Introduction

This article will walk you through configuring Azure Active Directory (AD) to be your SAML Identity Provider within HelloID. This is useful if your organization uses Azure AD as a primary source of authentication to access online services. This will allow your organization's users to log into HelloID and other cloud applications with their Azure AD username and password.

Configure the Azure IdP

1. On the HelloID Administrator Dashboard, navigate to Security > Authentication > Identity Providers and click Create Provider. This will bring up the Identity Provider Catalog.
   
2. Find the SAML - Generic IDP and click the Add button next to it.
   
3. Enter the name and select an Icon (optional). Make note of the Consumer URL so that you can provide it to Azure in later steps. Enable JIT (just-in-time provisioning) if you so desire. Click Save to add the IdP to HelloID. We will come back to it later. View a complete configuration reference here.
   
4. Log on to https://manage.windowsazure.com. On the left-side menu bar, select Azure Active Directory.
   
   
5. Select your desired domain and then click App registrations.
   
   
6. Click New application registration.
   
7. Specify the Name (HelloID), select Web app / API as Application type and specify the HelloID portal URL as Sign-on URL. Click Create when finished.
   
   
8. Once the application registration has been created, click Settings.
   
9. Select the Reply URLs section.
   
10. Delete the default reply URL.
    
11. Add a new reply URL by pasting in the Consumer URL that you previously noted from HelloID. Click Save when you are finished.
    
12. Select the Properties section.
    
13. Change the App ID URI to the URL of your HelloID portal. Click Save when finished.
    
14. Select the Required permissions section.
    
    
15. Click on Windows Azure Active Directory. Enable the following permissions, then click Save. Note that these permissions require you to grant end users permission to use this new application--we will take care of that later.
    • Sign in and read user profile
    • Read all users’ basic profiles
    • Read all users’ full profiles
    • Read all groups
      
16. Go back to Azure Active Directory in the main portal screen, then go to App registrations and click on Endpoints.
    
17. Copy the Federation Metadata Document URL into a new browser window. A page of XML will appear.
18. Highlight and copy the data within the X509Certificate tag.
    
19. Go to the HelloID Administrator Dashboard and navigate to Settings > Certificates. Once there, click Import Certificate.
    
20. Paste the X509 into the Certificate area. Add -----BEGIN CERTIFICATE----- to the beginning of the key and -----END CERTIFICATE----- to the end of the key. Click Save to continue.
    
21. Navigate to Security > Authentication > Identity providers and edit the Azure Identity Provider that you created earlier. Click on its Configuration tab and fill out the following fields. You may configure other optional settings as desired. 
    
    • Login URL: Paste the SAML-P sign-on endpoint from Azure.
    • Binding: Change this to HTTP-POST
    • Request Certificate: Select the certificate that you imported earlier.
    • Logout URL: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
      
      
22. Click Save to finish the configuration.

Add attribute mappings

By default, the attribute mapping for HelloID is set to only map the nameID attribute. However, since we are connecting to Azure AD, we want to map more attributes, such as first name, last name and user principal name (this is also the user's email address).

1. Navigate to Security > Authentication > Identity Providers. Edit the the Azure AD IDP and click on Configure Mapping Set. When prompted, click Proceed.
   
2. Click Change attributes.
   
3. Add the following attributes and click Close when you are finished.

   Display name	Variable name	Source field
   Object Identifier	objectIdentifier	Attributes.http://schemas.microsoft.com/identity/claims/objectidentifier
   UserPrincipalName	userPrincipalName	Attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
   First name	firstName	Attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
   Last name	lastName	Attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
   Display name	displayName	Attributes.http://schemas.microsoft.com/identity/claims/displayname

   
   
4. Click Change mappings.
   

How are your Azure AD users created?

The mappings and identifier that are set from this point forward depend on how users accounts are created in your Azure AD environment. Please choose from the following selections:

Users are created by Azure AD Connect

Users are created manually or by HelloID

Users are created by Azure AD Connect

1. Add the following mappings and click Close when you are finished.
   

   User	HelloID user
   {{user.userPrincipalName}}	user.userName
   {{user.firstName}}	user.firstName
   {{user.lastName}}	user.lastName
   {{user.userPrincipalName}}	user.contactEmail

   
   
2. Click Set Identifier.
   
3. Modify the identifier as necessary to match the configuration shown below, and click Close.
   

   SAML Provided Data	HelloID User
   {{user.userPrincipalName}}	Username

   
4. Click the Save button to finish. The setup is complete.

Users are created manually or by HelloID

1. Add the following mappings and click Close when you are finished.
   

   User	HelloID user
   {{user.userPrincipalName}}	user.userName
   {{user.firstName}}	user.firstName
   {{user.lastName}}	user.lastName
   {{user.userPrincipalName}}	user.contactEmail
   {{user.objectIdentifier}}	user.immutableId

   
   
2. Click Set Identifier.
   
3. Modify the identifier as necessary to match the configuration shown below, and click Close.

   SAML Provided Data	HelloID User
   {{user.objectIdentifier}}	Immutable ID

   
4. Click the Save button to finish.