Azure AD - SAML Setup
Guide for setting up SSO with Azure AD using SAML
Last updated
Guide for setting up SSO with Azure AD using SAML
Last updated
The Azure AD SSO integration allows for a centralized and secure login process for businesses that utilise Azure AD as their identity provider.
Azure AD relies on Enterprise Applications to configure SSO
On the top right, press the account preferences icon and select account settings from the drop-down menu
From the menu on the left, select SSO Config to bring up the SSO Configuration screen
Azure AD uses SAML as the way to integrate their identity platform with Hava. From the two choices ('SAML' and 'OIDC') select SAML
You should be presented with a screen showing you two sections, Identity Provider, and Service Provider. In this case the Identity Provider is represented by Azure AD and the Service Provider is Hava.
Take note of the details in the Service Provider section, as we will use these when setting up Azure AD.
In the Azure Portal, go to the Azure Active Directory service, and select Enterprise applications from the menu on the left side
Click the create application button on the top of the screen to start the process for setting up a new Enterprise application.
Have is not set up with an easy integration with Azure AD yet (this is coming soon), so we have to create our own application. Press the 'Create your own application' button on the top of the page
A pane will open on the right side of the screen asking you to name the application and select one of 3 choices of what you are looking to do with the application.
enter hava.io as the name
Select Integrate any other application you don't find in the gallery (Non-gallery) from the choices
Click Create on the bottom of the pane
This will create the application for you and bring you to the resource in Azure AD once it has completed.
On the menu on the left, select Single sign-on to open the single sign-on configuration page.
Select SAML as the single sign-on method
You should see a page asking you to fill in details to Set up Single Sign-On with SAML
In the Basic SAML configuration box, press edit and fill in the details that you took note of earlier in the Hava SAML setup page (Service Provider)
Map the values like this:
| Azure AD Name | Hava Name |
|---|---|
Identifier (Entity ID) | Issuer (Entity ID) |
Reply URL (Assertion Consumer Service URL) | Assertion Consumer Service URL |
Sign on URL | Login URL |
Relay State (Optional) | n/a |
Logout Url | n/a |
When adding the Reply URL and the Sign on URL, please add a / before the ? in the url. Azure AD requires this to map urls correctly.
https://app.hava.io/users/auth/saml/callback?id=<id>
to
https://app.hava.io/users/auth/saml/callback/?id=<id>
Once this is complete, press save on the top of the screen and go back to the Single sign-on screen by pressing the X in the top right corner
Attributes are used to map user details between Azure AD and Hava. We need to change the Unique User Identifier to be email, rather than the default of userprinciplename.
Press the edit button, then click on the Unique User Identifies to modify the source attribute
Change it to user.mail
In the 3rd box, download the Certificate (Base 64) to your machine and open it in a text editor to be ready for the next stage
The 4th box contains the values for setting up the SAML configuration for the Identity Provider in Hava.
Copy the values from the 4th box into the form in Hava using these mappings
| Hava Value | Azure AD Value |
|---|---|
Identity Provider Entity ID | Azure AD Identifier |
Identity Provider SSO URL | Login URL |
Last step before testing is to insert the downloaded certificate into the text area. Make sure to copy the whole content of the file, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
Press save.
On the bottom of the SSO config page in Hava there is a button to enable SAML. Once this is done, you are ready to test your SSO login from Azure AD.
Test this in a private browser window to make sure there is no cookies that cause you to be logged in automatically
