Note: SAML is not recommended
We strongly suggest configuring Azure AD as an OAuth IdP when possible. With OAuth, users who authenticate using multi-factor authentication (MFA) in Azure AD will have their MFA session information sent back to HelloID. This eliminates additional, unnecessary MFA challenges. SAML does not support this functionality.
Introduction
This article will walk you through configuring Azure Active Directory (AD) to be your SAML Identity Provider within HelloID. This is useful if your organization uses Azure AD as a primary source of authentication to access online services. This will allow your organization's users to log into HelloID and other cloud applications with their Azure AD username and password.
Configure the Azure IdP
- On the HelloID Administrator Dashboard, navigate to Security > Authentication > Identity Providers and click Create Provider. This will bring up the Identity Provider Catalog.
- Find the SAML - Generic IDP and click the Add button next to it.
- Enter the name and select an Icon (optional). Make note of the Consumer URL so that you can provide it to Azure in later steps. Enable JIT (just-in-time provisioning) if you so desire. Click Save to add the IdP to HelloID. We will come back to it later. View a complete configuration reference here.
- Log on to https://manage.windowsazure.com. On the left-side menu bar, select Azure Active Directory.
- Select your desired domain and then click App registrations.
- Click New application registration.
- Specify the Name (HelloID), select Web app / API as Application type and specify the HelloID portal URL as Sign-on URL. Click Create when finished.
- Once the application registration has been created, click Settings.
- Select the Reply URLs section.
- Delete the default reply URL.
- Add a new reply URL by pasting in the Consumer URL that you previously noted from HelloID. Click Save when you are finished.
- Select the Properties section.
- Change the App ID URI to the URL of your HelloID portal. Click Save when finished.
- Select the Required permissions section.
- Click on Windows Azure Active Directory. Enable the following permissions, then click Save. Note that these permissions require you to grant end users permission to use this new application; we will take care of that later.
- Sign in and read user profile
- Read all users’ basic profiles
- Read all users’ full profiles
- Read all groups
- Go back to Azure Active Directory in the main portal screen, then go to App registrations and click on Endpoints.
- Copy the Federation Metadata Document URL into a new browser window. A page of XML will appear.
- Highlight and copy the data within the X509Certificate tag.
- Go to the HelloID Administrator Dashboard and navigate to Settings > Certificates. Once there, click Import Certificate.
- Paste the X509 value into the Certificate area. Add -----BEGIN CERTIFICATE----- on a line before the value and -----END CERTIFICATE----- on a line after it. Click Save to continue.
- Navigate to Security > Authentication > Identity providers and edit the Azure Identity Provider that you created earlier. Click on its Configuration tab and fill out the following fields. You may configure other optional settings as desired.
- Login URL: Paste the SAML-P sign-on endpoint from Azure.
- Binding: Change this to HTTP-POST
- Request Certificate: Select the certificate that you imported earlier.
- Logout URL: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
- Click Save to finish the configuration.
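The certificate and the sign-on endpoint copied by hand from the Federation Metadata Document above can also be pulled out with a short script. This is an added example, not HelloID's or Microsoft's code; it runs against a constructed metadata sample with a placeholder tenant id and placeholder certificate bodies, and it goes slightly beyond the steps above by handling a metadata document that lists more than one signing certificate (as Azure AD does while rolling its signing key over), in which case every listed certificate should be imported.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

# Namespaces used in the Azure AD federation metadata document.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed placeholders standing in for the base64 DER certificate bodies.
CERT_A = base64.b64encode(b"constructed placeholder signing certificate A" * 3).decode()
CERT_B = base64.b64encode(b"constructed placeholder signing certificate B" * 3).decode()

# Constructed sample with the shape of the metadata page (placeholder tenant id); two
# signing keys are listed, as happens while Azure AD rolls its signing key over.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{CERT_A}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>
        {CERT_B}
      </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def signing_certificates(metadata_xml: str) -> list:
    """Base64 bodies of every IdP signing certificate; import each one into HelloID."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no "use" attribute means signing too
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join(cert.text.split()))  # drop whitespace around the value
    return certs

def to_pem(cert_b64: str) -> str:
    """Wrap the copied value in the BEGIN/END lines the Certificate field expects."""
    base64.b64decode(cert_b64, validate=True)  # reject a mangled copy-paste early
    body = "\n".join(textwrap.wrap(cert_b64, 64))  # standard 64-column PEM lines
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sso_post_location(metadata_xml: str):
    """The HTTP-POST sign-on endpoint to paste into the IdP's Login URL field."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST":
            return svc.get("Location")
    return None
```

For a live tenant, replace SAMPLE_METADATA with the XML fetched from the Federation Metadata Document URL shown under Endpoints.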
Add attribute mappings
By default, the attribute mapping for HelloID is set to only map the nameID attribute. However, since we are connecting to Azure AD, we want to map more attributes, such as first name, last name and user principal name (this is also the user's email address).
- Navigate to Security > Authentication > Identity Providers. Edit the Azure AD IDP and click on Configure Mapping Set. When prompted, click Proceed.
- Click Change attributes.
- Add the following attributes and click Close when you are finished.
Display name | Variable name | Source field
Object Identifier | objectIdentifier | Attributes.http://schemas.microsoft.com/identity/claims/objectidentifier
UserPrincipalName | userPrincipalName | Attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
First name | firstName | Attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last name | lastName | Attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Display name | displayName | Attributes.http://schemas.microsoft.com/identity/claims/displayname
- Click Change mappings.
How are your Azure AD users created?
The mappings and identifier that are set from this point forward depend on how user accounts are created in your Azure AD environment. Please choose from the following selections:
Users are created by Azure AD Connect
Users are created manually or by HelloID
Users are created by Azure AD Connect
- Add the following mappings and click Close when you are finished.
User | HelloID user
{{user.userPrincipalName}} | user.userName
{{user.firstName}} | user.firstName
{{user.lastName}} | user.lastName
{{user.userPrincipalName}} | user.contactEmail
- Click Set Identifier.
- Modify the identifier as necessary to match the configuration shown below, and click Close.
SAML Provided Data | HelloID User
{{user.userPrincipalName}} | Username
- Click the Save button to finish. The setup is complete.
Users are created manually or by HelloID
- Add the following mappings and click Close when you are finished.
User | HelloID user
{{user.userPrincipalName}} | user.userName
{{user.firstName}} | user.firstName
{{user.lastName}} | user.lastName
{{user.userPrincipalName}} | user.contactEmail
{{user.objectIdentifier}} | user.immutableId
- Click Set Identifier.
- Modify the identifier as necessary to match the configuration shown below, and click Close.
SAML Provided Data | HelloID User
{{user.objectIdentifier}} | Immutable ID
- Click the Save button to finish.
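The attribute set, the two mapping sets and the two identifier choices above, applied to an incoming SAML assertion, as an added example (not HelloID's own mapping engine): a constructed assertion fragment with placeholder values is parsed, the {{user.*}} templates are rendered into HelloID user fields, and the identifier is chosen per scenario. The scenario keys aad_connect and manual_or_helloid are names chosen here; the absent displayName claim shows how an unset variable behaves.

```python
import re
import xml.etree.ElementTree as ET
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute set from the "Add attribute mappings" step: variable name -> source field.
ATTRIBUTE_SET = {
    "objectIdentifier": "Attributes.http://schemas.microsoft.com/identity/claims/objectidentifier",
    "userPrincipalName": "Attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "firstName": "Attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "lastName": "Attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "displayName": "Attributes.http://schemas.microsoft.com/identity/claims/displayname",
}
# Mapping set and identifier for each user-creation scenario on the page.
COMMON = {"user.userName": "{{user.userPrincipalName}}", "user.firstName": "{{user.firstName}}",
          "user.lastName": "{{user.lastName}}", "user.contactEmail": "{{user.userPrincipalName}}"}
SCENARIOS = {
    "aad_connect": (COMMON, ("Username", "{{user.userPrincipalName}}")),
    "manual_or_helloid": ({**COMMON, "user.immutableId": "{{user.objectIdentifier}}"},
                          ("Immutable ID", "{{user.objectIdentifier}}")),
}
# Constructed sample assertion fragment with placeholder values (no real tenant data).
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeStatement>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>11111111-2222-3333-4444-555555555555</AttributeValue></Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>jdoe@example.com</AttributeValue></Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>Jane</AttributeValue></Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>Doe</AttributeValue></Attribute>
</AttributeStatement></Assertion>"""

def saml_variables(assertion_xml: str) -> dict:
    """Resolve each attribute-set variable from the assertion's Attribute elements."""
    root = ET.fromstring(assertion_xml)
    claims = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", SAML_NS)]
              for a in root.iterfind(".//saml:Attribute", SAML_NS)}
    return {var: claims[src[len("Attributes."):]][0] for var, src in ATTRIBUTE_SET.items()
            if claims.get(src[len("Attributes."):])}  # absent claims leave the variable unset

def render(template: str, variables: dict) -> str:
    """Expand {{user.<var>}} placeholders; an unset variable renders as an empty string."""
    return re.sub(r"\{\{user\.(\w+)\}\}", lambda m: variables.get(m.group(1), ""), template)

def helloid_user(assertion_xml: str, scenario: str) -> tuple:
    """Return (HelloID user fields, (identifier name, identifier value)) for a scenario."""
    mappings, (id_name, id_template) = SCENARIOS[scenario]
    variables = saml_variables(assertion_xml)
    fields = {target: render(tpl, variables) for target, tpl in mappings.items()}
    id_value = render(id_template, variables)
    if not id_value:  # refuse to look up an account by an empty identifier
        raise ValueError(f"assertion carries no value for the {id_name} identifier")
    return fields, (id_name, id_value)
```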