BlueFletch Enterprise

Azure Setup

SSO - Identity Provider Setup


Last updated 2 months ago

For organizations using Microsoft Azure Active Directory (AD) as their identity provider and access management service, it is simple and scalable to create users for the BlueFletch Portal website using single sign-on (SSO) through SAML. The BlueFletch Portal can be configured within an organization's Azure Portal as a SAML enterprise application. The resulting metadata should be provided back to BlueFletch to complete the configuration.

Once SSO is configured for the BlueFletch Portal, users who are allowed to access the BlueFletch Portal can log in to a new Portal account with their Azure-managed username, and they will be authenticated by Azure AD.

Configuring SSO with Azure

  1. Log in to your Azure Portal at https://portal.azure.com.

  2. Navigate to the Azure Active Directory page.

  3. Select Enterprise applications from the panel of Manage options on the left.

  4. Press New Application and Create your own application.

  5. Set up the enterprise application with:

    • Identifier (Entity ID): "saml.[organization's login domain for Azure]" (e.g. saml.bluefletch.com)

    • Reply URL (Assertion Consumer Service URL): "https://ems.bluefletch.com/__/auth/handler"

    • Sign on URL: "https://ems.bluefletch.com"

  6. In Attributes & Claims, set the following values to enable email logins to auto-generate BlueFletch Portal user accounts:

    Required claim:

    • Unique User Identifier (Name ID)

      • Type: "SAML"

      • Value: "user.userprincipalname"

    Additional claims:

    • EmailAddress

      • Type: "SAML"

      • Value: "user.mail"

    • FirstName

      • Type: "SAML"

      • Value: "user.givenname"

    • LastName

      • Type: "SAML"

      • Value: "user.surname"

      Note: For each Additional claim, the claim name is case sensitive and the namespace field should be blank/empty.

  7. If mapping Azure groups to Portal roles, add a group claim named "Groups" (the Portal's check for this claim name is case-sensitive, so be sure it is spelled with a capital "G"). To add a group claim:

    1. Press Add a group claim.

    2. For groups to be returned in the claim, select "All groups".

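      1. In its documentation, Azure recommends that larger organizations use the "Groups assigned to the application" option to avoid issues due to its per-token group number limit. For more information, consult: https://docs.azure.cn/en-us/entra/identity-platform/optional-claims?tabs=appui#configure-groups-optional-claims.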

    3. Select "Group ID" or "sAMAccountName" as the source attribute.

      1. Use "Group ID" if using Entra/Azure Active Directory cloud service.

      2. Use "sAMAccountName" if using an on-premise Active Directory.

    4. Customize the name of the group claim and name it "Groups".

    5. Select the checkbox to expose the claim in JWT tokens.

    6. Press Save.

  8. Retrieve from Azure AD to use in Portal Setup, or provide back to BlueFletch:

    • Federation Metadata XML

    or all of the following:

    • Certificate in Base64

    • Login URL

    • Azure AD Identifier
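
An added example (not BlueFletch or Microsoft code) that checks a decoded SAML assertion, such as one captured during a test login, against the claim names from steps 6 and 7. The `check_claims` function and the sample assertion are constructed for illustration; the check reports claim names that differ only by case or that still carry a namespace.

```python
import xml.etree.ElementTree as ET  # for input you did not build yourself, parse with defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("EmailAddress", "FirstName", "LastName")  # claim names from step 6

def check_claims(assertion_xml, expect_groups=False):
    """Return a list of problems found in a decoded SAML assertion."""
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID")
    names = [a.get("Name", "") for a in root.iterfind(".//saml:Attribute", NS)]
    # "Groups" is only expected when groups are mapped to Portal roles (step 7)
    wanted = REQUIRED + (("Groups",) if expect_groups else ())
    for claim in wanted:
        if claim in names:
            continue  # exact, case-sensitive match with no namespace prefix
        # Near miss: same name ignoring case, possibly behind a namespace URI
        near = [n for n in names if n.rsplit("/", 1)[-1].lower() == claim.lower()]
        if near:
            why = "namespace not blank" if "/" in near[0] else "wrong case"
            problems.append(f"{claim}: found '{near[0]}' ({why})")
        else:
            problems.append(f"{claim}: missing")
    return problems

# Constructed sample: FirstName still carries a namespace, Groups is lower-case
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress"/>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/FirstName"/>
    <saml:Attribute Name="LastName"/>
    <saml:Attribute Name="groups"/>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for problem in check_claims(SAMPLE, expect_groups=True):
        print(problem)
```
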

Links:

  • Azure Portal: https://portal.azure.com
  • Azure documentation on group claims: https://docs.azure.cn/en-us/entra/identity-platform/optional-claims?tabs=appui#configure-groups-optional-claims
  • Related Portal pages: Portal Setup; groups to Portal roles

Figures:

  • Attributes & Claims settings in Microsoft Azure AD
  • Use sAMAccount only with on-premise Active Directory of the correct version
  • Customize group claim