Azure Setup
SSO - Identity Provider Setup
For organizations using Microsoft Azure Active Directory (AD) as their identity provider and access management service, it is simple and scalable to create users for the BlueFletch Portal website using single sign-on (SSO) through SAML. The BlueFletch Portal can be configured within an organization's Azure Portal as a SAML enterprise application. The resulting metadata should be provided back to BlueFletch to complete the configuration.
Once SSO is configured for the BlueFletch Portal, users who are allowed to access the BlueFletch Portal can log in to a new Portal account with their Azure-managed username, and they will be authenticated by Azure AD.
Log in to your Azure Portal at https://portal.azure.com.
Navigate to the Azure Active Directory page.
Select Enterprise applications from the panel of Manage options on the left.
Press New Application and Create your own application.
Set up the enterprise application with:
Identifier (Entity ID): "saml.[organization's login domain for Azure]" (e.g. saml.bluefletch.com)
Reply URL (Assertion Consumer Service URL): "https://ems.bluefletch.com/__/auth/handler"
Sign on URL: "https://ems.bluefletch.com"
In Attributes & Claims, set the following values to enable email logins to auto-generate BlueFletch Portal user accounts:
Required claim:
Unique User Identifier (Name ID)
  Type: "SAML"
  Value: "user.userprincipalname"
Additional claims:
EmailAddress
  Type: "SAML"
  Value: "user.mail"
FirstName
  Type: "SAML"
  Value: "user.givenname"
LastName
  Type: "SAML"
  Value: "user.surname"
Note: For each Additional claim, the claim name is case-sensitive and the namespace field should be left blank/empty.
If mapping Azure groups to Portal roles, add a group claim named "Groups" (Portal's code checking for this variable is case-sensitive, so be sure it is spelled with a capital "G"). To add a group claim:
Press Add a group claim.
For groups to be returned in the claim, select "All groups".
Select "Group ID" or "sAMAccountName" as the source attribute.
Use "Group ID" if using Entra/Azure Active Directory cloud service.
Use "sAMAccountName" if using an on-premises Active Directory.
Customize the name of the group claim and name it "Groups".
Select the checkbox to expose the claim in JWT tokens.
Press Save.
Retrieve the following from Azure AD to use in Portal Setup, or to provide back to BlueFletch:
Federation Metadata XML
or all of the following:
Certificate in Base64
Login URL
Azure AD Identifier
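A quick way to confirm that the claim configuration above came out right is to inspect a SAML response issued by the enterprise application and compare the claim names against the exact, case-sensitive names the Portal expects. The following checker is an added example and is not BlueFletch's or Microsoft's code; the SAML response, user values and group IDs it parses are constructed for illustration, with the group claim deliberately misspelled "groups" to show what gets reported.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names the Portal reads; matching is exact and case-sensitive.
REQUIRED_CLAIMS = ("EmailAddress", "FirstName", "LastName")
GROUP_CLAIM = "Groups"  # optional, only needed when mapping Azure groups to roles

# Constructed sample response (not captured from a real tenant); "groups" is miscased on purpose.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="EmailAddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
        <saml:AttributeValue>00000000-0000-0000-0000-000000000002</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_claims(response_xml: str) -> dict:
    """Return the Name ID, the claims found, and a list of configuration problems."""
    root = ET.fromstring(response_xml)
    problems = []
    name_id_el = root.find(".//saml:Subject/saml:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""
    if not name_id:
        problems.append("Required claim Name ID (NameID) is missing or empty")

    # Collect every attribute as {claim name: [values]}; group claims carry several values.
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name", "")] = values

    for expected in REQUIRED_CLAIMS + (GROUP_CLAIM,):
        if expected in claims:
            continue
        # A near miss is the same name with the wrong case or with a namespace URI prefixed.
        near = [n for n in claims if n.rsplit("/", 1)[-1].lower() == expected.lower()]
        if near:
            problems.append(f"Claim {near[0]!r} must be named exactly {expected!r} (case-sensitive, blank namespace)")
        elif expected != GROUP_CLAIM:
            problems.append(f"Claim {expected!r} is missing")
    return {"name_id": name_id, "claims": claims, "problems": problems}
```

Running `check_claims` on a real response captured from a test login (for example via the browser's SAML-tracer tooling) reports the miscased "groups" claim; renaming it to "Groups" in Azure clears the list.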