SSO: Azure AD

This article describes how to configure Azure AD as your workplace's single sign-on identity provider (IdP). This process involves making modifications to your Azure AD as well as your digital workplace. Once complete, users of your digital workplace will be able to sign in to it using their Azure AD credentials.

To follow this process, you must be able to add applications to your Azure AD and be a workplace administrator in your digital workplace.

Configuring an Azure AD single sign-on application

Adding the Igloo Software application

  1. Go to your Microsoft Azure portal.
  2. At the top of the page, select Show portal menu, and then select Azure Active Directory.
  3. In the left navigation panel, select Enterprise applications.
  4. Above the list of applications, select New application.
  5. In the Search application text box, enter Igloo Software.
  6. Select Igloo Software from the search results.
  7. (Optional) In the Name text box, enter a more descriptive name for the application.
  8. Select Create.

Configuring single sign-on for the Igloo Software application

  1. Go to the Igloo Software application that you've created.
  2. In the left navigation panel, under Manage, select Single sign-on.
  3. Select SAML as the single sign-on method.
  4. In the Basic SAML Configuration panel, select Edit.
  5. Configure these Basic SAML Configuration options as follows and then select Save:
    • Identifier: Enter your digital workplace URL with /saml.digest appended to it (e.g., https://customercare.igloosoftware.com/saml.digest).
    • Select the checkbox next to the Identifier URL that you entered to make it the default identifier.
    • Reply URL: Enter your digital workplace URL with /saml.digest appended to it (e.g., https://customercare.igloosoftware.com/saml.digest).
    • Sign on URL: Enter your digital workplace URL (e.g., https://customercare.igloosoftware.com). 
    • (Optional) Logout Url: Enter your digital workplace URL with /saml.digestlogout appended to it (e.g., https://customercare.igloocommunities.com/saml.digestlogout).
  6. In the SAML Signing Certificate panel, next to Certificate (Base64), select Download. You will need this when configuring single sign-on in your digital workplace.
  7. In the Set up panel, copy the following values; you will need these when configuring single sign-on in your digital workplace: 
    • Login URL
    • Logout URL

Configuring your digital workplace's single sign-on

  1. Go to your digital workplace and sign in.
  2. Select Control Panel.
  3. Under Membership, select Sign In Settings.
  4. Select Configure SAML Authentication.
  5. Configure the settings as described in the Configuration settings table below.
  6. Select Save.
Configuration settings

Connection Name
Enter a name for this connection. If you configure Sign in Settings to Use SAML button on "Sign in" screen, this name will be displayed on the button.

IdP Login URL
Copy and paste the Login URL from the Azure set-up instructions into this field.

IdP Logout URL
Copy and paste the Logout URL from the Azure set-up instructions into this field.

Logout Response and Request HTTP Type
Select POST.

Logout Final Redirect URL
Enter the URL of the location you want to send users to when they log out. If left blank, users will be redirected to your digital workplace's homepage.

Binding Type
Select POST.

Public Certificate
Copy and paste the contents of the Certificate (Base64) file downloaded from Azure into this field. You will need to open the certificate file in a text editor.

Identity Provider
Select Other.

Identifier Type
Select Email Address.

Identifier Path
Enter: /samlp:Response/saml:Assertion/saml:Subject/saml:NameID

Session Index Path
Enter: /samlp:Response/saml:Assertion/saml:AuthnStatement[@Name="SessionIndex"]

Email Path
Enter emailaddress. This is the default claim name that is associated with user.mail in Azure.

First Name Path
Enter givenname. This is the default claim name that is associated with user.givenname in Azure.

Last Name Path
Enter surname. This is the default claim name that is associated with user.surname in Azure.

Drift Time
Enter 5.

User creation on Sign in
Select how your digital workplace handles users who attempt to sign in when they have valid IdP credentials but are not members of the digital workplace.

Options include:

  • Create a new user in your site when they sign in (users will be added to Manage Members on sign in)
  • Do not create new users when they sign in (users not in Manage Members will be denied access)

When creating new users in your digital workplace this way, they will be created with the following details:

  • First Name (from First Name Path)
  • Last Name (from Last Name Path)
  • Email Address (from Email Path)
  • CustomIdentifier (from Identifier Path, if the Identifier Type is Custom Identifier)
  • Membership in the All Members group

If enabled, this option does not provide any additional user syncing functionality (e.g., additional fields, group membership, deprovisioning, etc.).

If your digital workplace uses the ILST to manage members, select Do not create new users when they sign in to avoid the creation of duplicate user accounts.

Sign in Settings
Select how users sign in to your workplace.

Options include:

  • Use SAML button on "Sign in" screen
  • Redirect all users to IdP

For setting up and testing the connection, it can be convenient to temporarily select Use SAML button on "Sign in" screen and only switch to Redirect all users to IdP once you have confirmed that single sign-on is working correctly.
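The path and claim settings in the table above point at specific parts of the SAML Response that Azure AD posts to the Reply URL. The following is an added example, not Igloo's or Microsoft's code, that shows how those settings resolve against a constructed sample Response using only the Python standard library: the Identifier Path is evaluated as an XPath from the Response root, the emailaddress, givenname and surname claim names are matched against Azure AD's full default claim URIs, the Audience is compared with the Identifier (Entity ID), and the 5-minute Drift Time widens the assertion's NotBefore/NotOnOrAfter window. The tenant ID, assertion IDs, the example.igloosoftware.com host and the user values in the sample are placeholders.

```python
"""Added example: resolve Igloo's SAML path/claim settings against a SAML
Response and apply the Drift Time to the assertion's validity window."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace prefixes exactly as used in the Identifier Path setting.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values copied from the Configuration settings table.
IDENTIFIER_PATH = "/samlp:Response/saml:Assertion/saml:Subject/saml:NameID"
EMAIL_PATH, FIRST_NAME_PATH, LAST_NAME_PATH = "emailaddress", "givenname", "surname"
DRIFT_MINUTES = 5

# Constructed sample Response (not a real capture). Tenant ID, assertion IDs and
# the workplace host are placeholders; the claim URIs are Azure AD's defaults.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_response-placeholder"
    Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://example.igloosoftware.com/saml.digest">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_assertion-placeholder" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://example.igloosoftware.com/saml.digest</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Parse the Response document and return its root element."""
    return ET.fromstring(xml_text)


def resolve_path(root, path):
    """Return the text of the element an absolute documented path points at.
    ElementTree rejects absolute paths, so the first segment is checked against
    the root tag and the rest is searched relative to the root."""
    segments = path.strip("/").split("/")
    prefix, _, local = segments[0].partition(":")
    if root.tag != "{%s}%s" % (NS[prefix], local):
        raise ValueError("path does not start at the Response root: %s" % path)
    element = root.find("./" + "/".join(segments[1:]), NS) if len(segments) > 1 else root
    if element is None:
        raise ValueError("no element matches %s" % path)
    return (element.text or "").strip()


def claim_value(root, claim_name):
    """Look up an attribute by the short claim name used in the Email Path,
    First Name Path and Last Name Path settings. Azure AD sends the full claim
    URI, so the last URI segment is compared as well as the whole Name."""
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name == claim_name or name.rsplit("/", 1)[-1] == claim_name:
            value = attr.find("saml:AttributeValue", NS)
            return (value.text or "").strip() if value is not None else None
    return None


def parse_saml_time(stamp):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in stamp else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def within_validity(root, now_stamp, drift_minutes=DRIFT_MINUTES):
    """Check the Conditions window, widened on both sides by the Drift Time so a
    few minutes of clock skew between Azure AD and the workplace do not reject
    an otherwise valid assertion. now_stamp is a SAML-style UTC timestamp."""
    conditions = root.find("./saml:Assertion/saml:Conditions", NS)
    drift = timedelta(minutes=drift_minutes)
    now = parse_saml_time(now_stamp)
    not_before = parse_saml_time(conditions.get("NotBefore")) - drift
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter")) + drift
    return not_before <= now < not_on_or_after


def audience_matches(root, entity_id):
    """The assertion must be addressed to this workplace: an Audience has to
    equal the Identifier (Entity ID) configured in Azure AD."""
    audiences = root.iterfind(
        "./saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return any((a.text or "").strip() == entity_id for a in audiences)


def map_user(root):
    """Build the member record created on first sign-in: identifier from the
    Identifier Path, plus the Email, First Name and Last Name claims."""
    return {
        "identifier": resolve_path(root, IDENTIFIER_PATH),
        "email": claim_value(root, EMAIL_PATH),
        "first_name": claim_value(root, FIRST_NAME_PATH),
        "last_name": claim_value(root, LAST_NAME_PATH),
    }


if __name__ == "__main__":
    response = parse_response(SAMPLE_RESPONSE)
    print(map_user(response))
    print("audience ok:", audience_matches(response, "https://example.igloosoftware.com/saml.digest"))
    print("valid at 11:56Z:", within_validity(response, "2024-01-01T11:56:00Z"))
```

Running the file prints the mapped member record and the two checks. With a Drift Time of 5, an assertion whose NotBefore is 11:59Z is already accepted at 11:56Z; with a drift of 0 the same assertion is rejected, which is the clock-skew case the setting exists for. A failed Audience comparison on a real Response means the Identifier (Entity ID) in Azure AD and the workplace URL with /saml.digest do not agree, the mismatch described under Troubleshooting.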

Verifying that single sign-on is set up correctly

Adding a test user to the Igloo Software application in Azure

  1. In Azure, go to the Igloo Software application that you've created.
  2. In the left navigation panel, under Manage, select Users and groups.
  3. Select Add user/group.
  4. Under Users, select None Selected.
  5. In the search box on the Users panel, enter the user's name.
  6. Select the user from the list of search results, and then select Select.
  7. Select Assign.

Adding the same test user as a member of your digital workplace

  1. Go to your digital workplace and sign in.
  2. Select Control Panel.
  3. Under Membership, select Manage Members.
  4. Select Add Members.
  5. Add the user as follows:
    • First Name: Enter the first name of the user.
    • Last Name: Enter the last name of the user.
    • Email: Enter the user's email. This email address should match the user's user.userprincipalname value in Azure.
    • Password: Enter a password for the user. This password is for Igloo Authentication. You are required to enter a value in this field even if the user will only ever sign in through SAML.
    • Confirm Password: Re-enter the user's Igloo Authentication password.
    • System Groups: Do not select any other groups to add the user to.
    • Regular Groups: Do not select any other groups to add the user to.
  6. Select Create Member.

Using the test user to sign in to your workplace with Azure single sign-on

In a private browser window, go to your digital workplace. Depending on how you have configured SAML, you will either be redirected to your IdP or arrive at the Igloo Authentication page. For the latter case, in the upper right corner of the Sign in box, select Use: {your connection's name} to go to your IdP.

While on your IdP's sign-in page, enter the credentials of your test user. If everything is configured correctly, you will be redirected back to your digital workplace and be signed in.

Troubleshooting issues

Incorrect IdP Login URL

If you see a "page can't be found" message after being redirected to your IdP, you may have entered an incorrect IdP Login URL on your digital workplace's SAML Configuration page. Confirm that the value you have entered in this field matches the Login URL in Azure AD. You can find this value in Azure AD on the Single Sign-on page of the Enterprise Application configured for this connection.

Incorrect Identifier (Entity ID) and/or Reply URL

If, after entering your Azure AD credentials, you are redirected to a Microsoft page with the error "Sorry, but we’re having trouble signing you in." and the message indicates "Misconfigured application", either the Identifier (Entity ID) or the Reply URL (Assertion Consumer Service URL) for the connection in Azure AD may be incorrect. Verify that these values are your digital workplace's domain with /saml.digest appended to it. You can configure these values in Azure AD on the Single Sign-on page of the Enterprise Application configured for this connection. 

Public certificate issues

The following are issues that can occur with the public certificate:

  • Invalid format: On your digital workplace's SAML Configuration page, if you click Save and the page refreshes without your changes being saved, the Public Certificate may have an invalid format.
  • Expired or mismatched: If, after signing in, you are brought back to your digital workplace's sign-in page with the message "An error has occurred. Please try again and, if that fails, contact support", the public certificate in Igloo does not match what Azure is expecting.

To resolve these issues, verify that the public certificate in your digital workplace matches that of your application in Azure. You can find the Certificate (Base64) in Azure AD on the Single Sign-on page of the Enterprise Application configured for this connection. 

Workplace membership

Not being a member of a digital workplace can result in the following:

  • If you successfully sign in to your IdP but get redirected to a page in your digital workplace that says "You do not have sufficient access to this area" and you don't have any navigation options, it's possible that the account you signed in with is not currently a member of the digital workplace but has been in the past.
  • If you successfully sign in to your IdP but get redirected to a page in your digital workplace that says "The user account was not found. Please contact an administrator", it's possible that you signed in with an account that is not, and has never been, a member of the digital workplace.

In both cases, verify that the email associated with the account you are trying to sign in with is associated with an account in the workplace's member directory.

Azure AD membership

If, after entering your Azure AD credentials, you are redirected to a Microsoft page with the error "Sorry, but we’re having trouble signing you in." and the message indicates that "the signed-in user is not assigned a role", you have not been assigned to the application in Azure AD. You can configure who is assigned to the application in Azure AD on the Users and groups page of the Enterprise Application configured for this connection. 
