This article describes how to configure Azure AD as your workplace's single sign-on identity provider (IdP). This process involves making modifications to your Azure AD as well as your digital workplace. Once complete, users of your digital workplace will be able to sign in to it using their Azure AD credentials.
To follow this process, you must be able to add applications to your Azure AD and be a workplace administrator in your digital workplace.
Sections in this article:
- Configuring an Azure AD single sign-on application
- Configuring your digital workplace's single sign-on
- Verifying that single sign-on is set up correctly
- Troubleshooting issues
- Additional resources
Configuring an Azure AD single sign-on application
Adding the Igloo Software application
- Go to your Microsoft Azure portal.
- At the top of the page, select Show portal menu, and then select Azure Active Directory.
- In the left navigation panel, select Enterprise applications.
- Above the list of applications, select New application.
- In the Search application text box, enter Igloo Software.
- Select Igloo Software from the search results.
- (Optional) In the Name text box, enter a more descriptive name for the application.
- Select Create.
Configuring single sign-on for the Igloo Software application
- Go to the Igloo Software application that you've created.
- In the left navigation panel, under Manage, select Single sign-on.
- Select SAML as the single sign-on method.
- In the Basic SAML Configuration panel, select Edit.
- Configure these Basic SAML Configuration options as follows and then select Save:
- Identifier: Enter your digital workplace URL with /saml.digest appended to it (e.g., https://customercare.igloosoftware.com/saml.digest). Select the checkbox next to the Identifier URL that you entered to make it the default identifier.
- Reply URL: Enter your digital workplace URL with /saml.digest appended to it (e.g., https://customercare.igloosoftware.com/saml.digest).
- Sign on URL: Enter your digital workplace URL (e.g., https://customercare.igloosoftware.com).
- (Optional) Logout Url: Enter your digital workplace URL with /saml.digestlogout appended to it (e.g., https://customercare.igloocommunities.com/saml.digestlogout).
- In the SAML Signing Certificate panel, next to Certificate (Base64), select Download. You will need this when configuring single sign-on in your digital workplace.
- In the Set up panel, copy the following values; you will need these when configuring single sign-on in your digital workplace:
- Login URL
- Logout URL
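All four Basic SAML Configuration values are derived from the workplace URL, and the troubleshooting section notes that a wrong Identifier or Reply URL produces Azure's "Misconfigured application" error. The following Python is an added example, not Igloo's or Microsoft's code: it derives the expected values from the workplace URL and diffs them against the values entered in Azure (the dictionary keys are the field labels used on this page; the sample Azure values are constructed), reporting cosmetic differences such as a trailing slash or a capitalised host separately, because SAML identifiers and endpoints are typically compared as literal strings rather than as equivalent URLs.

```python
# Added example (not Igloo's or Microsoft's code): derive the Basic SAML
# Configuration values from the workplace URL and diff them against what was
# actually entered in Azure. Dict keys are the field labels from this page.
from urllib.parse import urlsplit, urlunsplit

OPTIONAL = {"Logout Url"}  # the page marks Logout Url as optional


def expected_saml_settings(workplace_url):
    """Return the four Azure-side values implied by the digital workplace URL."""
    p = urlsplit(workplace_url.strip())
    if p.scheme != "https" or not p.netloc:
        raise ValueError(f"workplace URL must be https://<host>, got {workplace_url!r}")
    base = f"https://{p.netloc}"  # any path/query is dropped: the workplace root is the base
    return {
        "Identifier (Entity ID)": base + "/saml.digest",
        "Reply URL (Assertion Consumer Service URL)": base + "/saml.digest",
        "Sign on URL": base,
        "Logout Url": base + "/saml.digestlogout",
    }


def _canonical(url):
    """Fold scheme/host case and a trailing slash. A browser treats these as the same
    URL, but SAML entity IDs and endpoints are typically compared as literal strings,
    so this is used only to classify the *kind* of mismatch, not to excuse it."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"), p.query, ""))


def compare_saml_settings(workplace_url, azure_values):
    """Return a list of problems; an empty list means Azure matches the workplace."""
    problems = []
    for name, want in expected_saml_settings(workplace_url).items():
        got = azure_values.get(name)
        if got is None:
            if name not in OPTIONAL:
                problems.append(f"{name}: missing")
        elif got == want:
            continue
        elif _canonical(got) == _canonical(want):
            problems.append(f"{name}: differs only by case or trailing slash "
                            f"({got!r} vs {want!r}); the comparison is literal, so fix it")
        else:
            problems.append(f"{name}: expected {want!r}, found {got!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample of an Azure configuration containing two typical slips.
    azure = {
        "Identifier (Entity ID)": "https://customercare.igloosoftware.com/saml.digest",
        "Reply URL (Assertion Consumer Service URL)": "https://customercare.igloosoftware.com/saml.digest/",
        "Sign on URL": "http://customercare.igloosoftware.com",
    }
    for line in compare_saml_settings("https://customercare.igloosoftware.com", azure):
        print(line)
```

Run it against the values copied from the Basic SAML Configuration panel; anything it lists corresponds to the "Misconfigured application" symptom described under Troubleshooting.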
Configuring your digital workplace's single sign-on
- Go to your digital workplace and sign in.
- Select Control Panel.
- Under Membership, select Sign In Settings.
- Select Configure SAML Authentication.
- Configure the settings as described in the Configuration settings table below.
- Select Save.
Setting | Description |
---|---|
Connection Name | Enter a name for this connection. If you configure Sign in Settings to Use SAML button on Sign in screen, this name will be displayed on the button. |
IdP Login URL | Copy and paste the Login URL from the Azure set-up instructions into this field. |
IdP Logout URL | Copy and paste the Logout URL from the Azure configuration instructions into this field. |
Logout Response and Request HTTP Type | Select POST. |
Logout Final Redirect URL | Enter the URL of the location you want to send users to when they log out. If left blank, users will be redirected to your digital workplace's homepage. |
Binding Type | Select POST. |
Public Certificate | Copy and paste the Certificate (Base64) from the Azure set-up instructions into this field. You will need to open the certificate file using a text editor. |
Identity Provider | Select Other. |
Identifier Type | Select Email Address. |
Identifier Path | Enter: |
Session Index Path | Enter: |
Email Path | Enter: |
First Name Path | Enter: |
Last Name Path | Enter: |
Drift Time | Enter: |
User creation on Sign in | Select how your digital workplace handles users who attempt to sign in when they have valid IdP credentials but are not members of the digital workplace. Options include:
When creating new users in your digital workplace this way, they will be created with the following details:
If enabled, this option does not provide any additional user syncing functionality (e.g., additional fields, group membership, deprovisioning, etc.). If your digital workplace uses the ILST to manage members, select Do not create new users when they sign in to avoid the creation of duplicate user accounts. |
Sign in Settings | Select how users sign in to your workplace. Options include:
For setting up and testing the connection, it can be convenient to temporarily select Use SAML button on "Sign in" screen and then only switch to Redirect all users to IdP once you have confirmed that single sign-on is working correctly. |
Verifying that single sign-on is set up correctly
Adding a test user to the Igloo Software application in Azure
- In Azure, go to the Igloo Software application that you've created.
- In the left navigation panel, under Manage, select Users and groups.
- Select Add user/group.
- Under Users, select None Selected.
- In the search box on the Users panel, enter the user's name.
- Select the user from the list of search results, and then select Select.
- Select Assign.
Adding the same test user as a member of your digital workplace
- Go to your digital workplace and sign in.
- Select Control Panel.
- Under Membership, select Manage Members.
- Select Add Members.
- Add the user as follows:
- First Name: Enter the first name of the user.
- Last Name: Enter the last name of the user.
- Email: Enter the user's email. This email address should match the user's user.userprincipalname value in Azure.
- Password: Enter a password for the user. This password is for Igloo Authentication. You are required to enter a value in this field even if you only intend to sign in.
- Confirm Password: Re-enter the user's Igloo Authentication password.
- System Groups: Do not select any other groups to add the user to.
- Regular Groups: Do not select any other groups to add the user to.
- Select Create Member.
Using the test user to sign in to your workplace with Azure single sign-on
In a private browser window, go to your digital workplace. Depending on how you have configured SAML, you will either be redirected to your IdP or arrive at the Igloo Authentication page. For the latter case, in the upper right corner of the Sign in box, select Use: {your connection's name} to go to your IdP.
While on your IdP's sign-in page, enter the credentials of your test user. If everything is configured correctly, you will be redirected back to your digital workplace and be signed in.
Troubleshooting issues
Incorrect IdP Login URL
If you see a "page can't be found" message after being redirected to your IdP, you may have entered an incorrect IdP Login URL on your digital workplace's SAML Configuration page. Confirm that the value you have entered in this field matches the Login URL in Azure AD. You can find this value in Azure AD on the Single Sign-on page of the Enterprise Application configured for this connection.
Incorrect Identifier (Entity ID) and/or Reply URL
If, after entering your Azure AD credentials, you are redirected to a Microsoft page with the error "Sorry, but we’re having trouble signing you in." and the message indicates "Misconfigured application", either the Identifier (Entity ID) or the Reply URL (Assertion Consumer Service URL) for the connection in Azure AD may be incorrect. Verify that these values are your digital workplace's domain with /saml.digest appended to it. You can configure these values in Azure AD on the Single Sign-on page of the Enterprise Application configured for this connection.
Public certificate issues
The following are issues that can occur with the public certificate:
- Invalid format: On your digital workplace's SAML Configuration page, if you click Save and the page refreshes without your changes being saved, the Public Certificate may have an invalid format.
- Expired or Mismatched: If, after signing in, you are brought back to your digital workplace's sign-in page with the message "An error has occurred. Please try again and, if that fails, contact support", the public certificate in Igloo does not match what Azure is expecting.
To resolve these issues, verify that the public certificate in your digital workplace matches that of your application in Azure. You can find the Certificate (Base64) in Azure AD on the Single Sign-on page of the Enterprise Application configured for this connection.
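A quick way to tell the three certificate symptoms apart before editing the configuration is to check the pasted value offline. The following stdlib-only Python is an added example, not Igloo's or Microsoft's code: pem_to_der accepts either the armored contents of the downloaded file or a bare Base64 paste and rejects truncated or corrupted input (the "invalid format" case), fingerprint compares the paste with the downloaded Azure file (the "mismatched" case), and validity reads notBefore/notAfter out of the DER (the "expired" case). build_sample_pem is a constructed stand-in with only the outer X.509 layout, so the checks can run without a real certificate; the function names are my own.

```python
# Added example (not Igloo's or Microsoft's code): stdlib-only checks for the
# Public Certificate field. build_sample_pem() is a CONSTRUCTED stand-in with
# the outer X.509 layout only (names and key left empty); it is not a real cert.
import base64, binascii, hashlib, re
from datetime import datetime, timezone

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv_header(buf, pos):  # -> (header_length, content_length) of the DER element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    first = buf[pos + 1]
    if first < 0x80:
        return 2, first
    n = first & 0x7F
    if n == 0 or pos + 2 + n > len(buf):
        raise ValueError("bad DER length")
    return 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def _children(body):  # yield (tag, content) for each DER element directly inside body
    pos = 0
    while pos < len(body):
        h, n = _tlv_header(body, pos)
        if pos + h + n > len(body):
            raise ValueError("DER element overruns its parent")
        yield body[pos], body[pos + h:pos + h + n]
        pos += h + n


def pem_to_der(text):
    """Accept armored PEM or bare Base64 (both get pasted into forms); return DER bytes."""
    m = _PEM_RE.search(text)
    body = re.sub(r"\s+", "", m.group(1) if m else text)
    if not body:
        raise ValueError("empty certificate")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as e:
        raise ValueError(f"not valid Base64: {e}") from e
    if not der or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE")
    h, n = _tlv_header(der, 0)
    if h + n != len(der):
        raise ValueError("length mismatch: paste is truncated or has trailing junk")
    return der


def _asn1_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY, else 20YY
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:  # 0x18 is GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag {tag:#x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity(der):
    """Return (notBefore, notAfter) from TBSCertificate.validity."""
    _, cert = next(_children(der))        # Certificate ::= SEQUENCE { tbsCertificate, ... }
    tbs_tag, tbs = next(_children(cert))
    fields = list(_children(tbs))
    if tbs_tag != 0x30 or not fields:
        raise ValueError("no TBSCertificate")
    if fields[0][0] == 0xA0:              # optional explicit [0] version comes first
        fields = fields[1:]
    val_tag, val = fields[3]              # serialNumber, signature, issuer, validity, ...
    times = [_asn1_time(t, b) for t, b in _children(val)]
    if val_tag != 0x30 or len(times) != 2:
        raise ValueError("malformed validity")
    return times[0], times[1]


def fingerprint(der):
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def check_pasted_certificate(pasted, downloaded, now=None):
    """Map the page's symptoms onto checks: invalid format, mismatch with Azure, expiry."""
    now = now or datetime.now(timezone.utc)
    try:
        der = pem_to_der(pasted)
        not_before, not_after = validity(der)
    except ValueError as e:
        return {"format_ok": False, "error": str(e)}
    fp = fingerprint(der)
    return {"format_ok": True, "fingerprint": fp,
            "matches_azure": fp == fingerprint(pem_to_der(downloaded)),
            "not_before": not_before, "not_after": not_after,
            "outside_validity": not (not_before <= now <= not_after)}


def _tlv(tag, content):  # minimal DER encoder for the constructed sample below
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_pem(serial=1, not_before="240101000000Z", not_after="491231235959Z"):
    """CONSTRUCTED stand-in with the X.509 outer layout only; not a real certificate."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                                       # version v3
           + _tlv(0x02, bytes([serial]))                                          # serialNumber
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
           + _tlv(0x30, b"")                                                      # issuer placeholder
           + _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
           + _tlv(0x30, b"") + _tlv(0x30, b""))                                   # subject, SPKI placeholders
    der = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

In practice, pass the text you pasted into the Public Certificate field as the first argument and the contents of the Certificate (Base64) file downloaded from Azure as the second; a `format_ok` of False explains the silent-refresh symptom, `matches_azure` False explains the "An error has occurred" symptom, and `outside_validity` True means the Azure signing certificate needs to be rolled and re-copied.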
Workplace membership
Not being a member of a digital workplace can result in the following:
- If you successfully sign in to your IdP but get redirected to a page in your digital workplace that says "You do not have sufficient access to this area" and you don't have any navigation options, it's possible that the account you signed in with is not currently a member of the digital workplace but was one previously.
- If you successfully sign in to your IdP but get redirected to a page in your digital workplace that says "The user account was not found. Please contact an administrator", it's possible that you signed in with an account that is not, and has never been, a member of the digital workplace.
In both cases, verify that the email associated with the account you are trying to sign in with is associated with an account in the workplace's member directory.
Azure AD membership
If, after entering your Azure AD credentials, you are redirected to a Microsoft page with the error "Sorry, but we’re having trouble signing you in." and the message indicates that "the signed-in user is not assigned a role", you have not been assigned to the application in Azure AD. You can configure who is assigned to the application in Azure AD on the Users and groups page of the Enterprise Application configured for this connection.