Overview
This document will help you configure Azure Active Directory (Azure AD) with ObservePoint to enable Single Sign-On (SSO).
Note: There are several steps that need to take place before you can start configuring Azure Active Directory for SSO - please refer to the SSO Setup help document.
Configuration
When setting up SSO, you will have a metadata file containing parameters to complete the setup process. If you haven't received this file or are just starting the SSO process, you will want to see the Getting Started with SSO help document. The metadata file right now only includes a login URL. Suppose you attempt to use this file without a SAMLRequest query parameter. In that case, it will result in an error message on Microsoft's login screen mentioning the absence of that specific query parameter.
The instructions below will help you successfully configure SSO after you have setup a custom app in Azure for ObservePoint.
Generating a Login URL with the SAMLRequest Query Parameter
Note: If you haven't created an Azure AD application, you will need to create one before proceeding through this document. You can learn how to create an Azure AD application by reading this help document.
1. Log into Azure and go to the SSO configuration page for the ObservePoint app that you've created:
Azure Portal > Azure Active Directory > Enterprise Applications > ObservePoint > Single sign-on
2. The configuration is laid out by Microsoft vertically in 5 steps. Note that the Identifier is a name that your organization will come up with and the reply URL will be specific to your organization.
When configuring Attributes & Claims, Azure assigns a default name.
See the example screenshot below.
It is essential to follow ObservePoint's expectations of claims mapping to authenticate successfully. You will need to use the claim names below.
| IDP Directory / Source Attribute | ObservePoint Claim Name |
First/Given name | → |
|
Last/Family/Surname | → |
|
Email address | → |
|
3. To generate a required Login URL, click test to see if SSO is working.
4. After "Test" is clicked, it will open a panel with another button labeled "Test sign-in." Click that one too:
5. A new tab should open, taking you to a sign-in page for the application. The Login URL should have the following format:
https://login.microsoftonline.com/{guid}/saml2?SAMLRequest=<....>
The ?SAMLRequest=<...>
portion of the URL is the portion that Microsoft added, and it contains your application's unique encoded details so that you can log in successfully.
Once you have configured the settings in Azure AD and generated this login URL, download and send Azure's metadata file and the login URL you generated to your ObservePoint representative.
After ObservePoint has received the new metadata file and the login URL. ObservePoint will finalize the configuration, and we will be ready to test with you. This is usually discussed on an email thread or over a video call.