1. In the Azure AD management blade in the Azure portal (portal.azure.com) select Enterprise applications.
2. Select New application.
3. Select Create your own application.
4. When creating your own application, enter the following settings.
- What's the name of your app? CollaborNation
- What are you looking to do with your application? Integrate any other application you don't find in the gallery (Non-gallery)
Then select Create.
5. Select Properties in the Manage pane of the newly created application.
6. Note the three yes/no toggles.
- Enabled for users to sign-in: the global on/off switch for the application. Set it to No to lock every user out without deleting the configuration.
- Assignment required: when Yes, only the users and groups assigned in the Users and groups pane can sign in; anyone else is refused a token even after authenticating to Azure AD. If you keep this set to Yes, assign the appropriate users and groups before anyone can test SSO.
- Visible to users: controls whether the tile appears in My Apps and the Office 365 app launcher. Tiles start an IdP-initiated sign-in, so if the application only supports SP-initiated SSO, hide the tile to avoid confusing users.
7. Set up SSO by opening the Single sign-on section of the CollaborNation enterprise application's Manage pane and selecting SAML as the single sign-on method.
8. Work through the SAML configuration steps, starting with Edit on Step 1 (Basic SAML Configuration). Alternatively, if the vendor has provided an SP metadata file, upload it on this page instead of entering the parameters by hand.
9. Enter the following required fields.
- Identifier (Entity ID): collabornation (must be unique among the applications in the tenant)
- Reply URL (Assertion Consumer Service URL): provided by the vendor; this is where Azure AD POSTs the SAML response, so it must match the vendor's ACS endpoint exactly
- Logout URL: provided by the vendor
Click Save.
10. Step 2 (User Attributes & Claims) is now editable. The Unique User Identifier (Name ID) is the user's unique identifier as the vendor expects it. Azure AD defaults to user.userprincipalname, which usually does not need changing; an on-premises sAMAccountName is only available as user.onpremisessamaccountname for synchronized users.
11. Delete all the default Additional claims; the claims will be added per the vendor's spec.
12. Add the following four claims.
| Claim name     | Source attribute |
|----------------|------------------|
| emailaddress   | user.mail |
| firstname      | user.givenname |
| lastname       | user.surname |
| orgAccountName | a constant value provided by the vendor (enter it in double quotes in the Source attribute box) |
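As an added example (not part of the original instructions, and not the vendor's or Microsoft's code), the same configuration as steps 1 through 12 done with the Microsoft Graph PowerShell SDK instead of the portal. The Reply URL, Logout URL and orgAccountName constant are placeholders for the vendor-supplied values; the tenant must accept the non-URI identifier collabornation (otherwise use whatever URI form the vendor specifies); and the `Value` form of the constant claim in the claims mapping policy is an assumption to confirm against the current claims mapping policy documentation before relying on it.

```powershell
# Added example: scripted equivalent of portal steps 1-12 using the Microsoft Graph
# PowerShell SDK (module Microsoft.Graph.Authentication). Needs an account that can
# create applications and claims mapping policies.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Policy.ReadWrite.ApplicationConfiguration'
$graph = 'https://graph.microsoft.com/v1.0'

# Placeholders for the values the vendor provides (assumptions, not real endpoints).
$replyUrl       = 'https://collabornation.example.com/saml/acs'
$logoutUrl      = 'https://collabornation.example.com/saml/logout'
$orgAccountName = 'CONTOSO'

# Steps 1-4: create a non-gallery enterprise application. This GUID is the template for
# "Integrate any other application you don't find in the gallery"; instantiate returns
# both the application object and its service principal.
$inst  = Invoke-MgGraphRequest -Method POST -Body @{ displayName = 'CollaborNation' } `
    -Uri "$graph/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate"
$appId = $inst.application.id
$spId  = $inst.servicePrincipal.id

# Steps 5-7: the Properties toggles and the SSO mode live on the service principal.
#   accountEnabled            = "Enabled for users to sign-in"
#   appRoleAssignmentRequired = "Assignment required"
#   "Visible to users" = No is expressed by adding the 'HideApp' tag to the service
#   principal's tags (PATCH replaces the whole tags array, so read it and append).
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/servicePrincipals/$spId" -Body @{
    accountEnabled            = $true
    appRoleAssignmentRequired = $true
    preferredSingleSignOnMode = 'saml'
}

# Steps 8-9: Entity ID, Reply URL (ACS) and Logout URL are application properties.
# identifierUris is validated by Graph; if the bare string is rejected, use the
# vendor's URI form instead.
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/applications/$appId" -Body @{
    identifierUris = @('collabornation')
    web            = @{ redirectUris = @($replyUrl); logoutUrl = $logoutUrl }
}

# The portal creates a SAML signing certificate when SAML is selected; via Graph it
# must be created explicitly. Its endDateTime is the expiry date to watch in step 13.
$signingCert = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/servicePrincipals/$spId/addTokenSigningCertificate" -Body @{
        displayName = 'CN=CollaborNation'
        endDateTime = (Get-Date).AddYears(2).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    }

# Step 10: Name ID defaults to user.userprincipalname, so nothing to change.
# Steps 11-12: a claims mapping policy. IncludeBasicClaimSet = false drops the default
# additional claims (step 11); ClaimsSchema lists the four claims from the table. The
# constant claim uses the static 'Value' form (assumption: confirm against current docs).
$definition = @{
    ClaimsMappingPolicy = @{
        Version              = 1
        IncludeBasicClaimSet = 'false'
        ClaimsSchema         = @(
            @{ Source = 'user'; ID = 'mail';      SamlClaimType = 'emailaddress' },
            @{ Source = 'user'; ID = 'givenname'; SamlClaimType = 'firstname' },
            @{ Source = 'user'; ID = 'surname';   SamlClaimType = 'lastname' },
            @{ Value = $orgAccountName;           SamlClaimType = 'orgAccountName' }
        )
    }
} | ConvertTo-Json -Depth 6 -Compress

$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/policies/claimsMappingPolicies" -Body @{
    displayName           = 'CollaborNation SAML claims'
    definition            = @($definition)
    isOrganizationDefault = $false
}
# Bind the policy to the service principal (the "$ref" must be escaped in a double-quoted string).
Invoke-MgGraphRequest -Method POST -Uri "$graph/servicePrincipals/$spId/claimsMappingPolicies/`$ref" -Body @{
    '@odata.id' = "$graph/policies/claimsMappingPolicies/$($policy.id)"
}

"Application $appId / service principal $spId configured; signing certificate thumbprint $($signingCert.thumbprint)"
```

Users and groups still have to be assigned (appRoleAssignments on the service principal) before anyone can sign in, exactly as with the portal's Assignment required toggle.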
13. Provide the relevant metadata from Steps 3 and 4 to the vendor.
Step 3 (SAML Signing Certificate)
- App Federation Metadata Url
- Certificate (Base64)
- Federation Metadata XML
Step 4 (Set up CollaborNation)
- Login URL
- Azure AD Identifier
- Logout URL
At a minimum the vendor needs the Azure AD Identifier (the IdP entity ID) and the Certificate (Base64), which it uses to verify the signature on the assertions, plus the Login URL if sign-in is SP-initiated. All of these values are also contained in the App Federation Metadata URL and the Federation Metadata XML file, so either of those can be sent instead.
Note the Expiration Date in Step 3: it is the expiry of the SAML signing certificate. Edit that section to add notification email addresses so you are warned well in advance, because SSO breaks when the certificate expires if it has not been replaced. Rollover needs both sides: create the new certificate, give the vendor the new certificate or metadata, and only then make it active.
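As an added example (not from the original instructions), a PowerShell function that pulls the Step 4 values out of the App Federation Metadata URL so they can be sent to the vendor, and reports the expiry of every signing certificate Azure AD currently publishes, which is the check to put on a schedule alongside the expiry notification email. It assumes the standard Azure AD federation metadata URL format; the tenant and application IDs are supplied by the caller, and the IDs in the usage line are placeholders.

```powershell
# Added example: read the IdP values the vendor needs (step 13) from the App Federation
# Metadata URL and report when each signing certificate expires. Assumes the standard
# Azure AD metadata URL format; -MetadataXml lets you pass a downloaded Federation
# Metadata XML file's content instead of fetching it.
function Get-SamlIdpMetadataSummary {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$AppId,
        [string]$MetadataXml,
        [int]$WarnDays = 60
    )
    if (-not $MetadataXml) {
        $url = "https://login.microsoftonline.com/$TenantId/federationmetadata/2007-06/federationmetadata.xml?appid=$AppId"
        $MetadataXml = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
    }
    $doc = [xml]$MetadataXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $idp = $doc.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
    if (-not $idp) {
        throw 'No IDPSSODescriptor found: is this the Azure AD (IdP) metadata rather than the vendor SP metadata?'
    }
    $redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

    # Azure AD may publish more than one signing certificate during a rollover; report each.
    $certs = foreach ($node in $idp.SelectNodes("md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)) {
        $der      = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        $daysLeft = [int]($cert.NotAfter.ToUniversalTime() - (Get-Date).ToUniversalTime()).TotalDays
        $status   = 'OK'
        if ($daysLeft -lt 0) { $status = 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { $status = 'RENEW SOON' }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }

    # These three are exactly the Step 4 values (Azure AD Identifier, Login URL, Logout URL).
    [pscustomobject]@{
        AzureAdIdentifier   = $doc.DocumentElement.GetAttribute('entityID')
        LoginUrl            = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='$redirect']", $ns).GetAttribute('Location')
        LogoutUrl           = $idp.SelectSingleNode("md:SingleLogoutService[@Binding='$redirect']", $ns).GetAttribute('Location')
        SigningCertificates = @($certs)
    }
}

# Usage (placeholder IDs):
# Get-SamlIdpMetadataSummary -TenantId '00000000-0000-0000-0000-000000000000' -AppId '11111111-1111-1111-1111-111111111111'
```

Run it again after a certificate rollover: the vendor must hold the thumbprint that is marked active before the old one expires, and a RENEW SOON result with only one certificate listed means the new one has not been created yet.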
14. SSO is configured and ready for testing with an assigned user.