Setting up SSO with Microsoft Azure Active Directory
The Azure Active Directory (Azure AD) enterprise identity service provides single sign-on and multi-factor authentication. You can configure ilert to use Azure AD as SAML provider for your users.
When starting with Azure AD Apps things can be a bit complicated and overwhelming. In this guide we take your from zero to your own Azure AD SAML App that integrates with ilert's SSO login.
Login to your Microsoft Azure Dashboard. Open the directory and create a new application.
From the seletion choose a non gallery application.
Enter a name and create the application.
.png?alt=media&token=a668c45a-3076-408d-a9bd-2b788ff76b2a)
Configure single sign on for your newly created application.
Choose SAML.
Configure the basic SAML Settings
.png?alt=media&token=b2a915a5-54dd-49f6-81b2-c9f6af31ea8a)
Log in to your ilert account as account owner, navigate to your Account Settings (cog right-side navigation) and click on the Single sign-on tab.
SSO with SAML requires your account to be on a Premium or Enterprise Plan.
Copy your SAML Endpoint URL and Audience Restriction values into the Azure AD SAML App Basic Configuation.
Save and close the basic SAML settings. Scroll a bit down and and copy the 3 values from your AD App, you will have to download the Certificate's Base64 representation and copy the value of its file into iLerts SSO settings certificate field.
.png?alt=media&token=1ec0fce3-a2db-49e8-9bf9-0b9aeeed8732)
Transfer the values to ilert's SSO settings.
.png?alt=media&token=01b57d7e-75e4-4523-8a63-74660a7b344f)
Save the the settings on both windows. SSO is now configured, however to make the login process work properly you will have to do 2 more things.
To ensure ilert gets passed the correct email of your users from Azure we have to adjust the SAML claim name.
Set the claim name source to
user.mail.
Save and close the modal.
%20copy.png?alt=media&token=6f857908-b58c-49a4-bea9-b82968482874)
You have now properly adjusted the SAML claim name of your app.
Right now both your ilert account and your Azure AD App are properly configured. However you have not yet added any users to your app, which means no one is able to login currently. Let's change that.
Go to your app's settings and click on Users and Groups.
Click on Users and select the users that should be able to login to your ilert account. Confirm the assignment afterwards.
Your users should now be able to login to ilert using their Azure AD accounts.
You can auto-provision users on their first SSO login by enabling the checkbox for Provision new users on first sso login in your ilert account's settings. This way user accounts will be automatically setup with the role User in ilert. Optionally, you can also pass in the user's role via custom SAML attributes. See below for more information.
Keep in mind that auto-provisioning new users will require your account to have enough seats booked.
You can optionally disable the login for username and password combinations on your ilert account and enforce users to use SSO by disabling the checkbox for Allow login with username and password in your ilert account's settings.
Besides the
NameID you may pass additional parameters for the user or the team to be automatically setup on the first login, please checkout our auto provisioning section.Last modified 10mo ago