Steps for Configuring SAML Authentication with Azure AD
If your organization uses Microsoft’s Azure Active Directory (Azure AD), follow this detailed procedure to set up the SAML protocol. This process has four parts:
A. Preparing the Client Portal
B. Preparing Azure AD
C. Configuring SAML in Azure AD
D. Configuring SAML in the Client Portal
A. Preparing the Organization’s Client Portal
1. Go to the Settings tab in your organization’s Client Portal.
2. Make sure all domain names needed for SAML authentication have been added and verified. If you need to add one, see the instructions provided in the Domain Names section.
3. Go to the SAML Authentication and Provisioning section.
4. Begin Step 1 of the configuration process as indicated on the screen. Select Microsoft as your identity provider (ID Provider).
5. Select the domain name or names that are involved in the authentication process.
6. Click Next.
7. On the next screen, Step 2: SAML Configuration, download the XML metadata file. Leave this window open and start preparing Azure AD in a new browser window.
B. Preparing Azure AD
1. In your Azure portal, go to the Enterprise applications section. You can access it quickly by typing the first few characters of the section name in the search bar.
2. Click New application.
3. On the next page, click Create your own application.
4. Name the application (ex. Client Portal - Druide).
5. Select Integrate any other application you don’t find in the gallery (Non-gallery).
6. Click Create. Application creation can take several minutes.
7. Once the application has loaded, indicate which users can use it: all users (A) or only some (B).
   A) For all users: go to Properties and set Assignment required to No. Click Save and close the panel.
   B) For certain users only: go to Users and groups and click Add user/group. Click the names of the desired users, then the Select button. Finally, click Assign.
All preparations in Azure AD are now complete and you can begin SAML configuration.
C. Configuring SAML in Azure AD
1. In the application you just created in Azure AD, go to the Single sign-on tab.
2. Select the SAML tile.
3. Click Upload metadata file.
4. Select the metadata file you downloaded earlier from the Client Portal (section A, step 7).
5. Click Add.
6. Click Save in the next panel, then close it.
Tip — You can also configure the data manually (see detailed instructions).
Note — If Microsoft asks whether you would like to do a test now or later, choose later.
7. Go to the next block, Attributes & Claims, and click Edit.
Tip — If you do not use Azure AD, you can find the required attributes in the SAML configuration overview.
8. Next, click Unique User Identifier (Name ID) to make changes to the claim.
9. Click Choose name identifier format and change the format to Persistent.
10. Change the source attribute to user.objectid.
Important — You must do one final verification in Attributes & Claims. Make sure that your configuration of the claim emailaddress (set to the attribute user.mail by default) contains an email address. If this is not the case, use another attribute such as user.userprincipalname, which usually corresponds to the user’s email address.
11. Click Save and close the panel.
12. Go to the next block, SAML Certificates, and click Edit.
13. Select Sign SAML response and assertion in the signing options.
14. Click Save, then close the panel.
15. Download the Certificate (Base64) file.
16. Download the Federation Metadata XML file.
SAML configuration in Azure AD is now complete. Keep this window open in case you need to configure SAML manually in the Client Portal.
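To confirm that Azure AD is actually sending what the settings above ask for (a Persistent NameID, a signature on both the Response and the Assertion, and an emailaddress claim that really contains an address), here is an added Python checker. It is not part of the Druide documentation; the SAML response embedded in it is constructed for the example, and the check names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def check_saml_response(xml_text: str) -> dict:
    """Map each requirement from the Azure AD configuration to True/False."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # nothing to check without an assertion
        return dict.fromkeys(("response_signed", "assertion_signed",
                              "nameid_persistent", "email_claim_ok"), False)
    # "Sign SAML response and assertion" puts a ds:Signature under both elements.
    response_signed = root.find("ds:Signature", NS) is not None
    assertion_signed = assertion.find("ds:Signature", NS) is not None
    # NameID format must be Persistent (the value is sourced from user.objectid).
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    persistent = name_id is not None and name_id.get("Format") == PERSISTENT
    # The "Important" verification: the emailaddress claim must hold a real
    # address, which it will not if user.mail is empty for that user.
    email = ""
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            value = attr.find("saml:AttributeValue", NS)
            email = (value.text or "").strip() if value is not None else ""
    return {"response_signed": response_signed, "assertion_signed": assertion_signed,
            "nameid_persistent": persistent, "email_claim_ok": EMAIL_RE.match(email) is not None}

# Constructed sample (not a real Azure AD response); signature contents are stubs.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <ds:Signature><ds:SignatureValue>c3R1Yg==</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_assert1" Version="2.0">
    <ds:Signature><ds:SignatureValue>c3R1Yg==</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
      00000000-0000-0000-0000-000000000000</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane.doe@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The checker only looks at structure; it does not validate the signatures themselves, so run it on a response decoded from a browser SAML trace and then verify the signature against the Certificate (Base64) you downloaded.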
D. Configuring SAML in the Client Portal
1. Return to the Client Portal window and go to Step 2: SAML Configuration. Click Upload a file and select the XML metadata file you just downloaded from Azure AD.
Important — You can also configure the data manually (see detailed instructions).
2. It is recommended you assign a resource person to receive technical details in case of login or configuration issues.
3. Click Next.
4. If your organization has one or more active subscriptions to Antidote Web, choose how you would like to manage Antidote Web access. You have three options:
   - Manual management: choose this option to activate SAML authentication without automatically granting access to Antidote Web. You can grant users access to Antidote Web from the Users tab in the Client Portal.
   - Impose access to Antidote Web upon login: choose this option to automatically grant access to Antidote Web to all users who log in with SAML authentication. If your organization has multiple subscriptions, specify which one should be used. If a user already has access to another subscription, their subscription will be changed the next time they log in.
   - Grant Antidote Web access to users who do not have access upon logging in: choose this option to grant Antidote Web access to users who do not already have it. For example, this option is useful if your organization already has a subscription, and you want new users to have access to a different subscription than those who already hold one.
Note — If you intend to set up automated provisioning later, please note that the Antidote Web access management settings defined by that configuration will override the options described here.
5. Click Next once you have made your choice.
6. On the next screen, click Try logging in. The result of the test will appear in a new window, confirming a successful connection or providing an error report if the connection fails.
7. Finally, click Activate SAML authentication.