SSO - Azure AD
Overview
This article describes how to configure Azure AD as your workplace's single sign-on identity provider (IdP). This process involves making modifications to your Azure AD as well as your digital workplace. Once complete, users of your digital workplace will be able to sign in to it using their Azure AD credentials.
To follow this process, you must be able to add applications to your Azure AD and be a workplace administrator in your digital workplace.
Go to one of the following sections in this article:
- Configuring Azure AD single sign-on
- Configuring your digital workplace's single sign-on
- Verifying that single sign-on is set up correctly
- Troubleshooting issues
- Additional resources
Configuring Azure AD single sign-on
Adding the Igloo Software application
- Go to your Microsoft Azure portal.
- At the top of the page, select Show portal menu, and then select Azure Active Directory.
- In the left navigation panel, select Enterprise applications.
- Above the list of applications, select New application.
- In the Search application text box, enter Igloo Software.
- Select Igloo Software from the search results.
- (Optional) In the Name text box, enter a more descriptive name for the application.
- Select Create.
Configuring single sign-on for the Igloo Software application
- Go to the Igloo Software application that you've created.
- In the left navigation panel, under Manage, select Single sign-on.
- Select SAML as the single sign-on method.
- In the Basic SAML Configuration panel, select Edit.
- Configure these Basic SAML Configuration options as follows:
- Identifier: Enter your digital workplace URL with /saml.digest appended to it (e.g., https://customercare.igloosoftware.com/saml.digest).
- Select the checkbox next to the Identifier URL that you entered to make it the default identifier.
- Reply URL: Enter your digital workplace URL with /saml.digest appended to it (e.g., https://customercare.igloosoftware.com/saml.digest).
- Sign on URL: Enter your digital workplace URL (e.g., https://customercare.igloosoftware.com).
- (Optional) Logout Url: Enter your digital workplace URL with /saml.digestlogout appended to it (e.g., https://customercare.igloocommunities.com/saml.digestlogout).
- Select Save.
- In the SAML Signing Certificate panel, next to Certificate (Base64), select Download. You will need this when configuring single sign-on in your digital workplace.
- In the Set up panel, copy the following values; you will need these when configuring single sign-on in your digital workplace:
- Login URL
- Logout URL
Configuring your digital workplace's single sign-on
- Go to your digital workplace and sign in.
- Select Control Panel.
- Under Membership, select Sign In Settings.
- Select Configure SAML Authentication.
- Configure these General Configuration options as follows:
- Connection Name: Enter a name for this connection.
- IdP Login URL: Enter the Login URL that you copied from your Azure portal.
- (Optional) IdP Logout URL: Enter the Logout URL that you copied from your Azure portal.
- (Optional) Logout Response and Request HTTP Type: Select Post.
- Logout Final Redirect URL: Enter the URL of the location you want to send users to when they log out. If left blank, users will be redirected to your digital workplace's homepage.
- Binding Type: Select POST.
- Public Certificate: In a text editor, open the Certificate (Base64) that you downloaded from your Azure portal. Copy and paste its contents into this field.
- Configure these Response and Authentication Configuration options as follows:
- Identity Provider: Select Other.
- Identifier Type: Select Email.
- Identifier Path: Enter /samlp:Response/saml:Assertion/saml:Subject/saml:NameID. This value will match the Unique User Identifier claim, which by default is associated with user.userprincipalname in Azure.
- Session Index Path: Enter /samlp:Response/saml:Assertion/saml:AuthnStatement[@Name="SessionIndex"].
- Email Path: Enter emailaddress. This is the default claim name that is associated with user.mail in Azure.
- First Name Path: Enter givenname. This is the default claim name that is associated with user.givenname in Azure.
- Last Name Path: Enter surname. This is the default claim name that is associated with user.surname in Azure.
- Drift Time: Enter 5.
- For User creation on Sign in, select how your digital workplace handles users who attempt to sign in to your digital workplace when they have valid Azure credentials but are not members of the workplace. If your digital workplace uses the ILST to manage members, select Do not create new users when they sign in to avoid the creation of duplicate user accounts.
- For Sign in Settings, select how users sign in to your workplace using Azure single sign-on. For setting up and testing the connection, it can be convenient to temporarily select Use SAML button on "Sign in" screen and then only switch to Redirect all users to IdP once you have confirmed that single sign-on is working correctly.
- Select Save.
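As an added example (not Igloo's or Microsoft's code), the following Python applies the Identifier Path, the three claim names and the Drift Time configured above to a constructed, unsigned Azure AD SAML response, so you can see which values the workplace would derive for a test user. It assumes that the short claim names are matched against the last segment of Azure AD's default claim URIs and that Drift Time is in minutes; signature verification, which a real service provider performs before trusting any of these values, is not shown.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDENTIFIER_PATH = "/samlp:Response/saml:Assertion/saml:Subject/saml:NameID"  # value from the article
CLAIMS = {"email": "emailaddress", "first_name": "givenname", "last_name": "surname"}  # article defaults
DRIFT = timedelta(minutes=5)  # Drift Time 5 from the article; minutes is an assumption
RECEIVED_AT = datetime(2024, 1, 1, 12, 7, tzinfo=timezone.utc)  # constructed clock: 2 min past NotOnOrAfter
# Constructed sample (unsigned, trimmed); Azure AD emits its default claims as full URIs.
CLAIM_URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIM_URI}emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_URI}givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_URI}surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def resolve_identifier(root, path):
    # ElementTree has no absolute paths; the leading step (samlp:Response) is the parsed root itself.
    steps = path.strip("/").split("/")
    node = root.find("/".join(steps[1:]), NS)
    if node is None or not node.text:
        raise ValueError("no identifier at " + path)
    return node.text.strip()

def resolve_claim(root, short_name):
    # Assumption: a short name such as "emailaddress" matches the last segment of the claim URI.
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name", "").rsplit("/", 1)[-1] == short_name:
            value = attr.find("saml:AttributeValue", NS)
            return value.text.strip() if value is not None and value.text else None
    return None

def within_validity(root, now, drift=DRIFT):
    # Accept only inside [NotBefore - drift, NotOnOrAfter + drift); the drift absorbs clock skew.
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts(cond.get("NotBefore")) - drift <= now < ts(cond.get("NotOnOrAfter")) + drift

def map_user(xml_text, now):
    # Fields the article's configuration yields for one response; raises if the assertion is stale.
    root = ET.fromstring(xml_text)
    if not within_validity(root, now):
        raise ValueError("assertion outside its validity window (check Drift Time and clocks)")
    user = {field: resolve_claim(root, name) for field, name in CLAIMS.items()}
    return {"identifier": resolve_identifier(root, IDENTIFIER_PATH), **user}
```

With the sample above, map_user(SAMPLE, RECEIVED_AT) returns the NameID as the identifier plus the three claim values; moving the clock an hour later raises ValueError, which is the failure a too-small Drift Time or a skewed server clock would produce.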
Verifying that single sign-on is set up correctly
Adding a test user to the Igloo Software application in Azure
- In Azure, go to the Igloo Software application that you've created.
- In the left navigation panel, under Manage, select Users and groups.
- Select Add user/group.
- Under Users, select None Selected.
- In the search box on the Users panel, enter the user's name.
- Select the user from the list of search results, and then select Select.
- Select Assign.
Adding the same test user as a member of your digital workplace
- Go to your digital workplace and sign in.
- Select Control Panel.
- Under Membership, select Manage Members.
- Select Add Members.
- Add the user as follows:
- First Name: Enter the first name of the user.
- Last Name: Enter the last name of the user.
- Email: Enter the user's email. This email address should match the user's user.userprincipalname value in Azure.
- Password: Enter a password for the user. This password is for Igloo Authentication. You are required to enter a value in this field even if the user will only ever sign in using single sign-on.
- Confirm Password: Re-enter the user's Igloo Authentication password.
- System Groups: Do not select any other groups to add the user to.
- Regular Groups: Do not select any other groups to add the user to.
- Select Create Member.
Using the test user to sign in to your workplace with Azure single sign-on
In a private browser window, go to your digital workplace. Depending on how you have configured SAML, you will either be redirected to your IdP or arrive at the Igloo Authentication page. For the latter case, in the upper right corner of the Sign in box, select Use: {your connection's name} to go to your IdP.
While on your IdP's sign-in page, enter the credentials of your test user. If everything is configured correctly, you will be redirected back to your digital workplace and be signed in.
Troubleshooting issues
Incorrect IdP Login URL
If you see a "page can't be found" message after being redirected to your IdP, you may have entered an incorrect IdP Login URL on your digital workplace's SAML Configuration page. Confirm that the value you have entered in this field matches the Login URL in Azure AD. You can find this value in Azure AD on the Single Sign-on page of the Enterprise Application configured for this connection.
Incorrect Identifier (Entity ID) and/or Reply URL
If, after entering your Azure AD credentials, you are redirected to a Microsoft page with the error "Sorry, but we’re having trouble signing you in." and the message indicates "Misconfigured application", either the Identifier (Entity ID) or the Reply URL (Assertion Consumer Service URL) for the connection in Azure AD may be incorrect. Verify that these values are your digital workplace's domain with /saml.digest appended to it. You can configure these values in Azure AD on the Single Sign-on page of the Enterprise Application configured for this connection.
Public certificate issues
The following are issues that can occur with the public certificate:
- Invalid format: On your digital workplace's SAML Configuration page, if you click Save and the page refreshes without your changes being saved, the Public Certificate may have an invalid format.
- Expired or Mismatched: If, after signing in, you are brought back to your digital workplace's sign in page with the message "An error has occurred. Please try again and, if that fails, contact support", the public certificate in Igloo does not match what Azure is expecting.
To resolve these issues, verify that the public certificate in your digital workplace matches that of your application in Azure. You can find the Certificate (Base64) in Azure AD on the Single Sign-on page of the Enterprise Application configured for this connection.
Workplace membership
Not being a member of a digital workplace can result in the following:
- If you successfully sign in to your IdP but get redirected to a page in your digital workplace that says "You do not have sufficient access to this area" and you don't have any navigation options, it's possible that the account you signed in with is not a member of the digital workplace but has been before.
- If you successfully sign in to your IdP but get redirected to a page in your digital workplace that says "The user account was not found. Please contact an administrator", it's possible that you signed in with an account that is not, and has never been, a member of the digital workplace.
In both cases, verify that the email associated with the account you are trying to sign in with is associated with an account in the workplace's member directory.
Azure AD membership
If, after entering your Azure AD credentials, you are redirected to a Microsoft page with the error "Sorry, but we’re having trouble signing you in." and the message indicates that "the signed-in user is not assigned a role", you have not been assigned to the application in Azure AD. You can configure who is assigned to the application in Azure AD on the Users and groups page of the Enterprise Application configured for this connection.