Roadmap for SSO via ADFS/Microsoft

Before we can get started with setting up SSO via ADFS/Microsoft Azure, there are a number of steps that the organization itself must go through first.

1. Application creation

As an administrator, go to Azure Active Directory and click on Applications -> Enterprise Applications (link) from the menu.

At the top, choose "New Application" and then choose "Create Your Own Application" at the top. Give the application a name; for example "< Product Name > SSO", choose the bottom option "Integrate any other application not present in the gallery (non-gallery)" and click on the "Create" button

After this you will be taken to the overview page of this application.

2. Assign users

Click on the "1. Assign Users and Groups" tile to select the appropriate users/groups to use this application.

3. Set up SAML link

Click the "2. Set single sign-on to" tile to configure the SAML link.
Under "Select a method for single sign-on," choose SAML.

To establish the link Paragin needs the "App URL for federated metadata". Once this is entered into RemindoConnect, we will provide a metadata file.

You can upload this metadata file by clicking "Upload metadata file" at the top and adding the xml file. After this, press "Save" and then go to the overview page of "Single sign-on".
The fields at "Default SAML configuration" are now filled in.
Depending on the configuration, the "User attributes and claims" can be adjusted. It is important that at "Unique user id" that what identifies a user in Azure (username, employee number, email address) is set here. This unique value should then also be added to the users' account (Single Sign-on identifier) within the Paragin environment.

Below is an example where the email address is set as a unique value and the group identifiers are also sent along with it.

4. Testing

The link has been set up; now it can be tested (after uploading the metadata file, it can sometimes take several minutes for the link to be up to date).

You may get the following message while testing:

AADSTS50105: Your administrator has configured the application < Product name > SSO ('fa3e920c-dba4-67b9-16f2-e2c4e33e29ad ') to block users unless they are specifically granted ('assigned') access to the application. The signed in user '< email address >' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.

If everyone within the tenant is allowed to use the SSO link you can change some attributes under "Manage -> Properties" in the left menu. In this case, "Access required?" should be set to "No".

The SSO configuration is now ready.

5. Sending data

To establish the link, Paragin needs the "App URL for federated metadata". Send this metadata URL, along with the rest of the application data to us. We can prepare the technical link on this basis.

Then the organization itself has to work on adding the unique IDs to the participants and users. See the article Setting up SSO in the products of Paragin for this.

Disclaimer: This text was automatically translated from the Dutch version.