You can configure Microsoft Entra as your workplace's single sign-on identity provider (IdP). This process involves making modifications to your Microsoft Entra as well as your digital workplace. Once complete, users of your digital workplace can sign in to it using their Microsoft Entra credentials.
To follow this process, you must be able to add applications to your Microsoft Entra and be a workplace administrator in your digital workplace.
Sections in this article:
- Configure a Microsoft Entra single sign-on application
- Configure your digital workplace's single sign-on
- Verify that single sign-on is configured correctly
- Troubleshooting issues
Configure a Microsoft Entra single sign-on application
Add the Igloo Software application to Microsoft Entra
- Go to the Microsoft Entra Admin Center and sign in with your administrator credentials.
- In the left sidebar, select Entra ID to expand it, then select Enterprise apps.
- Select New application.
- Select + Create your own application.
- In the Search application text box, enter Igloo Software.
- Select Igloo Software from the search results.
- (Optional) In the Name text box, enter a more descriptive name for the application.
- Select Create.
Configure single sign-on for the Igloo Software application
- Go to the Igloo Software application that you've created.
- In the left navigation panel, under Manage, select Single sign-on.
- Select SAML as the single sign-on method.
- In the Basic SAML Configuration panel, select Edit.
- Configure these Basic SAML Configuration options as follows and then select Save:
  - Identifier: Select Add identifier and then select the textbox. Enter your digital workplace URL with /saml.digest appended to it (e.g., https://customercare.igloosoftware.com/saml.digest).
  - Reply URL: Select Add reply URL and then select the textbox. Enter your digital workplace URL with /saml.digest appended to it (e.g., https://customercare.igloosoftware.com/saml.digest).
  - Sign on URL: Enter your digital workplace URL (e.g., https://customercare.igloosoftware.com).
  - Logout Url: (Optional) Enter your digital workplace URL with /saml.digestlogout appended to it (e.g., https://customercare.igloocommunities.com/saml.digestlogout).
- In the SAML Certificates panel, next to Certificate (Base64), select Download. You will need this when configuring single sign-on in your digital workplace.
- In the Set up panel, copy the following values; you will need these when configuring single sign-on in your digital workplace:
- Login URL
- Logout URL
Configure your digital workplace's single sign-on
- Go to your digital workplace and sign in.
- On the Userbar, select Control Panel.
- Under Membership, select Sign In Settings.
- Select Configure SAML Authentication.
- Configure the settings as described in the Configuration settings table below.
- Select Save.
| Setting | Description |
|---|---|
| Connection Name | Enter a name for this connection. If you configure Sign in Settings to Use SAML button on Sign in screen, this name will be displayed on the button. |
| IdP Login URL | Copy and paste the Login URL from the Microsoft Entra configuration instructions into this field. |
| IdP Logout URL | Copy and paste the Logout URL from the Microsoft Entra configuration instructions into this field. |
| Logout Response and Request HTTP Type | Select POST. |
| Logout Final Redirect URL | Enter the URL of the location to which you want to send members when they log out. If left blank, members will be redirected to your digital workplace's homepage. |
| Binding Type | Select POST. |
| Public Certificate | Copy and paste the Certificate (Base64) from the Microsoft Entra configuration instructions into this field. Open the certificate file using a text editor to get this value. |
| Identity Provider | Select Other. |
| Identifier Type | Select Email Address. |
| Identifier Path | Enter |
| Session Index Path | Enter |
| Email Path | Enter |
| First Name Path | Enter |
| Last Name Path | Enter |
| Drift Time | Enter |
| User creation on Sign in | Select how your digital workplace handles users who attempt to sign in when they have valid IdP credentials but are not members of the digital workplace. Options include:<br>When creating new users in your digital workplace this way, they will be created with the following details:<br>If turned on, this option does not provide additional user syncing functionality (e.g., additional fields, group membership, deprovisioning, etc.). If your digital workplace uses the ILST to manage members, select Do not create new users when they sign in to avoid creating duplicate user accounts. |
| Sign in Settings | Select how users sign in to your workplace. Options include:<br>For setting up and testing the connection, it can be convenient to temporarily select Use SAML button on "Sign in" screen and then only switch to Redirect all users to IdP once you have confirmed that single sign-on is working correctly. |
Verify that single sign-on is configured correctly
Add a test user to the Igloo Software application in Microsoft Entra
- In Microsoft Entra, go to the Igloo Software application you created.
- In the left navigation panel, under Manage, select Users and groups.
- Select Add user/group.
- Under Users, select None Selected.
- In the search box above the Users panel, enter the user's name.
- Select the user from the search results list, and then choose Select.
- Select Assign.
Add the same test user as a member of your digital workplace
- Go to your digital workplace and sign in.
- On the Userbar, select Control Panel.
- Under Membership, select Manage Members.
- Select Add Members.
- Add the user as follows:
- First Name: Enter the first name of the user.
- Last Name: Enter the last name of the user.
- Email: Enter the user's email. This email address should match the user's user.userprincipalname value in Microsoft Entra.
- Password: Enter a password for the user. This password is for Igloo Authentication. You must enter a value in this field even if you only intend to sign in using SAML authentication.
- Confirm Password: Re-enter the user's Igloo Authentication password.
- System Groups: Do not select any other groups to add the user to.
- Regular Groups: Do not select any other groups to add the user to.
- Select Create Member.
Using the test user to sign in to your workplace with Microsoft Entra single sign-on
In a private browser window, go to your digital workplace. Depending on how you have configured SAML, you will either be redirected to your IdP or arrive at the Igloo Authentication page. For the latter case, in the upper right corner of the Sign in box, select Use: {your connection's name} to go to your IdP.
While on your IdP's sign-in page, enter the credentials of your test user. If everything is configured correctly, you will be redirected back to your digital workplace and be signed in.
Troubleshooting issues
Incorrect IdP Login URL
If you see a "page can't be found" message after being redirected to your IdP, you may have entered an incorrect IdP Login URL on your digital workplace's SAML Configuration page. Confirm that the value you have entered in this field matches the Login URL in Microsoft Entra. You can find this value in Microsoft Entra on the Single Sign-on page of the Enterprise Application configured for this connection.
Incorrect Identifier (Entity ID) and/or Reply URL
If, after entering your Microsoft Entra credentials, you are redirected to a Microsoft page with the error "Sorry, but we're having trouble signing you in." and the message indicates "Misconfigured application", either the Identifier (Entity ID) or the Reply URL (Assertion Consumer Service URL) for the connection in Microsoft Entra may be incorrect. Verify that these values are your digital workplace's domain with /saml.digest appended to it. You can configure these values in Microsoft Entra on the Single Sign-on page of the enterprise application configured for this connection.
Public certificate issues
The following are issues that can occur with the public certificate:
- Invalid format: On your digital workplace's SAML Configuration page, if you select Save and the page refreshes without your changes being saved, the Public Certificate may have an invalid format.
- Expired or Mismatched: If, after signing in, you are brought back to your digital workplace's sign-in page with the message "An error has occurred. Please try again and, if that fails, contact support", the public certificate in Igloo does not match what Microsoft Entra is expecting.
To resolve these issues, verify that the public certificate in your digital workplace matches that of your application in Microsoft Entra. The Certificate (Base64) in Microsoft Entra is found on the Single Sign-on page of the Enterprise Application configured for this connection.
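The Identifier/Reply URL values and the pasted Public Certificate are where most of the misconfigurations above originate (a doubled slash from a workplace URL that ends in "/", stray PEM headers or line breaks in the certificate field, or a certificate that no longer matches the one in Entra). The following Python helper is an added example, not Igloo or Microsoft code: it derives the expected SAML URLs from a workplace URL and normalizes a pasted certificate so it can be compared with the Certificate (Base64) downloaded from Entra. The function names and the tiny sample Base64 values are constructed for illustration and are not real certificates.

```python
"""Checks for the Entra -> Igloo SAML values described in this article.
Added example, not Igloo or Microsoft code; function names are assumptions."""
import base64
import binascii
import hashlib
from urllib.parse import urlsplit

# Constructed samples: tiny DER SEQUENCEs, NOT real certificates. They only
# exercise the format checks below; use the Certificate (Base64) from Entra.
SAMPLE_CERT_B64 = "MAMCAQE="
SAMPLE_OTHER_B64 = "MAMCAQI="


def expected_saml_urls(workplace_url: str) -> dict:
    """Derive Identifier, Reply URL, Sign on URL and Logout Url from the
    workplace URL, ignoring any trailing slash so /saml.digest is not doubled."""
    parts = urlsplit(workplace_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("workplace URL must be an absolute https URL")
    base = f"https://{parts.netloc}"
    return {
        "identifier": base + "/saml.digest",
        "reply_url": base + "/saml.digest",
        "sign_on_url": base,
        "logout_url": base + "/saml.digestlogout",
    }


def normalize_certificate(pasted: str) -> tuple:
    """Accept what was pasted into Public Certificate (PEM with headers or bare
    Base64, any line wrapping) and return (canonical PEM, SHA-256 fingerprint).
    Raises ValueError for the 'Invalid format' troubleshooting case."""
    lines = [ln.strip() for ln in pasted.replace("\r", "").splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"certificate is not valid Base64: {exc}") from exc
    if not der or der[0] != 0x30:  # a DER X.509 certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded data is not a DER certificate")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"
    return pem, hashlib.sha256(der).hexdigest()


def certificates_match(pasted_in_igloo: str, downloaded_from_entra: str) -> bool:
    """True when both values are the same certificate regardless of PEM headers
    or wrapping (the 'Expired or Mismatched' troubleshooting case)."""
    return (normalize_certificate(pasted_in_igloo)[1]
            == normalize_certificate(downloaded_from_entra)[1])
```

Comparing fingerprints rather than raw text avoids false alarms caused only by line wrapping or the BEGIN/END headers, while still catching a certificate that was rotated in Entra after the Igloo field was filled in.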
Workplace membership
Not being a member of a digital workplace can result in the following:
- If you successfully sign in to your IdP but get redirected to a page in your digital workplace that says "You do not have sufficient access to this area" and you don't have any navigation options, it's possible that the account you signed in with is not a member of the digital workplace but has been before.
- If you successfully sign in to your IdP but get redirected to a page in your digital workplace that says, "The user account was not found. Please contact an administrator," it's possible that you signed in with an account that is not or has not been a member of the digital workplace.
In both cases, verify that the email associated with the account you are trying to sign in with is associated with an account in the workplace's member directory.
Microsoft Entra membership
If, after entering your Microsoft Entra credentials, you are redirected to a Microsoft page with the error "Sorry, but we're having trouble signing you in." and the message indicates that "the signed-in user is not assigned a role", you have not been assigned to the application in Microsoft Entra. You can configure who is assigned to the application in Microsoft Entra on the Users and groups page of the Enterprise Application configured for this connection.