Enable Single Sign On via Azure AD using SAML

This article describes the procedure for configuring single sign-on via Azure AD using SAML integration with Resolution Intelligence Cloud.

Security Assertion Markup Language (or SAML) is an open authentication standard that allows for the secure exchange of user identity information from one party to another. SAML enables SSO, a technology that allows for a single user login to work across multiple applications and services.

You can sign on with a single click without having an existing account in Resolution Intelligence Cloud. This document explains the detailed procedure to set up a SAML connection in both Azure AD and Resolution Intelligence Cloud.

Important: Refer to this article for details on how to reset MFA for a specific user if the user lost an MFA-enabled device.

Prerequisites

• Admin role in both Resolution Intelligence Cloud and Azure AD.
• Resolution Intelligence Cloud admin must have a role that can configure SAML identity providers.

Configuring SAML connection in Azure AD

1. Login to Azure portal (https://portal.azure.com)
2. Navigate to Home -> Azure Active Directory
3. Click Enterprise Applications from the left menu

4. Click New application, then click Create your own application.

5. Enter a name for your app

6. Select Integrate any application you don’t find in the gallery(Non-gallery)

7. Click Create at the bottom of your screen.
A new from appears on the screen

8. From the left menu, click Single Sign On

9. Under Single Sign On method, click SAML tile

10. Follow the steps according to your specific region:

US Region:
If login URL is https://app.netenrich.com

1. 1. In the identifier (Entity ID), type urn:auth0:prod-netenrich:customernamesaml
       NOTE: For “customername”, type your company name
   2. In the Reply URL (Assertion Consumer Service URL) field, type https://auth.netenrich.com/login/callback
   3. In Sign on URL field, type https://auth.netenrich.com
   4. In Logout URL field, type https://auth.netenrich.com/logout

India Region:

If login URL is https://in-app.netenrich.com

1. 1. In the identifier (Entity ID), type urn:auth0:prod-in-netenrich:customernamesaml
       NOTE: For “customername”, type your company name
   2. In the Reply URL (Assertion Consumer Service URL) field, type https://in-auth.netenrich.com/login/callback
   3. In Sign on URL field, type https://in-auth.netenrich.com
   4. In Logout URL field, type https://in-auth.netenrich.com/logout

EU Region:

If login URL is https://eu-app.netenrich.com

1. 1. In the identifier (Entity ID), type urn:auth0:prod-netenrich:customernamesaml
      NOTE: For “customername”, type your company name
   2. In the Reply URL (Assertion Consumer Service URL) field, type https://eu-auth.netenrich.com/login/callback
   3. In Sign on URL field, type https://eu-auth.netenrich.com
   4. In Logout URL field, type https://eu-auth.netenrich.com/logout

11. Click Save.
A form with configuration details appears on the screen

Note: Please note the following details to use later while configuring SAML integration in Resolution Intelligence Cloud

• • Certificate (Base64)
  • Identifier (Entity ID)
  • Login URL
  • Azure AD Identifier
  • Logout URL
  • App Federation metadata URL
  • Download Certificate in Base64 format

Adding Users/Groups

After you have configured the SAML connection, you can add one or more users or groups to provide access to the newly configured application.

To add users or groups,

1. From the left menu, click Users and Groups
2. Click Add user/group at the top of your screen
3. Enter username or group name
4. Click Save

Configuring SAML connection in Resolution Intelligence Cloud

To configure SAML connection,

1. From Resolution Intelligence Cloud home screen, click Configurations --> Authentication in the left menu
2. Click Setup Provider under the SAML tile
   A New SAML Connection form appears
3. Enter the following fields and click Create at the bottom of screen

Field	Description
Connection name	Logical identifier for your connection; it must be unique. Once set, this name can't be changed. For connection name type the name in below format. customernamesaml NOTE: For “customername”, type your company name
Sign in URL	Login URL that you have noted down from Azure App SAML settings
X509 Signing Certificate	Select the certificate that you have downloaded from Azure App SAML settings
Sign out URL	Logout URL that you have noted down from Azure App SAML settings
User ID Attribute	Copy below URL for User ID Attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Sign Request Algorithm	Optional
Sign Request Digest Algorithm	Optional
Protocol Binding	Optional
Identity Provider Domains	Enter a list of trusted domains with which you want to be identified as identity providers. These are the domains that user accounts have. Examples: user login is user@contoso.com, enter contoso.com. If there are multiple domains, then enter all the domains as comma-separated list.
Multifactor Authentication	Multi-Factor Authentication (MFA) can be toggled on or off at any point during or after setting up the Single Sign-On (SSO) Connection. It is important to note that MFA functionality is exclusive to the SSO connection and applies solely to users logging in via the domain specified under "identity provider domains." By default, MFA is disabled. To activate it, tick mark the checkbox labelled "Enable MFA while user login."

4. You have established SAML connection successfully

Invite User with SSO Integration

1. For users to be able to login using SSO, they must be re-invited using the SSO connection.
2. An existing Owner or Global Admin user with local authentication logged in, add a new user with Owner role by enabling the newly created SSO integration in Resolution Intelligence Cloud.

3. A newly invited user will be redirected to Azure AD for authentication.

4. For existing users with local authentication, users must be deleted and re-invited using an SSO connection."