Azure AD SAML Setup

Learn how to configure a connection to Azure AD via SAML

Erik Pelletier avatar
Written by Erik Pelletier
Updated over a week ago

Introduction

Each SSO Identity Provider requires specific information to create and configure a new connection. And often, the information required to create a connection will differ by Identity Provider (IdP).

To create an Azure AD SAML connection within DebtBook, you'll need the Login URL and Azure AD Identifier from your organization's Azure AD instance.


What You'll Need

You'll need a DebtBook account with the Admin role assigned to access the Single Sign-On settings page and adjust the Account Security settings to force all users to use SSO for authentication.

You will also need access to your organization's Azure AD instance and the ability to create a new SAML application that can be assigned to one or more users/groups in your organization. This will enable you to provide the information requested on the Single Sign On Settings page within DebtBook.

Normally, this information will come from a member of your organization's IT Management or Security teams.


What DebtBook Provides

DebtBook provides the ACS URL and IdP URI (Entity ID) to enable the setup of a non-gallery SAML application within Azure AD. A basic Metadata.xml file is also available for download to upload these URLs into Azure without having to type or copy/paste.

The ACS URL is the location an Identity Provider redirects its authentication response to. In Azure AD’s case, it needs to be set when configuring the SAML application within Azure AD.

Specifically, the ACS URL will need to be set as the “Reply URL (Assertion Consumer Service URL)” in the “Basic SAML Configuration” step of the Azure AD “Set up Single Sign-On with SAML” steps.

The Entity ID is a URI used to identify the issuer of a SAML request, response, or assertion. In this case, the entity ID is used to communicate that DebtBook will be the party performing SAML requests to your organization's Azure AD instance.


Create SAML Application in Azure AD

1. Log in to your Azure AD Instance to get started

2. Select Enterprise Applications and choose the option to create a + New Application

3. Specify DebtBook as the name for the new application and under “What are you looking to do with your application?”, select “Integrate any other application you don’t find in the gallery (Non-gallery)”, then select “Create”.

4. Select your new application from the directory listing to being SAML Configuration

5. Select “Single Sign On” from the “Manage” section in the left sidebar navigation menu, and then “SAML”

6. Click the Edit icon in the top right corner of the first step "Basic SAML Configuration"

Upload the Metadata file from DebtBook or input the IdP URI (Entity ID) as the “Identifier (Entity ID)”. Input the ACS URL as the “Reply URL (Assertion Consumer Service URL)”.

7. Configure Attributes and Claims by clicking the Edit icon in the top right corner of the second step "Attributes & Claims". DebtBook user names are in email address format so your principal name must follow the same format or you have to change the Name Identifier Format to Email Address and the source attribute to user.mail (or similar).

Make sure the following attribute mapping is set:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressuser.mail

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennameuser.givenname

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameuser.userprincipalname

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surnameuser.surname

8. Add Users to SAML Application or determine if an assignment is required

All users must have an account set up in DebtBook in order to access the application. This enables us to easily support email/password and Single Sign-On seamlessly.

9. Obtain Identity Provider details to input into DebtBook Single Sign-On Settings

10. Download SAML Signing Certificate, open it in a text editor, and copy the certificate

11. Add values for the Login URL, Azure AD Identifier, and Certificate to DebtBook's Single Sign-On Settings page and Test Connection

12. Once the connection has been verified, you will be able to Enable it for your organization as a login method

Did this answer your question?