SAML SSO with Azure Active Directory (AD)
This article details how to configure Azure Active Directory as the SAML identity provider for single sign-on (SSO) to the Prelim application for enterprise users.
Requirements
To configure SSO login through Azure AD, you must:
- Have access to a Microsoft Azure account with the permissions required to create and modify enterprise applications
- Have access to Prelim as an enterprise user with the SSO Admin permission
Configuration Steps
1. Sign in to your Azure account at https://portal.azure.com/
2. Navigate to the Enterprise Applications service, which can be found under the Identity category.
3. If you have not done so already, create a new enterprise application by clicking the + New Application button at the top of the page.
3a. You will then be taken to the Browse Azure AD Gallery. Click the + Create your own application button at the top of this page.
3b. Name this app "Prelim SSO" and make sure the "Integrate any other application you don't find in the gallery (Non-gallery)" option is selected. Click the Create button. You may have to wait a few moments for the new application to be created.
4. Select Single sign-on in the left sidebar under the Manage section, then select SAML as the single sign-on method.
5. Now open the Prelim app in a new tab or window. Sign in to your Prelim Admin Console and navigate to https://[hostName]/dashboard/organization/employee-sso, where [hostName] is your Prelim host name.
6. Select SAML 2.0 from the protocol dropdown menu. Copy the newly generated Login URL to your clipboard.
7. Return to the Azure portal and click on the edit button on the Basic SAML Configuration section.
7a. We will use the URL copied from Prelim as both the Identifier (Entity ID) and the Reply URL (Assertion Consumer Service URL). Paste the URL into both of those fields exactly as copied, since Azure AD will only post assertions to a Reply URL that matches a registered entry, then press Save at the top of the configuration pane. You may now exit this pane.
8. Now click the edit button on the Attributes and Claims Section.
8a. In the Additional claims section, copy the Claim name whose value is user.userprincipalname. If the claim name is cut off, you may need to click and drag the boundary between the claim name and value columns to widen the column, as you would in a spreadsheet.
8b. Return to the Prelim SSO page and paste this value into the ID Attribute Name field.
8c. Return to Azure and copy the Claim name associated with user.mail, then paste this value into the Email Attribute Name field in Prelim. Save the ID and email attribute names by pressing the Save button below them.
9. Returning to the SSO set-up page in Azure, download the Certificate (Base64) from the SAML Signing Certificate section. Note the Thumbprint and Expiration shown there: this certificate is what lets Prelim verify the signature on assertions from your tenant, so when the certificate is rotated or expires in Azure, the new one must be pasted into Prelim or sign-ins will fail.
9a. Navigate to your downloads folder and open this certificate with a plain-text editor such as Notepad (Windows) or TextEdit (Mac). Copy the entire contents of the file, including the BEGIN CERTIFICATE and END CERTIFICATE lines, to your clipboard.
9b. Return to Prelim and paste the certificate into the Identity Provider Certificate section.
10. For your users or groups to be able to authenticate, assign them to your Azure AD SAML application. Select "Users and groups" from the "Manage" section of the navigation menu. This assignment is also how you scope who can reach Prelim through this application; if unassigned users should be blocked, confirm that "User assignment required?" is set to Yes under the application's Properties.
10a. Select "Add user/group" from the top menu.
10b. Select "None selected" under the "Users and Groups". In the menu, select the users and groups of users that you want to add to the SAML application, and click "Select".
10c. Select "Assign" to add the selected users and groups of users to your SAML application.
11. We're now ready to test the SSO integration. Select "Single sign-on" from the "Manage" section of the navigation menu. Scroll to the Test single sign-on with Prelim SSO section and click Test.
11a. If you'd like to test logging in to Prelim with an email different from the one used to sign in to your Azure account, follow the instructions shown on the page to install the My Apps Secure Sign-in Extension.
11b. Click Test sign in. If SSO is set up correctly, you will be directed to a login page for your organization, where you can log in and access Prelim.
12. If you encounter any errors during this setup process, please feel free to contact us at [email protected] and we’ll help you troubleshoot.
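As an added example (not part of the original article and not Prelim's or Microsoft's code), the following Python script performs two pre-flight checks on the values gathered in the steps above. It fingerprints the Certificate (Base64) file from step 9 so you can compare the SHA-1 value with the Thumbprint Azure shows in the SAML Signing Certificate section before pasting it into Prelim, and it decodes a SAMLResponse (the form value Azure AD posts to the Login URL, visible in the browser's developer tools or a SAML tracer during the test in step 11) to confirm that the Audience and Recipient equal your Login URL and that the ID and email claim names you entered in step 8 actually appear in the assertion. The claim names are the Azure AD defaults for user.userprincipalname and user.mail and are an assumption; the Login URL, the sample certificate and the sample response are placeholders and constructed data. The script does not verify the XML signature; that is the job of the service provider consuming the assertion.

```python
"""Pre-flight checks for the Azure AD -> Prelim SAML setup.

Added example, not Prelim or Microsoft code. Stdlib only; it does NOT verify
the SAML signature, it only inspects the plaintext fields the SP matches on.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumption: default Azure AD claim names for user.userprincipalname and
# user.mail. If you changed the Attributes & Claims pane, paste your own names.
ID_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Placeholder for the Login URL that Prelim generates in step 6.
LOGIN_URL = "https://prelim.example/sso/saml/login"


def cert_fingerprints(pem_text):
    """Return (sha1, sha256) uppercase hex fingerprints of the DER bytes inside
    a single PEM block, i.e. the Certificate (Base64) file from step 9.
    The SHA-1 value should equal the Thumbprint shown in the Azure portal."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("expected exactly one PEM certificate block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    return hashlib.sha1(der).hexdigest().upper(), hashlib.sha256(der).hexdigest().upper()


def inspect_saml_response(b64_response, login_url):
    """Decode a SAMLResponse form value and report the fields Prelim matches on."""
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are not handled here)")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status_ok": status is not None and status.get("Value", "").endswith(":Success"),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience_ok": audience == login_url,   # must equal the Entity ID you set in 7a
        "recipient_ok": recipient == login_url,  # must equal the Reply URL you set in 7a
        "id_value": attrs.get(ID_ATTR, [None])[0],        # None means the claim name is wrong
        "email_value": attrs.get(EMAIL_ATTR, [None])[0],  # None means the claim name is wrong
        "attribute_names": sorted(attrs),
    }


# Constructed sample PEM: the body is base64("abc"), not a real certificate,
# so the fingerprints can be checked by hand.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# Constructed, unsigned SAMLResponse in the shape Azure AD posts to the ACS URL.
SAMPLE_RESPONSE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{LOGIN_URL}">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{LOGIN_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{LOGIN_URL}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ID_ATTR}"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{EMAIL_ATTR}"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode()).decode()

if __name__ == "__main__":
    print("cert sha1 / sha256:", *cert_fingerprints(SAMPLE_PEM))
    for key, value in inspect_saml_response(SAMPLE_RESPONSE_B64, LOGIN_URL).items():
        print(f"{key}: {value}")
```

To use it against a real test sign-in, replace LOGIN_URL with the Login URL from step 6, SAMPLE_PEM with the contents of the downloaded certificate file, and SAMPLE_RESPONSE_B64 with the SAMLResponse value captured from the browser. A None for id_value or email_value means the claim name entered in Prelim does not match what Azure AD sends; a False for audience_ok or recipient_ok means the Basic SAML Configuration from step 7 does not match the Login URL.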
Updated about 1 year ago