Configuring single sign-on (SSO) with Azure AD

This article provides instructions for configuring single sign-on (SSO) for your organization if you use Azure AD.

Written by Samuel Smolkin
Updated over a month ago

Note: Single sign-on is available only on qualifying plans. If you would like to know whether your plan supports SSO, please contact [email protected].

Setup

In this step, you add an Amazon Cognito user pool as an application in Azure AD to establish a trust relationship between them.

To add a new application in Azure AD

  1. Log in to the Azure Portal.

  2. In the Azure Services section, choose Azure Active Directory.

  3. In the left sidebar, choose Enterprise applications.

  4. Choose New application.

  5. On the Browse Azure AD Gallery page, choose Create your own application.

  6. Under What’s the name of your app?, enter a name for your application and select Integrate any other application you don’t find in the gallery (Non-gallery), as shown in Figure 1. Choose Create.

    Figure 1: Add an enterprise app in Azure AD

    It takes a few seconds for the application to be created in Azure AD; you are then redirected to the Overview page for the newly added application.

    Note: Occasionally, this step can result in a Not Found error, even though Azure AD has successfully created a new application. If that happens, in Azure AD navigate back to Enterprise applications and search for your application by name.

  7. On the Getting started page, in the Set up single sign on tile, choose Get started, as shown in Figure 2.

    Figure 2: Application configuration page in Azure AD

  8. On the next screen, select SAML.

  9. In the middle pane under Set up Single Sign-On with SAML, in the Basic SAML Configuration section, choose the edit icon.

  10. In the right pane under Basic SAML Configuration, replace the default Identifier (Entity ID) with the Identifier (Entity ID) for your O&D region (EU or US, listed below). In the Reply URL (Assertion Consumer Service URL) field, enter the Reply URL for the same region, as shown in Figure 3. Choose Save.

    Figure 3: Azure AD SAML-based Sign-on setup

    EU multi-tenant:

    Identifier (Entity ID): urn:amazon:cognito:sp:eu-west-1_990dPQ8mS
    Reply URL (Assertion Consumer Service URL): https://ond-prod.auth.eu-west-1.amazoncognito.com/saml2/idpresponse

    US multi-tenant:

    Identifier (Entity ID): urn:amazon:cognito:sp:us-east-1_pUtX6J3XM
    Reply URL (Assertion Consumer Service URL): https://ond.auth.us-east-1.amazoncognito.com/saml2/idpresponse

  11. Scroll down to the SAML Signing Certificate section, and download the Federation Metadata XML.

Attributes mapping requirements

O&D requires these attributes to be mapped correctly:

  • emailaddress

  • name

The first user to sign in using SSO will be set as the Super Admin in O&D. Afterwards, new users signing in will be assigned the Member role. User roles can be changed by Super Admin and Admin users in O&D from the Settings > Organization > Members page.

Note: In the claim configuration, the value of each of these claims must be linked to the corresponding source attribute of the user.

Actions

  • Send a Federation Metadata XML to your Office & Dragons point of contact.

  • Once your O&D contact has confirmed that SSO is active for your organization, try signing in with SSO. Remember, the first user to sign in using SSO will be set as the Super Admin.

  • Change your organization's name in Office & Dragons from Settings > Organization > General before inviting more users to sign in.
