Adding an Azure AD SSO
Important: Perform the following tasks in sequential order to create a single sign-on using Azure AD:
• Step 1: Creating a SAML 2.0 Application in Azure AD
• Step 2: Setting Up Azure AD SSO With SAML 2.0 Using Temporary Values
• Step 3: Updating the Unique User Identifier
• Step 4: Downloading Azure AD’s SAML Signing Certificate
• Step 5: Setting Up an Identity Provider in Flexera One
• Step 6: Setting Up Azure AD SSO With SAML 2.0
• Step 7: Testing the Azure AD SSO
Note: For additional information, see Microsoft Azure AD.
Step 1: Creating a SAML 2.0 Application in Azure AD
To create a SAML 2.0 application in Azure AD, perform the following steps.
To create a SAML 2.0 application in Azure AD:
1. Sign in to https://portal.azure.com/#home using your Azure AD account’s administrator credentials.
2. Click Azure Active Directory.
3. On the Default Directory listing, click Enterprise applications.
4. Click All applications and then click New application. The Add an application screen opens.
5. Click Non-Gallery application. The Add your own application screen opens.
6. Enter the name of your application and click Add.
7. On the Manage listing, click Single sign-on. The Select a single sign-on method screen opens.
8. Click SAML. The Setup Single Sign-On with SAML screen opens.
9. Continue with the steps in Step 2: Setting Up Azure AD SSO With SAML 2.0 Using Temporary Values.
Step 2: Setting Up Azure AD SSO With SAML 2.0 Using Temporary Values
Perform the following steps to set up Azure AD single sign-on with SAML 2.0 using temporary values.
To set up Azure AD SSO with SAML 2.0 using temporary values:
1. Go to Azure’s Setup Single Sign-On with SAML screen.
2. Click the pencil icon to edit the Basic SAML Configuration section.
3. Complete the following fields with temporary values in an https:// format. You will later replace them with the actual values.
   • Identifier (Entity ID)
   • Reply URL (Assertion Consumer Service URL)
4. Continue with the steps in Step 3: Updating the Unique User Identifier.
Step 3: Updating the Unique User Identifier
When a user authenticates to the application, Azure AD issues the application a SAML token with information (or claims) about the user that uniquely identifies them. By default, this information includes the user's username, email address, first name, and last name. For Flexera One, you must change the default Unique User Identifier from user.userprincipalname to user.mail.
To update the unique user identifier:
1. On Azure’s Setup Single Sign-On with SAML screen, click the pencil icon to edit the User Attributes & Claims.
2. In the Required claim section, click the ellipses (...) to edit the Unique User Identifier (Name ID) value. The Manage claim screen opens.
3. Change the Unique User Identifier from user.userprincipalname to user.mail.
   Change the Email address Source attribute from user.userprincipalname to user.mail.
4. Click Save.
5. Continue with the steps in Step 4: Downloading Azure AD’s SAML Signing Certificate.
Step 4: Downloading Azure AD’s SAML Signing Certificate
Important: You must have the following roles to download Azure AD’s SAML signing certificate:
• Flexera One Manage organization role or Administer organization role. For complete descriptions of each role available in Flexera One, see Flexera One Roles.
• Administrative privileges in your organization’s Azure AD SSO.
The next step is to download Azure AD’s SAML signing certificate.
To download Azure AD’s SAML signing certificate:
1. On the SAML Signing Certificate tab, download the Certificate (Base64).
2. Save the .cer certificate file so that it can be uploaded to Flexera One later.
3. Continue with the steps in Step 5: Setting Up an Identity Provider in Flexera One.
Step 5: Setting Up an Identity Provider in Flexera One
Perform the following steps to set up an identity provider in Flexera One.
To set up an identity provider in Flexera One:
1. Sign in to Flexera One (for details, see Log In to Flexera One or Reset Your Password).
2. Go to Administration and click Identity Providers.
3. On the Identity Providers screen:
   • If adding a new identity provider, click New Identity Provider.
   • If editing an existing identity provider, select your identity provider’s listing on the left and click Edit.
4. In the new identity provider record, click the General tab and complete the following fields.
Field | Description
Name* | Enter the display name of your identity provider. Example: Azure
Signature Certificate* | Drag and drop to upload, or browse for, your identity provider’s Privacy Enhanced Mail (PEM) encoded public key certificate (X.509 certificate). Flexera One uses it to verify SAML message and assertion signatures.
IDP SSO URL* | In Azure AD’s Set up tab for your SAML 2.0 application, copy the Login URL and paste it into this field. This is the identity provider endpoint that receives SAML AuthnRequest messages; Flexera One’s sign-in process redirects users to it to authenticate them and log them in. Example: https://mycompanyname.mysamlprovider.com/app/myorg456_test123/exjo2H0GTZ357/sso/saml
Issuer URI* | In Azure AD’s Set up tab for your SAML 2.0 application, copy the Azure AD Identifier and paste it into this field. This is the globally unique identifier (SAML entity ID) of your identity provider’s SAML application. Example: https://mysamlprovider.com/exjo2H0GTZ357
Discovery Hint | Enter unique values to help users navigate more quickly to your organization’s federated identity provider sign-in page. Note: If you include special characters in the Discovery Hint, be aware that the following characters (including spaces) are the only permissible special characters:
Logout Redirect URL | When you sign in to Flexera One through your organization's identity provider, you are directed to the logout redirect URL when your session ends. A Flexera One session may end when you log out or when it expires due to inactivity. If no logout redirect URL is set, you are directed to the Flexera One sign-in page when your session ends. One suggested use for this feature is to set the logout redirect URL to the homepage of your organization's identity provider. An https:// URL is strongly recommended; however, an http:// URL is also valid. Note: A changed logout redirect URL only affects sessions created after the update. Any session already active during the update is not affected. To observe the changed behavior, log out of Flexera One, sign in again through the identity provider, and the new logout redirect value will take effect when that session ends.
Note: All fields marked with an asterisk (*) are required.
5. If you click the Show Advanced Settings link, the following additional fields are displayed. The default options are noted below for your reference. Changes to these settings are rarely required; you only need to reveal them if changes are needed.
Field | Description
Request Binding | Select the SAML Authentication Request Protocol binding used to send SAML AuthnRequest messages to the IDP.
Request Signature Algorithm | Select the signature algorithm used to sign SAML AuthnRequest messages sent to the IDP.
Response Signature Algorithm | Select the minimum signature algorithm accepted when validating SAML assertions issued by the IDP.
Response Signature Verification | Select the protocol to use when authenticating users from this IDP.
Sign Authorization Request (optional) | Select this option if you want Flexera One to sign the AuthnRequest (authentication) messages it sends to your identity provider. Signing these AuthnRequest messages increases the security of the exchanges between your identity provider and Flexera One.
6. Click Save.
7. Continue with the steps in Step 6: Setting Up Azure AD SSO With SAML 2.0.
Step 6: Setting Up Azure AD SSO With SAML 2.0
Perform the following steps to set up Azure AD single sign-on with SAML 2.0.
To set up Azure AD single sign-on with SAML 2.0:
1. On Azure’s Setup Single Sign-On with SAML screen, click the pencil icon to edit the Basic SAML Configuration.
2. In the Identifier (Entity ID) field, copy and paste Flexera One’s Service Provider Entity ID. The value to copy is generated in step 4 of Step 5: Setting Up an Identity Provider in Flexera One. For example:
   https://secure.flexera.com/sso/saml2/<someChars>
3. In the Reply URL (Assertion Consumer Service URL) field, copy and paste Flexera One’s Assertion Consumer Service (ACS) URL. For example:
   https://secure.flexera.com/sso/saml2/<someChars>
4. In the Sign on URL field, copy and paste Flexera One’s Assertion Consumer Service (ACS) URL. For example:
   https://secure.flexera.com/sso/saml2/<someChars>
5. Click Save.
6. On Azure’s Setup Single Sign-On with SAML screen, click the pencil icon to edit the Attributes & Claims. Flexera One expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. Make sure the following attribute claims are configured.
   Name | Source Attribute
   givenname | user.givenname
   surname | user.surname
   emailaddress | user.mail
   name | user.userprincipalname
   Unique User Identifier | user.mail (Note: This value should be the same as what was configured in Step 3: Updating the Unique User Identifier.)
7. Make sure the following settings are also configured for the additional attributes that Flexera One expects to be passed back in the SAML response.
   Name | Source Attribute
   firstName | user.givenname
   lastName | user.surname
8. Remove all the other attribute claims. If the Namespace field of any other attribute has a pre-populated value, clear the field.
9. Remove any XML schema from all the attributes.
10. Click Save.
11. Continue with the steps in Step 7: Testing the Azure AD SSO.
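Added example (not from Flexera or Microsoft documentation): a small Python check that inspects a decoded SAML assertion and reports where it deviates from what Step 3 (NameID must be the user's mail) and Step 6 (bare claim names givenname, surname, emailaddress, name, firstName, lastName; no namespace; no extra claims) require. Running it over a test sign-on's assertion, captured from a browser's SAML trace, shows which claim settings are still wrong before users see a failed login. The sample assertion below is constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Bare claim names Flexera One expects (Step 6, items 6 and 7).
REQUIRED_CLAIMS = {"givenname", "surname", "emailaddress", "name", "firstName", "lastName"}

# Constructed sample: one claim still carries the Azure default namespace,
# an extra claim (tenantid) was not removed, and lastName is missing.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="tenantid"><saml:AttributeValue>0000</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_flexera_claims(assertion_xml):
    """Return a list of findings; an empty list means the claims match Steps 3 and 6."""
    root = ET.fromstring(assertion_xml)
    findings = []

    # Step 3: Unique User Identifier (NameID) must be user.mail, i.e. an email address.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
    if "@" not in name_id:
        findings.append(f"NameID {name_id!r} is not an email address; set Unique User Identifier to user.mail")

    seen = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        if "/" in name:
            # Step 6 item 8: the Namespace field must be cleared so only the bare name is sent.
            bare = name.rsplit("/", 1)[-1]
            findings.append(f"claim {name!r} still has a namespace; expected bare name {bare!r}")
            name = bare
        if name not in REQUIRED_CLAIMS:
            findings.append(f"unexpected claim {name!r}; Step 6 item 8 says to remove other claims")
        seen.add(name)

    for missing in sorted(REQUIRED_CLAIMS - seen):
        findings.append(f"required claim {missing!r} is missing from the assertion")
    return findings


if __name__ == "__main__":
    for finding in check_flexera_claims(SAMPLE_ASSERTION):
        print(finding)
```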
Step 7: Testing the Azure AD SSO
Perform the following tasks to test the Azure AD single sign-on:
• Assigning a User or Group to Test the Azure AD SSO
• Adding and Verifying a Domain
• Testing Azure Single Sign On
Assigning a User or Group to Test the Azure AD SSO
Perform the following steps to assign a user or group to test the Azure AD single sign-on.
To assign a user or group to test the Azure AD SSO:
1. On Azure’s Enterprise applications screen, go to Manage and click Users and groups. The Users and groups screen opens.
2. Click Add user.
3. Click Users and groups.
4. Select the appropriate user or group email address.
5. Click Select.
6. Click Assign.
7. Continue with the steps in Adding and Verifying a Domain.
Adding and Verifying a Domain
Perform the following steps to add and verify a domain.
To add and verify a domain:
1. Complete all the steps for Adding a Domain and Verifying a Domain With a TXT Record.
2. Continue with the steps in Testing Azure Single Sign On.
Testing Azure Single Sign On
Perform the following steps to test Azure single sign-on.
To test Azure single sign-on:
1. On Azure’s Enterprise applications screen, go to Manage and click Single sign-on. The SAML-based Sign-on screen opens.
2. In the Test single sign-on tab, click Test. The Test Single sign-on screen opens.
3. Click Sign in as current user.