account before you start.
Prerequisites
To configure Azure AD integration with Predictix Ordering, you need to have:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.
A Predictix Ordering subscription that has single sign-on enabled.
Scenario description
In this tutorial, you'll configure and test Azure AD single sign-on in a test environment.
Predictix Ordering supports SP-initiated SSO.
4. In the search box, enter Predictix Ordering. Select Predictix Ordering in the search results and then
select Add.
3. On the Set up Single Sign-On with SAML page, select the Edit icon to open the Basic SAML
Configuration dialog box:
4. In the Basic SAML Configuration dialog box, complete the following steps.
a. In the Sign on URL box, enter a URL in this pattern:
https://<companyname-pricing>.ordering.predictix.com/sso/request
https://<companyname-pricing>.dev.ordering.predictix.com
https://<companyname-pricing>.ordering.predictix.com
NOTE
These values are placeholders. You need to use the actual sign-on URL and identifier. Contact the Predictix Ordering
support team to get the values. You can also refer to the patterns shown in the Basic SAML Configuration dialog
box in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select the
Download link next to Certificate (Base64), per your requirements, and save the certificate on your
computer:
6. In the Set up Predictix Ordering section, copy the appropriate URLs, based on your requirements:
a. Login URL.
b. Azure AD Identifier.
c. Logout URL.
Configure Predictix Ordering single sign-on
To configure single sign-on on the Predictix Ordering side, you need to send the certificate that you downloaded
and the URLs that you copied from the Azure portal to the Predictix Ordering support team. This team ensures the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user named Britta Simon in the Azure portal.
1. In the Azure portal, select Azure Active Directory in the left pane, select Users, and then select All users:
4. Select Add user, and then select Users and groups in the Add Assignment dialog box.
5. In the Users and groups dialog box, select Britta Simon in the users list, and then click the Select button
at the bottom of the screen.
6. If you expect a role value in the SAML assertion, in the Select Role dialog box, select the appropriate role
for the user from the list. Click the Select button at the bottom of the screen.
7. In the Add Assignment dialog box, select Assign.
Create a Predictix Ordering test user
Next, you need to create a user named Britta Simon in Predictix Ordering. Work with the Predictix Ordering
support team to add users. Users need to be created and activated before you use single sign-on.
Test single sign-on
Now you need to test your Azure AD single sign-on configuration by using the Access Panel.
When you select the Predictix Ordering tile in the Access Panel, you should be automatically signed in to the
Predictix Ordering instance for which you set up SSO. For more information, see Access and use apps on the My
Apps portal.
Additional resources
Tutorials for integrating SaaS applications with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Predictix Price Reporting
6/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Predictix Price Reporting with Azure Active Directory (Azure AD).
This integration provides these benefits:
You can use Azure AD to control who has access to Predictix Price Reporting.
You can enable your users to be automatically signed in to Predictix Price Reporting (single sign-on) with their
Azure AD accounts.
You can manage your accounts in one central location: the Azure portal.
To learn more about SaaS app integration with Azure AD, see Single sign-on to applications in Azure Active
Directory.
If you don't have an Azure subscription, create a free account before you start.
Prerequisites
To configure Azure AD integration with Predictix Price Reporting, you need:
An Azure AD subscription. If you don't have an Azure AD environment, you can sign up for a one-month trial
subscription.
A Predictix Price Reporting subscription that has single sign-on enabled.
Scenario description
In this tutorial, you'll configure and test Azure AD single sign-on in a test environment.
Predictix Price Reporting supports SP-initiated SSO.
4. In the search box, enter Predictix Price Reporting. Select Predictix Price Reporting in the search results
and then select Add.
3. On the Set up Single Sign-On with SAML page, select the Edit icon to open the Basic SAML
Configuration dialog box:
4. In the Basic SAML Configuration dialog box, complete the following steps.
a. In the Sign on URL box, enter a URL in this pattern:
https://<companyname-pricing>.predictix.com/sso/request
https://<companyname-pricing>.predictix.com
https://<companyname-pricing>.dev.predictix.com
NOTE
These values are placeholders. You need to use the actual sign-on URL and identifier. Contact the Predictix Price
Reporting support team to get the values. You can also refer to the patterns shown in the Basic SAML
Configuration dialog box in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select the
Download link next to Certificate (Base64), per your requirements, and save the certificate on your
computer:
6. In the Set up Predictix Price Reporting section, copy the appropriate URLs, based on your requirements.
a. Login URL.
b. Azure AD Identifier.
c. Logout URL.
Configure Predictix Price Reporting single sign-on
To configure single sign-on on the Predictix Price Reporting side, you need to send the certificate that you
downloaded and the URLs that you copied from the Azure portal to the Predictix Price Reporting support team.
This team ensures the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user named Britta Simon in the Azure portal.
1. In the Azure portal, select Azure Active Directory in the left pane, select Users, and then select All users:
4. Select Add user, and then select Users and groups in the Add Assignment dialog box.
5. In the Users and groups dialog box, select Britta Simon in the users list, and then click the Select button
at the bottom of the screen.
6. If you expect a role value in the SAML assertion, in the Select Role dialog box, select the appropriate role
for the user from the list. Click the Select button at the bottom of the screen.
7. In the Add Assignment dialog box, select Assign.
Create a Predictix Price Reporting test user
Next, you need to create a user named Britta Simon in Predictix Price Reporting. Work with the Predictix Price
Reporting support team to add users. Users need to be created and activated before you use single sign-on.
Test single sign-on
Now you need to test your Azure AD single sign-on configuration by using the Access Panel.
When you select the Predictix Price Reporting tile in the Access Panel, you should be automatically signed in to the
Predictix Price Reporting instance for which you set up SSO. For more information, see Access and use apps on the
My Apps portal.
Additional resources
Tutorials for integrating SaaS applications with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Printix
2/12/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Printix with Azure Active Directory (Azure AD).
Integrating Printix with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Printix
You can enable your users to automatically get signed-on to Printix (Single Sign-On) with their Azure AD
accounts
You can manage your accounts in one central location - the Azure portal
If you want to know more details about SaaS app integration with Azure AD, see what is application access and
single sign-on with Azure Active Directory.
Prerequisites
To configure Azure AD integration with Printix, you need the following items:
An Azure AD subscription
A Printix single sign-on enabled subscription
NOTE
To test the steps in this tutorial, we do not recommend using a production environment.
To test the steps in this tutorial, you should follow these recommendations:
Do not use your production environment, unless it is necessary.
If you don't have an Azure AD trial environment, you can get a one-month trial here.
Scenario description
In this tutorial, you test Azure AD single sign-on in a test environment. The scenario outlined in this tutorial
consists of two main building blocks:
1. Adding Printix from the gallery
2. Configuring and testing Azure AD single sign-on
3. To add a new application, click the New application button at the top of the dialog.
5. In the results panel, select Printix, and then click the Add button to add the application.
2. On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable single sign-on.
3. On the Printix Domain and URLs section, perform the following steps:
In the Sign-on URL textbox, type a URL using the following pattern: https://<subdomain>.printix.net
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Printix Client support team to get the
value.
4. On the SAML Signing Certificate section, click Metadata XML and then save the metadata file on your
computer.
TIP
You can now read a concise version of these instructions inside the Azure portal, while you are setting up the app! After
adding this app from the Active Directory > Enterprise Applications section, simply click the Single Sign-On tab and
access the embedded documentation through the Configuration section at the bottom. You can read more about the
embedded documentation feature here: Azure AD embedded documentation
2. To display the list of users, go to Users and groups and click All users.
3. To open the User dialog, click Add on the top of the dialog.
NOTE
If you need to create a user manually, you need to contact the Printix support team.
4. Click the Add button. Then select Users and groups on the Add Assignment dialog.
5. On the Users and groups dialog, select Britta Simon in the Users list.
6. Click the Select button on the Users and groups dialog.
7. Click the Assign button on the Add Assignment dialog.
Testing single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Printix tile in the Access Panel, you should get automatically signed-on to your Printix
application.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Prisma Cloud
9/18/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Prisma Cloud with Azure Active Directory (Azure AD). When you
integrate Prisma Cloud with Azure AD, you can:
Control in Azure AD who has access to Prisma Cloud.
Enable your users to be automatically signed-in to Prisma Cloud with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Prisma Cloud single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Prisma Cloud supports IDP initiated SSO
Prisma Cloud supports Just In Time user provisioning
4. On the Set up single sign-on with SAML page, enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://app2.prismacloud.io/customer/<CUSTOMERID>
b. The Reply URL values are fixed and already pre-populated in Azure portal. You need to select the
appropriate URL according to your requirement.
NOTE
The Identifier value is not real. Update the value with the actual Identifier. Contact Prisma Cloud Client support team
to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up Prisma Cloud section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Prisma Cloud.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Prisma Cloud.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Prisma Cloud tile in the Access Panel, you should be automatically signed in to the Prisma
Cloud for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Prisma Cloud with Azure AD
Tutorial: Azure Active Directory integration with
Procore SSO
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Procore SSO with Azure Active Directory (Azure AD). Integrating
Procore SSO with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Procore SSO.
You can enable your users to be automatically signed-in to Procore SSO (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Procore SSO, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Procore SSO single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Procore SSO supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Procore SSO, select Procore SSO from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Procore SSO section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Procore SSO Single Sign-On
1. To configure single sign-on on the Procore SSO side, sign in to your Procore company site as an administrator.
2. From the toolbox drop-down, click Admin to open the SSO settings page.
a. In the Single Sign On Issuer URL text box, paste the value of Azure AD Identifier which you have
copied from the Azure portal.
b. In the SAML Sign On Target URL box, paste the value of Login URL which you have copied from the
Azure portal.
c. Now open the Federation Metadata XML downloaded above from the Azure portal and copy the
certificate in the tag named X509Certificate. Paste the copied value into the Single Sign On x509
Certificate box.
4. Click on Save Changes.
5. After these settings, you need to send the domain name (e.g. contoso.com) through which you are
logging into Procore to the Procore Support team and they will activate federated SSO for that domain.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Procore SSO test user
Please follow the below steps to create a Procore test user on Procore SSO side.
1. Sign in to your Procore company site as an administrator.
2. From the toolbox drop-down, click Directory to open the company directory page.
3. Click the Add a Person option to open the form and perform the following steps:
a. In the First Name textbox, type user's first name like Britta.
b. In the Last name textbox, type user's last name like Simon.
c. In the Email Address textbox, type user's email address like BrittaSimon@contoso.com.
d. Select Permission Template as Apply Permission Template Later.
e. Click Create.
4. Check and update the details for the newly added contact.
5. Click on Save and Send Invitation (if an invite through mail is required) or Save (Save directly) to
complete the user registration.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate productboard with Azure Active
Directory
7/23/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate productboard with Azure Active Directory (Azure AD). When you
integrate productboard with Azure AD, you can:
Control in Azure AD who has access to productboard.
Enable your users to be automatically signed-in to productboard with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get one-month free trial here.
productboard single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
productboard supports SP and IDP initiated SSO
productboard supports Just In Time user provisioning
4. In the Basic SAML Configuration section, if you want to configure the application in IDP initiated mode,
enter the values for the following fields:
In the Reply URL text box, type a URL using the following pattern:
https://<projectname>.productboard.com/users/auth/saml/callback
5. Click Set additional URLs and perform the following step if you want to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<projectname>.productboard.com/
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact productboard
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create productboard test user
In this section, a user called B.Simon is created in productboard. productboard supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in productboard, a new one is created after authentication.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the productboard tile in the Access Panel, you should be automatically signed in to the
productboard for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Integrate Projectplace with Azure Active
Directory
6/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Projectplace with Azure Active Directory (Azure AD). When you
integrate Projectplace with Azure AD, you can:
Control in Azure AD who has access to Projectplace.
Enable your users to be automatically signed-in to Projectplace with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
Users can be provisioned in Projectplace automatically.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Projectplace single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Projectplace supports SP and IDP
initiated SSO and supports Just In Time user provisioning.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
the application is pre-configured and the necessary URLs are already pre-populated with Azure. The user
needs to save the configuration by clicking the Save button.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://service.projectplace.com
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
icon to copy the App Federation Metadata Url, as per your requirement, and save it in Notepad.
7. On the Set up Projectplace section, copy the appropriate URL(s) based on your requirement.
Configure Projectplace
To configure single sign-on on the Projectplace side, you need to send the copied App Federation Metadata
Url from the Azure portal to the Projectplace support team. This team ensures the SAML SSO connection is set
properly on both sides.
NOTE
The single sign-on configuration has to be performed by the Projectplace support team. You'll get a notification as soon as
the configuration is complete.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B. Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Projectplace test user
NOTE
You can skip this step if you have provisioning enabled in Projectplace. You can ask the Projectplace support team to enable
provisioning; once that is done, users will be created in Projectplace during the first login.
To enable Azure AD users to sign in to Projectplace, you need to add them to Projectplace. You need to add them
manually.
To create a user account, take these steps:
1. Sign in to your Projectplace company site as an admin.
2. Go to People, and then select Members:
NOTE
You can also use any other user-account creation tool or API provided by Projectplace to add Azure AD user accounts.
Test SSO
When you select the Projectplace tile in the Access Panel, you should be automatically signed in to the Projectplace
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Promapp
6/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Promapp with Azure Active Directory (Azure AD). This integration
provides these benefits:
You can use Azure AD to control who has access to Promapp.
You can enable your users to be automatically signed in to Promapp (single sign-on) with their Azure AD
accounts.
You can manage your accounts in one central location: the Azure portal.
To learn more about SaaS app integration with Azure AD, see Single sign-on to applications in Azure Active
Directory.
If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
To configure Azure AD integration with Promapp, you need to have:
An Azure AD subscription. If you don't have an Azure AD environment, you can sign up for a one-month trial.
A Promapp subscription that has single sign-on enabled.
Scenario description
In this tutorial, you'll configure and test Azure AD single sign-on in a test environment.
Promapp supports SP-initiated and IdP-initiated SSO.
Promapp supports just-in-time user provisioning.
4. In the search box, enter Promapp. Select Promapp in the search results and then select Add.
3. On the Set up Single Sign-On with SAML page, select the Edit icon to open the Basic SAML
Configuration dialog box:
4. In the Basic SAML Configuration dialog box, if you want to configure the application in IdP-initiated
mode, complete the following steps.
a. In the Identifier box, enter a URL in this pattern:
https://go.promapp.com/TENANTNAME/
https://au.promapp.com/TENANTNAME/
https://us.promapp.com/TENANTNAME/
https://eu.promapp.com/TENANTNAME/
https://ca.promapp.com/TENANTNAME/
NOTE
Azure AD integration with Promapp is currently configured only for service-initiated authentication. (That is,
going to a Promapp URL initiates the authentication process.) But the Reply URL field is a required field.
5. If you want to configure the application in SP-initiated mode, select Set additional URLs. In the Sign on
URL box, enter a URL in this pattern:
https://<DOMAINNAME>.promapp.com/TENANTNAME/saml/authenticate
NOTE
These values are placeholders. You need to use the actual identifier, reply URL, and sign-on URL. Contact the
Promapp support team to get the values. You can also refer to the patterns shown in the Basic SAML
Configuration dialog box in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select the
Download link next to Certificate (Base64), per your requirements, and save the certificate on your
computer:
7. In the Set up Promapp section, copy the appropriate URLs, based on your requirements:
a. Login URL.
b. Azure AD Identifier.
c. Logout URL.
Configure Promapp single sign-on
1. Sign in to your Promapp company site as an admin.
2. In the menu at the top of the window, select Admin:
3. Select Configure:
4. In the Security dialog box, take the following steps.
a. Paste the Login URL that you copied from the Azure portal into the SSO-Login URL box.
b. In the SSO - Single Sign-on Mode list, select Optional. Select Save.
NOTE
Optional mode is for testing only. After you're happy with the configuration, select Required in the SSO -
Single Sign-on Mode list to force all users to authenticate with Azure AD.
c. In Notepad, open the certificate that you downloaded in the previous section. Copy the contents of
the certificate without the first line (-----BEGIN CERTIFICATE-----) or the last line (-----END
CERTIFICATE-----). Paste the certificate content into the SSO-x.509 Certificate box, and then select
Save.
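The two certificate hand-offs described above (Procore's "copy the certificate in the tag named X509Certificate" step and Promapp's "without the first line or the last line" step) can be scripted and checked instead of done by hand in Notepad. This is an added example, not code from the original tutorials or from Microsoft, Procore or Promapp; the function names, the sample metadata and the sample PEM text are constructed for illustration, with placeholder bytes standing in for a real certificate.

```python
"""Added example: pull the SAML signing certificate out of Federation Metadata
XML and reduce a Base64 (PEM) download to the bare body an SP form expects."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalise_b64(text):
    """Drop line wrapping and confirm the remainder is strict base64."""
    body = "".join(text.split())
    if not body:
        raise ValueError("empty certificate body")
    base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    return body


def pem_body(pem_text):
    """Return the certificate body without the BEGIN/END lines."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no BEGIN/END CERTIFICATE armour found")
    return normalise_b64(match.group(1))


def signing_certs_from_metadata(xml_text):
    """Return (entityID, [cert bodies]) for the IdP's signing keys only."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in metadata")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not a SAML EntityDescriptor")
    certs = []
    for key in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # 'use' is optional in SAML metadata; when absent the key serves both
        # signing and encryption, so only an explicit 'encryption' is skipped.
        if key.get("use") == "encryption":
            continue
        for node in key.iterfind(".//ds:X509Certificate", NS):
            certs.append(normalise_b64(node.text or ""))
    if not certs:
        raise ValueError("no IdP signing certificate in metadata")
    return root.get("entityID"), certs


def sha256_fingerprint(b64_body):
    """Hex SHA-256 of the decoded bytes, for comparing copies of a certificate."""
    return hashlib.sha256(base64.b64decode(b64_body)).hexdigest()


def pasted_value_matches(pasted_text, metadata_xml):
    """True if the value pasted into the SP form is one of the signing certs."""
    wanted = {sha256_fingerprint(c)
              for c in signing_certs_from_metadata(metadata_xml)[1]}
    return sha256_fingerprint(normalise_b64(pasted_text)) in wanted


# Constructed sample input. The bytes are placeholders, not real certificates,
# and the entityID uses an all-zero tenant GUID.
FAKE_SIGNING_DER = b"constructed placeholder bytes, not a real X.509 certificate"
FAKE_SIGNING_B64 = base64.b64encode(FAKE_SIGNING_DER).decode()
FAKE_ENCRYPTION_B64 = base64.b64encode(b"constructed encryption key").decode()
SAMPLE_METADATA = f"""<EntityDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {FAKE_SIGNING_B64[:40]}
      {FAKE_SIGNING_B64[40:]}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {FAKE_ENCRYPTION_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + FAKE_SIGNING_B64[:64] + "\n" + FAKE_SIGNING_B64[64:] + "\n"
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    entity_id, certs = signing_certs_from_metadata(SAMPLE_METADATA)
    print("IdP entityID:", entity_id)
    for cert in certs:
        print("signing cert sha256:", sha256_fingerprint(cert))
    print("PEM body matches metadata:",
          pasted_value_matches(pem_body(SAMPLE_PEM), SAMPLE_METADATA))
```

Passing the full PEM text, BEGIN/END lines included, to `pasted_value_matches` raises `ValueError`, which is the paste mistake the Promapp step warns against.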
Create an Azure AD test user
In this section, you'll create a test user named Britta Simon in the Azure portal.
1. In the Azure portal, select Azure Active Directory in the left pane, select Users, and then select All users:
2. Select New user at the top of the screen:
4. Select Add user, and then select Users and groups in the Add Assignment dialog box.
5. In the Users and groups dialog box, select Britta Simon in the users list, and then click the Select button
at the bottom of the screen.
6. If you expect a role value in the SAML assertion, in the Select Role dialog box, select the appropriate role
for the user from the list. Click the Select button at the bottom of the screen.
7. In the Add Assignment dialog box, select Assign.
Just-in-time user provisioning
Promapp supports just-in-time user provisioning. This feature is enabled by default. If a user doesn't already exist
in Promapp, a new one is created after authentication.
Test single sign-on
Now you need to test your Azure AD single sign-on configuration by using the Access Panel.
When you select the Promapp tile in the Access Panel, you should be automatically signed in to the Promapp
instance for which you set up SSO. For more information about the Access Panel, see Access and use apps on the
My Apps portal.
Additional resources
Tutorials for integrating SaaS applications with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
ProMaster (by Inlogik)
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate ProMaster (by Inlogik) with Azure Active Directory (Azure AD).
Integrating ProMaster (by Inlogik) with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to ProMaster (by Inlogik).
You can enable your users to be automatically signed-in to ProMaster (by Inlogik) (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ProMaster (by Inlogik), you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
ProMaster (by Inlogik) single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ProMaster (by Inlogik) supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type ProMaster (by Inlogik), select ProMaster (by Inlogik) from the result panel, then click
the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://secure.inlogik.com/<COMPANYNAME>
https://<CUSTOMDOMAIN>/SAMLBASE
b. In the Reply URL text box, type a URL using the following pattern:
https://secure.inlogik.com/<COMPANYNAME>/saml/acs
https://<CUSTOMDOMAIN>/SAMLBASE/saml/acs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://secure.inlogik.com/<COMPANYNAME>/saml/acs
https://<CUSTOMDOMAIN>/SAMLBASE/saml/acs
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
ProMaster (by Inlogik) Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create ProMaster (by Inlogik) test user
In this section, you create a user called Britta Simon in ProMaster (by Inlogik). Work with ProMaster (by Inlogik)
support team to add the users in the ProMaster (by Inlogik) platform. Users must be created and activated before
you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ProMaster (by Inlogik) tile in the Access Panel, you should be automatically signed in to the
ProMaster (by Inlogik) for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate ProNovos Ops Manager with
Azure Active Directory
9/3/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate ProNovos Ops Manager with Azure Active Directory (Azure AD).
When you integrate ProNovos Ops Manager with Azure AD, you can:
Control in Azure AD who has access to ProNovos Ops Manager.
Enable your users to be automatically signed-in to ProNovos Ops Manager with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
ProNovos Ops Manager single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
ProNovos Ops Manager supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section the application is pre-configured in IDP initiated mode and the
necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking
the Save button.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://gly.smartsubz.com/saml2/acs
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Raw) and select Download to download the certificate and save it on your computer.
7. On the Set up ProNovos Ops Manager section, copy the appropriate URL(s) based on your requirement.
Configure ProNovos Ops Manager SSO
To configure single sign-on on the ProNovos Ops Manager side, you need to send the downloaded Certificate
(Raw) and the appropriate copied URLs from the Azure portal to the ProNovos Ops Manager support team. They apply
these settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to ProNovos Ops Manager.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select ProNovos Ops Manager.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create ProNovos Ops Manager test user
In this section, you create a user called B.Simon in ProNovos Ops Manager. Work with ProNovos Ops Manager
support team to add the users in the ProNovos Ops Manager platform. Users must be created and activated
before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ProNovos Ops Manager tile in the Access Panel, you should be automatically signed in to the
ProNovos Ops Manager for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Proofpoint on Demand
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Proofpoint on Demand with Azure Active Directory (Azure AD).
Integrating Proofpoint on Demand with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Proofpoint on Demand.
You can enable your users to be automatically signed-in to Proofpoint on Demand (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Proofpoint on Demand, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Proofpoint on Demand single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Proofpoint on Demand supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Proofpoint on Demand, select Proofpoint on Demand from the result panel, and then
click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier box, type a URL using the following pattern: https://<hostname>.pphosted.com/ppssamlsp
c. In the Reply URL text box, type a URL using the following pattern:
https://<hostname>.pphosted.com:portnumber/v1/samlauth/samlconsumer
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact
Proofpoint on Demand Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Proofpoint on Demand section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Proofpoint on Demand Single Sign-On
To configure single sign-on on the Proofpoint on Demand side, you need to send the downloaded Certificate
(Base64) and the appropriate copied URLs from the Azure portal to the Proofpoint on Demand support team. They
configure this setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Proofpoint on Demand test user
In this section, you create a user called Britta Simon in Proofpoint on Demand. Work with Proofpoint on Demand
Client support team to add users in the Proofpoint on Demand platform.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Proofpoint on Demand tile in the Access Panel, you should be automatically signed in to the
Proofpoint on Demand for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Proxyclick
6/13/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Proxyclick with Azure Active Directory (Azure AD). This integration
provides these benefits:
You can use Azure AD to control who has access to Proxyclick.
You can enable your users to be automatically signed in to Proxyclick (single sign-on) with their Azure AD
accounts.
You can manage your accounts in one central location: the Azure portal.
To learn more about SaaS app integration with Azure AD, see Single sign-on to applications in Azure Active
Directory.
If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
To configure Azure AD integration with Proxyclick, you need to have:
An Azure AD subscription. If you don't have an Azure AD environment, you can sign up for a one-month trial.
A Proxyclick subscription that has single sign-on enabled.
Scenario description
In this tutorial, you'll configure and test Azure AD single sign-on in a test environment.
Proxyclick supports SP-initiated and IdP-initiated SSO.
4. In the search box, enter Proxyclick. Select Proxyclick in the search results and then select Add.
3. On the Set up Single Sign-On with SAML page, select the Edit icon to open the Basic SAML
Configuration dialog box:
4. In the Basic SAML Configuration dialog box, if you want to configure the application in IdP-initiated
mode, take the following steps.
a. In the Identifier box, enter a URL in this pattern:
https://saml.proxyclick.com/init/<companyId>
5. If you want to configure the application in SP-initiated mode, select Set additional URLs. In the Sign on
URL box, enter a URL in this pattern:
https://saml.proxyclick.com/init/<companyId>
NOTE
These values are placeholders. You need to use the actual identifier, reply URL, and sign-on URL. Steps for getting
these values are described later in this tutorial.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select the
Download link next to Certificate (Base64), per your requirements, and save the certificate on your
computer:
7. In the Set up Proxyclick section, copy the appropriate URLs, based on your requirements:
a. Login URL.
b. Azure AD Identifier.
c. Logout URL.
Configure Proxyclick single sign-on
1. In a new web browser window, sign in to your Proxyclick company site as an admin.
2. Select Account & Settings:
4. Select Add user, and then select Users and groups in the Add Assignment dialog box.
5. In the Users and groups dialog box, select Britta Simon in the users list, and then click the Select button
at the bottom of the window.
6. If you expect a role value in the SAML assertion, in the Select Role dialog box, select the appropriate role
for the user from the list. Click the Select button at the bottom of the window.
7. In the Add Assignment dialog box, select Assign.
Create a Proxyclick test user
To enable Azure AD users to sign in to Proxyclick, you need to add them to Proxyclick. You need to add them
manually.
To create a user account, take these steps:
1. Sign in to your Proxyclick company site as an admin.
2. Select Colleagues at the top of the window:
a. In the Email box, enter the email address of the user. In this case, brittasimon@contoso.com.
b. In the First Name box, enter the first name of the user. In this case, Britta.
c. In the Last Name box, enter the last name of the user. In this case, Simon.
d. Select Add User.
Test single sign-on
Now you need to test your Azure AD single sign-on configuration by using the Access Panel.
When you select the Proxyclick tile in the Access Panel, you should be automatically signed in to the Proxyclick
instance for which you set up SSO. For more information about the Access Panel, see Access and use apps on the
My Apps portal.
Additional resources
Tutorials for integrating SaaS applications with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with PureCloud by Genesys
10/31/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate PureCloud by Genesys with Azure Active Directory (Azure AD). After
you do that, you can:
Use Azure AD to control which users can access PureCloud by Genesys.
Enable your users to be automatically signed-in to PureCloud by Genesys with their Azure AD accounts.
Manage your accounts in one central location: the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have one, you can get a free account.
A PureCloud by Genesys single sign-on (SSO)-enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
PureCloud by Genesys supports SP- and IDP-initiated SSO.
NOTE
Because the ID for this application is a fixed-string value, only one instance can be configured in one tenant.
4. In the Basic SAML Configuration section, if you want to configure the application in IDP-initiated mode,
enter the values for the following fields:
a. In the Identifier box, enter a URL that corresponds to your region:
https://login.mypurecloud.com/saml
https://login.mypurecloud.de/saml
https://login.mypurecloud.jp/saml
https://login.mypurecloud.ie/saml
https://login.mypurecloud.au/saml
b. In the Reply URL box, enter a URL that corresponds to your region:
https://login.mypurecloud.com/saml
https://login.mypurecloud.de/saml
https://login.mypurecloud.jp/saml
https://login.mypurecloud.ie/saml
https://login.mypurecloud.com.au/saml
5. Select Set additional URLs and take the following step if you want to configure the application in SP
initiated mode:
In the Sign-on URL box, enter a URL that corresponds to your region:
https://login.mypurecloud.com
https://login.mypurecloud.de
https://login.mypurecloud.jp
https://login.mypurecloud.ie
https://login.mypurecloud.com.au
6. PureCloud by Genesys application expects the SAML assertions in a specific format, which requires you to
add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes:
7. Additionally, PureCloud by Genesys application expects a few more attributes to be passed back in the
SAML response, as shown in the following table. These attributes are also pre-populated, but you can
review them as needed.
Email user.userprincipalname
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
9. In the Set up PureCloud by Genesys section, copy the appropriate URL (or URLs), based on your
requirements.
5. In the Users and groups dialog box, select B.Simon from the Users list, and then choose the Select button
at the bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog box, select the
appropriate role for the user from the list, and then choose the Select button at the bottom of the screen.
7. In the Add Assignment dialog box, select the Assign button.
3. Switch to the ADFS/Azure AD (Premium) tab, and then follow these steps:
a. Select Browse to upload the base-64 encoded certificate that you downloaded from the Azure portal into
the ADFS Certificate.
b. In the ADFS Issuer URI box, paste the value of Azure AD Identifier that you copied from the Azure
portal.
c. In the Target URI box, paste the value of Login URL that you copied from the Azure portal.
d. For the Relying Party Identifier value, go to the Azure portal, and then on the PureCloud by Genesys
application integration page, select the Properties tab and copy the Application ID value. Paste it into the
Relying Party Identifier box.
e. Select Save.
Create PureCloud by Genesys test user
To enable Azure AD users to sign in to PureCloud by Genesys, they must be provisioned into PureCloud by
Genesys. In PureCloud by Genesys, provisioning is a manual task.
To provision a user account, follow these steps:
1. Log in to PureCloud by Genesys as an administrator.
2. Select Admin at the top and go to People under People & Permissions.
4. In the Add People to the Organization dialog box, follow these steps:
a. In the Full Name box, enter the name of a user. For example: B.simon.
b. In the Email box, enter the email of the user. For example: b.simon@contoso.com.
c. Select Create.
Test SSO
In this section, you test your Azure AD single sign-on configuration by using the Access Panel.
When you select the PureCloud by Genesys tile in the Access Panel, you should be automatically signed in to the
PureCloud by Genesys account that you set up SSO for. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional resources
List of tutorials about how to integrate SaaS apps with Azure AD
What is application access and single sign-on with Azure AD?
What is conditional access in Azure AD?
Try PureCloud by Genesys with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with PurelyHR
10/18/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate PurelyHR with Azure Active Directory (Azure AD). When you integrate
PurelyHR with Azure AD, you can:
Control in Azure AD who has access to PurelyHR.
Enable your users to be automatically signed-in to PurelyHR with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
PurelyHR single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
PurelyHR supports SP and IDP initiated SSO
PurelyHR supports Just In Time user provisioning
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
In the Reply URL text box, type a URL using the following pattern:
https://<companyID>.purelyhr.com/sso-consume
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<companyID>.purelyhr.com/sso-initiate
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact PurelyHR Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. On the Set up PurelyHR section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After you add the extension to the browser, clicking Set up PurelyHR directs you to the PurelyHR
application. From there, provide the admin credentials to sign in to PurelyHR. The browser extension will
automatically configure the application for you and automate steps 3-5.
3. If you want to set up PurelyHR manually, open a new web browser window and sign in to your PurelyHR
company site as an administrator and perform the following steps:
4. Open the Dashboard from the options in the toolbar and click SSO Settings.
5. Paste the values in the boxes as described below:
a. Open the Certificate (Base64) downloaded from the Azure portal in Notepad and copy the certificate
value. Paste the copied value into the X.509 Certificate box.
b. In the Idp Issuer URL box, paste the Azure AD Identifier copied from the Azure portal.
c. In the Idp Endpoint URL box, paste the Login URL copied from the Azure portal.
d. Check the Auto-Create Users checkbox to enable automatic user provisioning in PurelyHR.
e. Click Save Changes to save the settings.
Create PurelyHR test user
This step is usually not required because the application supports just-in-time user provisioning. If automatic user
provisioning is not enabled, manual user creation can be done as described below.
Sign in to your Velpic SAML company site as an administrator and perform the following steps:
1. Click the Manage tab and go to the Users section, then click the New button to add users.
2. On the “Create New User” dialog page, perform the following steps.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the PurelyHR tile in the Access Panel, you should be automatically signed in to the PurelyHR for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try PurelyHR with Azure AD
Tutorial: Integrate Qlik Sense Enterprise with Azure
Active Directory
10/30/2019 • 9 minutes to read
In this tutorial, you'll learn how to integrate Qlik Sense Enterprise with Azure Active Directory (Azure AD). When
you integrate Qlik Sense Enterprise with Azure AD, you can:
Control in Azure AD who has access to Qlik Sense Enterprise.
Enable your users to be automatically signed-in to Qlik Sense Enterprise with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
Qlik Sense Enterprise single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Qlik Sense Enterprise supports SP
initiated SSO.
4. On the Basic SAML Configuration page, enter the values for the following fields:
a. In the Sign-on URL textbox, type a URL using the following pattern:
https://<Fully Qualified Domain Name>:443{/virtualproxyprefix}/hub
c. In the Reply URL textbox, type a URL using the following pattern:
https://<Fully Qualified Domain Name>:443{/virtualproxyprefix}/samlauthn/
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier, and Reply URL, which are
explained later in this tutorial, or contact the Qlik Sense Enterprise Client support team to get these values. The
default port for the URLs is 443, but you can customize it per your organization's needs.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML from the given options as per your requirement and save it on your computer.
Configure Qlik Sense Enterprise SSO
1. Prepare the Federation Metadata XML file so that you can upload it to the Qlik Sense server.
NOTE
Before uploading the IdP metadata to the Qlik Sense server, the file needs to be edited to remove information to
ensure proper operation between Azure AD and Qlik Sense server.
a. In a text editor, open the FederationMetaData.xml file that you downloaded from the Azure portal.
b. Search for the value RoleDescriptor. There are four entries (two pairs of opening and closing element
tags).
c. Delete the RoleDescriptor tags and all information in between from the file.
d. Save the file and keep it nearby for use later in this document.
2. Navigate to the Qlik Sense Qlik Management Console (QMC) as a user who can create virtual proxy
configurations.
3. In the QMC, click on the Virtual Proxies menu item.
5. The Virtual proxy edit screen appears. On the right side of the screen is a menu for making configuration
options visible.
6. With the Identification menu option checked, enter the identifying information for the Azure virtual proxy
configuration.
a. The Description field is a friendly name for the virtual proxy configuration. Enter a value for a
description.
b. The Prefix field identifies the virtual proxy endpoint for connecting to Qlik Sense with Azure AD Single
Sign-On. Enter a unique prefix name for this virtual proxy.
c. Session inactivity timeout (minutes) is the timeout for connections through this virtual proxy.
d. The Session cookie header name is the cookie name storing the session identifier for the Qlik Sense
session a user receives after successful authentication. This name must be unique.
7. Click on the Authentication menu option to make it visible. The Authentication screen appears.
a. The Anonymous access mode drop down determines if anonymous users may access Qlik Sense
through the virtual proxy. The default option is No anonymous user.
b. The Authentication method drop-down determines the authentication scheme the virtual proxy will
use. Select SAML from the drop-down list. More options appear as a result.
c. In the SAML host URI field, input the hostname users enter to access Qlik Sense through this SAML
virtual proxy. The hostname is the URI of the Qlik Sense server.
d. In the SAML entity ID, enter the same value entered for the SAML host URI field.
e. The SAML IdP metadata is the file edited earlier in the Edit Federation Metadata from Azure AD
Configuration section. Before uploading the IdP metadata, the file needs to be edited to remove
information to ensure proper operation between Azure AD and Qlik Sense server. Please refer to the
instructions above if the file has yet to be edited. If the file has been edited click on the Browse button
and select the edited metadata file to upload it to the virtual proxy configuration.
f. Enter the attribute name or schema reference for the SAML attribute representing the UserID Azure AD
sends to the Qlik Sense server. Schema reference information is available in the Azure app screens post
configuration. To use the name attribute, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name .
g. Enter the value for the user directory that will be attached to users when they authenticate to Qlik Sense
server through Azure AD. Hardcoded values must be surrounded by square brackets []. To use an attribute
sent in the Azure AD SAML assertion, enter the name of the attribute in this text box without square
brackets.
h. The SAML signing algorithm sets the service provider (in this case Qlik Sense server) certificate signing
for the virtual proxy configuration. If Qlik Sense server uses a trusted certificate generated using Microsoft
Enhanced RSA and AES Cryptographic Provider, change the SAML signing algorithm to SHA-256.
i. The SAML attribute mapping section allows for additional attributes like groups to be sent to Qlik Sense
for use in security rules.
8. Click on the LOAD BALANCING menu option to make it visible. The Load Balancing screen appears.
9. Click on the Add new server node button, select the engine node or nodes that Qlik Sense will send sessions to
for load balancing purposes, and click the Add button.
10. Click on the Advanced menu option to make it visible. The Advanced screen appears.
The Host allow list identifies hostnames that are accepted when connecting to the Qlik Sense server. Enter
the hostname users will specify when connecting to Qlik Sense server. The hostname is the same
value as the SAML host URI without the https://.
11. Click the Apply button.
12. Click OK to accept the warning message that states proxies linked to the virtual proxy will be restarted.
13. On the right side of the screen, the Associated items menu appears. Click on the Proxies menu option.
14. The proxy screen appears. Click the Link button at the bottom to link a proxy to the virtual proxy.
15. Select the proxy node that will support this virtual proxy connection and click the Link button. After linking,
the proxy will be listed under associated proxies.
16. After about five to ten seconds, the Refresh QMC message will appear. Click the Refresh QMC button.
17. When the QMC refreshes, click on the Virtual proxies menu item. The new SAML virtual proxy entry is
listed in the table on the screen. Single click on the virtual proxy entry.
18. At the bottom of the screen, the Download SP metadata button will activate. Click the Download SP
metadata button to save the metadata to a file.
19. Open the SP metadata file. Observe the entityID entry and the AssertionConsumerService entry. These
values are equivalent to the Identifier, Sign on URL and the Reply URL in the Azure AD application
configuration. Paste these values into the Qlik Sense Enterprise Domain and URLs section in the Azure AD
application configuration. If they do not match the values already entered, replace them in the Azure AD App
configuration wizard.
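Steps 1 and 19 above as a script, added here as an example and not part of the original tutorial or of Qlik's or Microsoft's tooling: it removes the RoleDescriptor elements from the IdP metadata and compares the entityID and AssertionConsumerService values in the SP metadata with what was entered in Azure AD. The hostnames, the virtual proxy prefix, the function names and both metadata samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)  # keep a readable prefix when re-serialising


def _q(name):
    """Qualified tag name in the SAML metadata namespace."""
    return f"{{{MD_NS}}}{name}"


def strip_role_descriptors(metadata_xml):
    """Step 1: drop every RoleDescriptor element and everything inside it.

    Returns (cleaned_xml, number_removed). If the downloaded file carries an
    enveloped XML signature, that signature no longer verifies after this
    edit, so keep the original download next to the edited copy.
    """
    root = ET.fromstring(metadata_xml)
    removed = 0
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == _q("RoleDescriptor"):
                parent.remove(child)
                removed += 1
    # Assumption of this example: the SAML endpoints of the IdP are described
    # in IDPSSODescriptor, so refuse to emit a file that no longer has one.
    if root.find(f".//{_q('IDPSSODescriptor')}") is None:
        raise ValueError("no IDPSSODescriptor left in metadata")
    return ET.tostring(root, encoding="unicode"), removed


def sp_endpoints(sp_metadata_xml):
    """Step 19: read entityID and the AssertionConsumerService locations."""
    root = ET.fromstring(sp_metadata_xml)
    if root.tag == _q("EntityDescriptor"):
        entity = root
    else:
        entity = root.find(f".//{_q('EntityDescriptor')}")
    if entity is None:
        raise ValueError("no EntityDescriptor in SP metadata")
    acs = [e.get("Location") for e in entity.iter(_q("AssertionConsumerService"))]
    return {"entity_id": entity.get("entityID"), "acs_urls": acs}


def compare_with_azure(sp, identifier, reply_url):
    """Return a list of mismatches; values are compared as exact strings."""
    problems = []
    if sp["entity_id"] != identifier:
        problems.append(f"Identifier {identifier!r} != entityID {sp['entity_id']!r}")
    if reply_url not in sp["acs_urls"]:
        problems.append(f"Reply URL {reply_url!r} not among ACS URLs {sp['acs_urls']}")
    return problems


# Constructed sample of a downloaded federation metadata file (not real data).
SAMPLE_IDP_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    entityID="https://sts.example.test/00000000-0000-0000-0000-000000000000/">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TokenTypesOffered/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.test/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed sample of the SP metadata downloaded from the QMC (not real data).
SAMPLE_SP_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://qlik.example.test">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://qlik.example.test:443/azure/samlauthn/"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    cleaned, removed = strip_role_descriptors(SAMPLE_IDP_METADATA)
    print(f"removed {removed} RoleDescriptor element(s)")
    sp = sp_endpoints(SAMPLE_SP_METADATA)
    # A Reply URL entered without the trailing slash is reported as a mismatch.
    for problem in compare_with_azure(
        sp, "https://qlik.example.test", "https://qlik.example.test:443/azure/samlauthn"
    ):
        print("MISMATCH:", problem)
```

For real files, read the downloaded XML from disk, pass its text to `strip_role_descriptors`, and write the returned string to a new file rather than overwriting the download.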
5. In the Users and groups dialog, select Britta Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Qlik Sense Enterprise test user
In this section, you create a user called Britta Simon in Qlik Sense Enterprise. Work with Qlik Sense Enterprise
support team to add the users in the Qlik Sense Enterprise platform. Users must be created and activated before
you use single sign-on.
Test SSO
When you select the Qlik Sense Enterprise tile in the Access Panel, you should be automatically signed in to the
Qlik Sense Enterprise for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Qmarkets Idea & Innovation
Management
11/26/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Qmarkets Idea & Innovation Management with Azure Active Directory
(Azure AD). When you integrate Qmarkets Idea & Innovation Management with Azure AD, you can:
Control in Azure AD who has access to Qmarkets Idea & Innovation Management.
Enable your users to be automatically signed-in to Qmarkets Idea & Innovation Management with their Azure
AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Qmarkets Idea & Innovation Management single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Qmarkets Idea & Innovation Management supports SP and IDP initiated SSO
Qmarkets Idea & Innovation Management supports Just In Time user provisioning
Configure and test Azure AD single sign-on for Qmarkets Idea &
Innovation Management
Configure and test Azure AD SSO with Qmarkets Idea & Innovation Management using a test user called
B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the related
user in Qmarkets Idea & Innovation Management.
To configure and test Azure AD SSO with Qmarkets Idea & Innovation Management, complete the following
building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure Qmarkets Idea & Innovation Management SSO - to configure the single sign-on settings on
application side.
a. Create Qmarkets Idea & Innovation Management test user - to have a counterpart of B.Simon in
Qmarkets Idea & Innovation Management that is linked to the Azure AD representation of user.
3. Test SSO - to verify whether the configuration works.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://<app_url>/sso/saml2/metadata/qmarkets_sp_<endpoint_id>
b. In the Reply URL text box, type a URL using the following pattern:
https://<app_url>/sso/saml2/acs/qmarkets_sp_<endpoint_id>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<app_url>/sso/saml2/endpoint/qmarkets_sp_<endpoint_id>
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
Qmarkets Idea & Innovation Management Client support team to get these values. You can also refer to the patterns
shown in the Basic SAML Configuration section in the Azure portal.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Qmarkets Idea & Innovation Management tile in the Access Panel, you should be automatically
signed in to the Qmarkets Idea & Innovation Management for which you set up SSO. For more information about
the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Qmarkets Idea & Innovation Management with Azure AD
Tutorial: Azure Active Directory integration with
QPrism
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate QPrism with Azure Active Directory (Azure AD). Integrating QPrism
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to QPrism.
You can enable your users to be automatically signed-in to QPrism (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with QPrism, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
QPrism single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
QPrism supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type QPrism, select QPrism from the result panel, and then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<customer domain>.qmyzone.com/metadata.php
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact QPrism Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, In the SAML Signing Certificate section, click copy
button to copy App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create QPrism test user
In this section, you create a user called Britta Simon in QPrism. Work with the QPrism support team to add the users
to the QPrism platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the QPrism tile in the Access Panel, you should be automatically signed in to the QPrism for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Qualtrics
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Qualtrics with Azure Active Directory (Azure AD). Integrating Qualtrics
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Qualtrics.
You can enable your users to be automatically signed-in to Qualtrics (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Qualtrics, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Qualtrics single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Qualtrics supports SP initiated SSO
Qualtrics supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Qualtrics, select Qualtrics from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.qualtrics.com/WRSAML/simplesaml/www/module.php/saml/sp/metadata.php/default-sp
https://<companyname>.co1.qualtrics.com/WRSAML/simplesaml/www/module.php/saml/sp/metadata.php/default-sp
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Qualtrics Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Qualtrics section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Qualtrics Single Sign-On
To configure single sign-on on the Qualtrics side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the Qualtrics support team. They apply these settings so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Qualtrics test user
In this section, a user called Britta Simon is created in Qualtrics. Qualtrics supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in
Qualtrics, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Qualtrics tile in the Access Panel, you should be automatically signed in to the Qualtrics for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Quantum Workplace
6/17/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Quantum Workplace with Azure Active Directory (Azure AD). Integrating
Quantum Workplace with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Quantum Workplace.
You can enable your users to be automatically signed-in to Quantum Workplace (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Quantum Workplace, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Quantum Workplace single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Quantum Workplace supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Quantum Workplace, select Quantum Workplace from the result panel, then click
the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, the application is pre-configured and the necessary URLs are
already pre-populated with Azure. Save the configuration by clicking the Save button.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Quantum Workplace test user
In this section, you create a user called Britta Simon in Quantum Workplace. Work with the Quantum Workplace
support team to add the users to the Quantum Workplace platform. Users must be created and activated before
you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Quantum Workplace tile in the Access Panel, you should be automatically signed in to the
Quantum Workplace for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Questetra BPM Suite
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Questetra BPM Suite with Azure Active Directory (Azure AD).
Integrating Questetra BPM Suite with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Questetra BPM Suite.
You can enable your users to be automatically signed-in to Questetra BPM Suite (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Questetra BPM Suite, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Questetra BPM Suite single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Questetra BPM Suite supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Questetra BPM Suite, select Questetra BPM Suite from the result panel, then click
the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.questetra.net/
NOTE
These values are not real. Update these values with the actual Sign-On URL and Identifier. You can get these values
from the SP Information section on your Questetra BPM Suite company site, which is explained later in the tutorial,
or contact the Questetra BPM Suite Client support team. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up Questetra BPM Suite section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Questetra BPM Suite Single Sign-On
1. In a different web browser window, sign in to your Questetra BPM Suite company site as an
administrator.
2. In the menu on the top, click System Settings.
4. On your Questetra BPM Suite company site, in the SP Information section, perform the following steps:
a. Copy the ACS URL, and then paste it into the Sign On URL textbox in the Basic SAML Configuration
section in the Azure portal.
b. Copy the Entity ID, and then paste it into the Identifier textbox in the Basic SAML Configuration
section in the Azure portal.
5. On your Questetra BPM Suite company site, perform the following steps:
a. Select Enable Single Sign-On.
b. In the Entity ID textbox, paste the value of Azure AD Identifier, which you copied from the Azure portal.
c. In the Sign-in page URL textbox, paste the value of Login URL, which you copied from the Azure portal.
d. In the Sign-out page URL textbox, paste the value of Logout URL, which you copied from the Azure
portal.
e. In the NameID format textbox, type urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
f. Open the Base-64 encoded certificate that you downloaded from the Azure portal in Notepad, copy its content
to your clipboard, and then paste it into the Validation certificate textbox.
g. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Questetra BPM Suite test user
The objective of this section is to create a user called Britta Simon in Questetra BPM Suite.
To create a user called Britta Simon in Questetra BPM Suite, perform the following steps:
1. Sign in to your Questetra BPM Suite company site as an administrator.
2. Go to System Settings > User List > New User.
3. On the New User dialog, perform the following steps:
a. In the Name textbox, type the name of the user: britta.simon@contoso.com.
b. In the Email textbox, type the email of the user: britta.simon@contoso.com.
c. In the Password textbox, type a password for the user.
d. Click Add new user.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Questetra BPM Suite tile in the Access Panel, you should be automatically signed in to the
Questetra BPM Suite for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with QuickHelp
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate QuickHelp with Azure Active Directory (Azure AD). Integrating
QuickHelp with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to QuickHelp.
You can enable your users to be automatically signed-in to QuickHelp (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with QuickHelp, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
QuickHelp single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
QuickHelp supports SP initiated SSO
QuickHelp supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type QuickHelp, select QuickHelp from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The Sign-on URL value is not real. Update the value with the actual Sign-On URL. Contact your organization’s
QuickHelp administrator or your BrainStorm Client Success Manager to get the value. You can also refer to the
patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up QuickHelp section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure QuickHelp Single Sign-On
1. Sign in to your QuickHelp company site as administrator.
2. In the menu on the top, click Admin.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create QuickHelp test user
In this section, a user called Britta Simon is created in QuickHelp. QuickHelp supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in QuickHelp, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the QuickHelp tile in the Access Panel, you should be automatically signed in to the QuickHelp for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Qumu Cloud
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Qumu Cloud with Azure Active Directory (Azure AD). Integrating Qumu
Cloud with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Qumu Cloud.
You can enable your users to be automatically signed-in to Qumu Cloud (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Qumu Cloud, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Qumu Cloud single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Qumu Cloud supports SP and IDP initiated SSO
Qumu Cloud supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Qumu Cloud, select Qumu Cloud from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<subdomain>.qumucloud.com/saml/SSO
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.qumucloud.com/saml/SSO
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<subdomain>.qumucloud.com
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the Qumu
Cloud Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. The Qumu Cloud application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click the Edit icon to open the User Attributes dialog.
7. In addition to the above, the Qumu Cloud application expects a few more attributes to be passed back in the SAML
response. In the User Claims section of the User Attributes dialog, perform the following steps to add
each SAML token attribute shown in the table below:
NAME                                  SOURCE ATTRIBUTE
urn:oid:2.5.4.42                      user.givenname
urn:oid:2.5.4.4                       user.surname
urn:oid:0.9.2342.19200300.100.1.3     user.mail
urn:oid:0.9.2342.19200300.100.1.1     user.userprincipalname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
9. In the Set up Qumu Cloud section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
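The claim mapping from step 7 can be checked against a decoded assertion captured from a test sign-in. The following is an added example, not part of the original tutorial: it reports whether each of the four claims is present, empty, missing, or sent under a namespace-prefixed name. The sample assertion is constructed, the function name is hypothetical, and the idea that a non-blank Namespace appears as a "<namespace>/<name>" attribute name is an assumption of this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim name -> Azure AD source attribute, copied from the table in step 7.
QUMU_CLAIMS = {
    "urn:oid:2.5.4.42": "user.givenname",
    "urn:oid:2.5.4.4": "user.surname",
    "urn:oid:0.9.2342.19200300.100.1.3": "user.mail",
    "urn:oid:0.9.2342.19200300.100.1.1": "user.userprincipalname",
}

# Constructed sample (unsigned, illustrative only):
#  - given name is correct
#  - surname was created with a Namespace, so its Name carries a prefix
#  - mail is present but empty
#  - the user principal name claim was never added
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42">
      <saml:AttributeValue>Britta</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/urn:oid:2.5.4.4">
      <saml:AttributeValue>Simon</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_qumu_claims(assertion_xml):
    """Return {claim name: status} for the four claims listed in step 7.

    Status is one of "ok", "empty", "namespaced" or "missing". This only
    inspects attribute names and values of an already-decoded assertion;
    it does not verify the signature.
    """
    root = ET.fromstring(assertion_xml)
    present = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        present.setdefault(attr.get("Name", ""), []).extend(values)

    status = {}
    for claim in QUMU_CLAIMS:
        if any(present.get(claim, [])):
            status[claim] = "ok"
        elif claim in present:
            # Claim exists but the source attribute is blank for this user.
            status[claim] = "empty"
        elif any(name.endswith("/" + claim) for name in present):
            # Step c ("Leave the Namespace blank") was not followed.
            status[claim] = "namespaced"
        else:
            status[claim] = "missing"
    return status


if __name__ == "__main__":
    for claim, state in check_qumu_claims(SAMPLE_ASSERTION).items():
        print("%-36s %-24s %s" % (claim, QUMU_CLAIMS[claim], state))
```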
Configure Qumu Cloud Single Sign-On
To configure single sign-on on the Qumu Cloud side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the Qumu Cloud support team. They apply these settings so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Qumu Cloud test user
In this section, a user called Britta Simon is created in Qumu Cloud. Qumu Cloud supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Qumu Cloud, a new one is created after authentication.
NOTE
If you need to create a user manually, contact Qumu Cloud Client support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Qumu Cloud tile in the Access Panel, you should be automatically signed in to the Qumu Cloud
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Rackspace SSO
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Rackspace SSO with Azure Active Directory (Azure AD). Integrating
Rackspace SSO with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Rackspace SSO.
You can enable your users to be automatically signed-in to Rackspace SSO (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Rackspace SSO, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Rackspace SSO single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Rackspace SSO supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Rackspace SSO, select Rackspace SSO from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, upload the Service Provider metadata file, which you can
download from the URL, and perform the following steps:
a. Click Upload metadata file.
b. Click the folder logo to select the metadata file and click Upload.
c. Once the metadata file is successfully uploaded, the necessary URLs are populated automatically.
d. In the Sign-on URL text box, type a URL: https://login.rackspace.com/federate/
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
This file will be uploaded to Rackspace to populate the required Identity Federation configuration settings.
Configure Rackspace SSO Single Sign-On
To configure single sign-on on the Rackspace SSO side:
1. See the documentation at Add an Identity Provider to the Control Panel
2. It will lead you through the steps to:
a. Create a new Identity Provider
b. Specify an email domain that users will use to identify your company when signing in.
c. Upload the Federation Metadata XML previously downloaded from the Azure control panel.
This will correctly configure the basic SSO settings needed for Azure and Rackspace to connect.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Set up Attribute Mapping in the Rackspace control panel
Rackspace uses an Attribute Mapping Policy to assign Rackspace roles and groups to your single sign-on users.
The Attribute Mapping Policy translates Azure AD SAML claims into the user configuration fields Rackspace
requires. More documentation can be found in the Rackspace Attribute Mapping Basics documentation. Some
considerations:
If you want to assign varying levels of Rackspace access using Azure AD groups, you will need to enable the
Groups claim in the Azure Rackspace SSO Single Sign-on settings. The Attribute Mapping Policy will
then be used to match those groups to desired Rackspace roles and groups:
By default, Azure AD sends the UID of Azure AD Groups in the SAML claim, versus the name of the Group.
However, if you are synchronizing your on-premises Active Directory to Azure AD, you have the option to
send the actual names of the groups:
The following example Attribute Mapping Policy demonstrates:
1. Setting the Rackspace user's name to the user.name SAML claim. Any claim can be used, but it is most
common to set this to a field containing the user's email address.
2. Setting the Rackspace roles admin and billing:admin on a user by matching an Azure AD Group, by either
Group Name or Group UID. A substitution of "{0}" in the roles field is used, and will be replaced by the
results of the remote rule expressions.
3. Using the "{D}" default substitution to let Rackspace retrieve additional SAML fields by looking for standard
and well-known SAML claims in the SAML exchange.
---
mapping:
    rules:
    - local:
        user:
          domain: "{D}"
          name: "{At(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name)}"
          email: "{D}"
          roles:
              - "{0}"
          expire: "{D}"
      remote:
          - path: |
              (
                if (mapping:get-attributes('http://schemas.microsoft.com/ws/2008/06/identity/claims/groups')='7269f9a2-aabb-9393-8e6d-282e0f945985') then ('admin', 'billing:admin') else (),
                if (mapping:get-attributes('http://schemas.microsoft.com/ws/2008/06/identity/claims/groups')='MyAzureGroup') then ('admin', 'billing:admin') else ()
              )
            multiValue: true
    version: RAX-1
TIP
Ensure that you use a text editor that validates YAML syntax when editing your policy file.
See the Rackspace Attribute Mapping Basics documentation for more examples.
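To see which roles the example policy yields for a given user before uploading it, the two if-branches of the remote rule can be emulated offline. The following is an added Python example, not Rackspace's implementation and not part of the original tutorial: the assertions are constructed and unsigned, the helper names are hypothetical, and reading "{At(...)}" as a claim lookup and de-duplicating roles in order are assumptions.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_NS = {"saml": SAML}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# (group value to match, roles granted), copied from the example policy.
GROUP_RULES = [
    ("7269f9a2-aabb-9393-8e6d-282e0f945985", ("admin", "billing:admin")),  # by UID
    ("MyAzureGroup", ("admin", "billing:admin")),                          # by name
]


def build_assertion(name, groups):
    """Constructed sample: an unsigned assertion with name and groups claims."""
    root = ET.Element("{%s}Assertion" % SAML)
    stmt = ET.SubElement(root, "{%s}AttributeStatement" % SAML)
    for claim, values in ((NAME_CLAIM, [name]), (GROUPS_CLAIM, groups)):
        attr = ET.SubElement(stmt, "{%s}Attribute" % SAML, Name=claim)
        for value in values:
            ET.SubElement(attr, "{%s}AttributeValue" % SAML).text = value
    return ET.tostring(root, encoding="unicode")


def get_attributes(assertion_xml, claim_name):
    """Return all values of one claim, in the spirit of mapping:get-attributes()."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == claim_name:
            values += [v.text or ""
                       for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return values


def map_user(assertion_xml, rules=GROUP_RULES):
    """Emulate the policy: name from the name claim, roles from group matches.

    Each rule mirrors one `if (...groups = 'X') then (...) else ()` branch:
    it fires when any value of the groups claim equals X exactly
    (case-sensitive). A user matching no branch gets an empty role list.
    """
    groups = get_attributes(assertion_xml, GROUPS_CLAIM)
    roles = []
    for wanted, granted in rules:
        if wanted in groups:
            for role in granted:
                if role not in roles:  # assumption: duplicates are collapsed
                    roles.append(role)
    names = get_attributes(assertion_xml, NAME_CLAIM)
    return {"name": names[0] if names else None, "roles": roles}


if __name__ == "__main__":
    samples = {
        "UID sent (Azure AD default)": ["7269f9a2-aabb-9393-8e6d-282e0f945985"],
        "name sent (synced from on-premises AD)": ["MyAzureGroup"],
        "unrelated group": ["00000000-0000-0000-0000-000000000000"],
        "name with different case": ["myazuregroup"],
    }
    for label, groups in samples.items():
        result = map_user(build_assertion("britta.simon@contoso.com", groups))
        print("%-40s -> %s" % (label, result["roles"]))
```

Running it over the groups claim of each test account shows at a glance who would receive admin and billing:admin, and confirms that accounts outside the listed groups resolve to no roles.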
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Rackspace SSO tile in the Access Panel, you should be automatically signed in to the Rackspace
SSO for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
You can also use the Validate button in the Rackspace SSO Single sign-on settings:
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Rally Software
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Rally Software with Azure Active Directory (Azure AD). Integrating Rally
Software with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Rally Software.
You can enable your users to be automatically signed-in to Rally Software (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Rally Software, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Rally Software single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Rally Software supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Rally Software, select Rally Software from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<tenant-name>.rally.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Rally Software
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Rally Software section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Rally Software Single Sign-On
1. Sign in to your Rally Software tenant.
2. In the toolbar on the top, click Setup, and then select Subscription.
3. Click the Action button. Select Edit Subscription at the top right side of the toolbar.
4. On the Subscription dialog page, perform the following steps, and then click Save & Close:
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Rally Software test user
For Azure AD users to be able to sign in, they must be provisioned to the Rally Software application using their
Azure Active Directory user names.
To configure user provisioning, perform the following steps:
1. Sign in to your Rally Software tenant.
2. Go to Setup > USERS, and then click + Add New.
3. Type the name in the New User textbox, and then click Add with Details.
4. In the Create User section, perform the following steps:
a. In the User Name textbox, type the name of the user, like Brittsimon.
b. In the E-mail Address textbox, enter the email of the user, like brittasimon@contoso.com.
c. In the First Name text box, enter the first name of the user, like Britta.
d. In the Last Name text box, enter the last name of the user, like Simon.
e. Click Save & Close.
NOTE
You can use any other Rally Software user account creation tools or APIs provided by Rally Software to provision
Azure AD user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Real Links
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Real Links with Azure Active Directory (Azure AD). Integrating Real
Links with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Real Links.
You can enable your users to be automatically signed-in to Real Links (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Real Links, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Real Links single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Real Links supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Real Links, select Real Links from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
urn:amazon:cognito:sp:<SUBDOMAIN>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Real Links Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Real Links test user
In this section, you create a user called Britta Simon in Real Links. Work with the Real Links support team to add the
users in the Real Links platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Real Links tile in the Access Panel, you should be automatically signed in to the Real Links for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Recognize
8/9/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Recognize with Azure Active Directory (Azure AD). Integrating
Recognize with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Recognize.
You can enable your users to be automatically signed-in to Recognize (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Recognize, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Recognize single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Recognize supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Recognize, select Recognize from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you have a Service Provider metadata file, perform the
following steps:
NOTE
You will get the Service Provider metadata file from the Configure Recognize Single Sign-On section of the
tutorial.
c. After the metadata file is successfully uploaded, the Identifier value gets auto-populated in the Basic SAML
Configuration section.
In the Sign on URL text box, type a URL using the following pattern:
https://recognizeapp.com/<your-domain>/saml/sso
NOTE
If the Identifier value does not get auto-populated, you will get the Identifier value by opening the Service Provider
Metadata URL from the SSO Settings section that is explained later in the Configure Recognize Single Sign-On
section of the tutorial. The Sign-on URL value is not real. Update the value with the actual Sign-on URL. Contact
Recognize Client support team to get the value. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Recognize section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Recognize Single Sign-On
1. In a different web browser window, sign in to your Recognize tenant as an administrator.
2. On the upper right corner, click Menu. Go to Company Admin.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Recognize test user
In order to enable Azure AD users to log into Recognize, they must be provisioned into Recognize. In the case of
Recognize, provisioning is a manual task.
This app doesn't support SCIM provisioning but has an alternate user sync that provisions users.
To provision a user account, perform the following steps:
1. Sign into your Recognize company site as an administrator.
2. On the upper right corner, click Menu. Go to Company Admin.
3. On the left navigation pane, click Settings.
4. Perform the following steps on User Sync section.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with RedVector
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate RedVector with Azure Active Directory (Azure AD). Integrating
RedVector with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to RedVector.
You can enable your users to be automatically signed-in to RedVector (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with RedVector, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
RedVector single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
RedVector supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type RedVector, select RedVector from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<Companyname>.redvector.com/saml2
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact RedVector Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up RedVector section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure RedVector Single Sign-On
To configure single sign-on on the RedVector side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the RedVector support team. They apply this setting so that the SAML
SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create RedVector test user
In this section, you create a user called Britta Simon in RedVector. Work with the RedVector support team to add the
users in the RedVector platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the RedVector tile in the Access Panel, you should be automatically signed in to the RedVector for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Reflektive
7/22/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Reflektive with Azure Active Directory (Azure AD). Integrating Reflektive
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Reflektive.
You can enable your users to be automatically signed-in to Reflektive (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Reflektive, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Reflektive single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Reflektive supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Reflektive, select Reflektive from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Identifier text box, use one of the URLs below, as confirmed by the Reflektive support team:
reflektive.com
https://www.reflektive.com/saml/metadata
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
NOTE
For SP mode, you need to get the email ID registered with the Reflektive support team. When you enter your ID in the
Email textbox, the single sign-on option will be enabled. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Reflektive section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Reflektive Single Sign-On
To configure single sign-on on the Reflektive side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the Reflektive support team. They apply this setting so that the SAML
SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Reflektive test user
In this section, you create a user called Britta Simon in Reflektive. Work with the Reflektive support team to add the
users in the Reflektive platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Reflektive tile in the Access Panel, you should be automatically signed in to the Reflektive for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with RENRAKU
9/18/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate RENRAKU with Azure Active Directory (Azure AD). When you
integrate RENRAKU with Azure AD, you can:
Control in Azure AD who has access to RENRAKU.
Enable your users to be automatically signed-in to RENRAKU with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
RENRAKU single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
RENRAKU supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<CUSTOMURL>/front/login?sso
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<CUSTOMURL>/front
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact RENRAKU Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Raw) and select Download to download the certificate and save it on your computer.
6. On the Set up RENRAKU section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to RENRAKU.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select RENRAKU.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the RENRAKU tile in the Access Panel, you should be automatically signed in to the RENRAKU for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try RENRAKU with Azure AD
Tutorial: Integrate Replicon with Azure Active Directory
6/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Replicon with Azure Active Directory (Azure AD). When you integrate
Replicon with Azure AD, you can:
Control in Azure AD who has access to Replicon.
Enable your users to be automatically signed-in to Replicon with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
Replicon single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Replicon supports SP initiated SSO.
4. On the Basic SAML Configuration page, enter the values for the following fields:
a. In the Sign-on URL text box, type a URL using the following pattern:
https://global.replicon.com/!/saml2/<client name>/sp-sso/post
c. In the Reply URL text box, type a URL using the following pattern:
https://global.replicon.com/!/saml2/<client name>/sso/post
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact
Replicon Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. Click the edit/pen icon for SAML Signing Certificate to edit the settings.
a. To display the EnableSAMLAuthentication2 dialog, append the following to your URL, after your
company key: /services/SecurityService1.svc/help/test/EnableSAMLAuthentication2
The following shows the schema of the complete URL:
https://na2.replicon.com/<YourCompanyKey>/services/SecurityService1.svc/help/test/EnableSAMLAuthentication2
b. Click the + to expand the v20Configuration section.
c. Click the + to expand the metaDataConfiguration section.
d. Select SHA256 for xmlSignatureAlgorithm
e. Click Choose File, to select your identity provider metadata XML file, and click Submit.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
BrittaSimon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Replicon.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Replicon.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Replicon test user
The objective of this section is to create a user called B.Simon in Replicon.
If you need to create a user manually, perform the following steps:
1. In a web browser window, sign into your Replicon company site as an administrator.
2. Go to Administration > Users.
3. Click +Add User.
a. In the Login Name textbox, type the Azure AD email address of the Azure AD user you want to provision,
like B.Simon@contoso.com.
NOTE
Login Name needs to match the user's email address in Azure AD.
Test SSO
When you select the Replicon tile in the Access Panel, you should be automatically signed in to the Replicon for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Reviewsnap
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Reviewsnap with Azure Active Directory (Azure AD). Integrating
Reviewsnap with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Reviewsnap.
You can enable your users to be automatically signed-in to Reviewsnap (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Reviewsnap, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Reviewsnap single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Reviewsnap supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Reviewsnap, select Reviewsnap from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL: https://app.reviewsnap.com
b. In the Reply URL text box, type a URL using the following pattern:
https://app.reviewsnap.com/auth/saml/callback?namespace=<CUSTOMER_NAMESPACE>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
NOTE
The Reply URL value is not real. Update the value with the actual Reply URL. Contact Reviewsnap Client support team
to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up Reviewsnap section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Reviewsnap Single Sign-On
To configure single sign-on on the Reviewsnap side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Reviewsnap support team. They apply this setting so that the SAML
SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Reviewsnap test user
In this section, you create a user called Britta Simon in Reviewsnap. Work with the Reviewsnap support team to add
the users in the Reviewsnap platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Reviewsnap tile in the Access Panel, you should be automatically signed in to the Reviewsnap
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Reward Gateway
11/14/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Reward Gateway with Azure Active Directory (Azure AD). Integrating
Reward Gateway with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Reward Gateway.
You can enable your users to be automatically signed-in to Reward Gateway (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Reward Gateway, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Reward Gateway single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Reward Gateway supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Reward Gateway, select Reward Gateway from the result panel, then click the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<companyname>.rewardgateway.com
https://<companyname>.rewardgateway.co.uk/
https://<companyname>.rewardgateway.co.nz/
https://<companyname>.rewardgateway.com.au/
b. In the Reply URL text box, type a URL using the following pattern:
https://<companyname>.rewardgateway.com/Authentication/EndLogin?idp=<Unique Id>
https://<companyname>.rewardgateway.co.uk/Authentication/EndLogin?idp=<Unique Id>
https://<companyname>.rewardgateway.co.nz/Authentication/EndLogin?idp=<Unique Id>
https://<companyname>.rewardgateway.com.au/Authentication/EndLogin?idp=<Unique Id>
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. To get these values start
setting up an Integration on the Reward Manager Portal. Details can be found on
https://success.rewardgateway.com/hc/en-us/articles/360038650573-Microsoft-Azure-for-Authentication
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Reward Gateway section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
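The Reply URL is where Azure AD posts the SAML response, so it is worth checking the real values against the step 4 patterns before saving them. The following is an added example, not part of the original tutorial or of Reward Gateway's tooling; the function names are hypothetical, and it assumes `<companyname>` is a single DNS label and `<Unique Id>` is any non-empty value.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Host suffixes taken from the four URL patterns listed in step 4.
ALLOWED_SUFFIXES = (
    ".rewardgateway.com",
    ".rewardgateway.co.uk",
    ".rewardgateway.co.nz",
    ".rewardgateway.com.au",
)
REPLY_PATH = "/Authentication/EndLogin"
# Assumption: <companyname> is one DNS label (letters, digits, inner hyphens).
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def _check_origin(url):
    """Parse url and return (parts, problems) for the scheme and host."""
    if "<" in url or ">" in url:
        return None, ["placeholder such as <companyname> was not replaced"]
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return None, [f"not a parseable URL: {exc}"]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.username is not None or parts.password is not None:
        problems.append("userinfo before '@' is not allowed")
    if port is not None:
        problems.append("explicit port is not part of the pattern")
    # Compare the parsed hostname, never a substring of the raw URL.
    host = (parts.hostname or "").lower()
    suffix = next((s for s in ALLOWED_SUFFIXES if host.endswith(s)), None)
    if suffix is None:
        problems.append(f"host {host!r} is not under a listed Reward Gateway domain")
    elif not LABEL.fullmatch(host[: -len(suffix)]):
        problems.append(f"host {host!r} is not a single <companyname> label")
    if parts.fragment:
        problems.append("fragment is not allowed")
    return parts, problems


def check_identifier(url):
    """Return a list of problems for an Identifier value (empty list = OK)."""
    parts, problems = _check_origin(url)
    if parts is not None:
        if parts.path not in ("", "/"):
            problems.append("Identifier must not carry a path")
        if parts.query:
            problems.append("Identifier must not carry a query string")
    return problems


def check_reply_url(url):
    """Return a list of problems for a Reply URL value (empty list = OK)."""
    parts, problems = _check_origin(url)
    if parts is not None:
        if parts.path != REPLY_PATH:
            problems.append(f"path must be exactly {REPLY_PATH}")
        query = parse_qs(parts.query, keep_blank_values=True)
        if set(query) != {"idp"} or len(query["idp"]) != 1 or not query["idp"][0]:
            problems.append("query must be a single non-empty idp=<Unique Id>")
    return problems


if __name__ == "__main__":
    # Constructed sample values; "acme" and "abc123" are placeholders.
    for candidate in (
        "https://acme.rewardgateway.co.uk/Authentication/EndLogin?idp=abc123",
        "https://acme.rewardgateway.com.other.example/Authentication/EndLogin?idp=abc123",
        "https://acme.rewardgateway.com@other.example/Authentication/EndLogin?idp=abc123",
    ):
        print(candidate, "->", check_reply_url(candidate) or "OK")
```
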
Configure Reward Gateway Single Sign-On
To configure single sign-on on the Reward Gateway side, start setting up an Integration on the Reward Manager
Portal. Use the downloaded metadata to obtain your Signing Certificate and upload that during the configuration.
Details can be found on
https://success.rewardgateway.com/hc/en-us/articles/360038650573-Microsoft-Azure-for-Authentication
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Reward Gateway test user
In this section, you create a user called Britta Simon in Reward Gateway. Work with the Reward Gateway support team
to add the users in the Reward Gateway platform. Users must be created and activated before you use
single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Reward Gateway tile in the Access Panel, you should be automatically signed in to the Reward
Gateway for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Tutorial: Azure Active Directory integration with RFPIO
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate RFPIO with Azure Active Directory (Azure AD). Integrating RFPIO with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to RFPIO.
You can enable your users to be automatically signed-in to RFPIO (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with RFPIO, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
RFPIO single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
RFPIO supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type RFPIO, select RFPIO from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
a. In the Identifier text box, type a URL using the following pattern: https://www.rfpio.com
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://www.app.rfpio.com
NOTE
These values are not real. Update these values with the actual Identifier and Sign-on URL. Contact RFPIO Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up RFPIO section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure RFPIO Single Sign-On
1. In a different web browser window, sign in to the RFPIO website as an administrator.
2. Click on the bottom left corner dropdown.
3. Click on the Organization Settings.
4. Click on the FEATURES & INTEGRATION.
a. Copy the content of the Downloaded Metadata XML and paste it into the identity configuration
field.
NOTE
To copy the content of the downloaded Federation Metadata XML, use Notepad++ or a proper XML editor.
b. Click Validate.
c. After clicking Validate, flip SAML (Enabled) to on.
d. Click Submit.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create RFPIO test user
1. Sign in to your RFPIO company site as an administrator.
2. Click on the bottom left corner dropdown.
3. Click on the Organization Settings.
4. Click TEAM MEMBERS.
a. Enter Email address in the Enter one email per line field.
b. Select a Role according to your requirements.
c. Click ADD MEMBERS.
NOTE
The Azure Active Directory account holder receives an email and follows a link to confirm their account before it
becomes active.
Tutorial: Azure Active Directory integration with RightAnswers
11/19/2019 • 5 minutes to read
In this tutorial, you learn how to integrate RightAnswers with Azure Active Directory (Azure AD). Integrating
RightAnswers with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to RightAnswers.
You can enable your users to be automatically signed-in to RightAnswers (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with RightAnswers, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
RightAnswers single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
RightAnswers supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type RightAnswers, select RightAnswers from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.rightanswers.com:<identifier>/portal
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact RightAnswers
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up RightAnswers section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure RightAnswers Single Sign-On
To configure single sign-on on the RightAnswers side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the RightAnswers support team. They apply these
settings so that the SAML SSO connection is configured properly on both sides.
NOTE
Your RightAnswers support team has to do the actual SSO configuration. You will get a notification when SSO has been
enabled for your subscription.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create RightAnswers test user
To enable Azure AD users to sign in to RightAnswers, they must be provisioned into RightAnswers. In
RightAnswers, provisioning is an automated task, so there is no action item for you.
Users are automatically created if necessary during the first single sign-on attempt.
NOTE
You can use any other RightAnswers user account creation tools or APIs provided by RightAnswers to provision Azure AD
user accounts.
Tutorial: Azure Active Directory integration with Rightscale
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Rightscale with Azure Active Directory (Azure AD). Integrating
Rightscale with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Rightscale.
You can enable your users to be automatically signed-in to Rightscale (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Rightscale, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Rightscale single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Rightscale supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Rightscale, select Rightscale from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up Rightscale section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Rightscale Single Sign-On
1. To get SSO configured for your application, you need to sign on to your RightScale tenant as an
administrator.
2. In the menu on the top, click the Settings tab and select Single Sign-On.
3. Click the new button to add Your SAML Identity Providers.
5. Select Allow RightScale-initiated SSO using a discovery hint and enter your domain name in the
text box below.
6. Paste the value of Login URL which you have copied from Azure portal into SAML SSO Endpoint in
RightScale.
7. Paste the value of Azure AD Identifier which you have copied from Azure portal into SAML EntityID in
RightScale.
8. Click Browser button to upload the certificate which you downloaded from Azure portal.
9. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Rightscale test user
In this section, you create a user called Britta Simon in Rightscale. Work with Rightscale Client support team to add
the users in the Rightscale platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Rightscale tile in the Access Panel, you should be automatically signed in to the Rightscale for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Tutorial: Integrate RingCentral with Azure Active Directory
10/28/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate RingCentral with Azure Active Directory (Azure AD). When you
integrate RingCentral with Azure AD, you can:
Control in Azure AD who has access to RingCentral.
Enable your users to be automatically signed-in to RingCentral with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
RingCentral single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
RingCentral supports IDP initiated SSO
4. On the Basic SAML Configuration section, if you have Service Provider metadata file, perform the
following steps:
a. Click Upload metadata file.
b. Click the folder logo to select the metadata file and click Upload.
c. After the metadata file is successfully uploaded, the Identifier and Reply URL values get auto
populated in Basic SAML Configuration section.
NOTE
You get the Service Provider metadata file on the RingCentral SSO Configuration page which is explained later in
the tutorial.
5. If you don't have Service Provider metadata file, enter the values for the following fields:
a. In the Identifier textbox, type a URL:
https://sso.ringcentral.com
https://ssoeuro.ringcentral.com
https://sso.ringcentral.com/sp/ACS.saml2
https://ssoeuro.ringcentral.com/sp/ACS.saml2
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After you add the extension to the browser, clicking Set up RingCentral directs you to the RingCentral
application. From there, provide the admin credentials to sign in to RingCentral. The browser extension will
automatically configure the application for you and automate steps 3-7.
3. If you want to set up RingCentral manually, open a new web browser window, sign in to your
RingCentral company site as an administrator, and perform the following steps:
4. On the top, click on Tools.
d. Click Save.
e. From Step 2 click Download to download the Service Provider metadata file and upload it in Basic
SAML Configuration section to auto-populate the Identifier and Reply URL values in Azure portal.
f. On the same page, navigate to Enable SSO section and perform the following steps:
Tutorial: Azure Active Directory integration with Riskware
10/7/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Riskware with Azure Active Directory (Azure AD). Integrating Riskware
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Riskware.
You can enable your users to be automatically signed-in to Riskware (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Riskware, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Riskware single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Riskware supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Riskware, select Riskware from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
UAT https://riskcloud.net/uat?ccode=<COMPANYCODE>
PROD https://riskcloud.net/prod?ccode=<COMPANYCODE>
DEMO https://riskcloud.net/demo?ccode=<COMPANYCODE>
UAT https://riskcloud.net/uat
PROD https://riskcloud.net/prod
DEMO https://riskcloud.net/demo
NOTE
The Sign on URL value is not real. Update the value with the actual Sign-On URL. Contact Riskware Client support
team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Riskware section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Riskware Single Sign-On
1. In a different web browser window, sign in to your Riskware company site as an administrator.
2. On the top right, click Maintenance to open the maintenance page.
NOTE
Contact the Riskware Client support team to get these values.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Riskware test user
To enable Azure AD users to sign in to Riskware, they must be provisioned into Riskware. In Riskware,
provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to Riskware as a Security Administrator.
2. On the top right, click Maintenance to open the maintenance page.
Tutorial: Azure Active Directory single sign-on (SSO) integration with Riva
11/14/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate Riva with Azure Active Directory (Azure AD). When you integrate Riva
with Azure AD, you can:
Control in Azure AD who has access to Riva.
Enable your users to be automatically signed-in to Riva with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Riva single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Riva supports IDP initiated SSO
4. On the Basic SAML Configuration section, the application is pre-configured and the necessary URLs are
already pre-populated with Azure. The user needs to save the configuration by clicking the Save button.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up Riva section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Riva tile in the Access Panel, you should be automatically signed in to the Riva for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Tutorial: Integrate Robin with Azure Active Directory
11/14/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Robin with Azure Active Directory (Azure AD). When you integrate
Robin with Azure AD, you can:
Control in Azure AD who has access to Robin.
Enable your users to be automatically signed-in to Robin with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
Robin single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Robin supports SP and IDP initiated SSO
Robin supports Just In Time user provisioning
4. On the Basic SAML Configuration section, the application is pre-configured in IDP initiated mode and
the necessary URLs are already pre-populated with Azure. The user needs to save the configuration by
clicking the Save button.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://dashboard.robinpowered.com/
6. Robin application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes.
7. In addition to the above, the Robin application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you can review them as per your
requirements.
Email user.userprincipalname
FirstName user.givenname
LastName user.surname
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Raw) and select Download to download the certificate and save it on your computer.
9. On the Set up Robin section, copy the appropriate URL(s) based on your requirement.
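The attribute mapping from step 7 can be checked against a SAML response captured during a test sign-in. This is an added example, not part of the original tutorial or of Robin's tooling: the response is constructed, unsigned and trimmed, the function names are hypothetical, and the check reads attribute names only (it does not validate the signature).

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"

# Attribute names Robin expects and their Azure AD source attributes (step 7).
EXPECTED = {
    "Email": "user.userprincipalname",
    "FirstName": "user.givenname",
    "LastName": "user.surname",
}

# Constructed sample: the surname is still sent under Azure AD's default
# claim URI instead of the LastName attribute name Robin expects.
SURNAME_URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
SAMPLE_RESPONSE = f"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>b.simon@contoso.example</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email">
        <saml:AttributeValue>b.simon@contoso.example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="FirstName">
        <saml:AttributeValue>B</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{SURNAME_URI}">
        <saml:AttributeValue>Simon</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def read_attributes(xml_text):
    """Return {attribute name: [values]} from the single assertion in xml_text."""
    root = ET.fromstring(xml_text)
    if root.tag == ASSERTION_TAG:
        assertions = [root]
    else:
        assertions = root.findall(".//saml:Assertion", NS)
    # Insist on exactly one assertion so attribute reads are unambiguous.
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    attrs = {}
    for attr in assertions[0].findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_robin_attributes(attrs):
    """Return a list of findings; an empty list means the mapping matches."""
    findings = []
    for name, source in EXPECTED.items():
        values = attrs.get(name)
        if values is None:
            # Look for the same source attribute sent under another name,
            # e.g. a default claim URI ending in /surname.
            short = source.split(".", 1)[1]
            lookalikes = [n for n in attrs if n.rsplit("/", 1)[-1].lower() == short]
            hint = f"; the value is being sent as {lookalikes[0]!r}" if lookalikes else ""
            findings.append(f"{name} (source {source}) is missing{hint}")
        elif len(values) != 1 or not values[0]:
            findings.append(f"{name} must carry exactly one non-empty value, got {values!r}")
    email = attrs.get("Email", [])
    if len(email) == 1 and email[0] and email[0].count("@") != 1:
        findings.append(f"Email {email[0]!r} does not look like a user principal name")
    return findings


if __name__ == "__main__":
    for finding in check_robin_attributes(read_attributes(SAMPLE_RESPONSE)) or ["OK"]:
        print(finding)
```
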
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Tutorial: Azure Active Directory integration with RStudio Connect
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate RStudio Connect with Azure Active Directory (Azure AD). Integrating
RStudio Connect with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to RStudio Connect.
You can enable your users to be automatically signed-in to RStudio Connect (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with RStudio Connect, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
RStudio Connect. There is a 45-day free evaluation.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
RStudio Connect supports SP and IDP initiated SSO
RStudio Connect supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type RStudio Connect, select RStudio Connect from the result panel, then click the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps, replacing <example.com> with your RStudio Connect Server Address and port:
a. In the Identifier text box, type a URL using the following pattern: https://<example.com>/__login__/saml
b. In the Reply URL text box, type a URL using the following pattern:
https://<example.com>/__login__/saml/acs
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<example.com>/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. They are
determined from the RStudio Connect Server Address ( https://example.com in the examples above). Contact the
RStudio Connect support team if you have trouble. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. Your RStudio Connect application expects the SAML assertions in a specific format, which requires you to
add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes, where nameidentifier is mapped to user.userprincipalname.
The RStudio Connect application expects nameidentifier to be mapped to user.mail, so you need to edit the
attribute mapping by clicking the Edit icon and changing the attribute mapping.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
Configure RStudio Connect Single Sign-On
To configure single sign-on for RStudio Connect, you need to use the App Federation Metadata Url and
Server Address used above. This is done in the RStudio Connect configuration file at
/etc/rstudio-connect/rstudio-connect.gcfg.
[Server]
SenderEmail =
; Important! The Server Address of your RStudio Connect server (the value used in the Azure portal above).
Address =
[Http]
Listen = :3939
[Authentication]
Provider = saml
[SAML]
Logging = true
; Important! The URL where your IdP hosts the SAML metadata or the path to a local copy of it placed in the RStudio Connect server.
IdPMetaData =
IdPAttributeProfile = azure
SSOInitiated = IdPAndSP
Store your Server Address in the Server.Address value, and the App Federation Metadata Url in the
SAML.IdPMetaData value.
If you have trouble with configuration, you can read the RStudio Connect Admin Guide or email the RStudio
support team for help.
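The following check is an added example, not part of the original tutorial or of RStudio's own tooling. It parses a configuration file like the one above, flags the settings this section depends on, and derives from Server.Address the Identifier, Reply URL and Sign-on URL that the Basic SAML Configuration in Azure should contain. The sample file, host names and function names are constructed for illustration, and the plain-http metadata check is an added hardening assumption.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: same keys as the tutorial's file, placeholder values.
SAMPLE_GCFG = """\
[Server]
SenderEmail = connect@example.com
Address = https://connect.example.com:3939

[Http]
Listen = :3939

[Authentication]
Provider = saml

[SAML]
Logging = true
; URL where the IdP hosts the SAML metadata
IdPMetaData = https://idp.example.com/federationmetadata.xml
IdPAttributeProfile = azure
SSOInitiated = IdPAndSP
"""


def load_gcfg(text):
    """Parse gcfg text into {section: {key: value}} with lower-cased names."""
    parser = configparser.ConfigParser(
        delimiters=("=",),            # values such as ":3939" contain colons
        comment_prefixes=(";", "#"),
        interpolation=None,
        strict=False,
    )
    parser.read_string(text)
    return {
        section.lower(): {k.lower(): v.strip() for k, v in parser.items(section)}
        for section in parser.sections()
    }


def expected_azure_values(address):
    """Derive the Basic SAML Configuration values from Server.Address."""
    base = address.rstrip("/")
    return {
        "identifier": base + "/__login__/saml",
        "reply_url": base + "/__login__/saml/acs",
        "sign_on_url": base + "/",
    }


def check_connect_saml(text):
    """Return (findings, azure_values) for one configuration file's text."""
    try:
        cfg = load_gcfg(text)
    except configparser.Error as exc:
        # A comment wrapped onto a second line without ';' ends up here.
        return [f"config does not parse: {type(exc).__name__}"], {}

    findings, azure = [], {}
    address = cfg.get("server", {}).get("address", "")
    parts = urlsplit(address)
    if not address:
        findings.append("Server.Address is empty")
    elif parts.scheme != "https" or not parts.hostname:
        findings.append("Server.Address does not follow the https://<host> pattern")
    else:
        azure = expected_azure_values(address)

    if cfg.get("authentication", {}).get("provider", "").lower() != "saml":
        findings.append("Authentication.Provider is not saml")

    saml = cfg.get("saml", {})
    metadata = saml.get("idpmetadata", "")
    if not metadata:
        findings.append("SAML.IdPMetaData is empty")
    elif metadata.lower().startswith("http://"):
        # Added hardening assumption: metadata carries the IdP signing
        # certificate, so it should not be fetched over cleartext HTTP.
        findings.append("SAML.IdPMetaData is fetched over plain http")
    if saml.get("idpattributeprofile", "").lower() != "azure":
        findings.append("SAML.IdPAttributeProfile is not azure")
    return findings, azure


if __name__ == "__main__":
    problems, values = check_connect_saml(SAMPLE_GCFG)
    for name, value in values.items():
        print(f"{name}: {value}")
    for problem in problems:
        print("FINDING:", problem)
```

Compare the derived values with what was typed into the Azure portal; a mismatch between Server.Address and the Reply URL is a common reason the assertion is rejected.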
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create RStudio Connect test user
In this section, a user called Britta Simon is created in RStudio Connect. RStudio Connect supports just-in-time
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in RStudio Connect, a new one is created when you attempt to access RStudio Connect.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the RStudio Connect tile in the Access Panel, you should be automatically signed in to the RStudio
Connect for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
RolePoint
6/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate RolePoint with Azure Active Directory (Azure AD). This integration
provides these benefits:
You can use Azure AD to control who has access to RolePoint.
You can enable your users to be automatically signed in to RolePoint (single sign-on) with their Azure AD
accounts.
You can manage your accounts in one central location: the Azure portal.
To learn more about SaaS app integration with Azure AD, see Single sign-on to applications in Azure Active
Directory.
If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
To configure Azure AD integration with RolePoint, you need to have:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.
A RolePoint subscription with single sign-on enabled.
Scenario description
In this tutorial, you'll configure and test Azure AD single sign-on in a test environment.
RolePoint supports SP-initiated SSO.
4. In the search box, enter RolePoint. Select RolePoint in the search results and then select Add.
3. On the Set up Single Sign-On with SAML page, select the Edit icon to open the Basic SAML
Configuration dialog box:
4. In the Basic SAML Configuration dialog box, take the following steps.
a. In the Sign on URL box, enter a URL in this pattern:
https://<subdomain>.rolepoint.com/login
NOTE
These values are placeholders. You need to use the actual sign-on URL and identifier. We suggest that you use a
unique string value in the identifier. Contact the RolePoint support team to get these values. You can also refer to the
patterns shown in the Basic SAML Configuration dialog box in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select the
Download link next to Federation Metadata XML, per your requirements, and save the file on your
computer.
6. In the Set up RolePoint section, copy the appropriate URLs, based on your requirements:
a. Login URL.
b. Azure AD Identifier.
c. Logout URL.
Configure RolePoint single sign-on
To set up single sign-on on the RolePoint side, you need to work with the RolePoint support team. Send this team
the Federation Metadata XML file and the URLs that you got from the Azure portal. They'll configure RolePoint to
ensure the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user named Britta Simon in the Azure portal.
1. In the Azure portal, select Azure Active Directory in the left pane, select Users, and then select All users:
4. Select Add user, and then select Users and groups in the Add Assignment dialog box.
5. In the Users and groups dialog box, select Britta Simon in the users list, and then click the Select button
at the bottom of the window.
6. If you expect a role value in the SAML assertion, in the Select Role dialog box, select the appropriate role
for the user from the list. Click the Select button at the bottom of the window.
7. In the Add Assignment dialog box, select Assign.
Create a RolePoint test user
Next, you need to create a user named Britta Simon in RolePoint. Work with the RolePoint support team to add
users to RolePoint. Users need to be created and activated before you can use single sign-on.
Test single sign-on
Now you need to test your Azure AD single sign-on configuration by using the Access Panel.
When you select the RolePoint tile in the Access Panel, you should be automatically signed in to the RolePoint
instance for which you set up SSO. For more information about the Access Panel, see Access and use apps on the
My Apps portal.
Additional resources
Tutorials for integrating SaaS applications with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Rollbar
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Rollbar with Azure Active Directory (Azure AD). Integrating Rollbar with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Rollbar.
You can enable your users to be automatically signed-in to Rollbar (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Rollbar, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Rollbar single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Rollbar supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Rollbar, select Rollbar from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type the URL: https://saml.rollbar.com
b. In the Reply URL text box, type a URL using the following pattern:
https://rollbar.com/<accountname>/saml/sso/azure/
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://rollbar.com/<accountname>/saml/login/azure/
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact Rollbar Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Rollbar section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Rollbar Single Sign-On
1. In a different web browser window, sign in to your Rollbar company site as an administrator.
2. Click Profile Settings in the top-right corner, and then click Account Name settings.
NOTE
In order to complete the following step, you must first add yourself as a user to the Rollbar app in Azure.
a. If you want to require all users to authenticate via Azure, then click log in via your identity provider to
re-authenticate via Azure.
b. Once you're returned to the screen, select the Require login via SAML Identity Provider checkbox.
c. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Rollbar test user
To enable Azure AD users to sign in to Rollbar, they must be provisioned into Rollbar. In the case of Rollbar,
provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Rollbar company site as an administrator.
2. Click Profile Settings in the top-right corner, and then click Account Name settings.
3. Click Users.
6. The user receives an invitation and, after accepting it, is created in the system.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Rollbar tile in the Access Panel, you should be automatically signed in to the Rollbar for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate RunMyProcess with Azure Active
Directory
8/8/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate RunMyProcess with Azure Active Directory (Azure AD). When you
integrate RunMyProcess with Azure AD, you can:
Control in Azure AD who has access to RunMyProcess.
Enable your users to be automatically signed-in to RunMyProcess with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
RunMyProcess single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
RunMyProcess supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL using the following pattern:
https://live.runmyprocess.com/live/<tenant id>
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact RunMyProcess Client support team to
get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up RunMyProcess section, copy the appropriate URL(s) based on your requirement.
Configure RunMyProcess SSO
1. In a different web browser window, sign in to your RunMyProcess tenant as an administrator.
2. In the left navigation panel, click Account and select Configuration.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create RunMyProcess test user
In order to enable Azure AD users to sign in to RunMyProcess, they must be provisioned into RunMyProcess. In
the case of RunMyProcess, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your RunMyProcess company site as an administrator.
2. Click Account and select Users in the left navigation panel, then click New User.
a. Type the Name and E-mail of a valid Azure AD account you want to provision into the related textboxes.
b. Select an IDE language, Language, and Profile.
c. Select Send account creation e-mail to me.
d. Click Save.
NOTE
You can use any other RunMyProcess user account creation tools or APIs provided by RunMyProcess to provision
Azure Active Directory user accounts.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the RunMyProcess tile in the Access Panel, you should be automatically signed in to the
RunMyProcess for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Integrate SafeConnect with Azure Active
Directory
8/8/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate SafeConnect with Azure Active Directory (Azure AD). When you
integrate SafeConnect with Azure AD, you can:
Control in Azure AD who has access to SafeConnect.
Enable your users to be automatically signed-in to SafeConnect with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
SafeConnect single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
SafeConnect supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL using the following pattern:
https://portal.myweblogon.com:8443/saml/login
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Metadata XML and select Download to download the certificate and save it on your computer.
6. On the Set up SafeConnect section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create SafeConnect test user
In this section, you create a user called Britta Simon in SafeConnect. Work with SafeConnect support team to add
the users in the SafeConnect platform. Users must be created and activated before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SafeConnect tile in the Access Panel, you should be automatically signed in to the SafeConnect
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Integrate SafetyNet with Azure Active
Directory
8/8/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate SafetyNet with Azure Active Directory (Azure AD). When you integrate
SafetyNet with Azure AD, you can:
Control in Azure AD who has access to SafetyNet.
Enable your users to be automatically signed-in to SafetyNet with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
SafetyNet single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
SafetyNet supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://<subdomain>.predictivesolutions.com/sp
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.predictivesolutions.com/CRMApp/saml/SSO
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<subdomain>.predictivesolutions.com
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
SafetyNet Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
Configure SafetyNet SSO
To configure single sign-on on the SafetyNet side, you need to send the App Federation Metadata Url to the SafetyNet
support team. They configure this setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SafetyNet.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select SafetyNet.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create SafetyNet test user
In this section, you create a user called Britta Simon in SafetyNet. Work with SafetyNet support team to add the
users in the SafetyNet platform. Users must be created and activated before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SafetyNet tile in the Access Panel, you should be automatically signed in to the SafetyNet for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory Single sign-on (SSO)
integration with Salesforce
10/9/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Salesforce with Azure Active Directory (Azure AD). When you
integrate Salesforce with Azure AD, you can:
Control in Azure AD who has access to Salesforce.
Enable your users to be automatically signed-in to Salesforce with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Salesforce single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Salesforce supports SP initiated SSO
Salesforce supports Just In Time user provisioning
Salesforce supports Automated user provisioning
The Salesforce Mobile application can now be configured with Azure AD for enabling SSO.
b. In the Identifier textbox, type the value using the following pattern:
Enterprise account: https://<subdomain>.my.salesforce.com
NOTE
These values are not real. Update these values with the actual Sign-on URL and Identifier. Contact Salesforce Client
support team to get these values.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Salesforce section, copy the appropriate URL(s) as per your requirement.
NOTE
Salesforce user attributes are case sensitive for SAML validation.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
3. Scroll down to the SETTINGS in the navigation pane, click Identity to expand the related section. Then
click Single Sign-On Settings.
4. On the Single Sign-On Settings page, click the Edit button.
NOTE
If you are unable to enable Single Sign-On settings for your Salesforce account, you may need to contact Salesforce
Client support team.
6. To configure your SAML single sign-on settings, click New from Metadata File.
7. Click Choose File to upload the metadata XML file which you have downloaded from the Azure portal and
click Create.
8. On the SAML Single Sign-On Settings page, the fields populate automatically. Click Save.
9. On the left navigation pane in Salesforce, click Company Settings to expand the related section, and then
click My Domain.
10. Scroll down to the Authentication Configuration section, and click the Edit button.
11. In the Authentication Configuration section, select AzureSSO as the Authentication Service of your
SAML SSO configuration, and then click Save.
NOTE
If more than one authentication service is selected, users are prompted to select which authentication service they
would like to sign in with while initiating single sign-on to your Salesforce environment. If you don't want this to happen,
leave all other authentication services unchecked.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Salesforce tile in the Access Panel, you should be automatically signed in to the Salesforce for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
2. In the Custom Domain textbox, enter your registered custom domain name and click Continue.
3. Enter your Azure AD credentials to sign in to the Salesforce application and click Next.
4. On the Allow Access page as shown below, click Allow to give access to the Salesforce application.
5. Finally, after a successful sign-in, the application homepage is displayed.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Configure User Provisioning
Try Salesforce with Azure AD
Tutorial: Azure Active Directory integration with
Salesforce Sandbox
6/13/2019 • 8 minutes to read
In this tutorial, you learn how to integrate Salesforce Sandbox with Azure Active Directory (Azure AD).
Sandboxes give you the ability to create multiple copies of your organization in separate environments for a variety
of purposes, such as development, testing, and training, without compromising the data and applications in your
Salesforce production organization. For more details, see Sandbox Overview.
Integrating Salesforce Sandbox with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Salesforce Sandbox.
You can enable your users to be automatically signed-in to Salesforce Sandbox (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Salesforce Sandbox, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Salesforce Sandbox single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Salesforce Sandbox supports SP and IDP initiated SSO
Salesforce Sandbox supports Just In Time user provisioning
Salesforce Sandbox supports Automated user provisioning
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Salesforce Sandbox, select Salesforce Sandbox from the result panel, then click the Add
button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you have the Service Provider metadata file and wish to
configure in IDP initiated mode, perform the following steps:
a. Click Upload metadata file.
b. Click on folder logo to select the metadata file and click Upload.
NOTE
You will get the service provider metadata file from the Salesforce Sandbox admin portal which is explained later in
the tutorial.
c. After the metadata file is successfully uploaded, the Reply URL value will get auto populated in Reply
URL textbox.
NOTE
If the Reply URL value does not get auto-populated, fill in the value manually according to your requirement.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Metadata XML from the given options as per your requirement and save it on
your computer.
6. In the Set up Salesforce Sandbox section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Salesforce Sandbox Single Sign-On
1. Open a new tab in your browser and sign in to your Salesforce Sandbox administrator account.
2. Click Setup under the settings icon in the top-right corner of the page.
3. Scroll down to the SETTINGS in the left navigation pane, click Identity to expand the related section. Then
click Single Sign-On Settings.
6. To configure your SAML single sign-on settings, click New from Metadata File.
7. Click Choose File to upload the metadata XML file which you have downloaded from the Azure portal and
click Create.
8. On the SAML Single Sign-On Settings page, the fields populate automatically. Click Save.
9. On the Single Sign-On Settings page, click the Download Metadata button to download the service
provider metadata file. Use this file in the Basic SAML Configuration section in the Azure portal for
configuring the necessary URLs as explained above.
10. If you wish to configure the application in SP initiated mode, the prerequisites are as follows:
a. You should have a verified domain.
b. You need to configure and enable your domain on Salesforce Sandbox; the steps for this are explained later in
this tutorial.
c. In the Azure portal, on the Basic SAML Configuration section, click Set additional URLs and perform
the following step:
In the Sign-on URL textbox, type the value using the following pattern:
https://<instancename>--Sandbox.<entityid>.my.salesforce.com
NOTE
This value should be copied from the Salesforce Sandbox portal once you have enabled the domain.
11. In the SAML Signing Certificate section, click Federation Metadata XML and then save the XML file on
your computer.
12. Open a new tab in your browser and sign in to your Salesforce Sandbox administrator account.
13. Click Setup under the settings icon in the top-right corner of the page.
14. Scroll down to the SETTINGS in the left navigation pane, click Identity to expand the related section. Then
click Single Sign-On Settings.
15. On the Single Sign-On Settings page, click the Edit button.
17. To configure your SAML single sign-on settings, click New from Metadata File.
18. Click Choose File to upload the metadata XML file and click Create.
19. On the SAML Single Sign-On Settings page, the fields populate automatically. Type the name of the
configuration (for example: SPSSOWAAD_Test) in the Name textbox and click Save.
20. To enable your domain on Salesforce Sandbox, perform the following steps:
NOTE
Before enabling the domain, you need to create it on Salesforce Sandbox. For more information, see Defining
Your Domain Name. Once the domain is created, make sure that it's configured correctly.
21. On the left navigation pane in Salesforce Sandbox, click Company Settings to expand the related section,
and then click My Domain.
22. In the Authentication Configuration section, click Edit.
23. In the Authentication Configuration section, as Authentication Service, select the name of the SAML
Single Sign-On Setting which you have set during SSO configuration in Salesforce Sandbox and click Save.
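The metadata exchange in the steps above sets up trust in both directions, so it is worth confirming that the two files agree with the Azure AD Identifier, Login URL and Reply URL shown in the Azure portal. The following Python check is an added example, not part of the original tutorial or of Microsoft's or Salesforce's tooling; the function names, host names and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ROLES = {"idp": ("IDPSSODescriptor", "SingleSignOnService"),
         "sp": ("SPSSODescriptor", "AssertionConsumerService")}

# Constructed sample data: host names and certificate bytes are placeholders,
# not values from a real tenant or from Salesforce.
CERT_B64 = base64.b64encode(b"constructed bytes standing in for a DER certificate").decode()

IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/tenant/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/tenant/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/tenant/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def summarize(xml_text, role):
    """Extract entity ID, endpoints and signing-cert fingerprints for one side ("idp" or "sp")."""
    # Stdlib parser, used here for a file the administrator downloaded personally;
    # for metadata from an untrusted source, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    descriptor_tag, service_tag = ROLES[role]
    desc = root.find("md:" + descriptor_tag, NS)
    if desc is None:
        raise ValueError(f"metadata has no {descriptor_tag}; wrong file for the {role} side?")
    prints = []
    for key in desc.findall("md:KeyDescriptor", NS):
        if key.get("use", "signing") == "signing":  # no "use" attribute means any use
            for cert in key.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                prints.append(hashlib.sha256(der).hexdigest())
    return {
        "entity_id": root.get("entityID"),
        "endpoints": [e.get("Location", "") for e in desc.findall("md:" + service_tag, NS)],
        "logout": [e.get("Location", "") for e in desc.findall("md:SingleLogoutService", NS)],
        "signing_sha256": prints,
    }


def check_metadata(idp_xml, sp_xml, identifier, login_url, reply_url):
    """Compare both metadata files with the values copied from the portal.

    Returns a list of findings; an empty list means everything agrees.
    """
    idp, sp = summarize(idp_xml, "idp"), summarize(sp_xml, "sp")
    findings = []
    if idp["entity_id"] != identifier:
        findings.append(f"IdP entityID {idp['entity_id']!r} differs from Azure AD Identifier")
    if login_url not in idp["endpoints"]:
        findings.append("Login URL is not a SingleSignOnService location in the IdP metadata")
    if reply_url not in sp["endpoints"]:
        findings.append("Reply URL is not an AssertionConsumerService location in the SP metadata")
    for url in idp["endpoints"] + idp["logout"] + sp["endpoints"] + sp["logout"]:
        if urlsplit(url).scheme != "https":
            findings.append(f"endpoint is not HTTPS: {url!r}")
    if not idp["signing_sha256"]:
        findings.append("IdP metadata carries no signing certificate")
    return findings


if __name__ == "__main__":
    print(summarize(IDP_METADATA, "idp")["signing_sha256"])
    print(check_metadata(IDP_METADATA, SP_METADATA,
                         "https://idp.example.test/tenant/",
                         "https://idp.example.test/tenant/saml2",
                         "https://sp.example.test/acs") or "metadata matches portal values")
```

Record the SHA-256 fingerprint at setup time so that a later change of the signing certificate in either file is noticed when the check is repeated.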
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Salesforce Sandbox test user
In this section, a user called Britta Simon is created in Salesforce Sandbox. Salesforce Sandbox supports just-in-
time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't
already exist in Salesforce Sandbox, a new one is created when you attempt to access Salesforce Sandbox.
Salesforce Sandbox also supports automatic user provisioning; you can find more details here on how to configure
automatic user provisioning.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Salesforce Sandbox tile in the Access Panel, you should be automatically signed in to the
Salesforce Sandbox for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Configure User Provisioning
Tutorial: Azure Active Directory integration with
Samanage
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Samanage with Azure Active Directory (Azure AD). Integrating
Samanage with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Samanage.
You can enable your users to be automatically signed-in to Samanage (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Samanage, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Samanage single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Samanage supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Samanage, select Samanage from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<Company Name>.samanage.com
NOTE
These values are not real. Update these values with the actual Sign-on URL and Identifier, which is explained later in
the tutorial. For more details contact Samanage Client support team. You can also refer to the patterns shown in the
Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and
save it on your computer.
6. In the Set up Samanage section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Samanage Single Sign-On
1. In a different web browser window, log in to your Samanage company site as an administrator.
2. Click Dashboard and select Setup in the left navigation pane.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Samanage test user
To enable Azure AD users to log in to Samanage, they must be provisioned into Samanage.
In the case of Samanage, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to your Samanage company site as an administrator.
2. Click Dashboard and select Setup in the left navigation pane.
5. Type the Name and the Email Address of an Azure Active Directory account you want to provision and
click Create user.
NOTE
The Azure Active Directory account holder will receive an email and follow a link to confirm their account before it
becomes active. You can use any other Samanage user account creation tools or APIs provided by Samanage to
provision Azure Active Directory user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
SAML 1.1 Token enabled LOB App
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate SAML 1.1 Token enabled LOB App with Azure Active Directory (Azure
AD). Integrating SAML 1.1 Token enabled LOB App with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SAML 1.1 Token enabled LOB App.
You can enable your users to be automatically signed-in to SAML 1.1 Token enabled LOB App (Single Sign-On)
with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SAML 1.1 Token enabled LOB App, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
SAML 1.1 Token enabled LOB App single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SAML 1.1 Token enabled LOB App supports SP initiated SSO
Adding SAML 1.1 Token enabled LOB App from the gallery
To configure the integration of SAML 1.1 Token enabled LOB App into Azure AD, you need to add SAML 1.1 Token
enabled LOB App from the gallery to your list of managed SaaS apps.
To add SAML 1.1 Token enabled LOB App from the gallery, perform the following steps:
1. In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SAML 1.1 Token enabled LOB App, select SAML 1.1 Token enabled LOB App
from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern: https://your-app-url
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact SAML 1.1 Token
enabled LOB App Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up SAML 1.1 Token enabled LOB App section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SAML 1.1 Token enabled LOB App Single Sign-On
To configure single sign-on on the SAML 1.1 Token enabled LOB App side, you need to send the downloaded
Certificate (Base64) and the appropriate copied URLs from the Azure portal to the SAML 1.1 Token enabled LOB App
support team. They apply these settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. In the applications list, type and select SAML 1.1 Token enabled LOB App.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SAML 1.1 Token enabled LOB App test user
In this section, you create a user called Britta Simon in SAML 1.1 Token enabled LOB App. Work with the SAML 1.1
Token enabled LOB App support team to add the users in the SAML 1.1 Token enabled LOB App platform. Users
must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SAML 1.1 Token enabled LOB App tile in the Access Panel, you should be automatically signed
in to the SAML 1.1 Token enabled LOB App for which you set up SSO. For more information about the Access
Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
SAML SSO for Bamboo by resolution GmbH
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate SAML SSO for Bamboo by resolution GmbH with Azure Active
Directory (Azure AD). Integrating SAML SSO for Bamboo by resolution GmbH with Azure AD provides you with
the following benefits:
You can control in Azure AD who has access to SAML SSO for Bamboo by resolution GmbH.
You can enable your users to be automatically signed-in to SAML SSO for Bamboo by resolution GmbH
(Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SAML SSO for Bamboo by resolution GmbH, you need the following
items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
SAML SSO for Bamboo by resolution GmbH single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SAML SSO for Bamboo by resolution GmbH supports SP and IDP initiated SSO
SAML SSO for Bamboo by resolution GmbH supports Just In Time user provisioning
Adding SAML SSO for Bamboo by resolution GmbH from the gallery
To configure the integration of SAML SSO for Bamboo by resolution GmbH into Azure AD, you need to add
SAML SSO for Bamboo by resolution GmbH from the gallery to your list of managed SaaS apps.
To add SAML SSO for Bamboo by resolution GmbH from the gallery, perform the following steps:
1. In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SAML SSO for Bamboo by resolution GmbH, select SAML SSO for Bamboo by
resolution GmbH from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/samlsso
b. In the Reply URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/samlsso
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/samlsso
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact SAML
SSO for Bamboo by resolution GmbH Client support team to get these values. You can also refer to the patterns
shown in the Basic SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. In the Set up SAML SSO for Bamboo by resolution GmbH section, copy the appropriate URL(s) as per
your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SAML SSO for Bamboo by resolution GmbH Single Sign-On
1. Sign in to your SAML SSO for Bamboo by resolution GmbH company site as an administrator.
2. On the right side of the main toolbar, click Settings > Add-ons.
5. On the Choose your SAML Identity Provider Page, perform the following steps:
a. Select Idp Type as AZURE AD.
b. In the Name textbox, type the name.
c. In the Description textbox, type the description.
d. Click Next.
6. On the Identity provider configuration page click Next.
7. On the Import SAML Idp Metadata Page, click Load File to upload the METADATA XML file which you
have downloaded from Azure portal.
8. Click Next.
9. Click Save settings.
2. In the applications list, select SAML SSO for Bamboo by resolution GmbH.
3. In the menu on the left, select Users and groups.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SAML SSO for Bamboo by resolution GmbH test user
The objective of this section is to create a user called Britta Simon in SAML SSO for Bamboo by resolution GmbH.
SAML SSO for Bamboo by resolution GmbH supports just-in-time provisioning, and users can also be created
manually. Contact the SAML SSO for Bamboo by resolution GmbH Client support team as per your requirement.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SAML SSO for Bamboo by resolution GmbH tile in the Access Panel, you should be
automatically signed in to the SAML SSO for Bamboo by resolution GmbH for which you set up SSO. For more
information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
SAML SSO for Bitbucket by resolution GmbH
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate SAML SSO for Bitbucket by resolution GmbH with Azure Active
Directory (Azure AD). Integrating SAML SSO for Bitbucket by resolution GmbH with Azure AD provides you with
the following benefits:
You can control in Azure AD who has access to SAML SSO for Bitbucket by resolution GmbH.
You can enable your users to be automatically signed-in to SAML SSO for Bitbucket by resolution GmbH
(Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SAML SSO for Bitbucket by resolution GmbH, you need the following
items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
SAML SSO for Bitbucket by resolution GmbH single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SAML SSO for Bitbucket by resolution GmbH supports SP and IDP initiated SSO
SAML SSO for Bitbucket by resolution GmbH supports Just In Time user provisioning
Adding SAML SSO for Bitbucket by resolution GmbH from the gallery
To configure the integration of SAML SSO for Bitbucket by resolution GmbH into Azure AD, you need to add
SAML SSO for Bitbucket by resolution GmbH from the gallery to your list of managed SaaS apps.
To add SAML SSO for Bitbucket by resolution GmbH from the gallery, perform the following steps:
1. In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SAML SSO for Bitbucket by resolution GmbH, select SAML SSO for Bitbucket
by resolution GmbH from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, perform the following steps if you wish to configure the
application in IDP initiated mode:
a. In the Identifier text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/samlsso
b. In the Reply URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/samlsso
c. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/samlsso
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact SAML
SSO for Bitbucket by resolution GmbH Client support team to get these values. You can also refer to the patterns
shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
5. On the Choose your SAML Identity Provider Page, perform the following steps:
8. Click Next.
9. Click Save settings.
2. In the applications list, type and select SAML SSO for Bitbucket by resolution GmbH.
3. In the menu on the left, select Users and groups.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SAML SSO for Bitbucket by resolution GmbH test user
The objective of this section is to create a user called Britta Simon in SAML SSO for Bitbucket by resolution
GmbH. SAML SSO for Bitbucket by resolution GmbH supports just-in-time provisioning, and users can also be
created manually. Contact the SAML SSO for Bitbucket by resolution GmbH Client support team as per your
requirement.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SAML SSO for Bitbucket by resolution GmbH tile in the Access Panel, you should be
automatically signed in to the SAML SSO for Bitbucket by resolution GmbH for which you set up SSO. For more
information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
SAML SSO for Confluence by resolution GmbH
10/30/2019 • 8 minutes to read
In this tutorial, you learn how to integrate SAML SSO for Confluence by resolution GmbH with Azure Active
Directory (Azure AD). Integrating SAML SSO for Confluence by resolution GmbH with Azure AD provides you
with the following benefits:
You can control in Azure AD who has access to SAML SSO for Confluence by resolution GmbH.
You can enable your users to be automatically signed-in to SAML SSO for Confluence by resolution GmbH
(Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SAML SSO for Confluence by resolution GmbH, you need the following
items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
SAML SSO for Confluence by resolution GmbH single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SAML SSO for Confluence by resolution GmbH supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SAML SSO for Confluence by resolution GmbH, select SAML SSO for
Confluence by resolution GmbH from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, perform the following steps if you wish to configure the
application in IDP initiated mode:
a. In the Identifier text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/samlsso
b. In the Reply URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/samlsso
c. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/samlsso
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact SAML
SSO for Confluence by resolution GmbH Client support team to get these values. You can also refer to the patterns
shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
3. You are redirected to Administrator Access page. Enter the password and click Confirm button.
5. Search for SAML Single Sign On (SSO) for Confluence and click the Install button to install the new SAML
plugin.
6. The plugin installation will start. Click Close.
7. Click Manage.
8. Click Configure to configure the new plugin.
9. This new plugin can also be found under USERS & SECURITY tab.
10. On the SAML SingleSignOn Plugin Configuration page, click the Add new IdP button to configure the
settings of the Identity Provider.
11. On the Choose your SAML Identity Provider page, perform the following steps:
a. Set Azure AD as the IdP type.
b. Add the Name of the Identity Provider (e.g. Azure AD).
c. Add the Description of the Identity Provider (e.g. Azure AD).
d. Click Next.
12. On the Identity provider configuration page, click the Next button.
13. On the Import SAML IdP Metadata page, perform the following steps:
a. Click the Load File button and pick the Metadata XML file you downloaded in Step 5.
b. Click the Import button.
c. Wait briefly until the import succeeds.
d. Click the Next button.
14. On the User ID attribute and transformation page, click the Next button.
15. On the User creation and update page, click Save & Next to save the settings.
16. On the Test your settings page, click Skip test & configure manually to skip the user test for now. This will
be performed in the next section and requires some settings in the Azure portal.
17. In the dialog that appears, reading Skipping the test means..., click OK.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SAML SSO for Confluence by resolution GmbH test user
To enable Azure AD users to log in to SAML SSO for Confluence by resolution GmbH, they must be provisioned
into SAML SSO for Confluence by resolution GmbH.
In SAML SSO for Confluence by resolution GmbH, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to your SAML SSO for Confluence by resolution GmbH company site as an administrator.
2. Hover over the cog and click User management.
3. Under the Users section, click the Add users tab. On the “Add a User” dialog page, perform the following steps:
a. In the Username textbox, type the email of the user, like Britta Simon.
b. In the Full Name textbox, type the full name of the user, like Britta Simon.
c. In the Email textbox, type the email address of the user, like Brittasimon@contoso.com.
d. In the Password textbox, type the password for Britta Simon.
e. Click Confirm Password and re-enter the password.
f. Click the Add button.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SAML SSO for Confluence by resolution GmbH tile in the Access Panel, you should be
automatically signed in to the SAML SSO for Confluence by resolution GmbH for which you set up SSO. For more
information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
SAML SSO for Jira by resolution GmbH
10/30/2019 • 9 minutes to read
In this tutorial, you learn how to set up SAML SSO for Jira by resolution GmbH with Azure Active Directory (Azure
AD). Integrating SAML SSO for Jira by resolution GmbH with Azure AD provides you with the following benefits:
You can control in Azure AD who can sign in to Jira with the SAML SSO plugin by resolution GmbH.
You can enable your users to be automatically signed-in to Jira with their Azure AD accounts by using SAML
SSO for Jira by resolution GmbH (Single Sign-On).
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration and SAML SSO for Jira by resolution GmbH, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
SAML SSO for Jira by resolution GmbH single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SAML SSO for Jira by resolution GmbH supports SP and IDP initiated SSO
4. In the search box, type SAML SSO for Jira by resolution GmbH, select SAML SSO for Jira by
resolution GmbH from the result panel, and then click the Add button to add the application. You can also
change the name of the enterprise app.
Configure and test single sign-on with the SAML SSO plugin and Azure
AD
In this section, you will test and configure single sign-on to Jira for an Azure AD user. This will be done for a test
user called Britta Simon. For single sign-on to work, a link relationship between an Azure AD user and the related
user in SAML SSO for Jira by resolution GmbH needs to be established.
To configure and test single sign-on, you need to complete the following steps:
1. Configure the Azure AD enterprise application for single sign-on - Configure the Azure AD enterprise
application for single sign-on.
2. Configure the SAML SSO plugin of your Jira instance - Configure the single sign-on settings on the
application side.
3. Create an Azure AD test user - Create a test user in Azure AD.
4. Assign the Azure AD test user - Enable the test user to use single sign-on on the Azure side.
5. Create the test user in Jira - Create a counterpart test user in Jira for the Azure AD test user.
6. Test single sign-on - Verify whether the configuration works.
Configure the Azure AD enterprise application for single sign-on
In this section, you set up the single sign-on in the Azure portal.
To configure the single sign-on with SAML SSO for Jira by resolution GmbH, perform the following steps:
1. In the Azure portal, in the just created SAML SSO for Jira by resolution GmbH enterprise application,
select Single sign-on in the left panel.
2. For Select a Single sign-on method, select the SAML mode to enable single sign-on.
3. Afterwards, click the Edit icon to open the Basic SAML Configuration dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in the IDP initiated
mode, then perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/samlsso
b. In the Reply URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/samlsso
c. Click Set additional URLs and perform the following step, if you wish to configure the application in the
SP initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/samlsso
NOTE
For the Identifier, Reply URL and Sign-on URL, substitute <server-base-url> with the base URL of your Jira instance.
You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal. If you have a
problem, contact us at SAML SSO for Jira by resolution GmbH Client support team.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, download the
Federation Metadata XML and save it to your computer.
3. If you are redirected to Administrator Access page, enter the Password and click the Confirm button.
4. Jira normally redirects you to the Atlassian marketplace. If not, click on Find new apps in the left panel.
Search for SAML Single Sign On (SSO) for JIRA and click the Install button to install the SAML plugin.
5. The plugin installation will start. When it's done, click the Close button.
8. In the SAML SingleSignOn Plugin Configuration wizard, click Add new IdP to configure Azure AD as a
new Identity Provider.
9. On the Choose your SAML Identity Provider page, perform the following steps:
a. Set Azure AD as the IdP type.
b. Add the Name of the Identity Provider (e.g. Azure AD).
c. Add an (optional) Description of the Identity Provider (e.g. Azure AD).
d. Click Next.
10. On the Identity provider configuration page, click Next.
11. On Import SAML IdP Metadata page, perform the following steps:
a. Click the Select Metadata XML File button and pick the Federation Metadata XML file you
downloaded before.
b. Click the Import button.
c. Wait briefly until the import succeeds.
d. Click the Next button.
12. On User ID attribute and transformation page, click the Next button.
13. On the User creation and update page, click Save & Next to save the settings.
14. On the Test your settings page, click Skip test & configure manually to skip the user test for now. This
will be performed in the next section and requires some settings in the Azure portal.
2. In the applications list, search for the enterprise application you created at the beginning of this tutorial. If
you are following the steps of the tutorial, it's called SAML SSO for Jira by resolution GmbH. If you've
given it another name, search for that name.
3. In the left panel, click Users and groups.
4. Select Add user, and then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon from the Users list, and then click the Select button at
the bottom of the screen.
6. If you're expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create the test user also in Jira
To enable Azure AD users to sign in to SAML SSO for Jira by resolution GmbH, they must be provisioned into
SAML SSO for Jira by resolution GmbH. For this tutorial, you have to do the provisioning by hand.
However, other provisioning models are also available for the SAML SSO plugin by resolution, for example
Just In Time provisioning. Refer to their documentation at SAML SSO by resolution GmbH. If you have a
question about it, contact support at resolution support.
To manually provision a user account, perform the following steps:
1. Sign in to your Jira instance as an administrator.
2. Hover over the cog and select User management.
3. If you are redirected to the Administrator Access page, then enter the Password and click the Confirm
button.
5. On the “Create new user” dialog page, perform the following steps. You have to create the user exactly like
in Azure AD:
a. In the Email address textbox, type the email address of the user: BrittaSimon@contoso.com.
b. In the Full Name textbox, type the full name of the user: Britta Simon.
c. In the Username textbox, type the email address of the user: BrittaSimon@contoso.com.
d. In the Password textbox, enter the password of the user.
e. Click Create user to finish the user creation.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SAML SSO for Jira by resolution GmbH tile in the Access Panel, you should be automatically
signed in to the SAML SSO for Jira by resolution GmbH for which you set up SSO. For more information about
the Access Panel, see Introduction to the Access Panel.
You can also test single sign-on by navigating to https://<server-base-url>/plugins/servlet/samlsso. Substitute
<server-base-url> with the base URL of your Jira instance.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Azure AD SAML Toolkit
9/19/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Azure AD SAML Toolkit with Azure Active Directory (Azure AD). When
you integrate Azure AD SAML Toolkit with Azure AD, you can:
Control in Azure AD who has access to Azure AD SAML Toolkit.
Enable your users to be automatically signed-in to Azure AD SAML Toolkit with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Azure AD SAML Toolkit single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Azure AD SAML Toolkit supports SP initiated SSO
Configure and test Azure AD single sign-on for Azure AD SAML Toolkit
Configure and test Azure AD SSO with Azure AD SAML Toolkit using a test user called B.Simon. For SSO to
work, you need to establish a link relationship between an Azure AD user and the related user in Azure AD SAML
Toolkit.
To configure and test Azure AD SSO with Azure AD SAML Toolkit, complete the following building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure Azure AD SAML Toolkit SSO - to configure the single sign-on settings on the application side.
a. Create Azure AD SAML Toolkit test user - to have a counterpart of B.Simon in Azure AD SAML
Toolkit that is linked to the Azure AD representation of the user.
3. Test SSO - to verify whether the configuration works.
4. On the Basic SAML Configuration page, enter the values for the following fields:
a. In the Sign on URL text box, type a URL: https://samltoolkit.azurewebsites.net/
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Raw) and select Download to download the certificate and save it on your computer.
6. On the Set up Azure AD SAML Toolkit section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Azure AD SAML Toolkit.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Azure AD SAML Toolkit.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
3. Click Create.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Azure AD SAML Toolkit tile in the Access Panel, you should be automatically signed in to the
Azure AD SAML Toolkit for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Azure AD SAML Toolkit with Azure AD
Tutorial: Integrate Sansan with Azure Active Directory
6/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Sansan with Azure Active Directory (Azure AD). When you integrate
Sansan with Azure AD, you can:
Control in Azure AD who has access to Sansan.
Enable your users to be automatically signed-in to Sansan with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Sansan single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Sansan supports SP initiated SSO.
4. On the Basic SAML Configuration page, enter the values for the following fields:
a. In the Sign-on URL text box, type any one of the URLs using the following pattern:
ENVIRONMENT URL
b. In the Identifier (Entity ID) text box, you can set up multiple identifier values and select any one of
them as per the environments.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Sansan Client support team to get the
value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up Sansan section, copy the appropriate URL(s) based on your requirement.
Configure Sansan
To configure single sign-on on Sansan side, you need to send the downloaded Certificate (Base64) and
appropriate copied URLs from Azure portal to Sansan Client support team. They set this setting to have the SAML
SSO connection set properly on both sides.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called Britta Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter Britta Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
BrittaSimon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable Britta Simon to use Azure single sign-on by granting access to Sansan.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Sansan.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Sansan test user
In this section, you create a user called Britta Simon in Sansan. The Sansan application needs the user to be
provisioned in the application before doing SSO.
NOTE
If you need to create a user manually or a batch of users, you need to contact the Sansan support team.
Test SSO
When you select the Sansan tile in the Access Panel, you should be automatically signed in to the Sansan for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with SAP
Business ByDesign
6/13/2019 • 7 minutes to read
In this tutorial, you learn how to integrate SAP Business ByDesign with Azure Active Directory (Azure AD).
Integrating SAP Business ByDesign with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SAP Business ByDesign.
You can enable your users to be automatically signed-in to SAP Business ByDesign (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SAP Business ByDesign, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
SAP Business ByDesign single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SAP Business ByDesign supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SAP Business ByDesign, select SAP Business ByDesign from the result panel, then
click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<servername>.sapbydesign.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact SAP Business
ByDesign Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. The SAP Business ByDesign application expects the SAML assertions in a specific format. Configure the
following claims for this application. You can manage the values of these attributes from the User
Attributes section on the application integration page. On the Set up Single Sign-On with SAML page, click
the Edit button to open the User Attributes dialog.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SAP Business ByDesign Single Sign-On
1. Sign on to your SAP Business ByDesign portal with administrator rights.
2. Navigate to Application and User Management Common Task and click the Identity Provider tab.
3. Click New Identity Provider and select the metadata XML file that you have downloaded from the Azure
portal. By importing the metadata, the system automatically uploads the required signature certificate and
encryption certificate.
4. To include the Assertion Consumer Service URL into the SAML request, select Include Assertion
Consumer Service URL.
5. Click Activate Single Sign-On.
6. Save your changes.
7. Click the My System tab.
8. In the Azure AD Sign On URL textbox, paste Login URL value, which you have copied from the Azure
portal.
9. Specify whether the employee can manually choose between logging on with user ID and password or SSO
by selecting Manual Identity Provider Selection.
10. In the SSO URL section, specify the URL that should be used by the employee to sign on to the system. In
the URL Sent to Employee dropdown list, you can choose between the following options:
Non-SSO URL
The system sends only the normal system URL to the employee. The employee cannot sign on using SSO,
and must use password or certificate instead.
SSO URL
The system sends only the SSO URL to the employee. The employee can sign on using SSO. The authentication
request is redirected through the IdP.
Automatic Selection
If SSO is not active, the system sends the normal system URL to the employee. If SSO is active, the system
checks whether the employee has a password. If a password is available, both SSO URL and Non-SSO URL
are sent to the employee. However, if the employee has no password, only the SSO URL is sent to the
employee.
11. Save your changes.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SAP Business ByDesign test user
In this section, you create a user called Britta Simon in SAP Business ByDesign. Please work with SAP Business
ByDesign Client support team to add the users in the SAP Business ByDesign platform.
NOTE
Please make sure that the NameID value matches the username field in the SAP Business ByDesign platform.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate SAP Analytics Cloud with Azure
Active Directory
7/19/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate SAP Analytics Cloud with Azure Active Directory (Azure AD). When
you integrate SAP Analytics Cloud with Azure AD, you can:
Control in Azure AD who has access to SAP Analytics Cloud.
Enable your users to be automatically signed-in to SAP Analytics Cloud with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
SAP Analytics Cloud single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
SAP Analytics Cloud supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<sub-domain>.sapanalytics.cloud/
https://<sub-domain>.sapbusinessobjects.cloud/
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
<sub-domain>.sapbusinessobjects.cloud
<sub-domain>.sapanalytics.cloud
NOTE
The values in these URLs are for demonstration only. Update the values with the actual sign-on URL and identifier
URL. To get the sign-on URL, contact the SAP Analytics Cloud Client support team. You can get the identifier URL by
downloading the SAP Analytics Cloud metadata from the admin console. This is explained later in the tutorial.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up SAP Analytics Cloud section, copy the appropriate URL(s) based on your requirement.
5. To download the service provider metadata (Step 1), select Download. In the metadata file, find and copy
the entityID value. In the Azure portal, on the Basic SAML Configuration dialog, paste the value in the
Identifier box.
6. To upload the service provider metadata (Step 2) in the file that you downloaded from the Azure portal,
under Upload Identity Provider metadata, select Upload.
7. In the User Attribute list, select the user attribute (Step 3) that you want to use for your implementation.
This user attribute maps to the identity provider. To enter a custom attribute on the user's page, use the
Custom SAML Mapping option. Or, you can select either Email or USER ID as the user attribute. In our
example, we selected Email because we mapped the user identifier claim with the userprincipalname
attribute in the User Attributes & Claims section in the Azure portal. This provides a unique user email,
which is sent to the SAP Analytics Cloud application in every successful SAML response.
8. To verify the account with the identity provider (Step 4), in the Login Credential (Email) box, enter the
user's email address. Then, select Verify Account. The system adds sign-in credentials to the user account.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create SAP Analytics Cloud test user
Azure AD users must be provisioned in SAP Analytics Cloud before they can sign in to SAP Analytics Cloud. In
SAP Analytics Cloud, provisioning is a manual task.
To provision a user account:
1. Sign in to your SAP Analytics Cloud company site as an administrator.
2. Select Menu > Security > Users.
3. On the Users page, to add new user details, select +.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with SAP Cloud for Customer
10/10/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate SAP Cloud for Customer with Azure Active Directory (Azure AD).
When you integrate SAP Cloud for Customer with Azure AD, you can:
Control in Azure AD who has access to SAP Cloud for Customer.
Enable your users to be automatically signed-in to SAP Cloud for Customer with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
SAP Cloud for Customer single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
SAP Cloud for Customer supports SP initiated SSO
Configure and test Azure AD single sign-on for SAP Cloud for
Customer
Configure and test Azure AD SSO with SAP Cloud for Customer using a test user called B.Simon. For SSO to
work, you need to establish a link relationship between an Azure AD user and the related user in SAP Cloud for
Customer.
To configure and test Azure AD SSO with SAP Cloud for Customer, complete the following building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure SAP Cloud for Customer SSO - to configure the single sign-on settings on the application side.
a. Create SAP Cloud for Customer test user - to have a counterpart of B.Simon in SAP Cloud for
Customer that is linked to the Azure AD representation of the user.
3. Test SSO - to verify whether the configuration works.
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<server name>.crm.ondemand.com
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<server name>.crm.ondemand.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact SAP Cloud for
Customer Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. The SAP Cloud for Customer application expects the SAML assertions in a specific format, which requires you
to add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes. Click the Edit icon to open the User Attributes dialog.
6. In the User Attributes section on the User Attributes & Claims dialog, perform the following steps:
a. Click the Edit icon to open the Manage user claims dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
a. In the First Name text box, enter the name of the user, like B.
b. In the Last Name text box, enter the name of the user, like Simon.
c. In the E-Mail text box, enter the email of the user, like B.Simon@contoso.com.
d. In the Login Name text box, enter the name of the user, like B.Simon.
e. Select User Type as per your requirement.
f. Select the Account Activation option as per your requirement.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SAP Cloud for Customer tile in the Access Panel, you should be automatically signed in to the
SAP Cloud for Customer for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try SAP Cloud for Customer with Azure AD
Tutorial: Azure Active Directory integration with SAP
Cloud Platform
10/30/2019 • 8 minutes to read
In this tutorial, you learn how to integrate SAP Cloud Platform with Azure Active Directory (Azure AD). Integrating
SAP Cloud Platform with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SAP Cloud Platform.
You can enable your users to be automatically signed-in to SAP Cloud Platform (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SAP Cloud Platform, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
SAP Cloud Platform single sign-on enabled subscription
After completing this tutorial, the Azure AD users you have assigned to SAP Cloud Platform will be able to sign in to
the application with single sign-on by using the Access Panel (see Introduction to the Access Panel).
IMPORTANT
You need to deploy your own application or subscribe to an application on your SAP Cloud Platform account to test single
sign on. In this tutorial, an application is deployed in the account.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SAP Cloud Platform supports SP initiated SSO
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SAP Cloud Platform, select SAP Cloud Platform from the result panel, then click the Add
button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
This is the URL in your SAP Cloud Platform application that requires the user to authenticate.
https://<subdomain>.hanatrial.ondemand.com/<instancename>
https://<subdomain>.hana.ondemand.com/<instancename>
b. In the Identifier textbox, type your SAP Cloud Platform's URL using one of the
following patterns:
https://hanatrial.ondemand.com/<instancename>
https://hana.ondemand.com/<instancename>
https://us1.hana.ondemand.com/<instancename>
https://ap1.hana.ondemand.com/<instancename>
c. In the Reply URL textbox, type a URL using the following pattern:
https://<subdomain>.hanatrial.ondemand.com/<instancename>
https://<subdomain>.hana.ondemand.com/<instancename>
https://<subdomain>.us1.hana.ondemand.com/<instancename>
https://<subdomain>.dispatcher.us1.hana.ondemand.com/<instancename>
https://<subdomain>.ap1.hana.ondemand.com/<instancename>
https://<subdomain>.dispatcher.ap1.hana.ondemand.com/<instancename>
https://<subdomain>.dispatcher.hana.ondemand.com/<instancename>
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier, and Reply URL. Contact the SAP
Cloud Platform Client support team to get the Sign-On URL and Identifier. You can get the Reply URL from the trust
management section, which is explained later in the tutorial.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
a. Click Edit.
b. As Configuration Type, select Custom.
c. As Local Provider Name, leave the default value. Copy this value and paste it into the Identifier field in
the Azure AD configuration for SAP Cloud Platform.
d. To generate a Signing Key and a Signing Certificate key pair, click Generate Key Pair.
e. As Principal Propagation, select Disabled.
f. As Force Authentication, select Disabled.
g. Click Save.
4. After saving the Local Service Provider settings, perform the following to obtain the Reply URL:
a. Download the SAP Cloud Platform metadata file by clicking Get Metadata.
b. Open the downloaded SAP Cloud Platform metadata XML file, and then locate the
ns3:AssertionConsumerService tag.
c. Copy the value of the Location attribute, and then paste it into the Reply URL field in the Azure AD
configuration for SAP Cloud Platform.
5. Click the Trusted Identity Provider tab, and then click Add Trusted Identity Provider.
NOTE
To manage the list of trusted identity providers, you need to have chosen the Custom configuration type in the Local
Service Provider section. For Default configuration type, you have a non-editable and implicit trust to the SAP ID
Service. For None, you don't have any trust settings.
6. Click the General tab, and then click Browse to upload the downloaded metadata file.
NOTE
After uploading the metadata file, the values for Single Sign-on URL, Single Logout URL, and Signing Certificate
are populated automatically.
firstname | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
lastname | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
NOTE
The configuration of the Attributes depends on how the application(s) on SCP are developed, that is, which
attribute(s) they expect in the SAML response and under which name (Principal Attribute) they access this attribute in
the code.
b. The Default Attribute in the screenshot is just for illustration purposes. It is not required to make the
scenario work.
c. The names and values for Principal Attribute shown in the screenshot depend on how the application is
developed. It is possible that your application requires different mappings.
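The trust setup above copies two values from the SAP Cloud Platform side into Azure AD: the Local Provider Name (into Identifier) and the AssertionConsumerService Location (into Reply URL). The following Python check is an added example, not part of the original tutorial: it reads both from a service provider metadata file and reports any mismatch with what was entered in Azure AD. The sample metadata is constructed, and the code assumes that the Local Provider Name appears as the entityID attribute and that the HTTP-POST endpoint is the one to use as Reply URL.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of a service provider metadata file. The subdomain and
# instance name are placeholders that follow the URL patterns on this page.
SAMPLE_METADATA = """\
<ns3:EntityDescriptor xmlns:ns3="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://us1.hana.ondemand.com/exampleinstance">
  <ns3:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns3:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://examplesub.us1.hana.ondemand.com/exampleinstance"/>
    <ns3:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://examplesub.us1.hana.ondemand.com/exampleinstance/art"/>
  </ns3:SPSSODescriptor>
</ns3:EntityDescriptor>
"""


def read_sp_metadata(xml_text):
    """Return (entity_id, endpoints) from SAML 2.0 service provider metadata."""
    # Metadata never needs a DTD; refuse one rather than let the parser expand it.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not contain a DTD")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    endpoints = []
    # The prefix (ns3 in the tutorial) is arbitrary; match on the namespace URI.
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        endpoints.append({
            "binding": acs.get("Binding"),
            "location": acs.get("Location"),
            "default": acs.get("isDefault") == "true",
        })
    return root.get("entityID"), endpoints


def check_azure_values(xml_text, identifier, reply_url):
    """List mismatches between the Azure AD values and the metadata."""
    entity_id, endpoints = read_sp_metadata(xml_text)
    problems = []
    if identifier != entity_id:
        problems.append(
            f"Identifier {identifier!r} differs from entityID {entity_id!r}")
    post_locations = [e["location"] for e in endpoints
                      if e["binding"] == POST_BINDING]
    if not post_locations:
        problems.append("metadata has no HTTP-POST AssertionConsumerService")
    elif reply_url not in post_locations:
        # Exact string comparison: a trailing slash or a different host fails.
        problems.append(
            f"Reply URL {reply_url!r} is not an HTTP-POST ACS Location")
    parts = urlsplit(reply_url)
    if parts.scheme != "https" or not parts.hostname:
        problems.append("Reply URL must be an absolute https:// URL")
    return problems


if __name__ == "__main__":
    entity_id, endpoints = read_sp_metadata(SAMPLE_METADATA)
    print("Identifier to enter in Azure AD:", entity_id)
    for endpoint in endpoints:
        print(endpoint["binding"].rsplit(":", 1)[-1], endpoint["location"])
    print(check_azure_values(
        SAMPLE_METADATA, entity_id,
        "https://examplesub.us1.hana.ondemand.com/exampleinstance/"))
```
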
Assertion-based groups
As an optional step, you can configure assertion-based groups for your Azure Active Directory Identity Provider.
Using groups on SAP Cloud Platform allows you to dynamically assign one or more users to one or more roles in
your SAP Cloud Platform applications, determined by values of attributes in the SAML 2.0 assertion.
For example, if the assertion contains the attribute "contract=temporary", you may want all affected users to be
added to the group "TEMPORARY". The group "TEMPORARY" may contain one or more roles from one or more
applications deployed in your SAP Cloud Platform account.
Use assertion-based groups when you want to simultaneously assign many users to one or more roles of
applications in your SAP Cloud Platform account. If you want to assign only a single or small number of users to
specific roles, we recommend assigning them directly in the “Authorizations” tab of the SAP Cloud Platform
cockpit.
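The group assignment described in this section can be modelled in a few lines. The following Python sketch is an added example, not SAP's or Microsoft's code: it reads the attributes of a SAML 2.0 assertion and derives groups and roles from them. The assertion, the rule list, and the application and role names are constructed, and the sketch assumes exact, case-sensitive value matching and an assertion whose signature and conditions have already been validated.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion fragment; signature and conditions are omitted.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2019-10-30T00:00:00Z">
  <saml:Subject><saml:NameID>B.Simon@contoso.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="contract">
      <saml:AttributeValue>temporary</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>sales</saml:AttributeValue>
      <saml:AttributeValue>support</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical rules: (group, assertion attribute, required value).
GROUP_RULES = [
    ("TEMPORARY", "contract", "temporary"),
    ("SALES", "department", "sales"),
    ("CONTRACT_ADMINS", "contract", "admin"),
]

# Hypothetical group contents: (application, role) pairs.
GROUP_ROLES = {
    "TEMPORARY": {("timesheet-app", "Submitter")},
    "SALES": {("crm-app", "Viewer"), ("timesheet-app", "Submitter")},
    "CONTRACT_ADMINS": {("crm-app", "Administrator")},
}


def assertion_attributes(xml_text):
    """Return {attribute name: [values]} from an assertion's attribute statement."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("assertion must not contain a DTD")
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        if not name:
            continue
        # An attribute may repeat or carry several values; collect them all.
        values = attrs.setdefault(name, [])
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            values.append((value.text or "").strip())
    return attrs


def groups_for(attrs, rules=GROUP_RULES):
    """Groups whose rule matches; a missing attribute grants nothing."""
    return sorted({group for group, name, expected in rules
                   if expected in attrs.get(name, [])})


def roles_for(groups, group_roles=GROUP_ROLES):
    """Union of the (application, role) pairs of all matched groups."""
    roles = set()
    for group in groups:
        roles |= group_roles.get(group, set())
    return roles


def effective_access(xml_text):
    """Subject, groups and roles that one assertion results in."""
    root = ET.fromstring(xml_text)
    name_id = root.find(f".//{{{SAML_NS}}}NameID")
    groups = groups_for(assertion_attributes(xml_text))
    return {
        "subject": name_id.text if name_id is not None else None,
        "groups": groups,
        "roles": roles_for(groups),
    }


if __name__ == "__main__":
    print(effective_access(SAMPLE_ASSERTION))
```

Because every user whose assertion carries a matching value receives the group's roles, the claim that feeds each rule should be one that users cannot edit themselves in the directory.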
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SAP Cloud Platform test user
In order to enable Azure AD users to log in to SAP Cloud Platform, you must assign roles in the SAP Cloud
Platform to them.
To assign a role to a user, perform the following steps:
1. Log in to your SAP Cloud Platform cockpit.
2. Perform the following:
a. Click Authorization.
b. Click the Users tab.
c. In the User textbox, type the user’s email address.
d. Click Assign to assign the user to a role.
e. Click Save.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SAP Cloud Platform tile in the Access Panel, you should be automatically signed in to the SAP
Cloud Platform for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with SAP Cloud Platform Identity Authentication
10/30/2019 • 9 minutes to read
In this tutorial, you learn how to integrate SAP Cloud Platform Identity Authentication with Azure Active Directory
(Azure AD). Integrating SAP Cloud Platform Identity Authentication with Azure AD provides you with the
following benefits:
You can control in Azure AD who has access to SAP Cloud Platform Identity Authentication.
You can enable your users to be automatically signed-in to SAP Cloud Platform Identity Authentication (Single
Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SAP Cloud Platform Identity Authentication, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
SAP Cloud Platform Identity Authentication single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SAP Cloud Platform Identity Authentication supports SP and IDP initiated SSO
Before you dive into the technical details, it's vital to understand the concepts you're going to look at. The SAP
Cloud Platform Identity Authentication and Active Directory Federation Services enable you to implement SSO
across applications or services that are protected by Azure AD (as an IdP) with SAP applications and services that
are protected by SAP Cloud Platform Identity Authentication.
Currently, SAP Cloud Platform Identity Authentication acts as a Proxy Identity Provider to SAP applications. Azure
Active Directory in turn acts as the leading Identity Provider in this setup.
The following diagram illustrates this relationship:
With this setup, your SAP Cloud Platform Identity Authentication tenant is configured as a trusted application in
Azure Active Directory.
All SAP applications and services that you want to protect this way are subsequently configured in the SAP Cloud
Platform Identity Authentication management console.
Therefore, the authorization for granting access to SAP applications and services needs to take place in SAP Cloud
Platform Identity Authentication (as opposed to Azure Active Directory).
By configuring SAP Cloud Platform Identity Authentication as an application through the Azure Active Directory
Marketplace, you don't need to configure individual claims or SAML assertions.
NOTE
Currently only Web SSO has been tested by both parties. The flows that are necessary for App-to-API or API-to-API
communication should work but have not been tested yet. They will be tested during subsequent activities.
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SAP Cloud Platform Identity Authentication, select SAP Cloud Platform
Identity Authentication from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, perform the
following steps:
a. In the Identifier text box, type a URL using the following pattern: <IAS-tenant-id>.accounts.ondemand.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<IAS-tenant-id>.accounts.ondemand.com/saml2/idp/acs/<IAS-tenant-id>.accounts.ondemand.com
NOTE
These values are not real. Update these values with the actual identifier and Reply URL. Contact the SAP Cloud
Platform Identity Authentication Client support team to get these values. If you don't understand the Identifier value,
read the SAP Cloud Platform Identity Authentication documentation about Tenant SAML 2.0 configuration.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: {YOUR BUSINESS APPLICATION URL}
NOTE
This value is not real. Update this value with the actual sign-on URL. Please use your specific business application
Sign-on URL. Contact the SAP Cloud Platform Identity Authentication Client support team if you have any doubt.
6. The SAP Cloud Platform Identity Authentication application expects the SAML assertions in a specific format.
Configure the following claims for this application. You can manage the values of these attributes from the
User Attributes section on the application integration page. On the Set up Single Sign-On with SAML page,
click the Edit button to open the User Attributes dialog.
7. If your SAP application expects an attribute such as firstName, add the firstName attribute in the User
Claims section on the User Attributes dialog, configure SAML token attribute as shown in the image
above and perform the following steps:
a. Click Add new claim to open the Manage user claims dialog.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SAP Cloud Platform Identity Authentication Single Sign-On
1. To get SSO configured for your application, go to the SAP Cloud Platform Identity Authentication
administration console. The URL has the following pattern:
https://<tenant-id>.accounts.ondemand.com/admin . Then read the documentation about SAP Cloud Platform
Identity Authentication at Integration with Microsoft Azure AD.
2. In the Azure portal, select the Save button.
3. Continue with the following only if you want to add and enable SSO for another SAP application. Repeat
the steps under the section Adding SAP Cloud Platform Identity Authentication from the gallery.
4. In the Azure portal, on the SAP Cloud Platform Identity Authentication application integration page,
select Linked Sign-on.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SAP Cloud Platform Identity Authentication test user
You don't need to create a user in SAP Cloud Platform Identity Authentication. Users who are in the Azure AD user
store can use the SSO functionality.
SAP Cloud Platform Identity Authentication supports the Identity Federation option. This option allows the
application to check whether users who are authenticated by the corporate identity provider exist in the user store
of SAP Cloud Platform Identity Authentication.
The Identity Federation option is disabled by default. If Identity Federation is enabled, only the users that are
imported in SAP Cloud Platform Identity Authentication can access the application.
For more information about how to enable or disable Identity Federation with SAP Cloud Platform Identity
Authentication, see "Enable Identity Federation with SAP Cloud Platform Identity Authentication" in Configure
Identity Federation with the User Store of SAP Cloud Platform Identity Authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SAP Cloud Platform Identity Authentication tile in the Access Panel, you should be
automatically signed in to the SAP Cloud Platform Identity Authentication for which you set up SSO. For more
information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with SAP Fiori
9/6/2019 • 8 minutes to read
In this tutorial, you'll learn how to integrate SAP Fiori with Azure Active Directory (Azure AD). When you integrate
SAP Fiori with Azure AD, you can:
Control in Azure AD who has access to SAP Fiori.
Enable your users to be automatically signed-in to SAP Fiori with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
SAP Fiori single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
SAP Fiori supports SP initiated SSO
NOTE
For SAP Fiori initiated iFrame Authentication, we recommend using the IsPassive parameter in the SAML AuthnRequest for
silent authentication. For more details on the IsPassive parameter, refer to Azure AD SAML single sign-on information.
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticketcache_entries_max = 1000
login/ticketcache_off = 0
login/ticket_only_by_https = 0
icf/set_HTTPonly_flag_on_cookies = 3
icf/user_recheck = 0
http/security_session_timeout = 1800
http/security_context_cache_size = 2500
rdisp/plugin_auto_logout = 1800
rdisp/autothtime = 60
NOTE
Adjust the parameters based on your organization requirements. The preceding parameters are given only as
an example.
b. If necessary, adjust parameters in the instance (default) profile of the SAP system and restart the SAP
system.
c. Double-click the relevant client to enable an HTTP security session.
d. Activate the following SICF services:
/sap/public/bc/sec/saml2
/sap/public/bc/sec/cdc_ext_service
/sap/bc/webdynpro/sap/saml2
/sap/bc/webdynpro/sap/sec_diag_tool (This is only to enable / disable trace)
4. Go to transaction code SAML2 in Business Client for SAP system [T01/122]. The configuration UI opens in
a new browser window. In this example, we use Business Client for SAP system 122.
5. Enter your username and password, and then select Log on.
6. In the Provider Name box, replace T01122 with http://T01122, and then select Save.
NOTE
By default, the provider name is in the format <sid><client>. Azure AD expects the name in the format
<protocol>://<name>. We recommend that you maintain the provider name as https://<sid><client> so you can
configure multiple SAP Fiori ABAP engines in Azure AD.
7. Select Local Provider tab > Metadata.
8. In the SAML 2.0 Metadata dialog box, download the generated metadata XML file and save it on your
computer.
9. In the Azure portal, on the SAP Fiori application integration page, find the Manage section and select
single sign-on.
10. On the Select a single sign-on method page, select SAML.
11. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to
edit the settings.
12. On the Basic SAML Configuration section, if you have Service Provider metadata file, perform the
following steps:
a. Click Upload metadata file.
b. Click the folder logo to select the metadata file, and then click Upload.
c. When the metadata file is successfully uploaded, the Identifier and Reply URL values are automatically
populated in the Basic SAML Configuration pane. In the Sign on URL box, enter a URL that has the
following pattern: https://<your company instance of SAP Fiori>.
NOTE
A few customers report errors related to incorrectly configured Reply URL values. If you see this error, you can use
the following PowerShell script to set the correct Reply URL for your instance:
You can set the ServicePrincipal object ID yourself before running the script, or you can pass it here.
13. The SAP Fiori application expects the SAML assertions to be in a specific format. Configure the following
claims for this application. To manage these attribute values, in the Set up Single Sign-On with SAML
pane, select Edit.
14. In the User Attributes & Claims pane, configure the SAML token attributes as shown in the preceding
image. Then, complete the following steps:
a. Select Edit to open the Manage user claims pane.
b. In the Transformation list, select ExtractMailPrefix().
c. In the Parameter 1 list, select user.userprincipalname.
d. Select Save.
15. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
16. On the Set up SAP Fiori section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
3. Select Add, and then select Upload Metadata File from the context menu.
4. Upload the metadata file that you downloaded in the Azure portal. Select Next.
5. On the next page, in the Alias box, enter the alias name. For example, aadsts. Select Next.
6. Make sure that the value in the Digest Algorithm box is SHA-256. Select Next.
7. Under Single Sign-On Endpoints, select HTTP POST, and then select Next.
8. Under Single Logout Endpoints, select HTTP Redirect, and then select Next.
13. In the Supported NameID Formats dialog box, select Unspecified. Select OK.
The values for User ID Source and User ID Mapping Mode determine the link between the SAP user and
the Azure AD claim.
Scenario 1: SAP user to Azure AD user mapping
a. In SAP, under Details of NameID Format "Unspecified", note the details:
b. In the Azure portal, under User Attributes & Claims, note the required claims from Azure AD.
Scenario 2: Select the SAP user ID based on the configured email address in SU01. In this case, the email
ID should be configured in SU01 for each user who requires SSO.
a. In SAP, under Details of NameID Format "Unspecified", note the details:
b. In the Azure portal, under User Attributes & Claims, note the required claims from Azure AD.
14. Select Save, and then select Enable to enable the identity provider.
15. Select OK when prompted.
Test SSO
1. After the identity provider Azure AD is activated in SAP Fiori, try to access one of the following URLs to test
single sign-on (you shouldn't be prompted for a username and password):
https://<sapurl>/sap/bc/bsp/sap/it00/default.htm
https://<sapurl>/sap/bc/bsp/sap/it00/default.htm
NOTE
Replace sapurl with the actual SAP host name.
2. The test URL should take you to the following test application page in SAP. If the page opens, Azure AD
single sign-on is successfully set up.
3. If you are prompted for a username and password, enable trace to help diagnose the issue. Use the
following URL for the trace:
https://<sapurl>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=122&sap-language=EN#.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try SAP Fiori with Azure AD
Tutorial: Azure Active Directory integration with SAP HANA
10/30/2019 • 8 minutes to read
In this tutorial, you learn how to integrate SAP HANA with Azure Active Directory (Azure AD). Integrating SAP
HANA with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SAP HANA.
You can enable your users to be automatically signed-in to SAP HANA (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SAP HANA, you need the following items:
An Azure AD subscription
A SAP HANA subscription that's single sign-on (SSO) enabled
A HANA instance that's running on any public IaaS, on-premises, Azure VM, or SAP large instances in Azure
The XSA Administration web interface, as well as HANA Studio installed on the HANA instance
NOTE
We do not recommend using a production environment of SAP HANA to test the steps in this tutorial. Test the integration
first in the development or staging environment of the application, and then use the production environment.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SAP HANA supports IDP initiated SSO
SAP HANA supports just-in-time user provisioning
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SAP HANA, select SAP HANA from the result panel, then click the Add button to add the
application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type the following: HA100
b. In the Reply URL text box, type a URL using the following pattern:
https://<Customer-SAP-instance-url>/sap/hana/xs/saml/login.xscfunc
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact the SAP HANA Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The SAP HANA application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on the
application integration page. On the Set up Single Sign-On with SAML page, click the Edit button to open the
User Attributes dialog.
6. In the User attributes section on the User Attributes & Claims dialog, perform the following steps:
a. Click the Edit icon to open the Manage user claims dialog.
b. From the Transformation list, select ExtractMailPrefix().
c. From the Parameter 1 list, select user.mail.
d. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
2. In the XSA Web Interface, go to SAML Identity Provider. From there, select the + button on the bottom of
the screen to display the Add Identity Provider Info pane. Then take the following steps:
a. In the Add Identity Provider Info pane, paste the contents of the Metadata XML (which you
downloaded from the Azure portal) into the Metadata box.
b. If the contents of the XML document are valid, the parsing process extracts the information that's
required for the Subject, Entity ID, and Issuer fields in the General data screen area. It also extracts the
information that's necessary for the URL fields in the Destination screen area, for example, the Base URL
and SingleSignOn URL (*) fields.
c. In the Name box of the General Data screen area, enter a name for the new SAML SSO identity
provider.
NOTE
The name of the SAML IDP is mandatory and must be unique. It appears in the list of available SAML IDPs that is
displayed when you select SAML as the authentication method for SAP HANA XS applications to use. For example,
you can do this in the Authentication screen area of the XS Artifact Administration tool.
3. Select Save to save the details of the SAML identity provider and to add the new SAML IDP to the list of
known SAML IDPs.
4. In HANA Studio, within the system properties of the Configuration tab, filter the settings by saml. Then
adjust the assertion_timeout from 10 sec to 120 sec.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SAP HANA test user
To enable Azure AD users to sign in to SAP HANA, you must provision them in SAP HANA. SAP HANA supports
just-in-time provisioning, which is enabled by default.
If you need to create a user manually, take the following steps:
NOTE
You can change the external authentication that the user uses. They can authenticate with an external system such as
Kerberos. For detailed information about external identities, contact your domain administrator.
1. Open the SAP HANA Studio as an administrator, and then enable the DB-User for SAML SSO.
2. Select the invisible check box to the left of SAML, and then select the Configure link.
3. Select Add to add the SAML IDP. Select the appropriate SAML IDP, and then select OK.
4. Add the External Identity (in this case, BrittaSimon) or choose Any. Then select OK.
NOTE
If the Any check box is not selected, then the user name in HANA needs to exactly match the name of the user in the
UPN before the domain suffix. (For example, BrittaSimon@contoso.com becomes BrittaSimon in HANA.)
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory Single sign-on (SSO) integration with SAP NetWeaver
9/18/2019 • 11 minutes to read
In this tutorial, you'll learn how to integrate SAP NetWeaver with Azure Active Directory (Azure AD). When you
integrate SAP NetWeaver with Azure AD, you can:
Control in Azure AD who has access to SAP NetWeaver.
Enable your users to be automatically signed-in to SAP NetWeaver with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
SAP NetWeaver single sign-on (SSO) enabled subscription.
At least SAP NetWeaver V7.20 is required.
Scenario description
SAP NetWeaver supports both SAML (SP initiated SSO) and OAuth. In this tutorial, you configure and test
Azure AD SSO in a test environment.
NOTE
Configure the application either in SAML or in OAuth as per your organizational requirement.
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticketcache_entries_max = 1000
login/ticketcache_off = 0
login/ticket_only_by_https = 0
icf/set_HTTPonly_flag_on_cookies = 3
icf/user_recheck = 0
http/security_session_timeout = 1800
http/security_context_cache_size = 2500
rdisp/plugin_auto_logout = 1800
rdisp/autothtime = 60
NOTE
Adjust the above parameters to your organization's requirements; they are given here as an indication only.
b. If necessary, adjust the parameters in the instance/default profile of the SAP system and restart the SAP system.
c. Double-click the relevant client to enable HTTP security session.
d. Activate the following SICF services:
/sap/public/bc/sec/saml2
/sap/public/bc/sec/cdc_ext_service
/sap/bc/webdynpro/sap/saml2
/sap/bc/webdynpro/sap/sec_diag_tool (This is only to enable / disable trace)
4. Go to transaction code SAML2 in the business client of the SAP system [T01/122]. It opens a user interface in a
browser. In this example, 122 is assumed to be the SAP business client.
5. Enter your username and password to sign in to the user interface, and click Edit.
6. Change Provider Name from T01122 to http://T01122 and click Save.
NOTE
By default, the provider name is in the format <sid><client>, but Azure AD expects the name in the format
<protocol>://<name>. We recommend maintaining the provider name as https://<sid><client> so that multiple
SAP NetWeaver ABAP engines can be configured in Azure AD.
7. Generate the service provider metadata: once the Local Provider and Trusted Providers settings are
configured in the SAML 2.0 user interface, the next step is to generate the service provider’s metadata
file (which contains all the settings, authentication contexts, and other configurations in SAP). Once
this file is generated, upload it in Azure AD.
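The profile parameters listed in the note above can be checked against a baseline before the SAP system is restarted. The following Python code is an added example, not part of the original tutorial or of any SAP tool; the sample profiles are constructed, and the stricter values for login/ticket_only_by_https and icf/set_HTTPonly_flag_on_cookies are this example's assumption of an organization baseline, not values from the tutorial.

```python
# Added example: review SAP profile text for the SSO-related parameters named above.

# Values the tutorial lists "as indication only".
TUTORIAL_VALUES = {
    "login/create_sso2_ticket": "2",
    "login/accept_sso2_ticket": "1",
    "login/ticketcache_entries_max": "1000",
    "login/ticketcache_off": "0",
    "login/ticket_only_by_https": "0",
    "icf/set_HTTPonly_flag_on_cookies": "3",
    "icf/user_recheck": "0",
    "http/security_session_timeout": "1800",
    "http/security_context_cache_size": "2500",
    "rdisp/plugin_auto_logout": "1800",
    "rdisp/autothtime": "60",
}

# ASSUMPTION (not from the tutorial): a stricter baseline for an HTTPS-only landscape.
# login/ticket_only_by_https = 1 restricts the logon ticket cookie to HTTPS;
# icf/set_HTTPonly_flag_on_cookies = 0 sets HttpOnly on all ICF cookies (3 leaves it off).
BASELINE = dict(TUTORIAL_VALUES)
BASELINE["login/ticket_only_by_https"] = "1"
BASELINE["icf/set_HTTPonly_flag_on_cookies"] = "0"


def parse_profile(text):
    """Return {parameter: value}; a later line overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def effective_values(default_profile, instance_profile):
    """Instance profile entries take precedence over the default profile."""
    merged = parse_profile(default_profile)
    merged.update(parse_profile(instance_profile))
    return merged


def review(effective, baseline=BASELINE):
    """List (parameter, current value or None, baseline value) for each deviation."""
    findings = []
    for name in sorted(baseline):
        current = effective.get(name)  # None: not set, kernel default applies
        if current != baseline[name]:
            findings.append((name, current, baseline[name]))
    return findings


# Constructed sample profiles (not taken from a real system).
DEFAULT_PFL = """\
# DEFAULT.PFL (constructed)
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticketcache_entries_max = 1000
login/ticketcache_off = 0
login/ticket_only_by_https = 0
icf/set_HTTPonly_flag_on_cookies = 3
icf/user_recheck = 0
http/security_session_timeout = 1800
http/security_context_cache_size = 2500
rdisp/plugin_auto_logout = 1800
"""

INSTANCE_PFL = """\
# instance profile (constructed): overrides one value from DEFAULT.PFL
http/security_session_timeout = 3600
"""

if __name__ == "__main__":
    for name, current, wanted in review(effective_values(DEFAULT_PFL, INSTANCE_PFL)):
        print(f"{name}: current={current!r} baseline={wanted!r}")
```
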
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
a. Click Upload metadata file to upload the Service Provider metadata file, which you have obtained
earlier.
b. Click the folder logo to select the metadata file and click Upload.
c. After the metadata file is successfully uploaded, the Identifier and Reply URL values are populated
automatically in the Basic SAML Configuration section text boxes as shown below:
d. In the Sign-on URL text box, type a URL using the following pattern:
https://<your company instance of SAP NetWeaver>
NOTE
Some customers have reported an error about an incorrect Reply URL configured for their instance. If you receive
such an error, you can use the following PowerShell script as a workaround to set the correct Reply URL for your
instance:
Set the ServicePrincipal Object ID yourself first, or pass it in here as well.
5. SAP NetWeaver application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click Edit icon to open User Attributes dialog.
6. In the User Claims section on the User Attributes dialog, configure SAML token attribute as shown in the
image above and perform the following steps:
a. Click Edit icon to open the Manage user claims dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
3. Press Add and select Upload Metadata File from the context menu.
4. Upload the metadata file that you downloaded from the Azure portal.
5. On the next screen, type the Alias name, for example aadsts, and press Next to continue.
6. Make sure that your Digest Algorithm is SHA-256, which doesn’t require any changes, and press
Next.
7. On Single Sign-On Endpoints, use HTTP POST and click Next to continue.
8. On Single Logout Endpoints select HTTPRedirect and click Next to continue.
12. Click Add under the Identity Federation tab (bottom window).
13. From the pop-up window, select Unspecified from the Supported NameID formats and click OK.
14. Note that the user ID Source and user ID mapping mode values determine the link between the SAP user and
the Azure AD claim.
Scenario: SAP User to Azure AD user mapping.
a. NameID details screenshot from SAP.
Scenario: Select SAP user ID based on the email address configured in SU01. In this case, the email ID should be
configured in SU01 for each user who requires SSO.
a. NameID details screenshot from SAP.
15. Click Save and then click Enable to enable identity provider.
16. Click OK once prompted.
Test SSO
1. Once the identity provider Azure AD is activated, try accessing the URL below to check SSO (there will be no
prompt for username and password):
https://<sapurl>/sap/bc/bsp/sap/it00/default.htm
NOTE
Replace sapurl with the actual SAP hostname.
2. The above URL should take you to the screen shown below. If you are able to reach that page,
Azure AD SSO setup is successfully done.
3. If a username and password prompt appears, diagnose the issue by enabling the trace using the URL below:
https://<sapurl>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=122&sap-language=EN#
3. In this example, we want to connect the OData service DAAG_MNGGRP with OAuth to Azure AD SSO. Use the
technical service name search to find the service DAAG_MNGGRP, and activate it if it is not yet active (look for
green status under the ICF nodes tab). Ensure that the system alias (the connected backend system, where the
service is actually running) is correct.
Then click the OAuth pushbutton on the top button bar and assign the scope (keep the default name as offered).
4. In our example the scope is DAAG_MNGGRP_001; it is generated from the service name by automatically
adding a number. The report /IWFND/R_OAUTH_SCOPES can be used to change the name of the scope or to create it manually.
NOTE
The message "soft state status is not supported" can be ignored, as it is not a problem. For more details, refer here
NOTE
For more details, refer to OAuth 2.0 Client Registration for the SAML Bearer Grant Type here
3. Transaction code SU01: create the user CLIENT1 with type System and assign a password. Save the password, as
you need to provide the credential to the API programmer, who should hard-code it with the username in the
calling code. No profile or role should be assigned.
Register the new OAuth 2.0 Client ID with the creation wizard
1. To register a new OAuth 2.0 client, start transaction SOAUTH2. The transaction displays an overview
of the OAuth 2.0 clients that are already registered. Choose Create to start the wizard for the new
OAuth client, named CLIENT1 in this example.
2. Go to T-Code SOAUTH2, provide the description, and then click Next.
3. Select the already added SAML2 IdP – Azure AD from the dropdown list and save.
4. Click on Add under scope assignment to add the previously created scope: DAAG_MNGGRP_001
5. Click finish.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try SAP NetWeaver with Azure AD
Tutorial: Azure Active Directory integration with Sauce Labs - Mobile and Web Testing
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Sauce Labs - Mobile and Web Testing with Azure Active Directory (Azure
AD). Integrating Sauce Labs - Mobile and Web Testing with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Sauce Labs - Mobile and Web Testing.
You can enable your users to be automatically signed-in to Sauce Labs - Mobile and Web Testing (Single Sign-On)
with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Sauce Labs - Mobile and Web Testing, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Sauce Labs - Mobile and Web Testing single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Sauce Labs - Mobile and Web Testing supports IDP initiated SSO
Sauce Labs - Mobile and Web Testing supports Just In Time user provisioning
Adding Sauce Labs - Mobile and Web Testing from the gallery
To configure the integration of Sauce Labs - Mobile and Web Testing into Azure AD, you need to add Sauce Labs -
Mobile and Web Testing from the gallery to your list of managed SaaS apps.
To add Sauce Labs - Mobile and Web Testing from the gallery, perform the following steps:
1. In the Azure portal, on the left navigation panel, click Azure Active Directory icon.
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Sauce Labs - Mobile and Web Testing, select Sauce Labs - Mobile and Web
Testing from result panel then click Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Sauce Labs - Mobile and Web Testing section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Sauce Labs - Mobile and Web Testing Single Sign-On
1. In a different web browser window, sign in to your Sauce Labs - Mobile and Web Testing company site as an
administrator.
2. Click on the User icon and select Team Management tab.
a. Click Browse and upload the metadata file downloaded from Azure AD.
b. Select the ALLOW JUST-IN-TIME PROVISIONING checkbox.
c. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. In the applications list, select Sauce Labs - Mobile and Web Testing.
3. In the menu on the left, select Users and groups.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Sauce Labs - Mobile and Web Testing test user
In this section, a user called Britta Simon is created in Sauce Labs - Mobile and Web Testing. Sauce Labs - Mobile
and Web Testing supports just-in-time user provisioning, which is enabled by default. There is no action item for
you in this section. If a user doesn't already exist in Sauce Labs - Mobile and Web Testing, a new one is created
after authentication.
NOTE
If you need to create a user manually, contact Sauce Labs - Mobile and Web Testing support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with ScaleX Enterprise
10/18/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate ScaleX Enterprise with Azure Active Directory (Azure AD). When you
integrate ScaleX Enterprise with Azure AD, you can:
Control in Azure AD who has access to ScaleX Enterprise.
Enable your users to be automatically signed-in to ScaleX Enterprise with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
ScaleX Enterprise single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
ScaleX Enterprise supports SP and IDP initiated SSO
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://platform.rescale.com/saml2/<company id>/
b. In the Reply URL text box, type a URL using the following pattern:
https://platform.rescale.com/saml2/<company id>/acs/
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://platform.rescale.com/saml2/<company id>/sso/
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact ScaleX
Enterprise Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. Your ScaleX Enterprise application expects the SAML assertions in a specific format, which requires you to
add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes, where emailaddress is mapped with user.mail. The ScaleX Enterprise
application expects emailaddress to be mapped with user.userprincipalname, so you need to edit the
attribute mapping by clicking the Edit icon and changing the attribute mapping.
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
8. On the Set up ScaleX Enterprise section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, clicking Set up ScaleX Enterprise directs you to the ScaleX
Enterprise application. From there, provide the admin credentials to sign in to ScaleX Enterprise. The
browser extension will automatically configure the application for you and automate steps 3-6.
3. If you want to set up ScaleX Enterprise manually, open a new web browser window, sign in to your
ScaleX Enterprise company site as an administrator, and perform the following steps:
4. Click the menu in the upper right and select Contoso Administration.
NOTE
Contoso is just an example. This should be your actual Company Name.
5. Select Integrations from the top menu and select single sign-on.
d. Identity Provider EntityDescriptor Entity ID: Paste the Azure AD Identifier value copied from the
Azure portal.
e. Identity Provider SingleSignOnService URL: Paste the Login URL from the Azure portal.
f. Identity Provider public X509 certificate: Open the X509 certificate downloaded from Azure in
Notepad and paste the contents in this box. Ensure there are no line breaks in the middle of the certificate
contents.
g. Check the following checkboxes: Enabled, Encrypt NameID and Sign AuthnRequests.
h. Click Update SSO Settings to save the settings.
Create ScaleX Enterprise test user
To enable Azure AD users to sign in to ScaleX Enterprise, they must be provisioned into ScaleX Enterprise. In the
case of ScaleX Enterprise, provisioning is an automatic task and no manual steps are required. Any user who can
successfully authenticate with SSO credentials will be automatically provisioned on the ScaleX side.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ScaleX Enterprise tile in the Access Panel, you should be automatically signed in to the ScaleX
Enterprise for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try ScaleX Enterprise with Azure AD
Tutorial: Azure Active Directory integration with SCC LifeCycle
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate SCC LifeCycle with Azure Active Directory (Azure AD). Integrating SCC
LifeCycle with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SCC LifeCycle.
You can enable your users to be automatically signed-in to SCC LifeCycle (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SCC LifeCycle, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
SCC LifeCycle single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SCC LifeCycle supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type SCC LifeCycle, select SCC LifeCycle from result panel then click Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://bs1.scc.com/<entity>
https://lifecycle.scc.com/<entity>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact SCC LifeCycle Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up SCC LifeCycle section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SCC LifeCycle Single Sign-On
To configure single sign-on on SCC LifeCycle side, you need to send the downloaded Metadata XML and
appropriate copied URLs from Azure portal to SCC LifeCycle support team. They set this setting to have the SAML
SSO connection set properly on both sides.
NOTE
Single sign-on has to be enabled by the SCC LifeCycle support team.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SCC LifeCycle test user
In order to enable Azure AD users to log into SCC LifeCycle, they must be provisioned into SCC LifeCycle. There is
no action item for you to configure user provisioning to SCC LifeCycle.
When an assigned user tries to log into SCC LifeCycle, an SCC LifeCycle account is automatically created if
necessary.
NOTE
The Azure Active Directory account holder receives an email and follows a link to confirm their account before it becomes
active.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with Screencast-O-Matic
11/15/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Screencast-O-Matic with Azure Active Directory (Azure AD). When you
integrate Screencast-O-Matic with Azure AD, you can:
Control in Azure AD who has access to Screencast-O-Matic.
Enable your users to be automatically signed-in to Screencast-O-Matic with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Screencast-O-Matic single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Screencast-O-Matic supports SP initiated SSO
Screencast-O-Matic supports Just In Time user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL using the following pattern:
https://screencast-o-matic.com/<InstanceName>
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Screencast-O-Matic Client support team
to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up Screencast-O-Matic section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Screencast-O-Matic.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Screencast-O-Matic.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, clicking Set up Screencast-O-Matic directs you to the
Screencast-O-Matic application. From there, provide the admin credentials to sign in to Screencast-O-Matic.
The browser extension will automatically configure the application for you and automate steps 3-11.
3. If you want to set up Screencast-O-Matic manually, open a new web browser window, sign in to your
Screencast-O-Matic company site as an administrator, and perform the following steps:
4. Click on Subscription.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Screencast-O-Matic tile in the Access Panel, you should be automatically signed in to the
Screencast-O-Matic for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Screencast-O-Matic with Azure AD
Tutorial: Azure Active Directory integration with Schoox
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Schoox with Azure Active Directory (Azure AD). Integrating Schoox with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Schoox.
You can enable your users to be automatically signed-in to Schoox (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Schoox, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Schoox single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Schoox supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Schoox, select Schoox from result panel then click Add button to add the
application.
3. On the Set-up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Identifier text box, type a URL: https://saml.schoox.com/saml/adfsmetadata
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://saml.schoox.com/saml/login?idpUrl=<entityID>
NOTE
<entityID> is the SAML Entity ID copied from the Quick Reference section, described later in tutorial.
6. On the Set-up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Schoox section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Schoox Single Sign-On
To configure single sign-on on Schoox side, you need to send the downloaded Federation Metadata XML and
appropriate copied URLs from Azure portal to Schoox support team. They set this setting to have the SAML SSO
connection set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Schoox test user
In this section, you create a user called Britta Simon in Schoox. Work with Schoox support team to add the users in
the Schoox platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Schoox tile in the Access Panel, you should be automatically signed in to the Schoox for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Sciforma
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Sciforma with Azure Active Directory (Azure AD). Integrating Sciforma
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Sciforma.
You can enable your users to be automatically signed-in to Sciforma (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Sciforma, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Sciforma single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Sciforma supports SP initiated SSO
Sciforma supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Sciforma, select Sciforma from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.sciforma.net/sciforma/saml
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Sciforma Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Sciforma section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Sciforma Single Sign-On
To configure single sign-on on the Sciforma side, send the downloaded Federation Metadata XML and the
appropriate URLs copied from the Azure portal to the Sciforma support team. They apply these settings so that
the SAML SSO connection is configured correctly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Sciforma test user
In this section, a user called Britta Simon is created in Sciforma. Sciforma supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in
Sciforma, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Sciforma tile in the Access Panel, you should be automatically signed in to the Sciforma instance for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
SciQuest Spend Director
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate SciQuest Spend Director with Azure Active Directory (Azure AD).
Integrating SciQuest Spend Director with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SciQuest Spend Director.
You can enable your users to be automatically signed-in to SciQuest Spend Director (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SciQuest Spend Director, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
SciQuest Spend Director single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SciQuest Spend Director supports SP initiated SSO
SciQuest Spend Director supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SciQuest Spend Director, select SciQuest Spend Director from the result panel, then
click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier box, type a URL using the following pattern: https://<companyname>.sciquest.com
c. In the Reply URL text box, type a URL using the following pattern:
https://<companyname>.sciquest.com/apps/Router/ExternalAuth/Login/<instancename>
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact the
SciQuest Spend Director Client support team to get these values. You can also refer to the patterns shown in the
Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up SciQuest Spend Director section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SciQuest Spend Director Single Sign-On
To configure single sign-on on the SciQuest Spend Director side, send the downloaded Federation
Metadata XML and the appropriate URLs copied from the Azure portal to the SciQuest Spend Director support team. They
apply these settings so that the SAML SSO connection is configured correctly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SciQuest Spend Director test user
The objective of this section is to create a user called Britta Simon in SciQuest Spend Director.
You need to contact your SciQuest Spend Director support team and provide them with the details about your test
account to get it created.
Alternatively, you can also leverage just-in-time provisioning, a single sign-on feature that is supported by
SciQuest Spend Director.
If just-in-time provisioning is enabled, users are automatically created by SciQuest Spend Director during a single
sign-on attempt if they don't exist. This feature eliminates the need to manually create single sign-on counterpart
users.
To get just-in-time provisioning enabled, you need to contact your SciQuest Spend Director support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SciQuest Spend Director tile in the Access Panel, you should be automatically signed in to the
SciQuest Spend Director instance for which you set up SSO. For more information about the Access Panel, see Introduction
to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
ScreenSteps
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate ScreenSteps with Azure Active Directory (Azure AD). Integrating
ScreenSteps with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to ScreenSteps.
You can enable your users to be automatically signed-in to ScreenSteps (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ScreenSteps, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
ScreenSteps single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ScreenSteps supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type ScreenSteps, select ScreenSteps from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
This value is not real. Update this value with the actual Sign-On URL, which is explained later in this tutorial.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up ScreenSteps section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure ScreenSteps Single Sign-On
1. In a different web browser window, log into your ScreenSteps company site as an administrator.
2. Click Account Settings.
3. Click Single Sign-on.
5. In the Create Single Sign-on Endpoint section, perform the following steps:
7. In the Edit Single Sign-on Endpoint section, perform the following steps:
a. Click Upload new SAML Certificate file, and then upload the certificate that you downloaded from the
Azure portal.
b. Paste the Login URL value, which you copied from the Azure portal, into the Remote Login URL
text box.
c. Paste the Logout URL value, which you copied from the Azure portal, into the Log out URL text box.
d. Select a Group to assign users to when they are provisioned.
e. Click Update.
f. Copy the SAML Consumer URL to the clipboard and paste it into the Sign-on URL text box in the Basic
SAML Configuration section in the Azure portal.
g. Return to the Edit Single Sign-on Endpoint.
h. Click the Make default for account button to use this endpoint for all users who log into ScreenSteps.
Alternatively, you can click the Add to Site button to use this endpoint for specific sites in ScreenSteps.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create ScreenSteps test user
In this section, you create a user called Britta Simon in ScreenSteps. Work with the ScreenSteps Client support team to
add the users in the ScreenSteps platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ScreenSteps tile in the Access Panel, you should be automatically signed in to the ScreenSteps
instance for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with SD Elements
11/14/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate SD Elements with Azure Active Directory (Azure AD). When you
integrate SD Elements with Azure AD, you can:
Control in Azure AD who has access to SD Elements.
Enable your users to be automatically signed-in to SD Elements with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
SD Elements single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
SD Elements supports IDP initiated SSO
4. On the Set up single sign-on with SAML page, enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern:
https://<tenantname>.sdelements.com/sso/saml2/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://<tenantname>.sdelements.com/sso/saml2/acs/
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact the SD Elements Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. The SD Elements application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes.
6. In addition to the above, the SD Elements application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also pre-populated, but you can review them as per
your requirements.
NAME        SOURCE ATTRIBUTE
email       user.mail
firstname   user.givenname
lastname    user.surname
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
8. On the Set up SD Elements section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SD Elements tile in the Access Panel, you should be automatically signed in to the SD Elements
instance for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
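If the test sign-in fails, a decoded assertion captured during the test can be checked for the email, firstname and lastname attributes listed in the table above. The following Python code is an added example, not part of the original tutorial; the sample assertion is constructed, and treating each attribute as single-valued is an assumption. It inspects content only and does not replace the signature validation that SD Elements performs.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Attribute name -> Azure AD source attribute, as listed in the table above.
REQUIRED = {
    "email": "user.mail",
    "firstname": "user.givenname",
    "lastname": "user.surname",
}

# Constructed sample: a decoded assertion whose lastname value is blank.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2019-11-14T00:00:00Z">
  <Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</Issuer>
  <Subject><NameID>b.simon@contoso.example</NameID></Subject>
  <AttributeStatement>
    <Attribute Name="email">
      <AttributeValue>b.simon@contoso.example</AttributeValue>
    </Attribute>
    <Attribute Name="firstname"><AttributeValue>B.</AttributeValue></Attribute>
    <Attribute Name="lastname"><AttributeValue>  </AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""


def attribute_values(xml_text):
    """Map each attribute name in the single assertion to its list of values."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("assertion must not contain a DTD or entity declarations")
    root = ET.fromstring(xml_text)
    # Works for a bare Assertion and for one wrapped in a samlp:Response.
    assertions = list(root.iter(SAML + "Assertion"))
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    values = {}
    for statement in assertions[0].findall(SAML + "AttributeStatement"):
        for attr in statement.findall(SAML + "Attribute"):
            found = [(v.text or "").strip() for v in attr.findall(SAML + "AttributeValue")]
            values.setdefault(attr.get("Name", ""), []).extend(found)
    return values


def plausible_email(value):
    local, at, domain = value.partition("@")
    return bool(at and local and "." in domain and "@" not in domain)


def attribute_problems(xml_text):
    """Return {attribute name: problem} for every required attribute that fails."""
    values = attribute_values(xml_text)
    problems = {}
    for name, source in REQUIRED.items():
        found = values.get(name)
        if found is None:
            problems[name] = f"missing: map it to {source}"
        elif len(found) != 1:  # assumption: one value per attribute
            problems[name] = f"expected one value, found {len(found)}"
        elif not found[0]:
            problems[name] = f"empty: check that {source} is set on the user"
    if "email" not in problems and not plausible_email(values["email"][0]):
        problems["email"] = "value is not an email address"
    return problems
```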
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try SD Elements with Azure AD
Tutorial: Integrate Secret Server (On-Premises) with
Azure Active Directory
8/8/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Secret Server (On-Premises) with Azure Active Directory (Azure AD).
When you integrate Secret Server (On-Premises) with Azure AD, you can:
Control in Azure AD who has access to Secret Server (On-Premises).
Enable your users to be automatically signed-in to Secret Server (On-Premises) with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Secret Server (On-Premises) single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Secret Server (On-Premises) supports SP and IDP initiated SSO
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
enter the values for the following fields:
a. In the Identifier text box, enter a value of your choosing, for example:
https://secretserveronpremises.azure
b. In the Reply URL text box, type a URL using the following pattern:
https://<SecretServerURL>/SAML/AssertionConsumerService.aspx
NOTE
The Entity ID shown above is an example only, and you are free to choose any unique value that identifies your Secret
Server instance in Azure AD. You need to send this Entity ID to the Secret Server (On-Premises) Client support team, and
they configure it on their side. For more details, please read this article.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://<SecretServerURL>/login.aspx
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact the Secret Server
(On-Premises) Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. On the Set up Single Sign-On with SAML page, click the Edit icon to open the SAML Signing Certificate
dialog.
9. On the Set up Secret Server (On-Premises) section, copy the appropriate URL(s) based on your
requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Secret Server (On-Premises) test user
In this section, you create a user called Britta Simon in Secret Server (On-Premises). Work with the Secret Server
(On-Premises) support team to add the users in the Secret Server (On-Premises) platform. Users must be created and
activated before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Secret Server (On-Premises) tile in the Access Panel, you should be automatically signed in to
the Secret Server (On-Premises) instance for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Sectigo Certificate Manager
7/5/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Sectigo Certificate Manager with Azure Active Directory (Azure AD).
Integrating Sectigo Certificate Manager with Azure AD gives you the following benefits:
You can use Azure AD to control who has access to Sectigo Certificate Manager.
Users can be automatically signed in to Sectigo Certificate Manager with their Azure AD accounts (single sign-
on).
You can manage your accounts in one central location, the Azure portal.
For more information about software as a service (SaaS) app integration with Azure AD, see Single sign-on to
applications in Azure Active Directory.
Prerequisites
To configure Azure AD integration with Sectigo Certificate Manager, you need the following items:
An Azure AD subscription. If you don't have an Azure AD subscription, create a free account before you begin.
Sectigo Certificate Manager subscription with single sign-on enabled.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment and integrate Sectigo
Certificate Manager with Azure AD.
Sectigo Certificate Manager supports the following features:
SP-initiated single sign-on
IDP-initiated single sign-on
5. In the search box, enter Sectigo Certificate Manager. In the search results, select Sectigo Certificate
Manager, and then select Add.
TASK                                                    DESCRIPTION
Configure Azure AD single sign-on                       Enables your users to use this feature.
Configure Sectigo Certificate Manager single sign-on    Configures the single sign-on settings in the application.
Create an Azure AD test user                            Tests Azure AD single sign-on for a user named Britta Simon.
Assign the Azure AD test user                           Enables Britta Simon to use Azure AD single sign-on.
Create a Sectigo Certificate Manager test user          Creates a counterpart of Britta Simon in Sectigo Certificate Manager that is linked to the Azure AD representation of the user.
2. In the Select a single sign-on method pane, select SAML or SAML/WS-Fed mode to enable single sign-on.
3. In the Set up Single Sign-On with SAML pane, select Edit (the pencil icon) to open the Basic SAML
Configuration pane.
4. In the Basic SAML Configuration pane, to configure IDP-initiated mode, complete the following steps:
a. In the Identifier box, enter one of these URLs:
https://cert-manager.com/shibboleth
https://hard.cert-manager.com/shibboleth
b. In the Reply URL box, enter one of these URLs:
https://cert-manager.com/Shibboleth.sso/SAML2/POST
https://hard.cert-manager.com/Shibboleth.sso/SAML2/POST
c. Select Set additional URLs.
d. In the Relay State box, enter one of these URLs:
https://cert-manager.com/customer/SSLSupport/idp
https://hard.cert-manager.com/customer/SSLSupport/idp
6. In the Set up Single Sign-On with SAML pane, in the SAML Signing Certificate section, select
Download next to Certificate (Base64). Select a download option based on your requirements. Save the
certificate on your computer.
7. In the Set up Sectigo Certificate Manager section, copy the following URLs based on your requirements:
Login URL
Azure AD Identifier
Logout URL
4. Select Add user. Then, in the Add assignment pane, select Users and groups.
5. In the Users and groups pane, select Britta Simon in the list of users. Choose Select.
6. If you are expecting a role value in the SAML assertion, in the Select role pane, select the relevant role for
the user from the list. Choose Select.
7. In the Add Assignment pane, select Assign.
Create a Sectigo Certificate Manager test user
In this section, you create a user named Britta Simon in Sectigo Certificate Manager. Work with the Sectigo
Certificate Manager support team to add the user in the Sectigo Certificate Manager platform. Users must be
created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration by using the My Apps portal.
After you set up single sign-on, when you select Sectigo Certificate Manager in the My Apps portal, you are
automatically signed in to Sectigo Certificate Manager. For more information about the My Apps portal, see
Access and use apps in the My Apps portal.
Next steps
To learn more, review these articles:
List of tutorials for integrating SaaS apps with Azure Active Directory
Single sign-on to applications in Azure Active Directory
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
SECURE DELIVER
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate SECURE DELIVER with Azure Active Directory (Azure AD). Integrating
SECURE DELIVER with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SECURE DELIVER.
You can enable your users to be automatically signed-in to SECURE DELIVER (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SECURE DELIVER, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
SECURE DELIVER single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SECURE DELIVER supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SECURE DELIVER, select SECURE DELIVER from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.i-securedeliver.jp/sd/<tenantname>/postResponse
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the SECURE DELIVER
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up SECURE DELIVER section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SECURE DELIVER Single Sign-On
To configure single sign-on on the SECURE DELIVER side, send the downloaded Certificate (Base64)
and the appropriate URLs copied from the Azure portal to the SECURE DELIVER support team. They apply these settings
so that the SAML SSO connection is configured correctly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SECURE DELIVER test user
In this section, you create a user called Britta Simon in SECURE DELIVER. Work with the SECURE DELIVER support
team to add the users in the SECURE DELIVER platform. Users must be created and activated before you use
single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SECURE DELIVER tile in the Access Panel, you should be automatically signed in to the
SECURE DELIVER instance for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate SecureW2 JoinNow Connector with
Azure Active Directory
8/8/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate SecureW2 JoinNow Connector with Azure Active Directory (Azure
AD). When you integrate SecureW2 JoinNow Connector with Azure AD, you can:
Control in Azure AD who has access to SecureW2 JoinNow Connector.
Enable your users to be automatically signed-in to SecureW2 JoinNow Connector with their Azure AD
accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
SecureW2 JoinNow Connector single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
SecureW2 JoinNow Connector supports SP initiated SSO
4. In the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<organization-identifier>-auth.securew2.com/auth/saml/SSO
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<organization-identifier>-auth.securew2.com/auth/saml
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the SecureW2 JoinNow
Connector Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Metadata XML and select Download to download the certificate and save it on your computer.
6. On the Set up SecureW2 JoinNow Connector section, copy the appropriate URL(s) based on your
requirement.
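The URL patterns in these tutorials are templates, and a value that still contains a placeholder or points at a different host sends assertions to the wrong place. The following Python code is an added example, not part of the original tutorial; it checks a real value against a pattern from this page, assuming each host placeholder stands for a single DNS label and each path placeholder for a single path segment. The sample host names in the test values are constructed.

```python
import re
from urllib.parse import urlsplit

# Patterns quoted from the tutorials on this page.
PATTERNS = {
    "SecureW2 Sign on URL": "https://<organization-identifier>-auth.securew2.com/auth/saml/SSO",
    "SecureW2 Identifier": "https://<organization-identifier>-auth.securew2.com/auth/saml",
    "SD Elements Reply URL": "https://<tenantname>.sdelements.com/sso/saml2/acs/",
    "SECURE DELIVER Identifier":
        "https://<companyname>.i-securedeliver.jp/sd/<tenantname>/postResponse",
}

PLACEHOLDER = re.compile(r"<[^<>]+>")
# Assumption: a host placeholder is one DNS label, a path placeholder one segment.
HOST_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
PATH_SEGMENT = r"[A-Za-z0-9._~-]+"


def compile_pattern(pattern):
    """Turn a documented pattern into a regex that pins scheme, host suffix and path."""
    if not pattern.startswith("https://"):
        raise ValueError("pattern must start with https://")
    host, slash, path = pattern[len("https://"):].partition("/")

    def fill(text, filler):
        # Literal text is escaped; each <placeholder> becomes the restricted filler.
        return filler.join(re.escape(piece) for piece in PLACEHOLDER.split(text))

    return re.compile("https://" + fill(host, HOST_LABEL) + slash + fill(path, PATH_SEGMENT))


def check_url(value, pattern):
    """Return a list of problems; an empty list means the value fits the pattern."""
    if PLACEHOLDER.search(value):
        return ["placeholder not replaced"]
    parts = urlsplit(value)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if "@" in parts.netloc:
        problems.append("URL carries userinfo")
    if parts.query or parts.fragment:
        problems.append("unexpected query string or fragment")
    # Host names are case-insensitive, paths are not: lower-case only the host.
    normalised = "https://" + parts.netloc.lower() + parts.path
    if not compile_pattern(pattern).fullmatch(normalised):
        problems.append("does not match the documented pattern")
    return problems
```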
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create SecureW2 JoinNow Connector test user
In this section, you create a user called Britta Simon in SecureW2 JoinNow Connector. Work with the SecureW2
JoinNow Connector support team to add the users in the SecureW2 JoinNow Connector platform. Users must be
created and activated before you use single sign-on.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SecureW2 JoinNow Connector tile in the Access Panel, you should be automatically signed in
to the SecureW2 JoinNow Connector instance for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Sedgwick CMS
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Sedgwick CMS with Azure Active Directory (Azure AD). Integrating
Sedgwick CMS with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Sedgwick CMS.
You can enable your users to be automatically signed-in to Sedgwick CMS (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Sedgwick CMS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Sedgwick CMS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Sedgwick CMS supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Sedgwick CMS, select Sedgwick CMS from the result panel, and then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
expresspreview.sedgwickcms.net/voe/sso
claimlookup.com/Voe/sso
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.sedgwickcms.net/voe/sso
https://claimlookup.com/Voe/sso
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact the Sedgwick CMS
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Sedgwick CMS section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Sedgwick CMS Single Sign-On
To configure single sign-on on the Sedgwick CMS side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the Sedgwick CMS support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
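Before the Federation Metadata XML is sent to a support team, it helps to record what it contains so both sides can confirm out of band that the entity ID, endpoints and signing certificate arrived unaltered. The following Python code is an added example, not part of the original tutorial; the sample metadata, tenant ID and certificate bytes are constructed placeholders.

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample. The tenant ID is a placeholder and the "certificate" is
# arbitrary bytes, not a real X.509 certificate; only the structure matters here.
FAKE_CERT_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def format_fingerprint(der):
    """Return the SHA-256 of the DER bytes as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def summarize_idp_metadata(xml_text):
    """Extract entity ID, SSO/SLO endpoints and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    summary = {"entity_id": root.get("entityID"), "sso": [], "slo": [],
               "signing_sha256": [], "problems": []}

    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute applies to signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())
            try:
                der = base64.b64decode(b64, validate=True)
            except binascii.Error:
                summary["problems"].append("signing certificate is not valid Base64")
                continue
            if not der:
                summary["problems"].append("empty signing certificate element")
                continue
            summary["signing_sha256"].append(format_fingerprint(der))

    for key, tag in (("sso", "SingleSignOnService"), ("slo", "SingleLogoutService")):
        for endpoint in idp.findall("md:" + tag, NS):
            location = endpoint.get("Location", "")
            summary[key].append(location)
            if not location.lower().startswith("https://"):
                summary["problems"].append(f"{tag} is not HTTPS: {location}")

    if not summary["signing_sha256"]:
        summary["problems"].append("no signing certificate found")
    if not summary["sso"]:
        summary["problems"].append("no SingleSignOnService endpoint found")
    return summary


if __name__ == "__main__":
    info = summarize_idp_metadata(SAMPLE_METADATA)
    for field, value in info.items():
        print(f"{field}: {value}")
```

Read the fingerprint to the recipient over a separate channel from the one that carried the file, and have them compare it with what they compute from the copy they received.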
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Sedgwick CMS test user
In this section, you create a user called Britta Simon in Sedgwick CMS. Work with the Sedgwick CMS support team to
add the users to the Sedgwick CMS platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Sedgwick CMS tile in the Access Panel, you should be automatically signed in to the Sedgwick
CMS for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Seismic
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Seismic with Azure Active Directory (Azure AD). Integrating Seismic
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Seismic.
You can enable your users to be automatically signed in to Seismic (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Seismic, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Seismic single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Seismic supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Seismic, select Seismic from the result panel, and then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SUBDOMAIN>.seismic.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Seismic Client
support team to get these values. You can also upload the Service Provider Metadata to auto-populate the
Identifier value. For more information about Service Provider Metadata, contact the Seismic Client support team.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up Seismic section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Seismic Single Sign-On
To configure single sign-on on the Seismic side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Seismic support team. They apply these settings so that the
SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Seismic test user
In this section, you create a user called Britta Simon in Seismic. Work with the Seismic support team to add the users
to the Seismic platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Seismic tile in the Access Panel, you should be automatically signed in to the Seismic for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
SensoScientific Wireless Temperature Monitoring
System
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate SensoScientific Wireless Temperature Monitoring System with Azure
Active Directory (Azure AD). Integrating SensoScientific Wireless Temperature Monitoring System with Azure AD
provides you with the following benefits:
You can control in Azure AD who has access to SensoScientific Wireless Temperature Monitoring System.
You can enable your users to be automatically signed in to SensoScientific Wireless Temperature Monitoring
System (Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SensoScientific Wireless Temperature Monitoring System, you need the
following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
SensoScientific Wireless Temperature Monitoring System single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SensoScientific Wireless Temperature Monitoring System supports IDP initiated SSO
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SensoScientific Wireless Temperature Monitoring System, select
SensoScientific Wireless Temperature Monitoring System from the result panel, and then click the Add button to
add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, the user does not have to perform any step as the app is
already pre-integrated with Azure.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up SensoScientific Wireless Temperature Monitoring System section, copy the appropriate
URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SensoScientific Wireless Temperature Monitoring System Single Sign-On
1. Sign on to your SensoScientific Wireless Temperature Monitoring System application as an administrator.
2. In the navigation menu at the top, click Configuration and go to Configure under Single Sign On to
open the Single Sign On Settings and perform the following steps:
a. Select Issuer Name as Azure AD.
b. In the Issuer URL textbox, paste the Azure AD Identifier which you have copied from Azure portal.
c. In the Single Sign-On Service URL textbox, paste the Login URL which you have copied from Azure
portal.
d. In the Single Sign-Out Service URL textbox, paste the Logout URL which you have copied from Azure
portal.
e. Browse to the certificate that you downloaded from the Azure portal and upload it here.
f. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SensoScientific Wireless Temperature Monitoring System test user
To enable Azure AD users to sign in to SensoScientific Wireless Temperature Monitoring System, they must be
provisioned into SensoScientific Wireless Temperature Monitoring System. Work with the SensoScientific Wireless
Temperature Monitoring System support team to add the users to the SensoScientific Wireless Temperature
Monitoring System platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SensoScientific Wireless Temperature Monitoring System tile in the Access Panel, you should
be automatically signed in to the SensoScientific Wireless Temperature Monitoring System for which you set up
SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Sequr
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Sequr with Azure Active Directory (Azure AD). Integrating Sequr with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Sequr.
You can enable your users to be automatically signed in to Sequr (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Sequr, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Sequr single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Sequr supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Sequr, select Sequr from the result panel, and then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Identifier text box, type the URL: https://login.sequr.io
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
b. In the Relay State textbox, you will get this value, which is explained later in the tutorial.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. In the Set up Sequr section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Sequr Single Sign-On
1. In a different web browser window, sign in to your Sequr company site as an administrator.
2. Click Integrations in the left navigation panel.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Sequr test user
In this section, you create a user called Britta Simon in Sequr. Work with the Sequr Client support team to add the
users to the Sequr platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Sequr tile in the Access Panel, you should be automatically signed in to the Sequr for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with ServiceChannel
9/19/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate ServiceChannel with Azure Active Directory (Azure AD). When you
integrate ServiceChannel with Azure AD, you can:
Control in Azure AD who has access to ServiceChannel.
Enable your users to be automatically signed in to ServiceChannel with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
ServiceChannel single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
ServiceChannel supports IDP initiated SSO
ServiceChannel supports Just In Time user provisioning
4. On the Set up single sign-on with SAML page, enter the values for the following fields:
a. In the Identifier text box, type the value as: http://adfs.<domain>.com/adfs/service/trust
b. In the Reply URL text box, type a URL using the following pattern:
https://<customer domain>.servicechannel.com/saml/acs
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. We suggest that you use
a unique string value in the Identifier. Contact the ServiceChannel Client support team to get these values. You can
also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. The role claim is pre-configured, so you don't have to configure it, but you still need to create the roles in Azure
AD using this article. You can refer to the ServiceChannel guide for more guidance on claims.
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. In the Set up ServiceChannel section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ServiceChannel tile in the Access Panel, you should be automatically signed in to the
ServiceChannel for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try ServiceChannel with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with ServiceNow
9/5/2019 • 13 minutes to read
In this tutorial, you'll learn how to integrate ServiceNow with Azure Active Directory (Azure AD). When you
integrate ServiceNow with Azure AD, you can:
Control in Azure AD who has access to ServiceNow.
Enable your users to be automatically signed in to ServiceNow with their Azure AD accounts.
Manage your accounts in one central location: the Azure portal.
To learn more about software as a service (SaaS) app integration with Azure AD, see What is application access
and single sign-on with Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
A ServiceNow single sign-on (SSO) enabled subscription.
For ServiceNow, an instance or tenant of ServiceNow, Calgary version or later.
For ServiceNow Express, an instance of ServiceNow Express, Helsinki version or later.
The ServiceNow tenant must have the Multiple Provider Single Sign On Plugin enabled. You can do this by
submitting a service request.
For automatic configuration, enable the multi-provider plugin for ServiceNow.
To install the ServiceNow Classic (Mobile) application, go to the appropriate store, and search for the
ServiceNow Classic application. Then download it.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. ServiceNow supports SP initiated
SSO and automated user provisioning.
You can configure the ServiceNow Classic (Mobile) application with Azure AD for enabling SSO. It supports both
Android and iOS users.
NOTE
These values aren't real. You need to update these values with the actual sign-on URL and identifier, which is
explained later in the tutorial. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64). Select Download to download the certificate and save it on your computer.
a. Select the copy button to copy App Federation Metadata Url, and paste it into Notepad. This URL will
be used later in the tutorial.
b. Select Download to download Certificate (Base64), and then save the certificate file on your computer.
6. In the Set up ServiceNow section, copy the appropriate URLs, based on your requirement.
5. In the Users and groups dialog box, select B.Simon from the users list, and then choose Select.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog box, select the
appropriate role for the user from the list. Then choose Select.
7. In the Add Assignment dialog box, select Assign.
Configure Azure AD SSO for ServiceNow Express
1. In the Azure portal, on the ServiceNow application integration page, select single sign-on.
2. In the Select a single sign-on method dialog box, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up single sign-on with SAML page, select the pen icon to open the Basic SAML
Configuration dialog box.
b. For Identifier (Entity ID), enter a URL that uses the following pattern:
https://<instance-name>.service-now.com
NOTE
These values aren't real. You need to update these values with the actual sign-on URL and identifier, which is
explained later in the tutorial. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, select
Download to download the Certificate (Base64) from the specified options, as per your requirement.
Save it on your computer.
6. You can have Azure AD automatically configure ServiceNow for SAML-based authentication. To enable this
service, go to the Set up ServiceNow section, and select View step-by-step instructions to open the
Configure sign-on window.
7. In the Configure sign-on form, enter your ServiceNow instance name, admin username, and admin
password. Select Configure Now. The admin username provided must have the security_admin role
assigned in ServiceNow for this to work. Otherwise, to manually configure ServiceNow to use Azure AD as
a SAML Identity Provider, select Manually configure single sign-on. Copy the Logout URL, Azure AD
Identifier, and Login URL from the Quick Reference section.
Configure ServiceNow
1. Sign on to your ServiceNow application as an administrator.
2. Activate the Integration - Multiple Provider single sign-on Installer plug-in by following these steps:
a. In the left pane, search for the System Definition section from the search box, and then select Plugins.
b. Search for Integration - Multiple Provider single sign-on Installer.
c. Select the plug-in. Right-click, and select Activate/Upgrade.
d. Select Activate.
3. In the left pane, search for the Multi-Provider SSO section from the search bar, and then select
Properties.
4. In the Multiple Provider SSO Properties dialog box, perform the following steps:
For Enable multiple provider SSO, select Yes.
For Enable Auto Importing of users from all identity providers into the user table, select Yes.
For Enable debug logging for the multiple provider SSO integration, select Yes.
For The field on the user table that..., enter user_name.
Select Save.
5. You can configure ServiceNow automatically or manually. To configure ServiceNow automatically, follow
these steps:
a. Return to the ServiceNow single sign-on page in the Azure portal.
b. One-click configure service is provided for ServiceNow. To enable this service, go to the
ServiceNow Configuration section, and select Configure ServiceNow to open the Configure
sign-on window.
c. In the Configure sign-on form, enter your ServiceNow instance name, admin username, and admin
password. Select Configure Now. The admin username provided must have the security_admin
role assigned in ServiceNow for this to work. Otherwise, to manually configure ServiceNow to use
Azure AD as a SAML Identity Provider, select Manually configure single sign-on. Copy the Sign-
Out URL, SAML Entity ID, and SAML single sign-on Service URL from the Quick Reference
section.
d. Sign on to your ServiceNow application as an administrator.
In the automatic configuration, all the necessary settings are configured on the ServiceNow
side, but the X.509 Certificate isn't enabled by default. You have to map it manually to your
identity provider in ServiceNow. Follow these steps:
a. In the left pane, search for the Multi-Provider SSO section from the search box, and
select Identity Providers.
NOTE
The ServiceNow instance homepage is a concatenation of your ServiceNow tenant
URL and /navpage.do (for example:
https://fabrikam.service-now.com/navpage.do ).
Copy the Entity ID / Issuer value, and paste it in Identifier in the ServiceNow
Basic SAML Configuration section of the Azure portal.
Confirm that NameID Policy is set to
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified value.
d. Scroll down to the X.509 Certificate section, and select Edit.
e. Select the certificate, and select the right arrow icon to add the certificate.
f. Select Save.
g. At the upper-right corner of the page, select Test Connection.
h. When asked for your credentials, enter them. You'll see the following page. The SSO
Logout Test Results error is expected. Ignore the error and select Activate.
a. Enter the App Federation Metadata Url that you've copied from the Azure portal.
b. Select Import.
f. It reads the IdP metadata URL and populates the information in all the fields.
For Name, enter a name for your configuration (for example, Microsoft Azure Federated
single sign-on).
Remove the populated Identity Provider's SingleLogoutRequest value from the text box.
Copy the ServiceNow Homepage value. Paste it in Sign-on URL in the ServiceNow Basic
SAML Configuration section of the Azure portal.
NOTE
The ServiceNow instance homepage is a concatenation of your ServiceNow tenant URL and
/navpage.do (for example: https://fabrikam.service-now.com/navpage.do ).
Copy the Entity ID / Issuer value. Paste it in Identifier in ServiceNow Basic SAML
Configuration section of the Azure portal.
Confirm that NameID Policy is set to
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified value.
Select Advanced. In User Field, enter email or user_name, depending on which field is
used to uniquely identify users in your ServiceNow deployment.
NOTE
You can configure Azure AD to emit either the Azure AD user ID (user principal name) or the email
address as the unique identifier in the SAML token. Do this by going to the ServiceNow >
Attributes > Single sign-on section of the Azure portal, and mapping the desired field to the
nameidentifier attribute. The value stored for the selected attribute in Azure AD (for example, user
principal name) must match the value stored in ServiceNow for the entered field (for example,
user_name).
NOTE
If you need to create a user manually, contact the ServiceNow Client support team.
a. For Name, enter a name for your configuration (for example: TestSAML2.0).
b. Select Active.
c. For Format, select PEM.
d. For Type, select Trust Store Cert.
e. Open your Base64 encoded certificate downloaded from Azure portal in Notepad. Copy the content of it
into your clipboard, and then paste it to the PEM Certificate text box.
f. Select Update.
6. In the Single Sign-On dialog box, select Add New IdP.
7. In the Add New Identity Provider dialog box, under Configure Identity Provider, perform the
following steps:
a. For Name, enter a name for your configuration (for example: SAML 2.0).
b. For Identity Provider URL, paste the value of the identity provider ID that you copied from the Azure
portal.
c. For Identity Provider's AuthnRequest, paste the value of the authentication request URL that you
copied from the Azure portal.
d. For Identity Provider's SingleLogoutRequest, paste the value of the logout URL that you copied from
the Azure portal.
e. For Identity Provider Certificate, select the certificate you created in the previous step.
8. Select Advanced Settings. Under Additional Identity Provider Properties, perform the following steps:
NOTE
The ServiceNow instance homepage is a concatenation of your ServiceNow tenant URL and /navpage.do (for
example: https://fabrikam.service-now.com/navpage.do ).
f. Select Save.
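The NameID note above requires the value Azure AD emits to equal the value stored in the ServiceNow User Field (email or user_name). This added Python example, which is not part of the original tutorial, compares two exports and lists the accounts that would not line up; the export record shapes and sample users are constructed, and case-only differences are reported separately because this page does not state how ServiceNow compares case.

```python
from collections import defaultdict

# Constructed sample exports. Keys follow the attribute names used on this page
# (user principal name / email in Azure AD, user_name / email in ServiceNow).
AZURE_USERS = [
    {"displayName": "B.Simon", "userPrincipalName": "b.simon@contoso.com",
     "mail": "b.simon@contoso.com"},
    {"displayName": "A. Weber", "userPrincipalName": "A.Weber@contoso.com",
     "mail": "a.weber@contoso.com"},
    {"displayName": "New Hire", "userPrincipalName": "n.hire@contoso.com",
     "mail": None},
    {"displayName": "C. Diaz", "userPrincipalName": "c.diaz@contoso.com",
     "mail": "c.diaz@contoso.com"},
]
SERVICENOW_USERS = [
    {"user_name": "b.simon@contoso.com", "email": "b.simon@contoso.com"},
    {"user_name": "a.weber@contoso.com", "email": "a.weber@contoso.com"},
    {"user_name": "c.diaz@contoso.com", "email": "c.diaz@contoso.com"},
    {"user_name": "C.Diaz@contoso.com", "email": "c.diaz@contoso.com"},
]


def check_nameid_mapping(azure_users, servicenow_users, azure_attr, user_field):
    """Compare the Azure AD attribute mapped to nameidentifier with the
    ServiceNow User Field and classify every Azure AD account.

    Returns a dict of lists:
      exact     - values with exactly one identical ServiceNow record
      case_only - (azure_value, servicenow_value) pairs differing only in case
      missing   - values with no ServiceNow record (or an empty Azure attribute)
      ambiguous - values that more than one ServiceNow record could match
    """
    by_exact = defaultdict(list)
    by_folded = defaultdict(list)
    for record in servicenow_users:
        value = (record.get(user_field) or "").strip()
        if value:
            by_exact[value].append(record)
            by_folded[value.casefold()].append(record)

    report = {"exact": [], "case_only": [], "missing": [], "ambiguous": []}
    for user in azure_users:
        value = (user.get(azure_attr) or "").strip()
        if not value:
            # Azure AD would have nothing usable to emit as NameID for this user.
            name = user.get("displayName", "?")
            report["missing"].append(f"<empty {azure_attr}> for {name}")
            continue
        folded_hits = by_folded.get(value.casefold(), [])
        if len(folded_hits) > 1:
            report["ambiguous"].append(value)
        elif len(by_exact.get(value, [])) == 1:
            report["exact"].append(value)
        elif len(folded_hits) == 1:
            report["case_only"].append((value, folded_hits[0][user_field].strip()))
        else:
            report["missing"].append(value)
    return report


if __name__ == "__main__":
    for attr, field in (("userPrincipalName", "user_name"), ("mail", "email")):
        print(f"Azure AD {attr} -> ServiceNow {field}")
        for category, items in check_nameid_mapping(
                AZURE_USERS, SERVICENOW_USERS, attr, field).items():
            print(f"  {category}: {items}")
```

Running the comparison for both candidate fields shows which choice of User Field leaves fewer accounts to reconcile before SSO is activated.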
Test SSO
When you select the ServiceNow tile in the Access Panel, you should be automatically signed in to the ServiceNow
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of tutorials on how to integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Configure user provisioning
Try ServiceNow with Azure AD
Tutorial: Azure Active Directory integration with
Settling music
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Settling music with Azure Active Directory (Azure AD). Integrating
Settling music with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Settling music.
You can enable your users to be automatically signed in to Settling music (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Settling music, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Settling music single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Settling music supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Settling music, select Settling music from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SUBDOMAIN>.rakurakuseisan.jp/<USERACCOUNT>/
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Settling music
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up Settling music section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Settling music Single Sign-On
1. In a different web browser window, sign in to Settling music as a Security Administrator.
2. At the top of the page, click the management tab.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Settling music test user
In this section, you create a user called Britta Simon in Settling music. Work with Settling music Client support
team to add the users in the Settling music platform. Users must be created and activated before you use single
sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Settling music tile in the Access Panel, you should be automatically signed in to the Settling
music for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
SharePoint on-premises
11/20/2019 • 12 minutes to read
In this tutorial, you learn how to integrate SharePoint on-premises with Azure Active Directory (Azure AD).
Integrating SharePoint on-premises with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SharePoint on-premises.
You can enable your users to be automatically signed-in to SharePoint on-premises (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SharePoint on-premises, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
SharePoint on-premises single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SharePoint on-premises supports SP initiated SSO
NOTE
If the element is not available, it can also be opened through the fixed All services link at the top of the left
navigation panel. In the following overview, the Azure Active Directory link is located in the Identity section or it
can be searched for by using the filter text box.
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SharePoint on-premises, select SharePoint on-premises from the result panel, then
click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier box, type a URL using the following pattern: urn:sharepoint:federation
c. In the Reply URL text box, type a URL using the following pattern:
https://<YourSharePointServerURL>/_trust/default.aspx
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact
SharePoint on-premises Client support team to get these values. You can also refer to the patterns shown in the
Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
NOTE
Please note down the file path to which you have downloaded the certificate file, as you need to use it later in the
PowerShell script for configuration.
6. In the Set up SharePoint on-premises section, copy the appropriate URL(s) as per your requirement. For
Single Sign-On Service URL, use a value of the following pattern:
https://login.microsoftonline.com/_my_directory_id_/wsfed
NOTE
my_directory_id is the tenant ID of the Azure AD subscription.
a. Login URL
b. Azure AD Identifier
c. Logout URL
NOTE
The SharePoint on-premises application uses SAML 1.1 tokens, so Azure AD expects a WS-Fed request from the SharePoint
server and, after authentication, issues the SAML 1.1 token.
TIP
If you're new to using PowerShell or want to learn more about how PowerShell works, see SharePoint PowerShell.
$realm = "<Identifier value from the SharePoint on-premises Domain and URLs section in the Azure portal>"
$wsfedurl = "<SAML single sign-on service URL value which you have copied from the Azure portal>"
$filepath = "<Full path to SAML signing certificate file which you have downloaded from the Azure portal>"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath)
New-SPTrustedRootAuthority -Name "AzureAD" -Certificate $cert
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "name" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "SurName" -SameAsIncoming
$map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$map5 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$ap = New-SPTrustedIdentityTokenIssuer -Name "AzureAD" -Description "SharePoint secured by Azure AD" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3,$map4,$map5 -SignInUrl $wsfedurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
Next, follow these steps to enable the trusted identity provider for your application:
a. In Central Administration, navigate to Manage Web Application and select the web application that you
wish to secure with Azure AD.
b. In the ribbon, click Authentication Providers and choose the zone that you wish to use.
c. Select Trusted Identity provider and select the identity provider you just registered, named AzureAD.
d. On the sign-in page URL setting, select Custom sign in page and provide the value "/_trust/".
e. Click OK.
NOTE
Some external users will not be able to use this single sign-on integration because their UPN has a mangled value,
something like MYEMAIL_outlook.com#ext#@TENANT.onmicrosoft.com . Soon we will let customers configure, per app,
how the UPN is handled depending on the user type. After that, all your guest users should be able to use SSO
as seamlessly as the organization's employees.
3. Fill in Group type, Group name, Group description, Membership type. Click on the arrow to select
members, then search for or click on the member you would like to add to the group. Click on Select to add
the selected members, then click on Create.
NOTE
In order to assign Azure Active Directory Security Groups to SharePoint on-premises, it will be necessary to install and
configure AzureCP in the on-premises SharePoint farm OR develop and configure an alternative custom claims
provider for SharePoint. See the more information section at the end of the document for creating your own custom
claims provider, if you don’t use AzureCP.
3. Click on Manifest.
7. Add both Windows Azure Active Directory and Microsoft Graph API, but it’s only possible to select
one at a time.
8. Select Windows Azure Active Directory, check Read directory data and click on Select. Go back and add
Microsoft Graph and select Read directory data for it, as well. Click on Select and click on Done.
9. Now, under Required Settings, click on Grant permissions and then Click Yes to Grant permissions.
NOTE
Check under notifications to determine if the permissions were successfully granted. If they are not, then the AzureCP
will not work properly and it won’t be possible to configure SharePoint on-premises with Azure Active Directory
Security Groups.
10. Configure the AzureCP on the SharePoint on-premises farm or an alternative custom claims provider
solution. In this example, we are using AzureCP.
NOTE
Please note that AzureCP is not a Microsoft product or supported by Microsoft Technical Support. Download, install
and configure AzureCP on the on-premises SharePoint farm per https://yvand.github.io/AzureCP/
11. Grant access to the Azure Active Directory Security Group in the on-premises SharePoint: the
groups must be granted access to the application in SharePoint on-premises. Use the following steps to set
the permissions to access the web application.
12. In Central Administration, click on Application Management, Manage web applications, then select the web
application to activate the ribbon and click on User Policy.
13. Under Policy for Web Application, click on Add Users, then select the zone, click on Next. Click on the
Address Book.
14. Then, search for and add the Azure Active Directory Security Group and click on OK.
17. Browse to the SharePoint site collection and add the Group there, as well. Click on Site Settings, then click
Site permissions and Grant Permissions. Search for the Group Role claim, assign the permission level and
click Share.
Configuring one trusted identity provider for multiple web applications
The configuration works for a single web application, but needs additional configuration if you intend to use the
same trusted identity provider for multiple web applications. For example, assume we had extended a web
application to use the URL https://portal.contoso.local and now want to authenticate the users to
https://sales.contoso.local as well. To do this, we need to update the identity provider to honor the WReply
parameter and update the application registration in Azure AD to add a reply URL.
1. In the Azure portal, open the Azure AD directory. Click App registrations, then click View all
applications. Click the application that you created previously (SharePoint SAML Integration).
2. Click Settings.
3. In the settings blade, click Reply URLs.
4. Add the URL for the additional web application with /_trust/default.aspx appended to the URL (such as
https://sales.contoso.local/_trust/default.aspx ) and click Save.
5. On the SharePoint server, open the SharePoint 2016 Management Shell and execute the following
commands, using the name of the trusted identity token issuer that you used previously.
$t = Get-SPTrustedIdentityTokenIssuer "AzureAD"
$t.UseWReplyParameter=$true
$t.Update()
6. In Central Administration, go to the web application and enable the existing trusted identity provider.
Remember to also configure the sign-in page URL as a custom sign in page /_trust/ .
7. In Central Administration, click the web application and choose User Policy. Add a user with the
appropriate permissions as demonstrated previously in this article.
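One way to check the result of the two PowerShell procedures above (registering the AzureAD trusted identity token issuer and enabling UseWReplyParameter for additional web applications), as an added example that is not part of the original tutorial. The function name Test-TrustedIssuerConfig, its parameters, the 30-day threshold and the sample object are assumptions; the property names are those of the SharePoint SPTrustedLoginProvider object, and on a farm server you would pass the output of Get-SPTrustedIdentityTokenIssuer "AzureAD" instead of the constructed sample.

```powershell
# Added example, not from the tutorial. Property names follow SPTrustedLoginProvider;
# the function name, parameters, threshold and sample values are assumptions.
function Test-TrustedIssuerConfig {
    param(
        [Parameter(Mandatory = $true)] $Issuer,
        [Parameter(Mandatory = $true)] [string] $ExpectedRealm,
        [Parameter(Mandatory = $true)] [string] $TenantId,
        [string[]] $WebAppUrls = @(),
        [int] $CertWarnDays = 30,
        [datetime] $Now = (Get-Date)
    )
    $nameClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
    $findings  = New-Object 'System.Collections.Generic.List[string]'

    # Sign-in URL: must be this tenant's WS-Fed endpoint over HTTPS.
    $signIn   = [uri]$Issuer.ProviderUri
    $expected = "/$TenantId/wsfed"
    if ($signIn.Scheme -ne 'https' -or
        $signIn.Host -ne 'login.microsoftonline.com' -or
        $signIn.AbsolutePath.TrimEnd('/') -ne $expected) {
        $findings.Add("Sign-in URL '$signIn' is not https://login.microsoftonline.com$expected")
    }

    # Realm must match the Identifier entered in Basic SAML Configuration.
    if ($Issuer.DefaultProviderRealm -ne $ExpectedRealm) {
        $findings.Add("Realm '$($Issuer.DefaultProviderRealm)' differs from '$ExpectedRealm'")
    }

    # Identifier claim should be the "name" claim passed to -IdentifierClaim.
    $idClaim = $Issuer.IdentityClaimTypeInformation.InputClaimType
    if ($idClaim -ne $nameClaim) {
        $findings.Add("Identifier claim is '$idClaim', expected '$nameClaim'")
    }

    # Signing certificate: the trust relies on the certificate imported from Azure AD.
    $daysLeft = [math]::Floor(($Issuer.SigningCertificate.NotAfter - $Now).TotalDays)
    if ($daysLeft -lt 0) {
        $findings.Add("Signing certificate expired $(-$daysLeft) day(s) ago")
    } elseif ($daysLeft -lt $CertWarnDays) {
        $findings.Add("Signing certificate expires in $daysLeft day(s)")
    }

    # Several web applications can share the issuer only when WReply is honored.
    if ($WebAppUrls.Count -gt 1 -and -not $Issuer.UseWReplyParameter) {
        $findings.Add('UseWReplyParameter is false but more than one web application uses this issuer')
    }

    # Each web application needs its own reply URL in the Azure AD registration.
    $replyUrls = foreach ($url in $WebAppUrls) {
        $u = [uri]$url
        if ($u.Scheme -ne 'https') {
            $findings.Add("Web application '$url' is not served over HTTPS")
        }
        '{0}://{1}/_trust/default.aspx' -f $u.Scheme, $u.Authority
    }

    [pscustomobject]@{
        Issuer            = $Issuer.Name
        Findings          = $findings.ToArray()
        RequiredReplyUrls = @($replyUrls)
    }
}

# Constructed sample standing in for: Get-SPTrustedIdentityTokenIssuer "AzureAD"
# (placeholder tenant ID, WReply still disabled, certificate ten days from expiry).
$now    = [datetime]'2019-11-20'
$tenant = '00000000-0000-0000-0000-000000000000'
$sample = [pscustomobject]@{
    Name                         = 'AzureAD'
    ProviderUri                  = "https://login.microsoftonline.com/$tenant/wsfed"
    DefaultProviderRealm         = 'urn:sharepoint:federation'
    UseWReplyParameter           = $false
    IdentityClaimTypeInformation = [pscustomobject]@{
        InputClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
    }
    SigningCertificate           = [pscustomobject]@{ NotAfter = $now.AddDays(10) }
}

Test-TrustedIssuerConfig -Issuer $sample -ExpectedRealm 'urn:sharepoint:federation' `
    -TenantId $tenant -Now $now `
    -WebAppUrls 'https://portal.contoso.local', 'https://sales.contoso.local' |
    Format-List
```

The RequiredReplyUrls list is what the Reply URLs blade of the app registration should contain; compare it against the portal after adding each web application.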
Fixing People Picker
Users can now sign into SharePoint 2016 using identities from Azure AD, but there are still opportunities for
improvement to the user experience. For instance, searching for a user presents multiple search results in the
people picker. There is a search result for each of the 3 claim types that were created in the claim mapping. To
choose a user using the people picker, you must type their user name exactly and choose the name claim result.
There is no validation on the values you search for, which can lead to misspellings or users accidentally choosing
the wrong claim type to assign such as the SurName claim. This can prevent users from successfully accessing
resources.
To assist with this scenario, there is an open-source solution called AzureCP that provides a custom claims provider
for SharePoint 2016. It will use the Azure AD Graph to resolve what users enter and perform validation. Learn
more at AzureCP.
Assign the Azure AD Security Group in the Azure portal
1. In the Azure portal, select Enterprise Applications, select All applications, then select SharePoint on-premises.
5. Search for the Security Group you want to use, then click on the group to add it to the Select members
section. Click Select, then click Assign.
NOTE
Check the notifications in the menu bar to be notified that the Group was successfully assigned to the Enterprise
application in the Azure portal.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Shibumi
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Shibumi with Azure Active Directory (Azure AD). Integrating Shibumi
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Shibumi.
You can enable your users to be automatically signed-in to Shibumi (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Shibumi, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Shibumi single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Shibumi supports SP and IDP initiated SSO
Shibumi supports Just-In-Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Shibumi, select Shibumi from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<SUBDOMAIN>.shibumi.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.shibumi.com/saml/SSO
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.shibumi.com/saml/SSO
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact Shibumi
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. In the Set up Shibumi section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Shibumi Single Sign-On
To configure single sign-on on the Shibumi side, you need to send the downloaded Federation Metadata XML and the
appropriate copied URLs from the Azure portal to the Shibumi support team. They apply these settings so that the SAML SSO
connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Shibumi test user
In this section, a user called Britta Simon is created in Shibumi. Shibumi supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Shibumi,
a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Shibumi tile in the Access Panel, you should be automatically signed in to the Shibumi for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with ShipHazmat
10/18/2019 • 4 minutes to read
In this tutorial, you'll learn how to integrate ShipHazmat with Azure Active Directory (Azure AD). When you
integrate ShipHazmat with Azure AD, you can:
Control in Azure AD who has access to ShipHazmat.
Enable your users to be automatically signed-in to ShipHazmat with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
ShipHazmat single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
ShipHazmat supports IDP initiated SSO
ShipHazmat supports Just In Time user provisioning
4. On the Set up single sign-on with SAML page, enter the values for the following fields:
a. In the Identifier text box, type a URL using the following pattern: ShipHazmat<CustomOrganization>Sso
b. In the Reply URL text box, type a URL using the following pattern:
https://www.shiphazmat.net/<CustomOrganization>/sso/saml/v1/ConsumerService.aspx
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact ShipHazmat Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ShipHazmat tile in the Access Panel, you should be automatically signed in to the ShipHazmat
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try ShipHazmat with Azure AD
Tutorial: Integrate Shmoop For Schools with Azure
Active Directory
11/14/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Shmoop For Schools with Azure Active Directory (Azure AD). When
you integrate Shmoop For Schools with Azure AD, you can:
Control in Azure AD who has access to Shmoop For Schools.
Enable your users to be automatically signed-in to Shmoop For Schools with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Shmoop For Schools single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Shmoop For Schools supports SP initiated SSO
Shmoop For Schools supports Just In Time user provisioning
Configure and test Azure AD single sign-on for Shmoop For Schools
Configure and test Azure AD SSO with Shmoop For Schools using a test user called B.Simon. For SSO to work,
you need to establish a link relationship between an Azure AD user and the related user in Shmoop For Schools.
To configure and test Azure AD SSO with Shmoop For Schools, complete the following building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure Shmoop For Schools SSO - to configure the Single Sign-On settings on application side.
Create Shmoop For Schools test user - to have a counterpart of B.Simon in Shmoop For Schools that
is linked to the Azure AD representation of user.
3. Test SSO - to verify whether the configuration works.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://schools.shmoop.com/<uniqueid>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Shmoop For
Schools Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. Shmoop For Schools application expects the SAML assertions in a specific format, which requires you to
add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes.
NOTE
Shmoop For Schools supports two roles for users: Teacher and Student. Set up these roles in Azure AD so that users
can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see here.
6. In addition to the above, the Shmoop For Schools application expects a few more attributes to be passed back in
the SAML response, which are shown below. These attributes are also pre-populated, but you can review them as
per your requirements.
role user.assignedroles
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
If you need to create a user manually, contact the Shmoop For Schools support team.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Shmoop For Schools tile in the Access Panel, you should be automatically signed in to the
Shmoop For Schools for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Shmoop For Schools with Azure AD
Tutorial: Azure Active Directory integration with
Showpad
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Showpad with Azure Active Directory (Azure AD). Integrating Showpad
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Showpad.
You can enable your users to be automatically signed-in to Showpad (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Showpad, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Showpad single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Showpad supports SP initiated SSO
Showpad supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Showpad, select Showpad from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<company-name>.showpad.biz
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Showpad Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Showpad section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Showpad Single Sign-On
1. Sign in to your Showpad tenant as an administrator.
2. In the menu on the top, click the Settings.
4. On the Add a SAML 2.0 Service dialog, perform the following steps:
a. In the Name textbox, type the name of the identity provider (for example: your company name).
b. As Metadata Source, select XML.
c. Copy the content of metadata XML file, which you have downloaded from the Azure portal, and then
paste it into the Metadata XML textbox.
d. Select Auto-provision accounts for new users when they log in.
e. Click Submit.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Showpad test user
In this section, a user called Britta Simon is created in Showpad. Showpad supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in
Showpad, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Showpad tile in the Access Panel, you should be automatically signed in to the Showpad for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Shuccho Navi
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Shuccho Navi with Azure Active Directory (Azure AD). Integrating
Shuccho Navi with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Shuccho Navi.
You can enable your users to be automatically signed-in to Shuccho Navi (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Shuccho Navi, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Shuccho Navi single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Shuccho Navi supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Shuccho Navi, select Shuccho Navi from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Shuccho Navi Client support team to
get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Shuccho Navi section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Shuccho Navi Single Sign-On
To configure single sign-on on the Shuccho Navi side, you need to send the downloaded Metadata XML and the
appropriate copied URLs from the Azure portal to the Shuccho Navi support team. They configure this setting so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Shuccho Navi test user
In this section, you create a user called Britta Simon in Shuccho Navi. Work with Shuccho Navi support team to
add the users in the Shuccho Navi platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Shuccho Navi tile in the Access Panel, you should be automatically signed in to the Shuccho
Navi for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Signagelive
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Signagelive with Azure Active Directory (Azure AD). Integrating
Signagelive with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Signagelive.
You can enable your users to be automatically signed in to Signagelive (single sign-on) with their Azure AD
accounts.
You can manage your accounts in one central location: the Azure portal.
For more information about SaaS app integration with Azure AD, see What is application access and single sign-
on with Azure Active Directory. If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
To configure Azure AD integration with Signagelive, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
A Signagelive single-sign-on-enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Signagelive supports SP-initiated SSO.
5. Select Signagelive from the results pane, and then select the Add button to add the application.
3. On the Set up single sign-on with SAML page, select Edit to open the Basic SAML Configuration
dialog box.
NOTE
The value is not real. Update the value with the actual sign-on URL. To get the value, contact the Signagelive Client
support team. You can also refer to the patterns that are shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select
Download to download the Certificate (Raw) from the given options per your requirement. Then save it
on your computer.
6. In the Set up Signagelive section, copy the URL(s) that you need.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Signagelive Single sign-on
To configure single sign-on on the Signagelive side, send the downloaded Certificate (Raw) and copied URLs
from the Azure portal to the Signagelive support team. They ensure that the SAML SSO connection is set properly
on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Select the Add user button. Then, in the Add Assignment dialog box, select Users and groups.
5. In the Users and groups dialog box, in the Users list, select Britta Simon. Then click the Select button at
the bottom of the screen.
6. If you are expecting a role value in the SAML assertion, then, in the Select Role dialog box, select the
appropriate role for the user from the list. Next, click the Select button at the bottom of the screen.
7. In the Add Assignment dialog box, select the Assign button.
Create a Signagelive test user
In this section, you create a user called Britta Simon in Signagelive. Work with the Signagelive support team to add
the users in the Signagelive platform. You must create and activate users before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration by using the MyApps portal.
When you select the Signagelive tile in the MyApps portal, you should be automatically signed in. For more
information about the MyApps portal, see What is the MyApps portal?.
Additional resources
List of tutorials on how to integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
SignalFx
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate SignalFx with Azure Active Directory (Azure AD). Integrating SignalFx
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SignalFx.
You can enable your users to be automatically signed-in to SignalFx (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SignalFx, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
SignalFx single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SignalFx supports IDP initiated SSO
SignalFx supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SignalFx, select SignalFx from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL: https://api.signalfx.com/v1/saml/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://api.signalfx.com/v1/saml/acs/<integration ID>
NOTE
The preceding value is not a real value. Update the value with the actual Reply URL, which is explained later in the
tutorial.
5. SignalFx application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on
application integration page. On the Set up Single Sign-On with SAML page, click Edit button to open
User Attributes dialog.
6. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
NAME                SOURCE ATTRIBUTE
User.FirstName      user.givenname
User.email          user.mail
PersonImmutableID   user.userprincipalname
User.LastName       user.surname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
8. On the Set up SignalFx section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SignalFx Single Sign-On
1. Sign in to your SignalFx company site as administrator.
2. In SignalFx, at the top, click Integrations to open the Integrations page.
4. Click on NEW INTEGRATION and under the INSTALL tab perform the following steps:
a. In the Name textbox, type a new integration name, like OurOrgName SAML SSO.
b. Copy the Integration ID value and append it to the Reply URL, in place of <integration ID>, in the
Reply URL textbox of the Basic SAML Configuration section in the Azure portal.
c. Click on Upload File to upload the Base64 encoded certificate downloaded from Azure portal in the
Certificate textbox.
d. In the Issuer URL textbox, paste the value of Azure AD Identifier, which you have copied from the
Azure portal.
e. In the Metadata URL textbox, paste the Login URL which you have copied from the Azure portal.
f. Click Save.
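A configuration check for the SignalFx steps above, added here as an example (not Microsoft's or SignalFx's code): it inspects a captured test response for the four claim names, a Reply URL that ends in the real Integration ID, and an Issuer equal to the Azure AD Identifier. The tenant GUID, integration ID, user values and function names are constructed assumptions, and signatures are not verified.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values taken from the tutorial steps above.
SP_IDENTIFIER = "https://api.signalfx.com/v1/saml/metadata"
ACS_PREFIX = "https://api.signalfx.com/v1/saml/acs/"
REQUIRED_CLAIMS = ("User.FirstName", "User.email", "PersonImmutableID", "User.LastName")


def check_response(xml_text, azure_ad_identifier, integration_id):
    """Return configuration findings for a captured SAML response.

    An empty list means the response matches what the tutorial configures.
    This is a pre-check only: it does NOT verify the XML signature.
    """
    findings = []
    root = ET.fromstring(xml_text)

    # The Reply URL must carry the real Integration ID, not the placeholder.
    expected_acs = ACS_PREFIX + integration_id
    destination = root.get("Destination", "")
    if "<integration ID>" in destination:
        findings.append("Destination still contains the <integration ID> placeholder")
    elif destination != expected_acs:
        findings.append(f"Destination is {destination!r}, expected {expected_acs!r}")

    # SignalFx's Issuer URL field holds the Azure AD Identifier.
    issuer = root.findtext("saml:Assertion/saml:Issuer", default="", namespaces=NS).strip()
    if issuer != azure_ad_identifier:
        findings.append(f"Issuer is {issuer!r}, expected {azure_ad_identifier!r}")

    # The audience must be the Identifier typed into Basic SAML Configuration.
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS).strip()
    if audience != SP_IDENTIFIER:
        findings.append(f"Audience is {audience!r}, expected {SP_IDENTIFIER!r}")

    # Collect attribute names and their non-empty values.
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name", "")] = [v for v in values if v]

    for name in REQUIRED_CLAIMS:
        if name in claims:
            if not claims[name]:
                findings.append(f"claim {name} is present but empty")
        elif any(sent.endswith("/" + name) for sent in claims):
            # Happens when the Namespace field was not left blank.
            findings.append(f"claim {name} is sent with a namespace prefix; leave Namespace blank")
        else:
            # Also the result when the source attribute is unset for the user.
            findings.append(f"claim {name} is missing")
    return findings


def build_sample(destination, issuer, claims):
    """Build a constructed, unsigned SAML response to exercise the checks."""
    attrs = "".join(
        f"<saml:Attribute Name={quoteattr(n)}><saml:AttributeValue>{escape(v)}"
        "</saml:AttributeValue></saml:Attribute>"
        for n, v in claims.items()
    )
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f"Destination={quoteattr(destination)}>"
        f"<saml:Assertion><saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_IDENTIFIER}"
        "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


# Constructed sample data (not real tenant or integration values).
TENANT_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
INTEGRATION_ID = "EXAMPLE-INTEGRATION-ID"
UPN = "britta.simon@contoso.example"

GOOD = build_sample(ACS_PREFIX + INTEGRATION_ID, TENANT_ISSUER, {
    "User.FirstName": "Britta", "User.email": UPN,
    "PersonImmutableID": UPN, "User.LastName": "Simon",
})

# Placeholder left in the Reply URL, one claim namespaced, one claim absent.
BAD = build_sample(ACS_PREFIX + "<integration ID>", TENANT_ISSUER, {
    "User.FirstName": "Britta",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/User.email": UPN,
    "PersonImmutableID": UPN,
})

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_response(doc, TENANT_ISSUER, INTEGRATION_ID) or "no findings")
```

Run it against a response captured from a test sign-in before rollout; signature and validity-window checks remain the job of the service provider's SAML library.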
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SignalFx test user
The objective of this section is to create a user called Britta Simon in SignalFx. SignalFx supports just-in-time
provisioning, which is by default enabled. There is no action item for you in this section. A new user is created
during an attempt to access SignalFx if it doesn't exist yet.
When a user signs in to SignalFx from the SAML SSO for the first time, SignalFx support team sends them an
email containing a link that they must click through to authenticate. This will only happen the first time the user
signs in; subsequent login attempts will not require email validation.
NOTE
If you need to create a user manually, contact the SignalFx support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Sigstr
8/20/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Sigstr with Azure Active Directory (Azure AD). When you integrate
Sigstr with Azure AD, you can:
Control in Azure AD who has access to Sigstr.
Enable your users to be automatically signed-in to Sigstr with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Sigstr single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Sigstr supports IDP initiated SSO
Sigstr supports Just In Time user provisioning
4. On the Basic SAML Configuration section, the application is pre-configured and the necessary URLs are
already pre-populated with Azure. The user needs to save the configuration by clicking the Save button.
5. Sigstr application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes. Click Edit icon to open User Attributes dialog.
6. In addition to the above, the Sigstr application expects a few more attributes to be passed back in the SAML
response. In the User Claims section on the User Attributes dialog, perform the following steps to add the SAML
token attribute as shown in the below table:
NAME    SOURCE ATTRIBUTE
email   user.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Raw) and select Download to download the certificate and save it on your computer.
8. On the Set up Sigstr section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Sigstr test user
In this section, a user called Britta Simon is created in Sigstr. Sigstr supports just-in-time user provisioning, which
is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Sigstr, a new
one is created after authentication.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Sigstr tile in the Access Panel, you should be automatically signed in to the Sigstr for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Slack with Azure AD
Tutorial: Azure Active Directory integration with
SilkRoad Life Suite
6/13/2019 • 7 minutes to read
In this tutorial, you learn how to integrate SilkRoad Life Suite with Azure Active Directory (Azure AD). Integrating
SilkRoad Life Suite with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SilkRoad Life Suite.
You can enable your users to be automatically signed-in to SilkRoad Life Suite (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SilkRoad Life Suite, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
SilkRoad Life Suite single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SilkRoad Life Suite supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SilkRoad Life Suite, select SilkRoad Life Suite from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you have Service Provider metadata file, perform the
following steps:
NOTE
You will get the Service Provider metadata file explained later in this tutorial.
c. Once the metadata file is successfully uploaded, the Identifier and Reply URL values get auto populated
in Basic SAML Configuration section:
NOTE
If the Identifier and Reply URL values are not auto populated, then fill in the values manually according to
your requirement.
d. In the Sign-on URL text box, type a URL using the following pattern:
https://<subdomain>.silkroad-eng.com/Authentication/
5. On the Basic SAML Configuration section, if you do not have Service Provider metadata file, perform
the following steps:
a. In the Sign-on URL text box, type a URL using the following pattern:
https://<subdomain>.silkroad-eng.com/Authentication/
https://<subdomain>.silkroad-eng.com/Authentication/SP
https://<subdomain>.silkroad.com/Authentication/SP
c. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.silkroad-eng.com/Authentication/
https://<subdomain>.silkroad.com/Authentication/
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact
SilkRoad Life Suite Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up SilkRoad Life Suite section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SilkRoad Life Suite Single Sign-On
1. Sign in to your SilkRoad company site as administrator.
NOTE
To obtain access to the SilkRoad Life Suite Authentication application for configuring federation with Microsoft Azure
AD, please contact SilkRoad Support or your SilkRoad Services representative.
3. Click Download Federation Metadata, and then save the metadata file on your computer. Use
Downloaded Federation Metadata as a Service Provider metadata file in the Basic SAML
Configuration section in the Azure portal.
a. Under Option 2 - Metadata File, click Browse to upload the downloaded metadata file from Azure
portal.
b. Click Create Identity Provider using File Data.
7. In the Authentication Sources section, click Edit.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SilkRoad Life Suite test user
In this section, you create a user called Britta Simon in SilkRoad Life Suite. Work with SilkRoad Life Suite Client
support team to add the users in the SilkRoad Life Suite platform. Users must be created and activated before you
use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SilkRoad Life Suite tile in the Access Panel, you should be automatically signed in to the
SilkRoad Life Suite for which you set up SSO. For more information about the Access Panel, see Introduction to
the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Silverback
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Silverback with Azure Active Directory (Azure AD). Integrating
Silverback with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Silverback.
You can enable your users to be automatically signed-in to Silverback (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Silverback, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Silverback single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Silverback supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Silverback, select Silverback from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier box, type a URL using the following pattern: <YOURSILVERBACKURL>.com
c. In the Reply URL text box, type a URL using the following pattern:
https://<YOURSILVERBACKURL>.com/sts/authorize/login
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact
Silverback Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Silverback test user
To enable Azure AD users to log in to Silverback, they must be provisioned into Silverback. In Silverback,
provisioning is a manual task.
To provision a user account, perform the following steps:
1. Login to your Silverback Server as an Administrator.
2. Navigate to Users and add a new device user.
3. On the Basic page, perform the following steps:
NOTE
If you don’t want to create each user manually, enable the Dynamic User Creation checkbox under Admin >
Authentication Provider.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
SimpleNexus
11/19/2019 • 5 minutes to read
In this tutorial, you learn how to integrate SimpleNexus with Azure Active Directory (Azure AD). Integrating
SimpleNexus with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SimpleNexus.
You can enable your users to be automatically signed-in to SimpleNexus (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SimpleNexus, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
SimpleNexus single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SimpleNexus supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SimpleNexus, select SimpleNexus from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://simplenexus.com/<companyname>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact SimpleNexus Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up SimpleNexus section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SimpleNexus Single Sign-On
To configure single sign-on on the SimpleNexus side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the SimpleNexus support team. They configure this setting
so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SimpleNexus test user
In order to enable Azure AD users to log in to SimpleNexus, they must be provisioned into SimpleNexus. In the
case of SimpleNexus, provisioning is a manual task performed by the tenant administrator.
NOTE
You can use any other SimpleNexus user account creation tools or APIs provided by SimpleNexus to provision Azure AD user
accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Simple Sign
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Simple Sign with Azure Active Directory (Azure AD). Integrating Simple
Sign with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Simple Sign.
You can enable your users to be automatically signed-in to Simple Sign (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Simple Sign, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Simple Sign single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Simple Sign supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Simple Sign, select Simple Sign from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<SUBDOMAIN>.simplesign.io/saml/simplesamlphp/www/module.php/saml/sp/metadata.php/cloudfish-sp
b. In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.simplesign.io/saml/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/cloudfish-sp
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Simple Sign Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Simple Sign section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Simple Sign Single Sign-On
To configure single sign-on on the Simple Sign side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Simple Sign support team. They configure this setting so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Simple Sign test user
In this section, you create a user called Britta Simon in Simple Sign. Work with Simple Sign support team to add
the users in the Simple Sign platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Simple Sign tile in the Access Panel, you should be automatically signed in to the Simple Sign
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Skilljar
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Skilljar with Azure Active Directory (Azure AD). Integrating Skilljar with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Skilljar.
You can enable your users to be automatically signed-in to Skilljar (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Skilljar, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Skilljar single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Skilljar supports SP initiated SSO
Skilljar supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Skilljar, select Skilljar from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.skilljar.com/
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Skilljar Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Skilljar section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Skilljar Single Sign-On
To configure single sign-on on the Skilljar side, send the downloaded Federation Metadata XML and the
Name Identifier Format value urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress to the Skilljar
support team. They apply these settings so that the SAML SSO connection is configured correctly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Skilljar test user
In this section, a user called Britta Simon is created in Skilljar. Skilljar supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Skilljar, a
new one is created after authentication.
NOTE
If you need to create a user manually, you need to contact the Skilljar support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Skillport
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Skillport with Azure Active Directory (Azure AD). Integrating Skillport
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Skillport.
You can enable your users to be automatically signed-in to Skillport (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Skillport, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Skillport single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Skillport supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Skillport, select Skillport from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
US Datacenter: https://sso.skillport.com
US Datacenter: https://sso.skillport.com
US Datacenter: https://sso.skillport.com/sp/ACS.saml2
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Skillport section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Skillport Single Sign-On
To configure single sign-on on the Skillport side, send the downloaded Federation Metadata XML and the
appropriate copied URLs from the Azure portal to the Skillport support team. They apply these settings so that the
SAML SSO connection is configured correctly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Skillport test user
To create a Skillport test user, contact the Skillport support team, because they have multiple business
scenarios depending on the end user's requirements. They will configure it after discussion with the users.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Skillport tile in the Access Panel, you should be automatically signed in to the Skillport for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Skills Base
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Skills Base with Azure Active Directory (Azure AD). Integrating Skills
Base with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Skills Base.
You can enable your users to be automatically signed-in to Skills Base (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Skills Base, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Skills Base single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Skills Base supports SP initiated SSO
Skills Base supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Skills Base, select Skills Base from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
You can get the Sign-On URL from the Skills Base application. Log in as an Administrator and go to Admin ->
Settings -> Instance details -> Shortcut link. Copy the Sign-On URL and paste it in the above text box.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Skills Base section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Skills Base Single Sign-On
1. In a different web browser window, log in to Skills Base as a Security Administrator.
2. From the left side of the menu, under ADMIN, click Authentication.
a. Click the Update IdP metadata button next to the Status option and paste the contents of the Metadata XML
that you downloaded from the Azure portal in the specified text box.
NOTE
You can also validate the IdP metadata through the Metadata validator tool as highlighted in screenshot above.
b. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Skills Base test user
In this section, a user called Britta Simon is created in Skills Base. Skills Base supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Skills Base, a new one is created after authentication.
NOTE
If you need to create a user manually, follow the instructions here.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Skills Manager
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Skills Manager with Azure Active Directory (Azure AD). Integrating Skills
Manager with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Skills Manager.
You can enable your users to be automatically signed-in to Skills Manager (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Skills Manager, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Skills Manager single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Skills Manager supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Skills Manager, select Skills Manager from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<SUBDOMAIN>.skills-manager.com/kennametal
b. In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.skills-manager.com/public/SamlLogin2.aspx
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Skills Manager Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up Skills Manager section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Skills Manager Single Sign-On
To configure single sign-on on the Skills Manager side, send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Skills Manager support team. They apply these settings so
that the SAML SSO connection is configured correctly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Skills Manager test user
In this section, you create a user called Britta Simon in Skills Manager. Work with Skills Manager support team to
add the users in the Skills Manager platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Skills Manager tile in the Access Panel, you should be automatically signed in to the Skills
Manager for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with SkyDesk Email
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate SkyDesk Email with Azure Active Directory (Azure AD). Integrating
SkyDesk Email with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SkyDesk Email.
You can enable your users to be automatically signed-in to SkyDesk Email (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SkyDesk Email, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
SkyDesk Email single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SkyDesk Email supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SkyDesk Email, select SkyDesk Email from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact SkyDesk Email Client support team to
get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up SkyDesk Email section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SkyDesk Email Single Sign-On
1. In a different web browser, sign in to your SkyDesk Email account as an administrator.
2. In the menu on the top, click Setup, and select Org.
a. In the Login URL textbox, paste the value of Login URL, which you have copied from Azure portal.
b. In the Logout URL textbox, paste the value of Logout URL, which you have copied from Azure portal.
c. Change Password URL is optional so leave it blank.
d. Click on Get Key From File to select your downloaded certificate from Azure portal, and then click Open
to upload the certificate.
e. As Algorithm, select RSA.
f. Click Ok to save the changes.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SkyDesk Email test user
In this section, you create a user called Britta Simon in SkyDesk Email.
Click on User Access from the left panel in SkyDesk Email and then enter your username.
NOTE
If you need to create bulk users, you need to contact the SkyDesk Email Client support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Skyhigh Networks
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Skyhigh Networks with Azure Active Directory (Azure AD). Integrating
Skyhigh Networks with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Skyhigh Networks.
You can enable your users to be automatically signed-in to Skyhigh Networks (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Skyhigh Networks, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Skyhigh Networks single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Skyhigh Networks supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Skyhigh Networks, select Skyhigh Networks from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<ENV>.myshn.net/shndash/saml/Azure_SSO
b. In the Reply URL text box, type a URL using the following pattern:
https://<ENV>.myshn.net/shndash/response/saml-postlogin
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<ENV>.myshn.net/shndash/saml/Azure_SSO
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact Skyhigh
Networks Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. In the Set up Skyhigh Networks section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
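Because the Identifier, Reply URL and Sign-on URL in the Basic SAML Configuration steps are patterns rather than real values, a lint of the values actually entered catches unfilled placeholders, non-HTTPS endpoints and hosts that only resemble the expected domain. The following Python check is an added example, not part of the original tutorial or of any Microsoft or Skyhigh Networks tooling; the `contoso` and `example.org` values are constructed, and treating `<ENV>` as exactly one DNS label is an assumption.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the Skyhigh Networks steps of this tutorial.
PATTERNS = {
    "Identifier": "https://<ENV>.myshn.net/shndash/saml/Azure_SSO",
    "Reply URL": "https://<ENV>.myshn.net/shndash/response/saml-postlogin",
    "Sign-on URL": "https://<ENV>.myshn.net/shndash/saml/Azure_SSO",
}

PLACEHOLDER = re.compile(r"<[^<>]+>")
# Assumption: a placeholder stands for exactly one DNS label.
DNS_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"


def pattern_to_regex(pattern):
    """Turn a tutorial URL pattern into a regex; literal parts are escaped."""
    out, pos = [], 0
    for match in PLACEHOLDER.finditer(pattern):
        out.append(re.escape(pattern[pos:match.start()]))
        out.append(DNS_LABEL)
        pos = match.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("".join(out))


def check_value(pattern, value):
    """Return a list of finding codes for one configured URL (empty = OK)."""
    if PLACEHOLDER.search(value):
        return ["placeholder"]        # pattern pasted without being filled in
    try:
        url = urlsplit(value)
        has_port = url.port is not None
    except ValueError:
        return ["unparseable"]
    findings = []
    if url.scheme != "https":
        findings.append("scheme")     # the assertion would travel without TLS
    if "@" in url.netloc or has_port:
        findings.append("authority")  # userinfo or explicit port not in pattern
    if not pattern_to_regex(pattern).fullmatch(value):
        findings.append("pattern")    # wrong host, wrong path, or trailing data
    return findings


def lint_config(config, patterns=PATTERNS):
    """Check each configured field against the pattern with the same name."""
    report = {}
    for field, value in config.items():
        pattern = patterns.get(field)
        report[field] = ["no-pattern"] if pattern is None else check_value(pattern, value)
    return report


# Constructed sample configuration (not real tenant values).
SAMPLE_CONFIG = {
    "Identifier": "https://contoso.myshn.net/shndash/saml/Azure_SSO",
    "Reply URL": "https://contoso.myshn.net.example.org/shndash/response/saml-postlogin",
    "Sign-on URL": "https://<ENV>.myshn.net/shndash/saml/Azure_SSO",
}

if __name__ == "__main__":
    for field, findings in lint_config(SAMPLE_CONFIG).items():
        print(f"{field}: {'OK' if not findings else ', '.join(findings)}")
```

The Reply URL deserves the strictest check, since it is the address to which the signed assertion is delivered.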
Configure Skyhigh Networks Single Sign-On
To configure single sign-on on the Skyhigh Networks side, send the downloaded Certificate (Base64)
and the appropriate copied URLs from the Azure portal to the Skyhigh Networks support team. They apply these
settings so that the SAML SSO connection is configured correctly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Skyhigh Networks test user
In this section, you create a user called Britta Simon in Skyhigh Networks. Work with Skyhigh Networks support
team to add the users in the Skyhigh Networks platform. Users must be created and activated before you use
single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Skyhigh Networks tile in the Access Panel, you should be automatically signed in to the
Skyhigh Networks for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with SKYSITE
10/7/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate SKYSITE with Azure Active Directory (Azure AD). When you integrate
SKYSITE with Azure AD, you can:
Control in Azure AD who has access to SKYSITE.
Enable your users to be automatically signed-in to SKYSITE with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
SKYSITE single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
SKYSITE supports IDP initiated SSO
SKYSITE supports Just In Time user provisioning
Copy the User access URL; you paste it in the Configure SKYSITE SSO section, which is
explained later in the tutorial.
2. On the SKYSITE application integration page, navigate to single sign-on.
3. On the Select a single sign-on method page, select SAML.
4. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to
edit the settings.
5. On the Basic SAML Configuration section the application is pre-configured in IDP initiated mode and the
necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking
the Save button.
6. The SKYSITE application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes. Click the Edit icon to open the User Attributes dialog.
7. In addition to the above, the SKYSITE application expects a few more attributes to be passed back in the SAML response.
In the User Attributes & Claims section on the Group Claims (Preview) dialog, perform the following
steps:
a. Click the pen next to Groups returned in claim.
9. In the Set up SKYSITE section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Configure SKYSITE SSO
1. Open a new web browser window and sign into your SKYSITE company site as an administrator and
perform the following steps:
2. Click on Settings on the top right side of page and then navigate to Account setting.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SKYSITE tile in the Access Panel, you should be automatically signed in to the SKYSITE for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try SKYSITE with Azure AD
Tutorial: Azure Active Directory integration with Skytap
8/1/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Skytap with Azure Active Directory (Azure AD). Integrating Skytap with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Skytap.
You can enable your users to be automatically signed-in to Skytap (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Skytap, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Skytap single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Skytap supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Skytap, select Skytap from the result panel then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: http://pingone.com/<custom EntityID>
b. In the Reply URL text box, type a URL using the following pattern:
https://sso.connect.pingidentity.com/sso/sp/ACS.saml2
5. Click Set additional URLs and perform the following steps if you wish to configure the application in SP
initiated mode:
d. In the Sign-on URL text box, type a URL using the following pattern:
https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=<saasid>&idpid=<idpid>
e. In the Relay State text box, type a URL using the following pattern: https://pingone.com/1.0/<custom ID>
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL, Sign-on URL and Relay State.
Contact the Skytap Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Skytap section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Skytap Single Sign-On
To configure single sign-on on the Skytap side, you need to send the downloaded Federation Metadata XML and
the appropriate copied URLs from the Azure portal to the Skytap support team. They apply this configuration so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Skytap test user
In this section, you create a user called Britta Simon in Skytap. Any Administrator or User Manager within a
Skytap Account can create users. For more information on how to do this, see Skytap's help files:
https://help.skytap.com/users-create.html
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Skytap tile in the Access Panel, you should be automatically signed in to the Skytap for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Skyward Qmlativ
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Skyward Qmlativ with Azure Active Directory (Azure AD). Integrating
Skyward Qmlativ with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Skyward Qmlativ.
You can enable your users to be automatically signed-in to Skyward Qmlativ (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Skyward Qmlativ, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Skyward Qmlativ single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Skyward Qmlativ supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Skyward Qmlativ, select Skyward Qmlativ from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<BASEURL>/customeridentifierSTS
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Skyward Qmlativ
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Skyward Qmlativ test user
In this section, you create a user called Britta Simon in Skyward Qmlativ. Work with the Skyward Qmlativ support
team to add the users in the Skyward Qmlativ platform. Users must be created and activated before you use single
sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Skyward Qmlativ tile in the Access Panel, you should be automatically signed in to the Skyward
Qmlativ for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Tutorial: Azure Active Directory single sign-on (SSO) integration with Slack
11/8/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Slack with Azure Active Directory (Azure AD). When you integrate
Slack with Azure AD, you can:
Control in Azure AD who has access to Slack.
Enable your users to be automatically signed-in to Slack with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Slack single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Slack supports SP initiated SSO
Slack supports Just In Time user provisioning
Slack supports Automated user provisioning
NOTE
The identifier of this application is a fixed string value, so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<your Slack company>.slack.com
NOTE
The Sign on URL value is not real. Update the value with the actual Sign on URL. Contact the Slack Client support team
to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up Slack section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
3. In the Team Settings section, click the Authentication tab, and then click Change Settings.
NOTE
If you need to create a user manually, you need to contact the Slack support team.
NOTE
Azure AD Connect is the synchronization tool that can sync on-premises Active Directory identities to Azure AD; these
synced users can then use the applications like other cloud users.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Slack tile in the Access Panel, you should be automatically signed in to the Slack for which you
set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Slack with Azure AD
Tutorial: Azure Active Directory integration with Small Improvements
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Small Improvements with Azure Active Directory (Azure AD).
Integrating Small Improvements with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Small Improvements.
You can enable your users to be automatically signed-in to Small Improvements (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Small Improvements, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Small Improvements single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Small Improvements supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Small Improvements, select Small Improvements from the result panel, then click the
Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.small-improvements.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the Small
Improvements Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Small Improvements section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Small Improvements Single Sign-On
1. In another browser window, sign on to your Small Improvements company site as an administrator.
2. From the main dashboard page, click the Administration button on the left.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Small Improvements test user
To enable Azure AD users to log in to Small Improvements, they must be provisioned into Small Improvements. In
the case of Small Improvements, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign on to your Small Improvements company site as an administrator.
2. From the Home page, go to the menu on the left, click Administration.
3. Click the User Directory button from User Management section.
4. Click Add users.
Tutorial: Azure Active Directory integration with SmartDraw
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate SmartDraw with Azure Active Directory (Azure AD). Integrating
SmartDraw with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SmartDraw.
You can enable your users to be automatically signed-in to SmartDraw (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SmartDraw, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
SmartDraw single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SmartDraw supports SP and IDP initiated SSO
SmartDraw supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SmartDraw, select SmartDraw from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
you do not have to perform any step, as the app is already pre-integrated with Azure.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://cloud.smartdraw.com/sso/saml/login/<domain>
NOTE
The Sign-on URL value is not real. You will update the Sign-on URL value with the actual Sign-on URL, which is
explained later in the tutorial. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
6. The SmartDraw application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes. Click the Edit icon to open the User Attributes dialog.
7. In addition to the above, the SmartDraw application expects a few more attributes to be passed back in the SAML
response. In the User Claims section on the User Attributes dialog, perform the following steps to add
the SAML token attributes shown in the table below:
NAME         SOURCE ATTRIBUTE
FirstName    user.givenname
LastName     user.surname
Email        user.mail
Groups       user.groups
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok.
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
9. On the Set up SmartDraw section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
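The claim mappings added in step 7 can be checked against the SAML response from a test sign-in. The following Python sketch is an added example, not part of the original tutorial or of SmartDraw's or Microsoft's code. It assumes you have captured the base64 SAMLResponse form field from your own test sign-in; it inspects attribute names and values only and does not verify the response signature. The function names, the sample user values and the example claim namespace are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim name -> source attribute, exactly as listed in the tutorial's table.
REQUIRED_CLAIMS = {
    "FirstName": "user.givenname",
    "LastName": "user.surname",
    "Email": "user.mail",
    "Groups": "user.groups",
}


def constructed_response(attributes):
    """Build a minimal unsigned, base64-encoded SAML response (constructed test data)."""
    items = []
    for name, values in attributes.items():
        vals = "".join(f"<AttributeValue>{v}</AttributeValue>" for v in values)
        items.append(f'<Attribute Name="{name}">{vals}</Attribute>')
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<AttributeStatement>" + "".join(items) + "</AttributeStatement>"
        "</Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_response(b64_response):
    """Decode the SAMLResponse form field and parse it, refusing DTDs and entities."""
    xml_bytes = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("SAML messages must not contain DTD or entity declarations")
    return ET.fromstring(xml_bytes)


def emitted_attributes(root):
    """Return {attribute Name: [values]} for every attribute in the assertion."""
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML):
        name = attr.get("Name")
        if name is None:
            continue
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def check_claims(b64_response):
    """Return a list of (claim, code, detail) findings; an empty list means all four claims are present."""
    attrs = emitted_attributes(decode_response(b64_response))
    findings = []
    for claim, source in REQUIRED_CLAIMS.items():
        if claim in attrs:
            if not any(attrs[claim]):
                findings.append((claim, "empty", f"{source} has no value for this user"))
            continue
        # A claim emitted with a namespace prefix or different casing will not match by exact name.
        lookalikes = [n for n in attrs if n.rsplit("/", 1)[-1].lower() == claim.lower()]
        if lookalikes:
            detail = f"emitted as {lookalikes[0]!r}; Name must match exactly and Namespace must be blank"
            findings.append((claim, "wrong-name", detail))
        else:
            findings.append((claim, "missing", f"no claim sourced from {source}"))
    return findings


if __name__ == "__main__":
    # Constructed sample: FirstName was saved with a namespace, Email was never added.
    sample = constructed_response({
        "http://schemas.example/claims/FirstName": ["Britta"],
        "LastName": ["Simon"],
        "Groups": ["00000000-0000-0000-0000-000000000001"],
    })
    for finding in check_claims(sample):
        print(finding)
```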
Configure SmartDraw Single Sign-On
1. In a different web browser window, log in to SmartDraw as an Administrator.
2. Click on Single Sign-On under Manage your SmartDraw License.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SmartDraw test user
In this section, a user called Britta Simon is created in SmartDraw. SmartDraw supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in SmartDraw, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SmartDraw tile in the Access Panel, you should be automatically signed in to the SmartDraw
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Tutorial: Azure Active Directory integration with SmarterU
11/19/2019 • 5 minutes to read
In this tutorial, you learn how to integrate SmarterU with Azure Active Directory (Azure AD). Integrating SmarterU
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SmarterU.
You can enable your users to be automatically signed-in to SmarterU (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SmarterU, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
SmarterU single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SmarterU supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SmarterU, select SmarterU from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up SmarterU section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SmarterU Single Sign-On
1. In a different web browser window, sign in to your SmarterU company site as an administrator.
2. In the toolbar on the top, click Account Settings.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SmarterU test user
To enable Azure AD users to sign in to SmarterU, they must be provisioned into SmarterU. In the case of
SmarterU, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your SmarterU tenant.
2. Go to Users.
3. In the user section, perform the following steps:
a. Click +User.
b. Type the related attribute values of the Azure AD user account into the following textboxes: Primary
Email, Employee ID, Password, Verify Password, Given Name, Surname.
c. Click Active.
d. Click Save.
NOTE
You can use any other SmarterU user account creation tools or APIs provided by SmarterU to provision Azure AD user
accounts.
Tutorial: Azure Active Directory integration with SmartFile
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate SmartFile with Azure Active Directory (Azure AD). Integrating SmartFile
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SmartFile.
You can enable your users to be automatically signed-in to SmartFile (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SmartFile, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
SmartFile single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SmartFile supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SmartFile, select SmartFile from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern: <SUBDOMAIN>.smartfile.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the SmartFile Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up SmartFile section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SmartFile Single Sign-On
To configure single sign-on on the SmartFile side, you need to send the downloaded Federation Metadata XML
and the appropriate copied URLs from the Azure portal to the SmartFile support team. They apply this configuration so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SmartFile test user
In this section, you create a user called Britta Simon in SmartFile. Work with the SmartFile support team to add the
users in the SmartFile platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SmartFile tile in the Access Panel, you should be automatically signed in to the SmartFile for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Tutorial: Azure Active Directory integration with SmartLPA
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate SmartLPA with Azure Active Directory (Azure AD). Integrating
SmartLPA with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SmartLPA.
You can enable your users to be automatically signed-in to SmartLPA (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SmartLPA, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
SmartLPA single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SmartLPA supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SmartLPA, select SmartLPA from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<TENANTNAME>.smartlpa.com/<UNIQUE ID>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the SmartLPA Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up SmartLPA section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SmartLPA Single Sign-On
To configure single sign-on on the SmartLPA side, you need to send the downloaded Certificate (Base64) and
the appropriate copied URLs from the Azure portal to the SmartLPA support team. They apply this configuration so that
the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SmartLPA test user
In this section, you create a user called Britta Simon in SmartLPA. Work with the SmartLPA support team to add the
users in the SmartLPA platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SmartLPA tile in the Access Panel, you should be automatically signed in to the SmartLPA for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Tutorial: Azure Active Directory integration with SmartRecruiters
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate SmartRecruiters with Azure Active Directory (Azure AD). Integrating
SmartRecruiters with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SmartRecruiters.
You can enable your users to be automatically signed-in to SmartRecruiters (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SmartRecruiters, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
SmartRecruiters single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SmartRecruiters supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SmartRecruiters, select SmartRecruiters from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://www.smartrecruiters.com/web-sso/saml/<companyname>
b. In the Reply URL text box, type a URL using the following pattern:
https://www.smartrecruiters.com/web-sso/saml/<companyname>/callback
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://www.smartrecruiters.com/web-sso/saml/<companyname>/login
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact the
SmartRecruiters Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up SmartRecruiters section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
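A pre-flight check for the three Basic SAML Configuration values above, as an added example that is not part of the original tutorial: it confirms that each value follows the SmartRecruiters pattern, that no placeholder is left in, and that all three use the same company name. The function names, the rule that a placeholder is a single path segment, and the sample value contoso are assumptions.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the SmartRecruiters Basic SAML Configuration steps above.
SMARTRECRUITERS_PATTERNS = {
    "identifier": "https://www.smartrecruiters.com/web-sso/saml/<companyname>",
    "reply_url": "https://www.smartrecruiters.com/web-sso/saml/<companyname>/callback",
    "sign_on_url": "https://www.smartrecruiters.com/web-sso/saml/<companyname>/login",
}

PLACEHOLDER = re.compile(r"<([A-Za-z][A-Za-z0-9_]*)>")
# Assumption (not from the tutorial): a placeholder stands for one path
# segment of letters, digits and hyphens, so it can never add a "/" or ".".
SEGMENT = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"


def compile_pattern(pattern):
    """Turn a tutorial URL pattern into a regex with one group per placeholder."""
    parts, pos, seen = [], 0, set()
    for match in PLACEHOLDER.finditer(pattern):
        parts.append(re.escape(pattern[pos:match.start()]))
        name = match.group(1)
        if name in seen:
            parts.append(f"(?P={name})")          # same placeholder, same value
        else:
            parts.append(f"(?P<{name}>{SEGMENT})")
            seen.add(name)
        pos = match.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts))


def check_saml_urls(values, patterns, optional=("sign_on_url",)):
    """Return a list of problems; an empty list means the values are consistent.

    sign_on_url is optional because the tutorial only asks for it in
    SP initiated mode.
    """
    problems, bound = [], {}
    for field, pattern in patterns.items():
        value = values.get(field, "")
        if not value:
            if field not in optional:
                problems.append(f"{field}: missing")
            continue
        leftover = PLACEHOLDER.search(value)
        if leftover:
            problems.append(f"{field}: placeholder {leftover.group(0)} was not replaced")
            continue
        try:
            scheme = urlsplit(value).scheme
        except ValueError:
            problems.append(f"{field}: not a parseable URL")
            continue
        if scheme != "https":
            problems.append(f"{field}: scheme must be https")
            continue
        match = compile_pattern(pattern).fullmatch(value)
        if match is None:
            problems.append(f"{field}: does not match {pattern}")
            continue
        # Every field must agree on the value substituted for each placeholder.
        for name, got in match.groupdict().items():
            expected = bound.setdefault(name, got)
            if expected.lower() != got.lower():
                problems.append(
                    f"{field}: {name} is {got!r} but another field uses {expected!r}"
                )
    return problems


if __name__ == "__main__":
    # Constructed sample values; "contoso" is a made-up company name.
    sample = {
        "identifier": "https://www.smartrecruiters.com/web-sso/saml/contoso",
        "reply_url": "https://www.smartrecruiters.com/web-sso/saml/contoso/callback",
        "sign_on_url": "https://www.smartrecruiters.com/web-sso/saml/contoso/login",
    }
    print(check_saml_urls(sample, SMARTRECRUITERS_PATTERNS) or "all values consistent")
```

The Reply URL is the value that matters most here, because it is where Azure AD posts the signed assertion.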
Configure SmartRecruiters Single Sign-On
1. In a different web browser window, log in to your SmartRecruiters company site as an administrator.
2. Go to Settings / Admin.
a. In the Identity Provider URL textbox, paste the Login URL value that you copied from the Azure
portal.
b. Open the Certificate (Base64) that you downloaded from the Azure portal in Notepad, copy its
content, and paste it into the Identity Provider certificate textbox.
6. Click Save Web SSO configuration.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SmartRecruiters test user
In this section, you create a user called Britta Simon in SmartRecruiters. Work with the SmartRecruiters support
team to add the users in the SmartRecruiters platform. Users must be created and activated before you use single
sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SmartRecruiters tile in the Access Panel, you should be automatically signed in to the
SmartRecruiters for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
smartvid.io
10/30/2019 • 4 minutes to read
In this tutorial, you learn how to integrate smartvid.io with Azure Active Directory (Azure AD). Integrating
smartvid.io with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to smartvid.io.
You can enable your users to be automatically signed-in to smartvid.io (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with smartvid.io, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
smartvid.io single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
smartvid.io supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type smartvid.io, select smartvid.io from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, you do not have to perform any step because the app is
already pre-integrated with Azure.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
6. On the Set up smartvid.io section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure smartvid.io Single Sign-On
To configure single sign-on on the smartvid.io side, you need to send the downloaded Certificate (Raw) and
the appropriate copied URLs from the Azure portal to the smartvid.io support team. They apply these settings so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create smartvid.io test user
In this section, you create a user called Britta Simon in smartvid.io. Work with the smartvid.io support team to add
the users in the smartvid.io platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the smartvid.io tile in the Access Panel, you should be automatically signed in to the smartvid.io for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Snowflake
10/30/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Snowflake with Azure Active Directory (Azure AD). Integrating
Snowflake with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Snowflake.
You can enable your users to be automatically signed-in to Snowflake (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Snowflake, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Snowflake single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Snowflake supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Snowflake, select Snowflake from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, perform the following steps if you wish to configure the
application in IDP initiated mode:
a. In the Identifier text box, type a URL using the following pattern:
https://<SNOWFLAKE-URL>.snowflakecomputing.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<SNOWFLAKE-URL>.snowflakecomputing.com/fed/login
c. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<SNOWFLAKE-URL>.snowflakecomputing.com
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact
Snowflake Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and
save it on your computer.
6. On the Set up Snowflake section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Snowflake Single Sign-On
1. In a different web browser window, log in to Snowflake as a Security Administrator.
2. Switch Role to ACCOUNTADMIN by clicking your profile at the top right of the page.
NOTE
This is separate from the context you have selected in the top-right corner under your User Name.
3. Open the downloaded Base64 certificate in Notepad. Copy the value between "-----BEGIN
CERTIFICATE-----" and "-----END CERTIFICATE-----" and paste it into the quotation marks next to
certificate below. In ssoUrl, paste the Login URL value that you copied from the Azure portal.
Select All Queries and click Run.
-- Run as ACCOUNTADMIN: register Azure AD as the account's SAML identity provider.
use role accountadmin;
alter account set saml_identity_provider = '{
"certificate": "<Paste the content of downloaded certificate from Azure portal>",
"ssoUrl":"<Login URL value which you have copied from the Azure portal>",
"type":"custom",
"label":"AzureAD"
}';
-- Enable the SSO login option on the Snowflake login page.
alter account set sso_login_page = TRUE;
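Step 3 above done by script rather than by hand in Notepad, as an added example that is not part of the original tutorial: it extracts the Base64 body from the downloaded certificate file, rejects a truncated or doubled paste, and fills in the statement shown above. The function names, the sample login URL and the sample certificate (a placeholder DER structure, not a real certificate) are constructed for illustration.

```python
import base64
import binascii
import hashlib
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def der_declared_length(der):
    """Total size the outer DER SEQUENCE header declares for the blob."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    count = first & 0x7F                  # long form: next `count` bytes
    if count == 0 or count > 4 or len(der) < 2 + count:
        raise ValueError("unsupported DER length encoding")
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def certificate_body(pem_text):
    """Return (single-line Base64 body, DER bytes) of exactly one certificate."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    body = "".join(blocks[0].split())     # drop line breaks and stray spaces
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid Base64: {exc}") from exc
    if der_declared_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    return body, der


def sha256_fingerprint(pem_text):
    """SHA-256 of the DER bytes, to record which certificate was configured."""
    _, der = certificate_body(pem_text)
    return hashlib.sha256(der).hexdigest()


def build_statement(pem_text, sso_url, label="AzureAD"):
    """Fill in the tutorial's statement with a validated certificate and URL."""
    body, _ = certificate_body(pem_text)
    if not sso_url.startswith("https://"):
        raise ValueError("ssoUrl must be an https:// URL")
    payload = json.dumps(
        {"certificate": body, "ssoUrl": sso_url, "type": "custom", "label": label},
        indent=2,
    )
    # The JSON sits inside a single-quoted SQL string: refuse anything that
    # would end the literal or be treated as an escape sequence.
    if "'" in payload or "\\" in payload:
        raise ValueError("value would break out of the SQL string literal")
    return (
        "use role accountadmin;\n"
        f"alter account set saml_identity_provider = '{payload}';\n"
        "alter account set sso_login_page = TRUE;"
    )


def make_sample_pem():
    """Constructed sample: a placeholder DER SEQUENCE, not a real certificate."""
    der = b"\x30\x82\x01\x00" + bytes(range(256))
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(lines)
        + "\n-----END CERTIFICATE-----\n"
    )


if __name__ == "__main__":
    # Constructed login URL; use the Login URL copied from the Azure portal.
    url = "https://login.example.test/00000000-0000-0000-0000-000000000000/saml2"
    print(build_statement(make_sample_pem(), url))
    print("-- sha256:", sha256_fingerprint(make_sample_pem()))
```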
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Snowflake test user
To enable Azure AD users to log in to Snowflake, they must be provisioned into Snowflake. In Snowflake,
provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to Snowflake as a Security Administrator.
2. Switch Role to ACCOUNTADMIN by clicking your profile at the top right of the page.
3. Create the user by running the below SQL query, ensuring "Login name" is set to the Azure AD username
on the worksheet as shown below.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Softeon WMS
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Softeon WMS with Azure Active Directory (Azure AD). Integrating
Softeon WMS with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Softeon WMS.
You can enable your users to be automatically signed-in to Softeon WMS (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Softeon WMS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Softeon WMS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Softeon WMS supports SP initiated SSO
Softeon WMS supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Softeon WMS, select Softeon WMS from the result panel, then click the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.softeon.com/sp
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Softeon WMS
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Softeon WMS section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Softeon WMS Single Sign-On
To configure single sign-on on the Softeon WMS side, you need to send the downloaded Certificate (Base64) and
the appropriate copied URLs from the Azure portal to the Softeon WMS support team. They apply these settings so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Softeon WMS test user
In this section, a user called Britta Simon is created in Softeon WMS. Softeon WMS supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Softeon WMS, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Softeon WMS tile in the Access Panel, you should be automatically signed in to the Softeon
WMS for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Soloinsight-CloudGate SSO with
Azure Active Directory
10/30/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Soloinsight-CloudGate SSO with Azure Active Directory (Azure AD).
When you integrate Soloinsight-CloudGate SSO with Azure AD, you can:
Control in Azure AD who has access to Soloinsight-CloudGate SSO.
Enable your users to be automatically signed-in to Soloinsight-CloudGate SSO with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
Soloinsight-CloudGate SSO single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Soloinsight-CloudGate SSO supports
SP initiated SSO.
4. On the Basic SAML Configuration page, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.sigateway.com/login
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<SUBDOMAIN>.sigateway.com/process/sso
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier, which are explained later in
the Configure Soloinsight-CloudGate SSO Single Sign-On section of the tutorial.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up Soloinsight-CloudGate SSO section, copy the appropriate URL(s) based on your
requirement.
Configure Soloinsight-CloudGate SSO
1. To automate the configuration within Soloinsight-CloudGate SSO, you need to install the My Apps Secure
Sign-in browser extension by clicking Install the extension.
2. After adding the extension to the browser, click Setup Soloinsight-CloudGate SSO, which directs you to the
Soloinsight-CloudGate SSO application. From there, provide the admin credentials to sign in to
Soloinsight-CloudGate SSO. The browser extension will automatically configure the application for you and
automate steps 3-8.
3. If you want to set up Soloinsight-CloudGate SSO manually, open a new web browser window, sign in to
your Soloinsight-CloudGate SSO company site as an administrator, and perform the following steps:
4. To get the values that are to be pasted in the Azure portal while configuring Basic SAML, sign in to the
CloudGate Web Portal using your credentials then access the SSO settings, which can be found on the
following path Home>Administration>System settings>General.
5. SAML Consumer URL
Copy the links available against the Saml Consumer URL and the Redirect URL fields and paste
them in the Azure portal Basic SAML Configuration section for Identifier (Entity ID ) and Reply
URL fields respectively.
7. Default Group
Select Business Admin from the drop-down list of the Default Group option in the CloudGate
Web Portal
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Soloinsight-CloudGate SSO test user
To create a test user, select Employees from the main menu of your CloudGate Web Portal and fill out the Add
New employee form. The Authority Level that is to be assigned to the test user is Business Admin. Click
Create once all the required fields are filled.
Test SSO
When you select the Soloinsight-CloudGate SSO tile in the Access Panel, you should be automatically signed in to
the Soloinsight-CloudGate SSO for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Sonarqube
10/7/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Sonarqube with Azure Active Directory (Azure AD). When you
integrate Sonarqube with Azure AD, you can:
Control in Azure AD who has access to Sonarqube.
Enable your users to be automatically signed-in to Sonarqube with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Sonarqube single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Sonarqube supports SP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL:
For Production Environment
https://servicessonar.corp.microsoft.com/
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up Sonarqube section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Sonarqube.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Sonarqube.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Sonarqube tile in the Access Panel, you should be automatically signed in to the Sonarqube for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Sonarqube with Azure AD
Tutorial: Azure Active Directory integration with
Soonr Workplace
7/5/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Soonr Workplace with Azure Active Directory (Azure AD). Integrating
Soonr Workplace with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Soonr Workplace.
You can enable your users to be automatically signed-in to Soonr Workplace (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Soonr Workplace, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Soonr Workplace single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Soonr Workplace supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Soonr Workplace, select Soonr Workplace from the result panel then click the
Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<servername>.soonr.com/singlesignon/saml/metadata
b. In the Reply URL text box, type a URL using the following pattern:
https://<servername>.soonr.com/singlesignon/saml/SSO
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<servername>.soonr.com/singlesignon/saml/SSO
NOTE
These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact Soonr
Workplace Client support team to get these values. You can also refer to the patterns shown in the Basic SAML
Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up Soonr Workplace section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Soonr Workplace Single Sign-On
To configure single sign-on on the Soonr Workplace side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the Soonr Workplace support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
NOTE
If you require assistance with configuring Autotask Workplace, please see this page to get assistance with your Workplace
account.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Soonr Workplace test user
In this section, you create a user called Britta Simon in Soonr Workplace. Work with the Soonr Workplace support
team to add the users in the Soonr Workplace platform. Users must be created and activated before you use single
sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Soonr Workplace tile in the Access Panel, you should be automatically signed in to the Soonr
Workplace for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
SpaceIQ
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate SpaceIQ with Azure Active Directory (Azure AD). Integrating SpaceIQ
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SpaceIQ.
You can enable your users to be automatically signed-in to SpaceIQ (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SpaceIQ, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
SpaceIQ single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SpaceIQ supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SpaceIQ, select SpaceIQ from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type the URL: https://api.spaceiq.com
b. In the Reply URL text box, type a URL using the following pattern:
https://api.spaceiq.com/saml/<instanceid>/callback
NOTE
Update these values with the actual Reply URL and Identifier, which are explained later in the tutorial.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up SpaceIQ section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SpaceIQ Single Sign-On
1. Open a new browser window, and then sign in to your SpaceIQ environment as an administrator.
2. Once you are logged in, click the puzzle sign at the top right, then click Integrations.
3. Under All PROVISIONING & SSO, click on the Azure tile to add an instance of Azure as IDP.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SpaceIQ test user
In this section, you create a user called Britta Simon in SpaceIQ. Work with the SpaceIQ support team to add the
users in the SpaceIQ platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SpaceIQ tile in the Access Panel, you should be automatically signed in to the SpaceIQ for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Spacio
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Spacio with Azure Active Directory (Azure AD). Integrating Spacio with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Spacio.
You can enable your users to be automatically signed-in to Spacio (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Spacio, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Spacio single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Spacio supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Spacio, select Spacio from result panel then click Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://sso.spac.io/<brokerageID>
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Spacio Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Spacio test user
In this section, you create a user called Britta Simon in Spacio. Work with Spacio support team to add the users in
the Spacio platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Spacio tile in the Access Panel, you should be automatically signed in to the Spacio for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Splunk Enterprise and Splunk Cloud
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Splunk Enterprise and Splunk Cloud with Azure Active Directory (Azure
AD). Integrating Splunk Enterprise and Splunk Cloud with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Splunk Enterprise and Splunk Cloud.
You can enable your users to be automatically signed-in to Splunk Enterprise and Splunk Cloud (Single Sign-
On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Splunk Enterprise and Splunk Cloud, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Splunk Enterprise and Splunk Cloud single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Splunk Enterprise and Splunk Cloud supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Splunk Enterprise and Splunk Cloud, select Splunk Enterprise and Splunk
Cloud from result panel then click Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier box, type a URL using the following pattern: <splunkserverUrl>
c. In the Reply URL text box, type a URL using the following pattern: https://<splunkserver>/saml/acs
NOTE
These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact Splunk
Enterprise and Splunk Cloud Client support team to get these values. You can also refer to the patterns shown in the
Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
2. In the applications list, type and select Splunk Enterprise and Splunk Cloud.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Splunk Enterprise and Splunk Cloud test user
In this section, you create a user called Britta Simon in Splunk Enterprise and Splunk Cloud. Work with Splunk
Enterprise and Splunk Cloud support team to add the users in the Splunk Enterprise and Splunk Cloud platform.
Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Splunk Enterprise and Splunk Cloud tile in the Access Panel, you should be automatically
signed in to the Splunk Enterprise and Splunk Cloud for which you set up SSO. For more information about the
Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Spotinst
7/9/2019 • 7 minutes to read
In this tutorial, you learn how to integrate Spotinst with Azure Active Directory (Azure AD). Integrating Spotinst
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Spotinst.
You can enable your users to be automatically signed-in to Spotinst (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Spotinst, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Spotinst single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Spotinst supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Spotinst, select Spotinst from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. Check Set additional URLs.
b. In the Relay State textbox, type a value: <ID>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
NOTE
The Relay State value is not real. You will update the Relay State value with the actual Relay State value, which is
explained later in the tutorial.
6. Spotinst application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on
application integration page. On the Set up Single Sign-On with SAML page, click Edit button to open
User Attributes dialog.
7. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
NAME            SOURCE ATTRIBUTE
Email           user.mail
FirstName       user.givenname
LastName        user.surname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
9. On the Set up Spotinst section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
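An added example, not part of the original tutorial: a check that a SAML assertion captured for the test user carries the Email, FirstName and LastName claims under the bare names configured above, which fails when the Namespace field was not left blank. The assertions are constructed and unsigned, the function names are hypothetical, and the check reads attributes only; it does not validate the signature.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
REQUIRED_CLAIMS = ("Email", "FirstName", "LastName")  # names from the tutorial's claims table


def build_sample_assertion(attributes):
    """Build a constructed, unsigned assertion fragment for the demonstration."""
    body = "".join(
        f'<Attribute Name="{name}"><AttributeValue>{value}</AttributeValue></Attribute>'
        for name, value in attributes)
    return (f'<Assertion xmlns="{ASSERTION_NS}"><AttributeStatement>'
            f'{body}</AttributeStatement></Assertion>')


# Constructed sample: claims configured as the tutorial describes.
GOOD_ASSERTION = build_sample_assertion([
    ("Email", "britta.simon@contoso.com"),
    ("FirstName", "Britta"),
    ("LastName", "Simon"),
])

# Constructed sample: Namespace left at a default value for Email, empty FirstName,
# and no LastName claim at all.
BAD_ASSERTION = build_sample_assertion([
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Email", "britta.simon@contoso.com"),
    ("FirstName", ""),
])


def read_attributes(assertion_xml):
    """Return {attribute name: [values]} for every Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % ASSERTION_NS):
        name = attr.get("Name")
        if not name:
            continue
        values = [(v.text or "").strip()
                  for v in attr.findall("{%s}AttributeValue" % ASSERTION_NS)]
        attrs[name] = values
    return attrs


def check_required_claims(assertion_xml):
    """Return one finding per required claim that is missing, empty or namespaced."""
    attrs = read_attributes(assertion_xml)
    findings = []
    for claim in REQUIRED_CLAIMS:
        if claim in attrs:
            if not any(attrs[claim]):
                findings.append(f"{claim}: present but empty")
            continue
        # A claim saved with a namespace is emitted as "<namespace>/<name>".
        lookalikes = [n for n in attrs
                      if n.rsplit("/", 1)[-1].lower() == claim.lower()]
        if lookalikes:
            findings.append(
                f"{claim}: sent as {lookalikes[0]!r}, expected the bare name "
                "(leave the Namespace blank)")
        else:
            findings.append(f"{claim}: missing")
    return findings


if __name__ == "__main__":
    print("good:", check_required_claims(GOOD_ASSERTION) or "all claims present")
    for finding in check_required_claims(BAD_ASSERTION):
        print("bad: ", finding)
```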
Configure Spotinst Single Sign-On
1. In a different web browser window, sign in to Spotinst as a Security Administrator.
2. Click on the user icon on the top right side of the screen and click Settings.
3. Click on the SECURITY tab on the top and then select Identity Providers and perform the following steps:
a. Copy the Relay State value for your instance and paste it in Relay State textbox in Basic SAML
Configuration section on Azure portal.
b. Click BROWSE to upload the metadata xml file that you have downloaded from Azure portal
c. Click SAVE.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Spotinst test user
The objective of this section is to create a user called Britta Simon in Spotinst.
1. If you have configured the application in the SP initiated mode, perform the following steps:
a. In a different web browser window, sign in to Spotinst as a Security Administrator.
b. Click on the user icon on the top right side of the screen and click Settings.
c. Click Users and select ADD USER.
In the Full Name textbox, enter the full name of user like BrittaSimon.
In the Email textbox, enter the email address of the user like brittasimon@contoso.com.
Select your organization-specific details for the Organization Role, Account Role, and Accounts.
2. If you have configured the application in the IDP initiated mode, there is no action item for you in this
section. Spotinst supports just-in-time provisioning, which is by default enabled. A new user is created
during an attempt to access Spotinst if it doesn't exist yet.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Spotinst tile in the Access Panel, you should be automatically signed in to the Spotinst for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
SpringCM
11/19/2019 • 6 minutes to read
In this tutorial, you learn how to integrate SpringCM with Azure Active Directory (Azure AD). Integrating
SpringCM with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SpringCM.
You can enable your users to be automatically signed-in to SpringCM (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SpringCM, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
SpringCM single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SpringCM supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SpringCM, select SpringCM from the result panel then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact SpringCM Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
6. On the Set up SpringCM section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SpringCM Single Sign-On
1. In a different web browser window, sign on to your SpringCM company site as administrator.
2. In the menu on the top, click GO TO, click Preferences, and then, in the Account Preferences section, click
SAML SSO.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create SpringCM test user
To enable Azure Active Directory users to sign in to SpringCM, they must be provisioned into SpringCM. In the
case of SpringCM, provisioning is a manual task.
NOTE
For more information, see Create and Edit a SpringCM User.
NOTE
You can use any other SpringCM user account creation tools or APIs provided by SpringCM to provision Azure AD
user accounts.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Springer Link
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Springer Link with Azure Active Directory (Azure AD). Integrating
Springer Link with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Springer Link.
You can enable your users to be automatically signed-in to Springer Link (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Springer Link, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Springer Link single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Springer Link supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Springer Link, select Springer Link from result panel then click Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL: https://fsso.springer.com
5. If you wish to configure the application in SP initiated mode, perform the following step:
In the Sign-on URL text box, type a URL using the following pattern:
https://fsso.springer.com/saml/login?idp=<entityID>&targetUrl=https://link.springer.com
NOTE
The Sign-on URL value is not real. Update the value with the actual Sign-On URL. <entityID> is the Azure AD
Identifier copied from the Set up Springer Link section, described later in tutorial. You can also refer to the patterns
shown in the Basic SAML Configuration section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
icon to copy App Federation Metadata Url and save it on your computer.
7. On the Set up Springer Link section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Springer Link Single Sign-On
To configure single sign-on on the Springer Link side, you need to send the copied App Federation Metadata Url
and the appropriate copied URLs from the Azure portal to the Springer Link support team. They apply these settings so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Springer Link test user
In this section, you create a user called Britta Simon in Springer Link. Work with Springer Link support team to add
the users in the Springer Link platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Springer Link tile in the Access Panel, you should be automatically signed in to the Springer
Link for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Sprinklr
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Sprinklr with Azure Active Directory (Azure AD). Integrating Sprinklr
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Sprinklr.
You can enable your users to be automatically signed-in to Sprinklr (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Sprinklr, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Sprinklr single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Sprinklr supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Sprinklr, select Sprinklr from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.sprinklr.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Sprinklr Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Sprinklr section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Sprinklr Single Sign-On
1. In a different web browser window, log in to your Sprinklr company site as an administrator.
2. Go to Administration > Settings.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Sprinklr test user
1. Log in to your Sprinklr company site as an administrator.
2. Go to Administration > Settings.
IMPORTANT
Password Disabled must be selected to enable a user to log in via an Identity provider.
NOTE
You can use any other Sprinklr user account creation tools or APIs provided by Sprinklr to provision Azure AD user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
StatusPage
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate StatusPage with Azure Active Directory (Azure AD). Integrating
StatusPage with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to StatusPage.
You can enable your users to be automatically signed-in to StatusPage (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with StatusPage, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
StatusPage single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
StatusPage supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type StatusPage, select StatusPage from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<subdomain>.statuspagestaging.com/
https://<subdomain>.statuspage.io/
b. In the Reply URL text box, type a URL using the following pattern:
https://<subdomain>.statuspagestaging.com/sso/saml/consume
https://<subdomain>.statuspage.io/sso/saml/consume
NOTE
Contact the StatusPage support team at SupportTeam@statuspage.io to request the metadata necessary to configure
single sign-on.
a. From the metadata, copy the Issuer value, and then paste it into the Identifier textbox.
b. From the metadata, copy the Reply URL, and then paste it into the Reply URL textbox.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up StatusPage section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure StatusPage Single Sign-On
1. In another browser window, sign in to your StatusPage company site as an administrator.
2. In the main toolbar, click Manage Account.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create StatusPage test user
The objective of this section is to create a user called Britta Simon in StatusPage.
StatusPage supports just-in-time provisioning. You have already enabled it in Configure Azure AD Single Sign-On.
To create a user called Britta Simon in StatusPage, perform the following steps:
1. Sign on to your StatusPage company site as an administrator.
2. In the menu on the top, click Manage Account.
3. Click the Team Members tab.
5. Type the Email Address, First Name, and Surname of a valid user you want to provision into the related
textboxes.
In this tutorial, you learn how to integrate Stormboard with Azure Active Directory (Azure AD). Integrating
Stormboard with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Stormboard.
You can enable your users to be automatically signed-in to Stormboard (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Stormboard, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
Stormboard single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Stormboard supports SP and IDP initiated SSO
Stormboard supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add new application, click New application button on the top of dialog.
4. In the search box, type Stormboard, select Stormboard from result panel then click Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Reply URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.stormboard.com/saml2/ad/acs/<TEAMID>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://<SUBDOMAIN>.stormboard.com/saml2/ad/login/<TEAMID>
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact Stormboard
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. On the Set up Stormboard section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
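An added example, not part of the original tutorial: a check that a Reply URL about to be saved matches the patterns given above for StatusPage and Stormboard, since this is the address Azure AD posts the signed assertion to. The candidate URLs are constructed, the function names are hypothetical, and treating each placeholder as a single DNS-label-style token is an assumption.

```python
import re

# Reply URL patterns quoted in the StatusPage and Stormboard tutorials.
REPLY_URL_PATTERNS = {
    "StatusPage": [
        "https://<subdomain>.statuspage.io/sso/saml/consume",
        "https://<subdomain>.statuspagestaging.com/sso/saml/consume",
    ],
    "Stormboard": [
        "https://<SUBDOMAIN>.stormboard.com/saml2/ad/acs/<TEAMID>",
    ],
}

# Assumption: a placeholder stands for one token of letters, digits and inner
# hyphens (a DNS label). It can never contain ".", "/", "@", "?" or "#".
TOKEN = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"


def compile_pattern(pattern):
    """Turn a documented pattern with <placeholders> into a strict regex."""
    parts = re.split(r"(<[^<>]+>)", pattern)
    regex = "".join(TOKEN if part.startswith("<") else re.escape(part)
                    for part in parts)
    return re.compile(regex)


def check_reply_url(app, url):
    """Return (ok, detail) for a Reply URL that is about to be saved for `app`."""
    if "<" in url or ">" in url:
        return False, "placeholder left unreplaced"
    if not url.startswith("https://"):
        return False, "scheme must be https"
    for pattern in REPLY_URL_PATTERNS[app]:
        # fullmatch: nothing may precede or follow the documented shape.
        if compile_pattern(pattern).fullmatch(url):
            return True, pattern
    return False, "does not match any documented pattern"


# Constructed candidates, as an administrator might paste them.
CANDIDATES = [
    ("StatusPage", "https://contoso.statuspage.io/sso/saml/consume"),
    ("StatusPage", "https://<subdomain>.statuspage.io/sso/saml/consume"),
    ("StatusPage", "http://contoso.statuspage.io/sso/saml/consume"),
    ("StatusPage", "https://contoso.statuspage.io.example.net/sso/saml/consume"),
    ("Stormboard", "https://contoso.stormboard.com/saml2/ad/acs/12345"),
    # The Sign-on URL pasted into the Reply URL box by mistake:
    ("Stormboard", "https://contoso.stormboard.com/saml2/ad/login/12345"),
]

if __name__ == "__main__":
    for app, url in CANDIDATES:
        ok, detail = check_reply_url(app, url)
        print("OK  " if ok else "FAIL", app, url, "->", detail)
```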
Configure Stormboard Single Sign-On
To configure single sign-on on the Stormboard side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Stormboard support team. They apply these settings so that the SAML
SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Stormboard test user
In this section, a user called Britta Simon is created in Stormboard. Stormboard supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Stormboard, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Stormboard tile in the Access Panel, you should be automatically signed in to the Stormboard
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with SuccessFactors
8/13/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate SuccessFactors with Azure Active Directory (Azure AD). When you
integrate SuccessFactors with Azure AD, you can:
Control in Azure AD who has access to SuccessFactors.
Enable your users to be automatically signed-in to SuccessFactors with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
SuccessFactors single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
SuccessFactors supports SP initiated SSO
https://<companyname>.successfactors.com/<companyname>
https://<companyname>.sapsf.com/<companyname>
https://<companyname>.successfactors.eu/<companyname>
https://<companyname>.sapsf.eu
https://www.successfactors.com/<companyname>
https://www.successfactors.com
https://<companyname>.successfactors.eu
https://www.successfactors.eu/<companyname>
https://<companyname>.sapsf.com
https://hcm4preview.sapsf.com/<companyname>
https://<companyname>.sapsf.eu
https://www.successfactors.cn
https://www.successfactors.cn/<companyname>
c. In the Reply URL textbox, type a URL using the following pattern:
https://<companyname>.successfactors.com/<companyname>
https://<companyname>.successfactors.com
https://<companyname>.sapsf.com/<companyname>
https://<companyname>.sapsf.com
https://<companyname>.successfactors.eu/<companyname>
https://<companyname>.successfactors.eu
https://<companyname>.sapsf.eu
https://<companyname>.sapsf.eu/<companyname>
https://<companyname>.sapsf.cn
https://<companyname>.sapsf.cn/<companyname>
NOTE
These values are not real. Update these values with the actual Sign-on URL, Identifier and Reply URL. Contact
SuccessFactors Client support team to get these values.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up SuccessFactors section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SuccessFactors.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select SuccessFactors.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
This value is used as the on/off switch. If any value is saved, the SAML SSO is ON. If a blank value is saved the SAML
SSO is OFF.
NOTE
The certificate content must have begin certificate and end certificate tags.
NOTE
If you try to enable this, the system checks whether it creates a duplicate SAML login name. For example, if the customer has
the usernames User1 and user1, taking away case sensitivity makes these duplicates. The system gives you an error
message and does not enable the feature. The customer needs to change one of the usernames so that it's spelled
differently.
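A pre-flight check for the situation this note describes, as an added example that is not part of the original tutorial or of SuccessFactors tooling: it groups login names that collide once case is ignored, so they can be renamed before the setting is enabled. The function names and sample usernames are assumptions, and because the page does not say how SuccessFactors compares names, Unicode NFKC normalisation plus case folding is assumed.

```python
"""Find login names that become duplicates when case sensitivity is removed."""
import unicodedata
from collections import defaultdict


def normalise_login(name: str) -> str:
    """Assumed comparison key: trim, NFKC-normalise, then case-fold.

    casefold() is stricter than lower(): it also maps characters such as
    the German sharp s to "ss", so "STRASSE" and "straße" compare equal.
    """
    return unicodedata.normalize("NFKC", name.strip()).casefold()


def find_case_collisions(usernames):
    """Return {folded_name: [original spellings]} for every colliding group.

    An exact repeat of one spelling is recorded once; a group is returned
    only when at least two different spellings fold to the same key.
    """
    groups = defaultdict(list)
    for name in usernames:
        key = normalise_login(name)
        if not key:
            continue  # skip blank rows from an export
        spelling = name.strip()
        if spelling not in groups[key]:
            groups[key].append(spelling)
    return {key: names for key, names in groups.items() if len(names) > 1}


# Constructed sample data, not taken from any real tenant.
SAMPLE_USERNAMES = [
    "User1",
    "user1",
    "B.Simon",
    "b.simon ",
    "Britta.Simon",
    "STRASSE",
    "straße",
    "",
]

if __name__ == "__main__":
    for key, names in sorted(find_case_collisions(SAMPLE_USERNAMES).items()):
        print(f"{key}: rename all but one of {names}")
```

Run it against an export of the login names before enabling the setting; an empty result means no rename is needed under the assumed comparison rule.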
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SuccessFactors tile in the Access Panel, you should be automatically signed in to the
SuccessFactors for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try SuccessFactors with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO) integration with Sugar CRM
11/19/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Sugar CRM with Azure Active Directory (Azure AD). When you
integrate Sugar CRM with Azure AD, you can:
Control in Azure AD who has access to Sugar CRM.
Enable your users to be automatically signed-in to Sugar CRM with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Sugar CRM single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Sugar CRM supports SP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign-on URL text box, type a URL using the following pattern:
https://<companyname>.sugarondemand.com
https://<companyname>.trial.sugarcrm
b. In the Reply URL text box, type a URL using the following pattern:
https://<companyname>.sugarondemand.com/<companyname>
https://<companyname>.trial.sugarcrm.com/<companyname>
https://<companyname>.trial.sugarcrm.eu/<companyname>
NOTE
These values are not real. Update these values with the actual Sign-On URL and Reply URL. Contact Sugar CRM Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up Sugar CRM section, copy the appropriate URL(s) based on your requirement.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
a. In the Login URL textbox, paste the value of Login URL, which you have copied from Azure portal.
b. In the SLO URL textbox, paste the value of Logout URL, which you have copied from Azure portal.
c. Open your base-64 encoded certificate in Notepad, copy its content to your clipboard, and then
paste the entire certificate into the X.509 Certificate textbox.
d. Click Save.
Create Sugar CRM test user
In order to enable Azure AD users to sign in to Sugar CRM, they must be provisioned to Sugar CRM. In the case of
Sugar CRM, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Sugar CRM company site as administrator.
2. Go to Admin.
3. In the Administration section, click User Management.
NOTE
You can use any other Sugar CRM user account creation tools or APIs provided by Sugar CRM to provision Azure AD user
accounts.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Sugar CRM tile in the Access Panel, you should be automatically signed in to the Sugar CRM
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Sugar CRM with Azure AD
Tutorial: Azure Active Directory integration with SumoLogic
11/19/2019 • 6 minutes to read
In this tutorial, you learn how to integrate SumoLogic with Azure Active Directory (Azure AD). Integrating
SumoLogic with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SumoLogic.
You can enable your users to be automatically signed-in to SumoLogic (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SumoLogic, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
SumoLogic single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SumoLogic supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SumoLogic, select SumoLogic from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<tenantname>.us2.sumologic.com
https://<tenantname>.sumologic.com
https://<tenantname>.us4.sumologic.com
https://<tenantname>.eu.sumologic.com
https://<tenantname>.au.sumologic.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact SumoLogic Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up SumoLogic section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SumoLogic Single Sign-On
1. In a different web browser window, sign in to your SumoLogic company site as an administrator.
2. Go to Manage > Security.
3. Click SAML.
4. From the Select a configuration or create a new one list, select Azure AD, and then click Configure.
5. On the Configure SAML 2.0 dialog, perform the following steps:
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create SumoLogic test user
In order to enable Azure AD users to sign in to SumoLogic, they must be provisioned to SumoLogic. In the case of
SumoLogic, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your SumoLogic tenant.
2. Go to Manage > Users.
3. Click Add.
a. Type the related information of the Azure AD account you want to provision into the First Name, Last
Name, and Email textboxes.
b. Select a role.
c. As Status, select Active.
d. Click Save.
NOTE
You can use any other SumoLogic user account creation tools or APIs provided by SumoLogic to provision Azure AD user
accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with SumTotalCentral
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate SumTotalCentral with Azure Active Directory (Azure AD). Integrating
SumTotalCentral with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to SumTotalCentral.
You can enable your users to be automatically signed-in to SumTotalCentral (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with SumTotalCentral, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
SumTotalCentral single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
SumTotalCentral supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type SumTotalCentral, select SumTotalCentral from the result panel, then click the Add button
to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The Sign-on URL value is not real. Update the value with the actual Sign-On URL. Contact SumTotalCentral Client
support team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up SumTotalCentral section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure SumTotalCentral Single Sign-On
To configure single sign-on on the SumTotalCentral side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the SumTotalCentral support team. They configure this
setting so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create SumTotalCentral test user
In this section, you create a user called Britta Simon in SumTotalCentral. Work with the SumTotalCentral support team
to add the users in the SumTotalCentral platform. Users must be created and activated before you use single
sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SumTotalCentral tile in the Access Panel, you should be automatically signed in to the
SumTotalCentral for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Supermood
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Supermood with Azure Active Directory (Azure AD). Integrating
Supermood with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Supermood.
You can enable your users to be automatically signed-in to Supermood (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Supermood, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Supermood single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Supermood supports SP and IDP initiated SSO
Supermood supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Supermood, select Supermood from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. Check Set additional URLs.
b. If you wish to configure the application in IDP initiated mode, in the Relay State textbox, type a URL:
https://supermood.co/auth/sso/saml20
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
6. Supermood application expects the SAML assertions in a specific format. Configure the following claims for
this application. You can manage the values of these attributes from the User Attributes section on
application integration page. On the Set up Single Sign-On with SAML page, click Edit button to open
User Attributes dialog.
7. In the User Claims section on the User Attributes dialog, edit the claims by using Edit icon or add the
claims by using Add new claim to configure SAML token attribute as shown in the image above and
perform the following steps:
NAME         SOURCE ATTRIBUTE
firstName    user.givenname
lastName     user.surname
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
8. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click the copy
button to copy the App Federation Metadata Url and save it on your computer.
4. In the Add an SAML 2.0 configuration for an email domain section, perform the following steps:
a. In the email domain for this Identity provider textbox, type your domain.
b. In the Use a metadata URL textbox, paste the App Federation Metadata Url which you have copied
from Azure portal.
c. Click Add.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Supermood test user
In this section, a user called Britta Simon is created in Supermood. Supermood supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in Supermood, a new one is created after authentication. If you need to create a user manually,
contact Supermood support team.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Supermood tile in the Access Panel, you should be automatically signed in to the Supermood
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with SurveyMonkey Enterprise
10/17/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate SurveyMonkey Enterprise with Azure Active Directory (Azure AD).
When you integrate SurveyMonkey Enterprise with Azure AD, you can:
Control in Azure AD who has access to SurveyMonkey Enterprise.
Enable your users to be automatically signed-in to SurveyMonkey Enterprise with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
SurveyMonkey Enterprise single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
SurveyMonkey Enterprise supports IDP initiated SSO
NOTE
Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, the application is pre-configured and the necessary URLs are
already pre-populated with Azure. The user needs to save the configuration by clicking the Save button.
5. SurveyMonkey Enterprise application expects the SAML assertions in a specific format, which requires you
to add custom attribute mappings to your SAML token attributes configuration. The following screenshot
shows the list of default attributes.
6. In addition to the above, the SurveyMonkey Enterprise application expects a few more attributes to be passed back in
the SAML response, which are shown below. These attributes are also pre-populated, but you can review them as
per your requirement.
NAME         SOURCE ATTRIBUTE
Email        user.mail
FirstName    user.givenname
LastName     user.surname
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
8. On the Set up SurveyMonkey Enterprise section, copy the appropriate URL(s) based on your
requirement.
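A check of the claim names listed in the Supermood and SurveyMonkey Enterprise tutorials, run against an assertion captured from a test sign-in before go-live (an added example, not code from the tutorials or from either vendor). The assertion below is constructed, the function names are assumptions, and the check compares attribute names and values only; it does not validate the signature.

```python
"""Compare the attributes in a SAML assertion with the claims an app expects."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names from the Name column of the tutorials' attribute tables.
EXPECTED_CLAIMS = {
    "Supermood": {"firstName", "lastName"},
    "SurveyMonkey Enterprise": {"Email", "FirstName", "LastName"},
}

# Constructed assertion fragment for illustration; all values are made up.
# lastName is sent with a namespace prefix and Email has no value.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName">
      <saml:AttributeValue>Britta</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastName">
      <saml:AttributeValue>Simon</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Email">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def read_attributes(assertion_xml):
    """Return {attribute name: [non-empty values]} from every AttributeStatement.

    Parse only a response you captured yourself from a test sign-in.
    """
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [
            (value.text or "").strip()
            for value in attr.iterfind("saml:AttributeValue", SAML_NS)
        ]
        attributes.setdefault(attr.get("Name", ""), []).extend(v for v in values if v)
    return attributes


def check_claims(assertion_xml, app):
    """Report missing, empty and mismatched claims for one application.

    Names are compared exactly (an assumption about the service provider).
    "mismatched" lists claims that arrived under a different name, for
    example with a namespace prefix although Supermood's steps say to
    leave Namespace blank, or with different letter case.
    """
    attributes = read_attributes(assertion_xml)
    report = {"missing": [], "empty": [], "mismatched": []}
    for claim in sorted(EXPECTED_CLAIMS[app]):
        if claim in attributes:
            if not attributes[claim]:
                report["empty"].append(claim)
            continue
        near = [
            name for name in attributes
            if name.rsplit("/", 1)[-1].casefold() == claim.casefold()
        ]
        if near:
            report["mismatched"].append((claim, near[0]))
        else:
            report["missing"].append(claim)
    return report


if __name__ == "__main__":
    for app in EXPECTED_CLAIMS:
        print(app, check_claims(SAMPLE_ASSERTION, app))
```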
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SurveyMonkey Enterprise tile in the Access Panel, you should be automatically signed in to the
SurveyMonkey Enterprise for which you set up SSO. For more information about the Access Panel, see
Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try SurveyMonkey Enterprise with Azure AD
Tutorial: Azure Active Directory integration with Symantec Web Security Service (WSS)
10/30/2019 • 6 minutes to read
In this tutorial, you will learn how to integrate your Symantec Web Security Service (WSS) account with your
Azure Active Directory (Azure AD) account so that WSS can authenticate an end user provisioned in the Azure AD
using SAML authentication and enforce user or group level policy rules.
Integrating Symantec Web Security Service (WSS) with Azure AD provides you with the following benefits:
Manage all of the end users and groups used by your WSS account from your Azure AD portal.
Allow the end users to authenticate themselves in WSS using their Azure AD credentials.
Enable the enforcement of user and group level policy rules defined in your WSS account.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Symantec Web Security Service (WSS), you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Symantec Web Security Service (WSS) single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Symantec Web Security Service (WSS) supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Symantec Web Security Service (WSS), select Symantec Web Security Service
(WSS) from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
Contact the Symantec Web Security Service (WSS) Client support team if the values for the Identifier and Reply URL are
not working for some reason. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Symantec Web Security Service (WSS) test user
In this section, you create a user called Britta Simon in Symantec Web Security Service (WSS). The corresponding
end username can be manually created in the WSS portal or you can wait for the users/groups provisioned in the
Azure AD to be synchronized to the WSS portal after a few minutes (~15 minutes). Users must be created and
activated before you use single sign-on. The public IP address of the end user machine, which will be used to
browse websites, also needs to be provisioned in the Symantec Web Security Service (WSS) portal.
NOTE
Please click here to get your machine's public IP address.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Integrate Syncplicity with Azure Active Directory
11/19/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Syncplicity with Azure Active Directory (Azure AD). When you
integrate Syncplicity with Azure AD, you can:
Control in Azure AD who has access to Syncplicity.
Enable your users to be automatically signed-in to Syncplicity with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a one-month free trial here.
Syncplicity single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment. Syncplicity supports SP initiated SSO.
4. On the Basic SAML Configuration page, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<companyname>.syncplicity.com
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<companyname>.syncplicity.com/sp
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Syncplicity Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. On the Set up Syncplicity section, copy the appropriate URL(s) based on your requirement.
Configure Syncplicity SSO
1. Sign in to your Syncplicity tenant.
2. In the menu on the top, click admin, select settings, and then click Custom domain and single sign-on.
3. On the Single Sign-On (SSO) dialog page, perform the following steps:
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Syncplicity test user
For Azure AD users to be able to sign in, they must be provisioned to the Syncplicity application. This section describes
how to create Azure AD user accounts in Syncplicity.
To provision a user account to Syncplicity, perform the following steps:
1. Sign in to your Syncplicity tenant (for example: https://company.Syncplicity.com ).
2. Click admin and select user accounts and then click ADD A USER.
3. Type the Email addresses of an Azure AD account you want to provision, select User as Role, and then
click NEXT.
NOTE
The Azure AD account holder gets an email including a link to confirm and activate the account.
4. Select a group in your company that your new user should become a member of, and then click NEXT.
NOTE
If there are no groups listed, click NEXT.
5. Select the folders you would like to place under Syncplicity’s control on the user’s computer, and then click
NEXT.
NOTE
You can use any other Syncplicity user account creation tools or APIs provided by Syncplicity to provision Azure AD user
accounts.
Test SSO
When you select the Syncplicity tile in the Access Panel, you should be automatically signed in to the Syncplicity for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Synergi
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Synergi with Azure Active Directory (Azure AD). Integrating Synergi with
Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Synergi.
You can enable your users to be automatically signed-in to Synergi (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Synergi, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Synergi single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Synergi supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Synergi, select Synergi from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://<company name>.irmsecurity.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<company name>.irmsecurity.com/sso/<organization id>
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. Contact Synergi Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Synergi section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Synergi Single Sign-On
To configure single sign-on on the Synergi side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Synergi support team. They configure this setting so that the SAML SSO
connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Synergi test user
In this section, you create a user called Britta Simon in Synergi. Work with Synergi support team to add the users in
the Synergi platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Synergi tile in the Access Panel, you should be automatically signed in to the Synergi for which
you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with T&E Express
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate T&E Express with Azure Active Directory (Azure AD). Integrating T&E
Express with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to T&E Express.
You can enable your users to be automatically signed-in to T&E Express (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with T&E Express, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
T&E Express single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
T&E Express supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type T&E Express, select T&E Express from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type a URL using the following pattern:
https://<domain>.tyeexpress.com
b. In the Reply URL text box, type a URL using the following pattern:
https://<domain>.tyeexpress.com/authorize/samlConsume.aspx
NOTE
These values are not real. Update these values with the actual Identifier and Reply URL. We suggest that you use
a unique string value in the Identifier. Contact T&E Express Client support team to get these values. You can also
refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up T&E Express section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure T&E Express Single Sign-On
1. To configure single sign-on on the T&E Express side, log in to the T&E Express application without SAML single
sign-on, using admin credentials.
2. Under the Admin tab, click SAML domain to open the SAML settings page.
3. Change the Activar (Activate) option from No to SI (Yes). In the Identity Provider Metadata textbox,
paste the metadata XML that you downloaded from the Azure portal.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create T&E Express test user
In order to enable Azure AD users to log into T&E Express, they must be provisioned into T&E Express. In case of
T&E Express, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Log in to your T&E Express company site as an administrator.
2. Under the Admin tab, click Users to open the Users master page.
4. Enter all the mandatory details as asked in the form and click the save button to save the details.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the T&E Express tile in the Access Panel, you should be automatically signed in to the T&E Express
for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Tableau Online
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate Tableau Online with Azure Active Directory (Azure AD). Integrating
Tableau Online with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Tableau Online.
You can enable your users to be automatically signed-in to Tableau Online (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Tableau Online, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Tableau Online single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Tableau Online supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Tableau Online, select Tableau Online from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
You will get the <entityid> value from the Set up Tableau Online section in this tutorial. The entity ID value will
be Azure AD identifier value in Set up Tableau Online section.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Tableau Online section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Tableau Online Single Sign-On
1. In a different browser window, sign in to your Tableau Online application. Go to Settings and then
Authentication.
2. To enable SAML, under the Authentication types section, check Enable an additional authentication
method and then check the SAML checkbox.
3. Scroll down to the Import metadata file into Tableau Online section. Click Browse and import the
metadata file that you downloaded from Azure AD. Then, click Apply.
4. In the Match assertions section, insert the corresponding Identity Provider assertion name for email
address, first name, and last name. To get this information from Azure AD:
a. In the Azure portal, go to the Tableau Online application integration page.
b. In the User Attributes & Claims section, click on the edit icon.
c. Copy the namespace value for these attributes: givenname, email and surname by using the following
steps:
d. Click user.givenname value
e. Copy the value from the Namespace textbox.
f. To copy the namespace values for the email and surname repeat the above steps.
g. Switch to the Tableau Online application, then set the User Attributes & Claims section as follows:
Email: mail or userprincipalname
First name: givenname
Last name: surname
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Tableau Online test user
In this section, you create a user called Britta Simon in Tableau Online.
1. On Tableau Online, click Settings and then Authentication section. Scroll down to Manage Users
section. Click Add Users and then click Enter Email Addresses.
2. Select Add users for (SAML) authentication. In the Enter email addresses textbox add
britta.simon@contoso.com
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with Tableau Server
9/24/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Tableau Server with Azure Active Directory (Azure AD). When you
integrate Tableau Server with Azure AD, you can:
Control in Azure AD who has access to Tableau Server.
Enable your users to be automatically signed-in to Tableau Server with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Tableau Server single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Tableau Server supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign-on URL text box, type a URL using the following pattern: https://azure.<domain name>.link
b. In the Identifier box, type a URL using the following pattern: https://azure.<domain name>.link
c. In the Reply URL text box, type a URL using the following pattern:
https://azure.<domain name>.link/wg/saml/SSO/index.html
NOTE
The preceding values are not real values. Update the values with the actual URL and identifier from the Tableau Server
configuration page which is explained later in the tutorial.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up Tableau Server section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon.
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com.
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Tableau Server.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Tableau Server.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
NOTE
Customers have to upload any certificate in the Tableau Server SAML SSO configuration, and it will get ignored in the
SSO flow. If you need help configuring SAML on Tableau Server, refer to the article Configure SAML.
NOTE
If you need to create a user manually, you need to contact the Tableau Server administrator in your organization.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Tableau Server tile in the Access Panel, you should be automatically signed in to the Tableau
Server for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Tableau Server with Azure AD
Tutorial: Azure Active Directory integration with TalentLMS
11/19/2019 • 6 minutes to read
In this tutorial, you learn how to integrate TalentLMS with Azure Active Directory (Azure AD). Integrating
TalentLMS with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to TalentLMS.
You can enable your users to be automatically signed-in to TalentLMS (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with TalentLMS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
TalentLMS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
TalentLMS supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type TalentLMS, select TalentLMS from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
http://<tenant-name>.talentlms.com
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact TalentLMS Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. In the SAML Signing Certificate section, click Edit button to open SAML Signing Certificate dialog.
6. In the SAML Signing Certificate section, copy the THUMBPRINT and save it on your computer.
7. On the Set up TalentLMS section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure TalentLMS Single Sign-On
1. In a different web browser window, sign in to your TalentLMS company site as an administrator.
2. In the Account & Settings section, click the Users tab.
5. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create TalentLMS test user
To enable Azure AD users to sign in to TalentLMS, they must be provisioned into TalentLMS. In the case of
TalentLMS, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your TalentLMS tenant.
2. Click Users, and then click Add User.
3. On the Add user dialog page, perform the following steps:
a. In the First name textbox, enter the first name of the user, like Britta.
b. In the Last name textbox, enter the last name of the user, like Simon.
c. In the Email address textbox, enter the email of the user, like brittasimon@contoso.com.
d. Click Add User.
NOTE
You can use any other TalentLMS user account creation tools or APIs provided by TalentLMS to provision Azure AD user
accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Talent Palette
10/30/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Talent Palette with Azure Active Directory (Azure AD). Integrating Talent
Palette with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Talent Palette.
You can enable your users to be automatically signed-in to Talent Palette (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Talent Palette, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Talent Palette single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Folloze supports IDP initiated SSO
Folloze supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Talent Palette, select Talent Palette from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
In the Reply URL text box, type a URL using the following pattern:
https://talent-p.net/saml/acs/<tenantID>
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern:
https://talent-p.net/saml/sso/<tenantID>
NOTE
These values are not real. Update these values with the actual Reply URL and Sign-On URL. Contact Talent Palette
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Raw) from the given options as per your requirement and save it
on your computer.
7. On the Set up Talent Palette section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Talent Palette Single Sign-On
To configure single sign-on on the Talent Palette side, you need to send the downloaded Certificate (Raw) and the
appropriate copied URLs from the Azure portal to the Talent Palette support team. They configure this setting so that the SAML
SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Talent Palette test user
In this section, you create a user called Britta Simon in Talent Palette. Work with Talent Palette support team to add
the users in the Talent Palette platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Talent Palette tile in the Access Panel, you should be automatically signed in to the Talent
Palette for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Tango Analytics
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Tango Analytics with Azure Active Directory (Azure AD). Integrating
Tango Analytics with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Tango Analytics.
You can enable your users to be automatically signed-in to Tango Analytics (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Tango Analytics, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial here
Tango Analytics single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Tango Analytics supports IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Tango Analytics, select Tango Analytics from the result panel, then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Set up Single Sign-On with SAML page, perform the following steps:
a. In the Identifier text box, type the value: TACORE_SSO
b. In the Reply URL text box, type a URL using the following pattern:
https://mts.tangoanalytics.com/saml2/sp/acs/post
NOTE
The Reply URL value is not real. Update this with the actual Reply URL. Contact Tango Analytics Client support team
to get this value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure
portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Tango Analytics section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Tango Analytics Single Sign-On
To configure single sign-on on the Tango Analytics side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the Tango Analytics support team. They configure this setting so
that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Tango Analytics test user
In this section, you create a user called Britta Simon in Tango Analytics. Work with the Tango Analytics support team to
add the users to the Tango Analytics platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Tango Analytics tile in the Access Panel, you should be automatically signed in to the Tango
Analytics instance for which you set up SSO. For more information about the Access Panel, see Introduction to the Access
Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Tangoe Command Premium Mobile
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Tangoe Command Premium Mobile with Azure Active Directory (Azure
AD). Integrating Tangoe Command Premium Mobile with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Tangoe Command Premium Mobile.
You can enable your users to be automatically signed in to Tangoe Command Premium Mobile (Single Sign-On)
with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Tangoe Command Premium Mobile, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Tangoe Command Premium Mobile single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Tangoe Command Premium Mobile supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Tangoe Command Premium Mobile, select Tangoe Command Premium
Mobile from the result panel, then click the Add button to add the application.
2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Reply URL text box, type a URL using the following pattern: https://sso.tangoe.com/sp/ACS.saml2
NOTE
These values are not real. Update these values with the actual Sign on URL and Reply URL. Contact the Tangoe Command
Premium Mobile Client support team to get these values. You can also refer to the patterns shown in the Basic
SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Tangoe Command Premium Mobile section, copy the appropriate URL(s) as per your
requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Tangoe Command Premium Mobile Single Sign-On
To configure single sign-on on the Tangoe Command Premium Mobile side, send the downloaded
Federation Metadata XML and the appropriate URLs copied from the Azure portal to the Tangoe Command Premium
Mobile support team. They apply these settings so that the SAML SSO connection is set up properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Tangoe Command Premium Mobile test user
In this section, you create a user called Britta Simon in Tangoe Command Premium Mobile. Work with the Tangoe
Command Premium Mobile support team to add the users to the Tangoe Command Premium Mobile platform.
Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Tangoe Command Premium Mobile tile in the Access Panel, you should be automatically
signed in to the Tangoe Command Premium Mobile instance for which you set up SSO. For more information about the
Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
TargetProcess
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate TargetProcess with Azure Active Directory (Azure AD). Integrating
TargetProcess with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to TargetProcess.
You can enable your users to be automatically signed-in to TargetProcess (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with TargetProcess, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
TargetProcess single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
TargetProcess supports SP initiated SSO
TargetProcess supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type TargetProcess, select TargetProcess from the result panel, then click the Add button to add
the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.tpondemand.com/
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact the TargetProcess
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and
save it on your computer.
6. In the Set up TargetProcess section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure TargetProcess Single Sign-On
1. To automate the configuration within TargetProcess, you need to install the My Apps Secure Sign-in
browser extension by clicking Install the extension.
2. After adding the extension to the browser, clicking setup TargetProcess directs you to the TargetProcess
application. From there, provide the admin credentials to sign in to TargetProcess. The browser extension
will automatically configure the application for you and automate steps 3-7.
If you want to configure the application manually, perform the following steps:
3. Sign in to your TargetProcess application as an administrator.
4. In the menu on the top, click Setup.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create TargetProcess test user
In this section, a user called Britta Simon is created in TargetProcess. TargetProcess supports just-in-time user
provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already
exist in TargetProcess, a new one is created after authentication.
NOTE
If you need to create a user manually, contact the TargetProcess support team.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with TAS
8/9/2019 • 6 minutes to read
In this tutorial, you learn how to integrate TAS with Azure Active Directory (Azure AD). Integrating TAS with Azure
AD provides you with the following benefits:
You can control in Azure AD who has access to TAS.
You can enable your users to be automatically signed-in to TAS (Single Sign-On) with their Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with TAS, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
TAS single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
TAS supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type TAS, select TAS from the result panel, then click the Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following steps:
a. In the Identifier text box, type a URL using the following pattern: https://taseu.combtas.com/<DOMAIN>
b. In the Reply URL text box, type a URL using the following pattern:
https://taseu.combtas.com/<ENVIRONMENTNAME>/AssertionService.aspx
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL using the following pattern: https://taseu.combtas.com/<DOMAIN>
NOTE
These values are not real. You will update these with the actual Identifier, Reply URL and Sign-on URL, which are
explained later in the tutorial. You can also refer to the patterns shown in the Basic SAML Configuration section in
the Azure portal.
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
7. In the Set up TAS section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure TAS Single Sign-On
1. In a different web browser window, log in to TAS as an Administrator.
2. On the left side of the menu, click Settings, navigate to Administrator, and then click Manage
Single sign on.
NOTE
Contact the TAS support team to get the IP address.
f. Copy the Single Sign On URL and paste it into the Identifier (Entity ID) and Sign on URL text boxes of
Basic SAML Configuration in the Azure portal. Note that the URL is case sensitive and must end with a
slash (/).
g. Copy the Assertion Service URL from the setup page and paste it into the Reply URL text box of Basic
SAML Configuration in the Azure portal.
h. Click Insert SSO row.
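A pre-flight check for steps f and g above, written as an added example that is not part of the original tutorial: it compares the values entered in Basic SAML Configuration with the ones shown on the TAS setup page and flags a leftover pattern placeholder, a missing trailing slash, or a difference in letter case. The dictionary keys, function names and the ContosoTest environment name are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

PLACEHOLDER = re.compile(r"<[^<>]+>")  # leftover pattern text such as <DOMAIN>

# Constructed sample values; "ContosoTest" is a made-up environment name.
TAS_PAGE = {
    "single_sign_on_url": "https://taseu.combtas.com/ContosoTest/",
    "assertion_service_url": "https://taseu.combtas.com/ContosoTest/AssertionService.aspx",
}
# What a hurried administrator might have typed into the Azure portal.
AZURE_BAD = {
    "identifier": "https://taseu.combtas.com/contosotest/",   # wrong letter case
    "sign_on_url": "https://taseu.combtas.com/ContosoTest",   # no trailing slash
    "reply_url": "https://taseu.combtas.com/<ENVIRONMENTNAME>/AssertionService.aspx",
}
AZURE_GOOD = {
    "identifier": TAS_PAGE["single_sign_on_url"],
    "sign_on_url": TAS_PAGE["single_sign_on_url"],
    "reply_url": TAS_PAGE["assertion_service_url"],
}


def check_url(field, value, needs_trailing_slash):
    """Syntactic checks on one value of Basic SAML Configuration."""
    problems = []
    if value != value.strip():
        problems.append(f"{field}: leading or trailing whitespace")
    if PLACEHOLDER.search(value):
        problems.append(f"{field}: pattern placeholder was not replaced")
    parts = urlsplit(value.strip())
    if parts.scheme != "https" or not parts.netloc:
        problems.append(f"{field}: not an absolute https URL")
    if needs_trailing_slash and not value.endswith("/"):
        problems.append(f"{field}: must end with a slash (/)")
    return problems


def check_tas_config(tas_page, azure):
    """Compare Azure-side values with the TAS setup page, case-sensitively."""
    # field -> (value TAS shows, whether the trailing-slash rule applies)
    expected = {
        "identifier": (tas_page["single_sign_on_url"], True),
        "sign_on_url": (tas_page["single_sign_on_url"], True),
        "reply_url": (tas_page["assertion_service_url"], False),
    }
    problems = []
    for field, (want, slash) in expected.items():
        got = azure[field]
        problems += check_url(field, got, slash)
        if got == want:
            continue
        if got.lower() == want.lower():
            problems.append(f"{field}: differs from the TAS value only in letter case")
        else:
            problems.append(f"{field}: does not match the value shown by TAS")
    return problems


if __name__ == "__main__":
    for line in check_tas_config(TAS_PAGE, AZURE_BAD):
        print(line)
```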
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create TAS test user
In this section, you create a user called Britta Simon in TAS. Work with the TAS support team to add the users to the
TAS platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the TAS tile in the Access Panel, you should be automatically signed in to the TAS instance for which you set
up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Teamphoria
10/15/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate Teamphoria with Azure Active Directory (Azure AD). When you
integrate Teamphoria with Azure AD, you can:
Control in Azure AD who has access to Teamphoria.
Enable your users to be automatically signed-in to Teamphoria with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Teamphoria single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Teamphoria supports SP initiated SSO
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL using the following pattern:
https://<sub-domain>.teamphoria.com/login
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact the Teamphoria Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
6. In the Set up Teamphoria section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Teamphoria.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select Teamphoria.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
2. After adding the extension to the browser, clicking Set up Teamphoria directs you to the Teamphoria
application. From there, provide the admin credentials to sign in to Teamphoria. The browser extension will
automatically configure the application for you and automate steps 3-6.
3. If you want to set up Teamphoria manually, open a new web browser window, sign in to your Teamphoria
company site as an administrator, and perform the following steps:
4. Go to the ADMIN SETTINGS option in the left toolbar, and under the Configure tab click SINGLE SIGN-ON
to open the SSO configuration window.
5. Click on ADD NEW IDENTITY PROVIDER option in the top right corner to open the form for adding the
settings for SSO.
6. Enter the details in the fields as described below:
a. DISPLAY NAME: Enter the display name of the plugin on the admin page.
b. BUTTON NAME: The name of the tab that will display on the login page for logging in via SSO.
c. CERTIFICATE: Open the Certificate downloaded earlier from the Azure portal in Notepad, copy its
contents, and paste them into the box.
d. ENTRY POINT: Paste the Login URL copied earlier from the Azure portal.
e. Switch the option to ON and click on SAVE.
Create Teamphoria test user
In order to enable Azure AD users to sign in to Teamphoria, they must be provisioned into Teamphoria. In the case
of Teamphoria, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your Teamphoria company site as an administrator.
2. Click ADMIN settings on the left toolbar, and under the MANAGE tab click USERS to open the
admin page for users.
3. Click on the MANUAL INVITE option.
a. In the EMAIL ADDRESS textbox, enter the email address of the user like B.Simon.
b. In the FIRST NAME textbox, enter the first name of the user like B.
c. In the LAST NAME textbox, enter the last name of the user like Simon.
d. Click INVITE 1 USER. The user needs to accept the invite to be created in the system.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Teamphoria tile in the Access Panel, you should be automatically signed in to the Teamphoria
instance for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Teamphoria with Azure AD
Tutorial: Azure Active Directory integration with
TeamSeer
6/13/2019 • 6 minutes to read
In this tutorial, you learn how to integrate TeamSeer with Azure Active Directory (Azure AD). Integrating TeamSeer
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to TeamSeer.
You can enable your users to be automatically signed-in to TeamSeer (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with TeamSeer, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
TeamSeer single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
TeamSeer supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type TeamSeer, select TeamSeer from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact the TeamSeer Client support team to get
the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. In the Set up TeamSeer section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure TeamSeer Single Sign-On
1. In a different web browser window, sign in to your TeamSeer company site as an administrator.
2. Go to HR Admin.
3. Click Setup.
a. In the URL textbox, paste the Login URL value, which you have copied from the Azure portal.
b. Open your base-64 encoded certificate in Notepad, copy its content to your clipboard, and then
paste it into the IdP Public Certificate textbox.
6. To complete the SAML provider configuration, perform the following steps:
a. In the Test Email Addresses, type the test user’s email address.
b. In the Issuer textbox, type the Issuer URL of the service provider.
c. Click Save.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create TeamSeer test user
To enable Azure AD users to sign in to TeamSeer, they must be provisioned into ShiftPlanning. In the case of
TeamSeer, provisioning is a manual task.
To provision a user account, perform the following steps:
1. Sign in to your TeamSeer company site as an administrator.
2. Go to HR Admin > Users and then click Run the New User wizard.
a. Type the First Name, Surname, and User name (Email address) of a valid Azure AD account you want to
provision into the related textboxes.
b. Click Next.
4. Follow the on-screen instructions for adding a new user, and click Finish.
NOTE
You can use any other TeamSeer user account creation tools or APIs provided by TeamSeer to provision Azure AD user
accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
Teamwork.com
7/5/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Teamwork.com with Azure Active Directory (Azure AD). Integrating
Teamwork.com with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Teamwork.com.
You can enable your users to be automatically signed-in to Teamwork.com (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Teamwork.com, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account
Teamwork.com single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Teamwork.com supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Teamwork.com, select Teamwork.com from the result panel then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
https://teamwork.com/saml
https://eu.teamwork.com/saml
NOTE
This Sign-on URL value is not real. Update this value with the actual Sign-On URL. Contact the Teamwork.com support
team to get this value. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. In the Set up Teamwork.com section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Teamwork.com Single Sign-On
To configure single sign-on on the Teamwork.com side, send the downloaded Federation Metadata
XML and the appropriate URLs copied from the Azure portal to the Teamwork.com support team. They apply these
settings so that the SAML SSO connection is set up properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog click the Assign button.
Create Teamwork.com test user
In this section, you create a user called Britta Simon in Teamwork.com. Work with the Teamwork.com support team to
add the users to the Teamwork.com platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Teamwork.com tile in the Access Panel, you should be automatically signed in to the
Teamwork.com instance for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with Templafy
11/14/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate Templafy with Azure Active Directory (Azure AD). When you integrate Templafy
with Azure AD, you can:
Control in Azure AD who has access to Templafy.
Enable your users to be automatically signed-in to Templafy with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with Azure
Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
Templafy single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
Templafy supports SP initiated SSO
Templafy supports Just In Time user provisioning
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Sign-on URL text box, type a URL using the following pattern: https://<CLIENTSUBDOMAIN>.templafy.com
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact the Templafy Client support team to get the value. You
can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. The Templafy application expects the SAML assertions in a specific format, which requires you to add custom attribute
mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
6. In addition to the above, the Templafy application expects a few more attributes to be passed back in the SAML response, which are
shown below. These attributes are also pre-populated, but you can review them as per your requirements.
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy button to copy the
App Federation Metadata Url and save it on your computer.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the bottom of the
screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate role for the
user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Templafy tile in the Access Panel, you should be automatically signed in to the Templafy instance for which you set
up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try Templafy with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO)
integration with TextMagic
10/17/2019 • 6 minutes to read
In this tutorial, you'll learn how to integrate TextMagic with Azure Active Directory (Azure AD ). When you integrate
TextMagic with Azure AD, you can:
Control in Azure AD who has access to TextMagic.
Enable your users to be automatically signed-in to TextMagic with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
TextMagic single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
TextMagic supports IDP initiated SSO
TextMagic supports Just In Time user provisioning
NOTE
The identifier of this application is a fixed string value, so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, enter the values for the following fields:
In the Identifier text box, type a URL: https://my.textmagic.com/saml/metadata
5. The TextMagic application expects the SAML assertions in a specific format, which requires you to add custom
attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of
default attributes, where nameidentifier is mapped to user.userprincipalname. The TextMagic
application expects nameidentifier to be mapped to user.mail, so you need to edit the attribute
mapping by clicking the Edit icon and changing the attribute mapping.
6. In addition to the above, the TextMagic application expects a few more attributes to be passed back in the SAML
response, which are shown below. These attributes are also prepopulated, but you can review them as per
your requirements.
NAME SOURCE ATTRIBUTE NAMESPACE
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
8. On the Set up TextMagic section, copy the appropriate URL(s) based on your requirement.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Configure TextMagic SSO
1. To automate the configuration within TextMagic, you need to install the My Apps Secure Sign-in browser
extension by clicking Install the extension.
2. After adding the extension to the browser, click Setup TextMagic, which directs you to the TextMagic
application. From there, provide the admin credentials to sign in to TextMagic. The browser extension will
automatically configure the application for you and automate steps 3-5.
3. If you want to set up TextMagic manually, open a new web browser window, sign in to your TextMagic
company site as an administrator, and perform the following steps:
4. Select Account settings under the username.
5. Click on the Single Sign-On (SSO) tab and fill in the following fields:
a. In Identity provider Entity ID: textbox, paste the value of Azure AD Identifier, which you have copied
from Azure portal.
b. In Identity provider SSO URL: textbox, paste the value of Login URL, which you have copied from
Azure portal.
c. In Identity provider SLO URL: textbox, paste the value of Logout URL, which you have copied from
Azure portal.
d. In Notepad, open the Base64-encoded certificate that you downloaded from the Azure portal, copy its content
to your clipboard, and then paste it into the Public x509 certificate: textbox.
e. Click Save.
Create TextMagic test user
The application supports just-in-time user provisioning, and after authentication users are created in the
application automatically. You need to fill in the information once at the first login to activate the sub-account in
the system. There is no action item for you in this section.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the TextMagic tile in the Access Panel, you should be automatically signed in to the TextMagic for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
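A check for the nameidentifier-to-user.mail mapping and the fixed Identifier described above, run on the SAMLResponse form value captured from a test sign-in. This is an added example, not part of the tutorial or of TextMagic's code; it assumes an unencrypted assertion, takes the test user's mail value as input, inspects claims only (it does not verify the signature), and uses constructed sample responses.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Fixed Identifier (Entity ID) given in the tutorial's Basic SAML Configuration step.
TEXTMAGIC_IDENTIFIER = "https://my.textmagic.com/saml/metadata"


def sample_response(name_id, audience=TEXTMAGIC_IDENTIFIER):
    """Build a constructed, unsigned SAMLResponse value (base64) for the demo."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def check_test_signin(saml_response_b64, expected_mail):
    """Return a list of findings; an empty list means the claims look as expected.

    expected_mail is the mail attribute of the test user (an input the admin
    supplies). The signature is NOT verified here; this only inspects claims.
    """
    raw = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in raw:
        raise ValueError("SAML response must not contain a DTD")
    root = ET.fromstring(raw)

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected exactly one plaintext Assertion, found {len(assertions)}"]
    assertion = assertions[0]
    findings = []

    # NameID must carry user.mail, not the default user.userprincipalname.
    name_id = assertion.findtext("saml:Subject/saml:NameID",
                                 default="", namespaces=NS).strip()
    if not name_id:
        findings.append("NameID is missing or empty")
    elif name_id.lower() != expected_mail.lower():
        findings.append(f"NameID {name_id!r} is not the user's mail "
                        f"{expected_mail!r}; check the nameidentifier mapping")

    # The assertion must be addressed to the fixed TextMagic Identifier.
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    audiences = [a.text.strip() for a in assertion.findall(path, NS) if a.text]
    if TEXTMAGIC_IDENTIFIER not in audiences:
        findings.append(f"Audience {audiences!r} does not include "
                        f"{TEXTMAGIC_IDENTIFIER!r}")
    return findings


if __name__ == "__main__":
    # Constructed case: mapping left at the UPN instead of user.mail.
    upn_case = sample_response("b.simon@contoso.onmicrosoft.com")
    for finding in check_test_signin(upn_case, "b.simon@contoso.com"):
        print("FINDING:", finding)
```
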
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try TextMagic with Azure AD
Tutorial: Azure Active Directory single sign-on (SSO) integration with The Funding Portal
8/30/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate The Funding Portal with Azure Active Directory (Azure AD). When you
integrate The Funding Portal with Azure AD, you can:
Control in Azure AD who has access to The Funding Portal.
Enable your users to be automatically signed-in to The Funding Portal with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
The Funding Portal single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
The Funding Portal supports SP initiated SSO
Configure and test Azure AD single sign-on for The Funding Portal
Configure and test Azure AD SSO with The Funding Portal using a test user called B.Simon. For SSO to work,
you need to establish a link relationship between an Azure AD user and the related user in The Funding Portal.
To configure and test Azure AD SSO with The Funding Portal, complete the following building blocks:
1. Configure Azure AD SSO - to enable your users to use this feature.
a. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure The Funding Portal SSO - to configure the single sign-on settings on application side.
a. Create The Funding Portal test user - to have a counterpart of B.Simon in The Funding Portal that is
linked to the Azure AD representation of user.
3. Test SSO - to verify whether the configuration works.
4. On the Basic SAML Configuration section, enter the values for the following fields:
a. In the Sign on URL text box, type a URL using the following pattern:
https://<subdomain>.regenteducation.net/
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.regenteducation.net
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact The Funding Portal
Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Federation Metadata XML and select Download to download the certificate and save it on your
computer.
6. On the Set up The Funding Portal section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to The Funding Portal.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select The Funding Portal.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click The Funding Portal tile in the Access Panel, you should be automatically signed in to The
Funding Portal for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try The Funding Portal with Azure AD
Tutorial: Azure Active Directory integration with ThirdLight
6/13/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate ThirdLight with Azure Active Directory (Azure AD). This integration
provides these benefits:
You can use Azure AD to control who has access to ThirdLight.
You can enable your users to be automatically signed in to ThirdLight (single sign-on) with their Azure AD
accounts.
You can manage your accounts in one central location: the Azure portal.
If you want to learn more about SaaS app integration with Azure AD, see Single sign-on to applications in Azure
Active Directory.
If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
To configure Azure AD integration with ThirdLight, you need to have:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.
A ThirdLight subscription that has single sign-on enabled.
Scenario description
In this tutorial, you'll configure and test Azure AD single sign-on in a test environment.
ThirdLight supports SP-initiated SSO.
4. In the search box, enter ThirdLight. Select ThirdLight in the search results and then select Add.
3. On the Set up Single Sign-On with SAML page, select the Edit icon to open the Basic SAML
Configuration dialog box:
4. In the Basic SAML Configuration dialog box, complete the following steps.
a. In the Sign on URL box, enter a URL in this pattern:
https://<subdomain>.thirdlight.com/
NOTE
These values are placeholders. You need to use the actual sign-on URL and identifier. Contact the ThirdLight
support team to get the values. You can also refer to the patterns shown in the Basic SAML Configuration
dialog box in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, select the
Download link next to Federation Metadata XML, per your requirements, and save the file on your
computer:
6. In the Set up ThirdLight section, copy the appropriate URLs, based on your requirements:
a. Login URL.
b. Azure AD Identifier.
c. Logout URL.
Configure ThirdLight single sign-on
1. In a new web browser window, sign in to your ThirdLight company site as an admin.
2. Go to Configuration > System Administration > SAML2:
4. Select Add user, and then select Users and groups in the Add Assignment dialog box.
5. In the Users and groups dialog box, select Britta Simon in the users list, and then click the Select button
at the bottom of the window.
6. If you expect a role value in the SAML assertion, in the Select Role dialog box, select the appropriate role
for the user from the list. Click the Select button at the bottom of the window.
7. In the Add Assignment dialog box, select Assign.
Create a ThirdLight test user
To enable Azure AD users to sign in to ThirdLight, you need to add them to ThirdLight. You need to add them
manually.
To create a user account, take these steps:
1. Sign in to your ThirdLight company site as an admin.
2. Go to the Users tab.
3. Select Users and Groups.
4. Select Add new User.
5. Enter the user name, a name or description, and the email address of a valid Azure AD account that you
want to provision. Choose a Preset or Group of New Members.
6. Select Create.
NOTE
You can use any user account creation tool or API provided by ThirdLight to provision Azure AD user accounts.
Additional resources
Tutorials for integrating SaaS applications with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with ThirdPartyTrust
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate ThirdPartyTrust with Azure Active Directory (Azure AD). Integrating
ThirdPartyTrust with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to ThirdPartyTrust.
You can enable your users to be automatically signed-in to ThirdPartyTrust (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with ThirdPartyTrust, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
ThirdPartyTrust single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
ThirdPartyTrust supports SP and IDP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type ThirdPartyTrust, select ThirdPartyTrust from the result panel, and then click the Add button to
add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode,
perform the following step:
In the Identifier text box, type a URL: https://api.thirdpartytrust.com/sai3/saml/metadata
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
7. On the Set up ThirdPartyTrust section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure ThirdPartyTrust Single Sign-On
To configure single sign-on on the ThirdPartyTrust side, you need to send the downloaded Federation Metadata
XML and the appropriate copied URLs from the Azure portal to the ThirdPartyTrust support team. They apply these
settings so that the SAML SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create ThirdPartyTrust test user
In this section, you create a user called Britta Simon in ThirdPartyTrust. Work with the ThirdPartyTrust support team to
add the users to the ThirdPartyTrust platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ThirdPartyTrust tile in the Access Panel, you should be automatically signed in to the
ThirdPartyTrust for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with Thoughtworks Mingle
11/19/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Thoughtworks Mingle with Azure Active Directory (Azure AD).
Integrating Thoughtworks Mingle with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Thoughtworks Mingle.
You can enable your users to be automatically signed-in to Thoughtworks Mingle (Single Sign-On) with their
Azure AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Thoughtworks Mingle, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Thoughtworks Mingle single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Thoughtworks Mingle supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Thoughtworks Mingle, select Thoughtworks Mingle from the result panel, and then click the
Add button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
The value is not real. Update the value with the actual Sign-On URL. Contact Thoughtworks Mingle Client support
team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the
Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Federation Metadata XML from the given options as per your requirement
and save it on your computer.
6. On the Set up Thoughtworks Mingle section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Thoughtworks Mingle Single Sign-On
1. Sign in to your Thoughtworks Mingle company site as an administrator.
2. Click the Admin tab, and then click SSO Config.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Thoughtworks Mingle test user
For Azure AD users to be able to sign in, they must be provisioned to the Thoughtworks Mingle application using
their Azure Active Directory user names. In the case of Thoughtworks Mingle, provisioning is a manual task.
To configure user provisioning, perform the following steps:
1. Sign in to your Thoughtworks Mingle company site as an administrator.
2. Click Profile.
3. Click the Admin tab, and then click Users.
NOTE
You can use any other Thoughtworks Mingle user account creation tools or APIs provided by Thoughtworks Mingle to
provision Azure AD user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO) integration with ThousandEyes
10/15/2019 • 5 minutes to read
In this tutorial, you'll learn how to integrate ThousandEyes with Azure Active Directory (Azure AD). When you
integrate ThousandEyes with Azure AD, you can:
Control in Azure AD who has access to ThousandEyes.
Enable your users to be automatically signed-in to ThousandEyes with their Azure AD accounts.
Manage your accounts in one central location - the Azure portal.
To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with
Azure Active Directory.
Prerequisites
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
ThousandEyes single sign-on (SSO) enabled subscription.
Scenario description
In this tutorial, you configure and test Azure AD SSO in a test environment.
ThousandEyes supports SP and IDP initiated SSO
ThousandEyes supports Automated user provisioning
NOTE
The identifier of this application is a fixed string value, so only one instance can be configured in one tenant.
4. On the Basic SAML Configuration section, the application is pre-configured and the necessary URLs are
already pre-populated with Azure. The user needs to save the configuration by clicking the Save button.
5. Click Set additional URLs and perform the following step if you wish to configure the application in SP
initiated mode:
In the Sign-on URL text box, type a URL: https://app.thousandeyes.com/login/sso
6. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find
Certificate (Base64) and select Download to download the certificate and save it on your computer.
7. On the Set up ThousandEyes section, copy the appropriate URL(s) based on your requirement.
Create an Azure AD test user
In this section, you'll create a test user in the Azure portal called B.Simon.
1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For example,
B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's displayed in the Password
box.
d. Click Create.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to ThousandEyes.
1. In the Azure portal, select Enterprise Applications, and then select All applications.
2. In the applications list, select ThousandEyes.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the
bottom of the screen.
6. If you're expecting any role value in the SAML assertion, in the Select Role dialog, select the appropriate
role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
3. Click Account.
5. In the Add Users & Accounts section, perform the following steps:
NOTE
The Azure Active Directory account holder will get an email including a link to confirm and activate the account.
NOTE
You can use any other ThousandEyes user account creation tools or APIs provided by ThousandEyes to provision Azure
Active Directory user accounts.
Test SSO
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the ThousandEyes tile in the Access Panel, you should be automatically signed in to the
ThousandEyes for which you set up SSO. For more information about the Access Panel, see Introduction to the
Access Panel.
Additional resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is conditional access in Azure Active Directory?
Try ThousandEyes with Azure AD
Configure User Provisioning
Tutorial: Azure Active Directory integration with Tidemark
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate Tidemark with Azure Active Directory (Azure AD). Integrating Tidemark
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to Tidemark.
You can enable your users to be automatically signed-in to Tidemark (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with Tidemark, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
Tidemark single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
Tidemark supports SP initiated SSO
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Tidemark, select Tidemark from the result panel, and then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
https://<subdomain>.tidemark.com/login
https://<subdomain>.tidemark.net/login
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<subdomain>.tidemark.com/saml
https://<subdomain>.tidemark.net/saml
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Tidemark Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up Tidemark section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure Tidemark Single Sign-On
To configure single sign-on on the Tidemark side, you need to send the downloaded Certificate (Base64) and the
appropriate copied URLs from the Azure portal to the Tidemark support team. They apply these settings so that the SAML
SSO connection is set properly on both sides.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create Tidemark test user
In this section, you create a user called Britta Simon in Tidemark. Work with the Tidemark support team to add the
users to the Tidemark platform. Users must be created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Tidemark tile in the Access Panel, you should be automatically signed in to the Tidemark for
which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with TigerText Secure Messenger
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate TigerText Secure Messenger with Azure Active Directory (Azure AD).
Integrating TigerText Secure Messenger with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to TigerText Secure Messenger.
You can enable your users to be automatically signed in to TigerText Secure Messenger (single sign-on) with
their Azure AD accounts.
You can manage your accounts in one central location: the Azure portal.
For details about software as a service (SaaS) app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory?
Prerequisites
To configure Azure AD integration with TigerText Secure Messenger, you need the following items:
An Azure AD subscription. If you don't have an Azure subscription, create a free account before you begin.
A TigerText Secure Messenger subscription with single sign-on enabled.
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment and integrate TigerText
Secure Messenger with Azure AD.
TigerText Secure Messenger supports SP-initiated single sign-on (SSO).
5. In the search box, enter TigerText Secure Messenger. In the search results, select TigerText Secure
Messenger, and then select Add to add the application.
2. On the Select a single sign-on method pane, select SAML/WS-Fed mode to enable single sign-on.
3. On the Set up Single Sign-On with SAML pane, select Edit (the pencil icon) to open the Basic SAML
Configuration pane.
b. In the Identifier (Entity ID) box, type a URL by using the following pattern:
https://saml-lb.tigertext.me/v1/organization/<instance ID>
NOTE
The Identifier (Entity ID) value isn't real. Update this value with the actual identifier. To get the value, contact the
TigerText Secure Messenger support team. You can also refer to the patterns shown in the Basic SAML
Configuration pane in the Azure portal.
5. On the Set up Single Sign-On with SAML pane, in the SAML Signing Certificate section, select
Download to download the Federation Metadata XML from the given options and save it on your
computer.
6. In the Set up TigerText Secure Messenger section, copy the URL or URLs that you need:
Login URL
Azure AD Identifier
Logout URL
Configure TigerText Secure Messenger single sign-on
To configure single sign-on on the TigerText Secure Messenger side, you need to send the downloaded Federation
Metadata XML and the appropriate copied URLs from the Azure portal to the TigerText Secure Messenger support
team. The TigerText Secure Messenger team will make sure the SAML SSO connection is set properly on both
sides.
Create an Azure AD test user
In this section, you create a test user named Britta Simon in the Azure portal.
1. In the Azure portal, in the left pane, select Azure Active Directory > Users > All users.
4. Select + Add user, and then select Users and groups in the Add Assignment pane.
5. In the Users and groups pane, select Britta Simon in the Users list, and then choose Select at the bottom
of the pane.
6. If you're expecting a role value in the SAML assertion, then in the Select Role pane, select the appropriate
role for the user from the list. At the bottom of the pane, choose Select.
7. In the Add Assignment pane, select Assign.
Create a TigerText Secure Messenger test user
In this section, you create a user called Britta Simon in TigerText Secure Messenger. Work with the TigerText
Secure Messenger support team to add Britta Simon as a user in TigerText Secure Messenger. Users must be
created and activated before you use single sign-on.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration by using the My Apps portal.
When you select TigerText Secure Messenger in the My Apps portal, you should be automatically signed in to
the TigerText Secure Messenger subscription for which you set up single sign-on. For more information about the
My Apps portal, see Access and use apps on the My Apps portal.
Additional resources
List of tutorials for integrating SaaS apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
TimeLive
6/13/2019 • 5 minutes to read
In this tutorial, you learn how to integrate TimeLive with Azure Active Directory (Azure AD). Integrating TimeLive
with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to TimeLive.
You can enable your users to be automatically signed in to TimeLive (Single Sign-On) with their Azure AD
accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with TimeLive, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
TimeLive single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
TimeLive supports SP initiated SSO
TimeLive supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type TimeLive, select TimeLive from the result panel, then click the Add button to add the
application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
b. In the Identifier (Entity ID) text box, type a URL using the following pattern:
https://<domainname>.livetecs.com/
NOTE
These values are not real. Update these values with the actual Sign on URL and Identifier. Contact TimeLive Client
support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration
section in the Azure portal.
5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
6. On the Set up TimeLive section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
Configure TimeLive Single Sign-On
1. In a different web browser window, sign in to your TimeLive company site as an administrator.
2. Select Preferences under Admin Options.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create TimeLive test user
In this section, a user called Britta Simon is created in TimeLive. TimeLive supports just-in-time user provisioning,
which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in
TimeLive, a new one is created after authentication.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the TimeLive tile in the Access Panel, you should be automatically signed in to the TimeLive
instance for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory integration with
TimeOffManager
8/9/2019 • 6 minutes to read
In this tutorial, you learn how to integrate TimeOffManager with Azure Active Directory (Azure AD). Integrating
TimeOffManager with Azure AD provides you with the following benefits:
You can control in Azure AD who has access to TimeOffManager.
You can enable your users to be automatically signed in to TimeOffManager (Single Sign-On) with their Azure
AD accounts.
You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and
single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before
you begin.
Prerequisites
To configure Azure AD integration with TimeOffManager, you need the following items:
An Azure AD subscription. If you don't have an Azure AD environment, you can get a one-month trial.
TimeOffManager single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
TimeOffManager supports IDP initiated SSO
TimeOffManager supports Just In Time user provisioning
2. Navigate to Enterprise Applications and then select the All Applications option.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type TimeOffManager, select TimeOffManager from the result panel, then click the Add
button to add the application.
3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration
dialog.
NOTE
This value is not real. Update this value with the actual Reply URL. You can get this value from the Single Sign on
settings page, which is explained later in the tutorial, or contact the TimeOffManager support team. You can also refer to
the patterns shown in the Basic SAML Configuration section in the Azure portal.
5. The TimeOffManager application expects the SAML assertions in a specific format, which requires you to add
custom attribute mappings to your SAML token attributes configuration. The following screenshot shows
the list of default attributes. Click the Edit icon to open the User Attributes dialog.
6. In addition to the above, the TimeOffManager application expects a few more attributes to be passed back in the SAML
response. In the User Claims section on the User Attributes dialog, perform the following steps to add
the SAML token attributes shown in the following table:
Name         Source attribute
Firstname    User.givenname
Lastname     User.surname
Email        User.mail
a. Click Add new claim to open the Manage user claims dialog.
b. In the Name textbox, type the attribute name shown for that row.
c. Leave the Namespace blank.
d. Select Source as Attribute.
e. From the Source attribute list, type the attribute value shown for that row.
f. Click Ok
g. Click Save.
7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click
Download to download the Certificate (Base64) from the given options as per your requirement and save
it on your computer.
8. On the Set up TimeOffManager section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure AD Identifier
c. Logout URL
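Because TimeOffManager expects the Firstname, Lastname and Email claims by their bare names, a quick check of the attribute statement in a test sign-in catches a namespace left filled in or a source attribute that resolves to nothing. The following is an added example, not part of the original tutorial; the function name and the sample assertion are constructed, and the check covers attribute names and values only.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names from the tutorial's table.
REQUIRED_CLAIMS = ("Firstname", "Lastname", "Email")

# Constructed sample: Firstname carries a namespace prefix (Namespace was not
# left blank) and Email is present but empty (user has no mail attribute).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Firstname">
      <saml:AttributeValue>Britta</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Lastname">
      <saml:AttributeValue>Simon</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Email">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_claims(assertion_xml):
    """Return {claim name: problem} for required claims that are not usable."""
    # Shape check only: this does not verify the assertion's signature.
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        found[attr.get("Name", "")] = values
    problems = {}
    for claim in REQUIRED_CLAIMS:
        if claim in found:
            if not any(found[claim]):
                problems[claim] = "present but empty"
            continue
        # A name ending in "/<claim>" means the claim was emitted with a namespace.
        qualified = [n for n in found if n.rsplit("/", 1)[-1] == claim]
        problems[claim] = f"namespaced as {qualified[0]}" if qualified else "missing"
    return problems
```

An empty result means all three claims arrive under the names in the table with non-empty values.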
Configure TimeOffManager Single Sign-On
1. In a different web browser window, sign in to your TimeOffManager company site as an administrator.
2. Go to Account > Account Options > Single Sign-On Settings.
4. Click the Add user button, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select Britta Simon in the Users list, then click the Select button at the
bottom of the screen.
6. If you are expecting any role value in the SAML assertion, then in the Select Role dialog, select the
appropriate role for the user from the list, then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog, click the Assign button.
Create TimeOffManager test user
In this section, a user called Britta Simon is created in TimeOffManager. TimeOffManager supports just-in-time
user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't
already exist in TimeOffManager, a new one is created after authentication.
NOTE
You can use any other TimeOffManager user account creation tools or APIs provided by TimeOffManager to provision Azure
AD user accounts.
Additional Resources
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
What is application access and single sign-on with Azure Active Directory?
What is Conditional Access in Azure Active Directory?
Tutorial: Azure Active Directory single sign-on (SSO)
integration with TINFOIL SECURITY
11/18/2019 • 6 minutes to read