
SAML integration with AZURE

Primary configuration of the SAML application in Azure

  1. Go to Azure Active Directory > Enterprise applications. Click + New application, then click + Create your own application.
  2. Set the application’s name, for example, ELMA365. Make sure that you select the Integrate any other application you don't find in the gallery (Non-gallery) option. Click Create.
  3. The application settings window opens. You will need a link to the application's metadata file: open the 2. Set up single sign on section and choose SAML.
  4. In the 3. SAML Signing Certificate section, copy the link from the App Federation Metadata Url field. You will paste it into ELMA365 in the next step.

Configure SAML integration in ELMA365

To configure the SAML integration, you need a valid X.509 certificate together with its private key, both in PEM format. The same certificate is used on both sides: its public and private keys are entered in the ELMA365 SAML integration settings, and the certificate is imported into the Azure Active Directory application as its SAML signing certificate (see Final configuration below).

  1. Go to Administration > Modules > SAML.
  2. Check the Enable Module box and click Add item. The service provider settings window will open.
  3. In the Name field, specify the integration name.
  4. In the Metadata IdP URL field, paste the App Federation Metadata Url of the Azure application that you copied in the previous step. This is the Azure Active Directory metadata URL, not an AD FS one.
  5. In the Public key field, enter the certificate from the .pem file as a string, including the header and footer lines:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

  6. In the Private key field, enter the private key from the .pem file as a string, again including the header and footer lines:

-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----

     Treat the private key as a secret: anyone who obtains it can sign SAML messages on behalf of this certificate. Keep the .pem file out of shared storage and repositories, and do not send it over chat or email when handing the configuration over.

  7. Switch the Create users at authentication option to Yes so that the system creates a new account automatically when a user who does not yet have one signs in via SAML.
  8. Switch the Update existing users option to Yes if existing users should be updated upon authorization. This update turns those users into external SAML users, and they will no longer be able to sign in with their previous credentials.

Note: at the moment, updating is only available for invited users, and the user's email in ELMA365 must match the email or login of the SAML user.

  9. Click Save.

Once the SAML integration settings are successfully saved, a link to the metadata file will be generated and displayed in the URL metadata field. Follow the link and save the Service Provider metadata as an .xml file. You will need it to finalize the SAML application configuration in Azure.
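The values that Azure's Basic SAML Configuration asks for (Identifier and Reply URL) live in the metadata file you just saved. Below is an added example, not code from ELMA365 or Microsoft, that reads the file, extracts those two values and refuses obviously wrong input, such as the Azure IdP metadata saved under the wrong name or a non-https URL. The sample metadata is constructed from the placeholder values the page uses and the standard SAML metadata schema; the element attributes (isDefault, index) are assumptions about the file's shape.

```python
"""Added example (not ELMA365's or Microsoft's own code): read the Service
Provider metadata file that ELMA365 generates, extract the two values that
Azure's "Basic SAML Configuration" asks for when you fill it out manually,
and sanity-check them before they are pasted in."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape the page describes. The integration id,
# company name and hosts are the page's placeholders, not real values.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://yourCompanyName.elma365.net/api/integrations/saml/85c86556-5c9e-4616-9742-a0f19ab6280c/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://elma365.net/guard/login/saml/85c86556-5c9e-4616-9742-a0f19ab6280c?company=yourCompanyName"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return entityID, ACS URL and ACS binding from SP metadata.

    Raises ValueError when the document is not SP metadata (for example if
    the Azure IdP metadata was saved by mistake); Azure would otherwise
    accept the wrong values without complaint.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not Service Provider metadata")
    acs_nodes = sp.findall(f"{{{MD_NS}}}AssertionConsumerService")
    if not acs_nodes:
        raise ValueError("SPSSODescriptor has no AssertionConsumerService")
    # Use the ACS flagged as default if there is one, otherwise the first listed.
    acs = next((a for a in acs_nodes if a.get("isDefault") == "true"), acs_nodes[0])
    return {
        "entity_id": entity_id,
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
    }


def check_sp_values(values: dict) -> list:
    """List the problems to fix before pasting; an empty list means all checks passed."""
    problems = []
    for key in ("entity_id", "acs_url"):
        url = urlparse(values.get(key) or "")
        if url.scheme != "https" or not url.netloc:
            problems.append(f"{key} must be an https URL, got {values.get(key)!r}")
    if values.get("acs_binding") != HTTP_POST:
        # Azure delivers the SAML response to the Reply URL with HTTP-POST;
        # any other binding means the metadata was not produced for this flow.
        problems.append(f"ACS binding is not HTTP-POST: {values.get('acs_binding')!r}")
    return problems


if __name__ == "__main__":
    values = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("Identifier (Entity ID):", values["entity_id"])
    print("Reply URL (ACS URL):   ", values["acs_url"])
    for problem in check_sp_values(values):
        print("WARNING:", problem)
```

To run it against the real file, replace SAMPLE_SP_METADATA with the contents of the .xml you downloaded; the two printed lines are what goes into the Identifier (Entity ID) and Reply URL fields, character for character.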

Final configuration of the SAML application in Azure

  1. Open the SAML settings. In the 2. Set up single sign on section, choose SAML and go to 1. Basic SAML Configuration.

You can fill out the required fields in two ways: by uploading the Service Provider metadata file that you obtained in the previous step, or by entering the values manually.

To upload the file, click Upload metadata file, select the metadata file you saved from the SAML integration in ELMA365, and click Add. The configuration fields are filled out automatically; you only need to save them.

To fill out the basic configuration manually, replace the default value of the Identifier (Entity ID) field with the entityID attribute of the EntityDescriptor element in the ELMA365 .xml metadata file (for example, https://yourCompanyName.elma365.net/api/integrations/saml/85c86556-5c9e-4616-9742-a0f19ab6280c/metadata).

In the Reply URL (Assertion Consumer Service URL) field, enter the value of the Location attribute of the AssertionConsumerService element from the same file (for example, https://elma365.net/guard/login/saml/85c86556-5c9e-4616-9742-a0f19ab6280c?company=yourCompanyName). Copy both values exactly as they appear in the file: Azure only delivers the SAML response to a Reply URL registered here, and an Identifier that does not match what ELMA365 sends in its requests causes Azure to reject the sign-in.

  2. Next, add the following claims in the User Attributes & Claims section. For every claim, set Namespace to http://schemas.xmlsoap.org/ws/2005/05/identity/claims and Source to attribute.

     1. Name: externalCode; Source attribute: user.objectid.

        This claim is essential. It is used to identify external users in ELMA365. The object ID does not change for the lifetime of the Azure AD account, unlike the user principal name or email, which an administrator can change.

     2. Name: windowsaccountname; Source attribute: user.userprincipalname.

        This claim is essential. The attribute will be matched with the user's login in ELMA365.

     3. Name: emailaddress; Source attribute: user.mail.

        The attribute will be matched with the user's email in ELMA365.

     4. Name: givenname; Source attribute: user.givenname.

        The attribute will be matched with the user's first name in ELMA365.

     5. Name: surname; Source attribute: user.surname.

        The attribute will be matched with the user's last name in ELMA365.

     6. Name: name; Source attribute: user.displayname.

        The attribute will be matched with the user's first name, middle name, and last name in ELMA365 if the givenname and surname attributes are empty.

  3. Next, go to SAML Signing Certificate, import the certificate you prepared earlier (the one whose public and private keys you entered in the ELMA365 SAML integration settings), and activate it.
  4. Now you only need to specify which users are allowed to sign in through the application. To do that, click Overview in the side menu, go to 1. Assign users and groups, and add the required users and groups.
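The claims table above defines how ELMA365 reads the assertion Azure sends. The added example below, which is not ELMA365's own code, takes the AttributeStatement of a constructed assertion issued with those claims and maps it onto a user record the way the table describes: the two essential claims are required, and the display name is split into first, middle and last name only when givenname and surname are empty. The ELMA365 field names (external_code, login and so on), the "First [Middle] Last" split order and the sample identities are assumptions.

```python
"""Added example (not ELMA365's own code): read the claims configured in
Azure out of a SAML assertion and map them onto ELMA365 user fields,
including the fallback from "name" to first/middle/last name when
givenname and surname are empty. Field names and split order are assumed."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
REQUIRED_CLAIMS = ("externalCode", "windowsaccountname")  # marked essential on the page


def build_assertion(claims: dict) -> str:
    """Construct a minimal assertion carrying the given claims (test input only).

    Azure emits each claim as an Attribute whose Name is namespace + "/" + name.
    """
    attrs = "".join(
        f'<saml:Attribute Name="{CLAIM_NS}/{name}">'
        f"<saml:AttributeValue>{escape(value)}</saml:AttributeValue>"
        "</saml:Attribute>"
        for name, value in claims.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">'
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def extract_claims(assertion_xml: str) -> dict:
    """Return {short claim name: value} for attributes in the configured namespace."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        if not name.startswith(CLAIM_NS + "/"):
            continue  # claims outside the configured namespace are ignored
        value = attr.find(f"{{{SAML_NS}}}AttributeValue")
        text = (value.text or "").strip() if value is not None else ""
        claims[name[len(CLAIM_NS) + 1:]] = text
    return claims


def map_to_user(claims: dict) -> dict:
    """Build the user record described in the claims table (assumed field names)."""
    missing = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    if missing:
        # Without these two claims the user can neither be identified nor
        # matched with a login, so refuse rather than create a half-identified account.
        raise ValueError(f"essential claim(s) missing: {', '.join(missing)}")
    user = {
        "external_code": claims["externalCode"],       # user.objectid
        "login": claims["windowsaccountname"],         # user.userprincipalname
        "email": claims.get("emailaddress", ""),       # user.mail
        "first_name": claims.get("givenname", ""),     # user.givenname
        "middle_name": "",
        "last_name": claims.get("surname", ""),        # user.surname
    }
    if not user["first_name"] and not user["last_name"] and claims.get("name"):
        # Fallback: split user.displayname as "First [Middle ...] Last" (assumed order).
        parts = claims["name"].split()
        user["first_name"] = parts[0]
        if len(parts) > 1:
            user["last_name"] = parts[-1]
            user["middle_name"] = " ".join(parts[1:-1])
    return user


if __name__ == "__main__":
    # Constructed identity; the tenant and addresses are placeholders.
    sample = build_assertion({
        "externalCode": "11111111-2222-3333-4444-555555555555",
        "windowsaccountname": "jdoe@contoso.onmicrosoft.com",
        "emailaddress": "jdoe@contoso.com",
        "givenname": "", "surname": "", "name": "Jane Q Doe",
    })
    print(map_to_user(extract_claims(sample)))
```

If a sign-in creates a user with an empty name or login, run the assertion through extract_claims first: a claim that arrives under a different namespace or with a different Name than configured above is silently ignored, which is the usual cause.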

Update the metadata file in a configured SAML integration in ELMA365

After you change the certificate in Azure, you need to update the Azure application metadata in the ELMA365 SAML integration; otherwise ELMA365 keeps validating responses against the old certificate, and sign-ins fail once Azure starts signing with the new one. To do that, open the settings of the SAML integration you configured earlier and click Save. ELMA365 re-reads the metadata from the Metadata IdP URL, and the Azure application metadata is updated.
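A quick way to confirm that the metadata ELMA365 re-loads on Save really carries the new certificate is to compare the signing certificate fingerprints in the federation metadata before and after the change. The example below is added here and is not ELMA365's or Microsoft's code; it builds two constructed metadata documents whose certificate bodies are placeholder byte strings rather than real certificates, and the tenant ID in the entityID is a placeholder. On a real tenant, feed it the document downloaded from the App Federation Metadata Url.

```python
"""Added example (not ELMA365's or Microsoft's own code): extract the IdP
signing certificates from Azure federation metadata and report what changed
between two snapshots. Certificate bodies are constructed placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def idp_metadata(cert_der_list: list) -> str:
    """Construct federation metadata with the given signing certificates (DER bytes).

    Only the elements the fingerprint check needs are included; the tenant
    ID in entityID is a placeholder.
    """
    keys = "".join(
        f'<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data>'
        f"<ds:X509Certificate>{base64.b64encode(der).decode()}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for der in cert_der_list
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" '
        'entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">'
        f"<md:IDPSSODescriptor>{keys}</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


def signing_fingerprints(metadata_xml: str, algo: str = "sha256") -> list:
    """Hex fingerprints of every signing certificate in IdP metadata.

    Use algo="sha1" to compare with the Thumbprint shown in the Azure portal.
    """
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity provider metadata")
    fingerprints = []
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.new(algo, der).hexdigest())
    if not fingerprints:
        raise ValueError("metadata carries no signing certificate")
    return fingerprints


def rotation_report(before_xml: str, after_xml: str) -> dict:
    """Which signing certificates appeared or disappeared between two snapshots."""
    before = set(signing_fingerprints(before_xml))
    after = set(signing_fingerprints(after_xml))
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": before != after,
    }


if __name__ == "__main__":
    # Placeholder DER bodies, not real certificates.
    old_snapshot = idp_metadata([b"old-certificate-placeholder"])
    new_snapshot = idp_metadata([b"new-certificate-placeholder"])
    print(rotation_report(old_snapshot, new_snapshot))
```

Save the metadata document once before activating the new certificate in Azure and once after; if rotation_report says changed is False, Azure is still publishing the old certificate and clicking Save in ELMA365 will not pick up anything new yet.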
