
SAML integration with Microsoft Azure

SAML integration allows using Microsoft Azure for authentication and automatic creation of internal and external users in ELMA365.

When a user authorizes, a new internal user is created in ELMA365 and the user record appears in the Users directory. If authorization takes place on the portal, the user record appears instead in the External users system directory.

Please note that an unregistered user does not need an individual invitation link to sign in to the portal via SAML. It is sufficient to provide them with a link to the portal page.

Primary configuration of the SAML application in Azure

  1. Go to Azure > Enterprise applications. Click + New application, then click + Create your own application.
  2. Set the application’s name, for example, ELMA365. Make sure that you select the Integrate any other application you don't find in the gallery (Non-gallery) option. Click Create.
  3. You will see the application settings window. You will need a link to the application metadata file. Click the 2. Set up single sign on section and choose SAML.
  4. In 3. SAML Signing Certificate, copy the link to the metadata file from the App Federation Metadata Url field and move on to configuring the SAML integration in ELMA365.

Configure SAML integration in ELMA365

To configure the SAML integration, an active SSL certificate is required; it must be provided both to the ELMA365 SAML integration and to the Azure application.

  1. Go to Administration > Modules > SAML.
  2. Check the Enable Module box and click Add item.
  3. In the opened provider settings window, fill in the fields.
  • Name*. Name for the integration.
  • IdP metadata URL*. The metadata URL of your AD FS server that was obtained when you initially configured the SAML application in Azure.
  • Public key*. A string representation of your public key in .pem format.

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

  • Private key*. A string representation of your private key in .pem format.

-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----

  • Create users during authentication. Set the parameter to Yes so that missing external or internal users are created automatically when the user attempts to authorize in the system.


  • Update existing users. Set this parameter to Yes if you want existing users to be updated at the time of authorization. When updated, the user is converted to an external SAML user and can no longer authorize the way they did before.

Attention: at the moment, updating is only available for invited users, and the user's email needs to be the same as the email or login of the SAML user.

  4. Click Save. A link to the metadata file will then be generated and displayed in the Metadata URL field.
  5. Follow the link and save the Service Provider metadata as an .xml file. You will need it to finalize the SAML application configuration in Azure.


Final configuration of the SAML application in Azure

  1. Open the SAML settings. In the 2. Set up single sign on section (SAML), go to 1. Basic SAML Configuration.

You can fill out the necessary fields in two ways: by entering the values manually or by uploading the SAML metadata file that you obtained in the previous step.

To upload the file, click the Upload metadata file button, select the metadata file you previously got in the SAML integration with ELMA365, and click Add.

To fill out the basic configuration manually, replace the default value of the Identifier (Entity ID) field with the entityID attribute of the EntityDescriptor element from the ELMA365 .xml metadata file (for example, https://yourCompanyName.elma365.net/api/integrations/saml/85c86556-5c9e-4616-9742-a0f19ab6280c/metadata).

In the Reply URL (Assertion Consumer Service URL) field, enter the value of the Location attribute of the AssertionConsumerService element from the ELMA365 .xml metadata file, for example, https://elma365.ru/guard/login/saml/85c86556-5c9e-4616-9742-a0f19ab6280c?company=yourCompanyName.

  2. Next, add new claims in the User Attributes & Claims section. Every claim below uses Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims and Source: attribute.
    1. Name: externalCode; Source attribute: user.objectid.
       This claim is essential. It is used to identify external users in ELMA365.
    2. Name: windowsaccountname; Source attribute: user.userprincipalname.
       This claim is essential. The attribute will be matched with the user’s login in ELMA365.
    3. Name: emailaddress; Source attribute: user.mail.
       The attribute will be matched with the user’s email in ELMA365.
    4. Name: givenname; Source attribute: user.givenname.
       The attribute will be matched with the user’s first name in ELMA365.
    5. Name: surname; Source attribute: user.surname.
       The attribute will be matched with the user’s last name in ELMA365.
    6. Name: name; Source attribute: user.displayname.
       The attribute will be matched with the user’s first name, middle name, and last name in ELMA365 if the givenname and surname attributes are empty.

  3. Next, go to SAML Signing Certificate, import your pre-prepared certificate, and activate it. This certificate will be needed for the configuration of the SAML integration in ELMA365.
  4. In the side menu, select Overview, go to 1. Assign users and groups and add the users who will be able to authorize through the created application.
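To verify the values entered manually in Basic SAML Configuration and the claim set configured above, here is an added Python example; it is not ELMA365's or Azure's code. It assumes Azure emits each attribute Name as namespace + "/" + claim name, uses constructed metadata and assertion fragments with placeholder ids, and splits the name claim into first/middle/last as an assumption.

```python
import xml.etree.ElementTree as ET
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# Constructed stand-in for the ELMA365 SP metadata (integration id is a placeholder).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
  entityID="https://yourCompanyName.elma365.net/api/integrations/saml/INTEGRATION-ID/metadata">
  <md:SPSSODescriptor><md:AssertionConsumerService index="0"
    Location="https://elma365.ru/guard/login/saml/INTEGRATION-ID?company=yourCompanyName"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""

def basic_saml_config(metadata_xml):
    """Values for Azure's Identifier (Entity ID) and Reply URL fields."""
    root = ET.fromstring(metadata_xml)
    acs = root.find(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService")
    return {"entity_id": root.get("entityID"), "reply_url": acs.get("Location")}

def claim_xml(name, value):  # one Azure-style claim: Name = namespace + "/" + claim name
    return (f'<saml:Attribute Name="{CLAIMS}/{name}">'
            f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>')
# Constructed AttributeStatement: givenname/surname absent, so the name claim must be used.
ASSERTION = (f'<saml:Assertion xmlns:saml="{SAML}"><saml:AttributeStatement>'
             + claim_xml("externalCode", "00000000-0000-0000-0000-000000000001")
             + claim_xml("windowsaccountname", "jane.doe@contoso.example")
             + claim_xml("emailaddress", "jane.doe@contoso.example")
             + claim_xml("name", "Jane Q Doe")
             + "</saml:AttributeStatement></saml:Assertion>")

def claims(assertion_xml):
    """Strip the namespace prefix and return {claim name: value}."""
    out = {}
    for a in ET.fromstring(assertion_xml).iter(f"{{{SAML}}}Attribute"):
        name, val = a.get("Name", ""), a.find(f"{{{SAML}}}AttributeValue")
        if name.startswith(CLAIMS + "/") and val is not None:
            out[name[len(CLAIMS) + 1:]] = (val.text or "").strip()
    return out

def elma_user(assertion_xml):
    """Map claims to user fields as the page describes; fail closed if an essential claim is missing."""
    c = claims(assertion_xml)
    if not all(c.get(k) for k in ("externalCode", "windowsaccountname")):
        raise ValueError("essential SAML claim externalCode or windowsaccountname is missing")
    user = {"external_code": c["externalCode"], "login": c["windowsaccountname"],
            "email": c.get("emailaddress", ""), "middle_name": "",
            "first_name": c.get("givenname", ""), "last_name": c.get("surname", "")}
    if not (user["first_name"] or user["last_name"]):  # fall back to the displayname claim
        parts = c.get("name", "").split()  # assumed split: first [middle ...] last
        user["first_name"] = parts[0] if parts else ""
        user["middle_name"] = " ".join(parts[1:-1])
        user["last_name"] = parts[-1] if len(parts) > 1 else ""
    return user
```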

Update the metadata file in a configured SAML integration in ELMA365

After you change the certificate in Azure, you need to update the Azure application metadata file in the SAML integration in ELMA365. To do that, open the settings of the SAML integration you previously configured and click Save. The Azure application metadata will be updated.

