Adding an Azure AD SSO

Important: To add an Azure AD SSO, you must have the Administrative privileges in your organization’s Azure AD SSO and one of the following Flexera One roles: Manage organization or Administer organization. For complete descriptions of each role available in Flexera One, see Flexera One Roles.

Perform the following tasks in sequential order to create a single sign-on using Azure AD:

Step 1: Creating a SAML 2.0 Application in Azure AD
Step 2: Setting Up Azure AD SSO With SAML 2.0 Using Temporary Values
Step 3: Updating the Unique User Identifier
Step 4: Downloading Azure AD’s SAML Signing Certificate
Step 5: Setting Up an Identity Provider in Flexera One
Step 6: Setting Up Azure AD SSO With SAML 2.0
Step 7: Testing the Azure AD SSO

Note:For additional information, see Microsoft Azure AD.

Step 1: Creating a SAML 2.0 Application in Azure AD

To create a SAML 2.0 application in Azure AD, perform the following steps.

To create a SAML 2.0 application in Azure AD:

1. Sign in to https://portal.azure.com/#home using your Azure AD account’s administrator credentials.
2. Click Azure Active Directory.
3. On the Default Directory listing, click Enterprise applications.
4. Click All applications and then click New application. The Add an application screen opens.
5. Click Non-Gallery application. The Add your own application screen opens.
6. Enter the name of your application and click Add.
7. On the Manage listing, click Single sign-on. The Select a single sign-on method screen opens.
8. Click SAML. The Setup Single Sign-On with SAML screen opens.
9. Continue with the steps in Step 2: Setting Up Azure AD SSO With SAML 2.0 Using Temporary Values.

Step 2: Setting Up Azure AD SSO With SAML 2.0 Using Temporary Values

Perform the following steps to set up Azure AD single sign-on with SAML 2.0 using temporary values.

To set up Azure AD SSO with SAML 2.0 using temporary values:

1. Go to Azure’s Setup Single Sign-On with SAML screen.
2. Click the pencil icon to edit the Basic SAML Configure section
3. Complete the following fields with temporary values in an https:// format. You will later populate these fields with actual values.
Identifier (Entity ID) 
Reply URL (Assertion Consumer Service URL) 
4. Continue with the steps in Step 3: Updating the Unique User Identifier.

Step 3: Updating the Unique User Identifier

When a user authenticates to the application, Azure AD issues the application a SAML token with information (or claims) about the user that uniquely identifies them. By default, this information includes the user's username, email address, first name, and last name. For Flexera One, you must change the default Unique User Identifier from user.userprincipalname to user.mail.

To update the unique user identifier:

1. On Azure’s Setup Single Sign-On with SAML screen, click the pencil icon to edit the User Attributes & Claims.
2. In the Required claim section, click the ellipses (...) to edit the Unique User Identifier (Name ID) value. The Manage claim screen opens.
3. Change the Unique User Identifier from user.userprincipalname to user.mail.

Change the Email address Source attribute from user.userprincipalname to user.mail.

4. Click Save.
5. Continue with the steps in Step 4: Downloading Azure AD’s SAML Signing Certificate.

Step 4: Downloading Azure AD’s SAML Signing Certificate

Important:You must have the following roles to download Azure AD’s SAML signing certificate:

Flexera One Manage organization role or Administer organization role. For complete descriptions of each role available in Flexera One, see Flexera One Roles.
Administrative privileges in your organization’s Azure AD SSO.

The next step is to download Azure AD’s SAML signing certificate.

To download Azure AD’s SAML signing certificate:

1. On the SAML Signing Certificate tab, download the Certificate (Base64).
2. Save the .cer certificate file so that it can be later uploaded to Flexera One.
3. Continue with the steps in Step 5: Setting Up an Identity Provider in Flexera One.

Step 5: Setting Up an Identity Provider in Flexera One

Perform the following steps to set up an identity provider in Flexera One.

To set up an identity provider in Flexera One:

1. Sign in to Flexera One (for details, see Log In to Flexera One or Reset Your Password).
2. Go to Administration and click Identity Providers.
3. On the Identity Providers screen:
If adding a new identity provider, click New Identity Provider.
If editing an existing identity provider, select your identity provider’s listing on the left and click Edit.
4. In the new identity provider record, click the General tab and complete the following fields.

Field

Description

Name*

Enter the display name of your identity provider.

Example: Azure 

Signature Certificate*

Drag and drop to upload, or browse for your identity provider’s Privacy Enhanced Mail (PEM) encoded public key certificate (x.509 certificate) that is used to verify SAML message and assertion signatures.

IDP SSO URL*

In Azure AD’s Set up tab for your SAML 2.0 application, copy the Login URL and paste into this field the endpoint responsible for receiving SAML AuthnRequest messages. It is the URL Flexera One’s sign in process uses to verify your users and log them in.

Example:

https://mycompanyname.mysamlprovider.com/app/myorg456_test123/exjo2H0GTZ357/sso/saml 

Issuer URI*

In Azure AD’s Set up tab for your SAML 2.0 application, copy the Azure AD Identifier and paste into this field the global unique identifier for SAML entities to your identity provider SAML application setup.

Example:

https://mysamlprovider.com/exjo2H0GTZ357

Discovery Hint

Enter unique values to help users navigate more quickly to your organization’s federated identity provider sign in page.

Note:If you include special characters in the Discovery Hint, be aware that following characters (including spaces) are the only permissible special characters:
:( )_+-.@

Logout Redirect URL

When you sign in to Flexera One through your organization's identity provider, you will be directed to a logout redirect URL when your session ends. A Flexera One session may end when you log out or when your session expires due to inactivity. If no logout redirect URL is set, you will be directed to the Flexera One sign in page when your session ends. One suggested use for this feature is to set the logout redirect URL to the homepage of your organization's identity provider. An https:// URL is strongly recommended. However, an http:// URL is also valid).

Note:When the logout redirect URL is changed, it only affects newly created sessions after the update. Any session already active during the update will not be affected by the update. To observe the changed behavior, log out of Flexera One, then sign in to Flexera One again through the identity provider and when that session ends, the new logout redirect value will be active.

Note:All fields marked with an asterisk (*) are required.

5. If you click the Show Advanced Settings link, the following additional fields are displayed. The default options are noted below for your reference. Changes to these settings are rarely required. You only need to reveal these settings if changes are needed.

Field

Description

Request Binding

Select the SAML Authentication Request Protocol binding used by your identity provider to send SAML AuthnRequest messages to the IDP.Enum.

HTTP-POST (This is the default option.)
HTTP-REDIRECT 

Request Signature Algorithm

Select the signature algorithm used to sign SAML AuthnRequest messages sent to the IDP.Enum.

SHA-256 (This is the default option.)
SHA-1 

Response Signature Algorithm

Select the minimum signature algorithm when validating SAML assertions issued by the IDP.Enum.

SHA-256 (This is the default option.)
SHA-1 

Response Signature Verification

Select the protocol to use when authenticating users from this IDP.Enum.

Response or Assertion (This is the default option.)
Response 
Assertion 

Sign Authorization Request

(optional)

Select this option if you wish to have Flexera One enable signing AuthnRequest (authentication) messages to your identity provider. Signing these AuthnRequest messages increases the security of your transactions between your identity provider and Flexera One.

Make sure your identity provider supports verifying AuthnRequests before enabling this feature.
If you enable this feature, you must go to Creating a New Signing Key and create the Flexera One signing key to submit to your identity provider for verifying authorization requests.
6. Click Save.
7. Continue with the steps in Step 6: Setting Up Azure AD SSO With SAML 2.0.

Step 6: Setting Up Azure AD SSO With SAML 2.0

Perform the following steps to set up Azure AD single sign-on with SAML 2.0.

To set up Azure AD single sign-on with SAML 2.0:

1. On Azure’s Setup Single Sign-On with SAML screen, click the pencil icon to edit the Basic SAML Configuration.
2. In the Identifier (Entity ID) field, copy and paste Flexera One’s Service Provider Entity ID. The information to be copied is generated in step 4 of Step 5: Setting Up an Identity Provider in Flexera One. For example:

https://secure.flexera.com/sso/saml2/<someChars>

3. In the Reply URL (Assertion Consumer Service URL) field, copy and paste Flexera One’s Assertion Consumer Service (ACS) URL. For example:

https://secure.flexera.com/sso/saml2/<someChars>

4. In the Sign on URL field, copy and paste Flexera One’s Assertion Consumer Service (ACS) URL. For example:

https://secure.flexera.com/sso/saml2/<someChars>

5. Click Save.
6. On Azure’s Setup Single Sign-On with SAML screen, click the pencil icon to edit the Attributes & Claims. Flexera One expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. Make sure the following attribute claims are configured.

Name

Source Attribute

givenname

user.givenname

surname

user.surname

emailaddress

user.mail

name

user.userprincipalname

Unique User Identifier

user.mail

Note:This value should be the same as what was configured in Step 3: Updating the Unique User Identifier.

7. Make sure the following settings are also configured for the additional attributes that Flexera One expects to be passed back in SAML response.

Name

Source Attribute

firstName

user.givenname

lastName

user.surname

8. Remove all the other attribute claims. If the Namespace field of any other attribute has pre-populated value, clear the field.
9. Remove any XML schema from all the attributes.
10. Click Save.
11. Continue with the steps in Step 7: Testing the Azure AD SSO.

Step 7: Testing the Azure AD SSO

Perform the following tasks to test the Azure AD single sign-on:

Assigning a User or Group to Test the Azure AD SSO
Adding and Verifying a Domain
Testing Azure Single Sign On

Assigning a User or Group to Test the Azure AD SSO

Perform the following steps to assign a user or group to test the Azure AD single sign-on.

To assign a user or group to test the Azure AD SSO:

1. On Azure’s Enterprise applications screen, go to Manage and click Users and groups. The Users and groups screen opens.
2. Click Add user.
3. Click Users and groups.
4. Select the appropriate user or group email address.
5. Click Select.
6. Click Assign.
7. Continue with the steps in Adding and Verifying a Domain.

Adding and Verifying a Domain

Perform the following steps to add and verify a domain.

To add and verify a domain:

1. Complete all the steps for Adding a Domain and Verifying a Domain With a TXT Record.
2. Continue with the steps in Testing Azure Single Sign On

Testing Azure Single Sign On

Perform the following steps to test Azure single sign-on.

To test Azure single sign-on:

1. On Azure’s Enterprise applications. screen, go to Manage and click Single sign-on. The SAML-based Sign-on screen opens.
2. In the Test single sign-on tab, click Test. The Test Single sign-on screen opens.
3. Click Sign in as current user.