Setting up single sign-on (Azure AD)

Setting up Single Sign-On (SSO) requires some technical information from the admin settings of your Identity Provider; you will likely need the assistance of the team that manages that system to obtain it.

Alongside Azure AD, we support the following Identity Providers:

  • Google
  • Okta

Sharing information about your identity provider

To begin the setup of SSO for your organisation, the www.isms.online support team needs the following information from your Identity Provider. Examples for Azure AD are given below, where the unique part of the URL is represented as “…”.

  • The SSO target URL of your identity provider (this is the URL at which your identity provider is accessed):
    • example: https://login.microsoftonline.com/
  • The certificate of your identity provider in Base64
    • This is usually downloaded from your Identity Provider settings
    • Please ensure this certificate has not expired before sending it to us; check its expiry date in your Identity Provider settings.

If your certificate has expired, you must create a ‘New Certificate’ and then activate it by clicking the three dots and selecting ‘Make Certificate Active’.

1. How to find the identity provider information

1. Navigate to your applications manager in Azure AD, then select ‘New application’:

2. To add www.isms.online as an app, select ‘Non-gallery application’. This will prompt you to name the new application; for this example we named it ‘www.isms.online’. You can then click ‘Add’.


3. After creating your app, the first step is to add users and groups to it: simply click the first step in the Getting Started menu of your App Overview page:


4. Next, click to set up Single Sign-On, and on the next page select the box that says SAML:


5. Scroll down to Steps 3 & 4. In these steps you will find the information www.isms.online requires to set up SSO, highlighted in red. (Note: we need the entire URLs, not just the parts that are not blurred.)


In Azure AD:

SSO Target URL = Login URL

Entity ID = Azure AD identifier

Note: Once you have the above information, please email it to support@www.isms.online so we can configure SSO on our end.

2. Mapping Attributes

For your SSO login to work, attributes in Azure AD need to be mapped correctly inside the SSO settings for your www.isms.online app (Apps > www.isms.online > Single Sign-On > SAML):

  1. Scroll down to Step 2 and click ‘edit’.
  2. Your attributes should be mapped in the following way:

  3. Next, set the name identifier format to ‘persistent’. On the same page, click into ‘Unique User Identifier (Name ID)’:
    • Also set Source Attribute to ‘user.objectid’.


3. Connecting your identity provider to the www.isms.online live environment

Once we have received information about your identity provider, we will inform you that your sub-domain for the www.isms.online live environment is accessible.

This will allow you to configure access to the www.isms.online live environment by applying the following settings in Azure AD:

  • The Assertion Consumer Service (ACS) URL (this is the URL where www.isms.online will receive the response from the identity provider):

https://<ORGANISATION>.www.isms.online/sso/saml2

  • The Entity ID of the live instance of www.isms.online:

https://<ORGANISATION>.www.isms.online/sso/saml2/sp

This is where you need to apply the new settings, by clicking ‘edit’.

4. Accessing www.isms.online via SSO

Organisations using SSO will access www.isms.online via a sub-domain. This is a change from how you access www.isms.online at the moment.

Rather than going to platform.www.isms.online, once SSO is activated you will be able to access the system at:

https://<ORGANISATION>.www.isms.online

This ensures that we can always redirect your users to the correct identity provider when they sign in or access the system for the first time.

New User Templates

SSO with www.isms.online comes with an exciting new feature, New User Templates!

This feature allows you to provision a new SSO user with work areas and access upon their initial login. This is useful for admins who want to automate assigning work to users when they are created.

See here to find out how to utilise New User Templates.

To note:

  • Either the assertion, the response, or both must be signed
  • SHA-1 and SHA-256 algorithms are supported for the signature and digest. We recommend SHA-256 as best practice
  • SSO can be initiated from the service provider or the identity provider
  • Encrypted assertions are not supported
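As an added example (not part of the original guide), the Python below checks a SAML response against the settings described in sections 2 and 3 and in the notes above: the ACS URL and Entity ID of the live instance, the persistent NameID, a signature on the response or the assertion, the SHA-256 recommendation, and the absence of encrypted assertions. The sample response is constructed, "example-org" stands in for <ORGANISATION>, and the checks are structural only: the cryptographic signature verification is done by the service provider.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def check_response(xml_text, acs_url, sp_entity_id):
    """Structural checks against this guide's settings; [] means all passed (no crypto verification)."""
    root = ET.fromstring(xml_text)
    findings = []
    # The response must be addressed to the ACS URL of the live instance
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match the ACS URL")
    # Encrypted assertions are not supported, so the assertion must be in plaintext
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("EncryptedAssertion present; encrypted assertions are not supported")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext Assertion found"]
    # The audience must be the Entity ID of the live instance
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if (audience or "").strip() != sp_entity_id:
        findings.append("Audience does not match the SP Entity ID")
    # NameID must use the persistent format (Source Attribute user.objectid in Azure AD)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        findings.append("NameID format is not persistent")
    # Either the response, the assertion, or both must be signed
    sigs = [s for s in (root.find("ds:Signature", NS), assertion.find("ds:Signature", NS)) if s is not None]
    if not sigs:
        findings.append("neither the response nor the assertion is signed")
    for sig in sigs:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg != RSA_SHA256:  # SHA-1 is accepted by the service, but SHA-256 is the recommended choice
            findings.append(f"signature algorithm {alg} is not RSA-SHA256; SHA-256 is recommended")
    return findings

# Constructed sample response (not a real capture); "example-org" stands in for <ORGANISATION>
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://example-org.www.isms.online/sso/saml2"><saml:Assertion>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod
  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
  >11111111-2222-3333-4444-555555555555</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience
  >https://example-org.www.isms.online/sso/saml2/sp</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion></samlp:Response>"""
```

Running `check_response(SAMPLE, "https://example-org.www.isms.online/sso/saml2", "https://example-org.www.isms.online/sso/saml2/sp")` returns an empty list; swapping in a SHA-1 algorithm, an emailAddress NameID format or a different Destination each produces the corresponding finding.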

If you have any further questions following the completion of your setup, please don’t hesitate to contact the www.isms.online support team at support@www.isms.online.