Integrating your company's Single Sign-On (SSO) solution with the World Manager platform offers a convenient and secure way for all employees to access the platform. By integrating with the popular identity provider (IdP) Microsoft Azure for SSO, you can enable employees to authenticate into your World Manager platform using their existing company credentials. Follow these instructions to configure the integration with Microsoft Azure.
Important: These instructions are specific to a ‘hybrid’ Active Directory (AD) environment, consisting of both cloud-based and on-premises infrastructure, which is synchronised via the ‘Microsoft Azure Active Directory Connect’ app. Hence, instructions for an all cloud-based AD solution might differ.
Prerequisites
- Admin access to cloud-based Azure Active Directory (Azure AD)
- ‘Application Administrator’ administrative role assigned (Azure AD)
- Admin access to on-premises Active Directory Users and Computers (Local AD)
Azure AD Configuration
Create an Application
1. Log into Azure AD: https://aad.portal.azure.com
2. Go to Applications → Enterprise applications
3. Click on the “New application” button
4. Click on the “Create your own application” button
5. Enter a (unique) name for the app + select the “Integrate any other application you don't find in the gallery (Non-gallery)” option, then click on the “Create” button
Tip: For the purposes of this article, we have used ‘WM Platform SSO’ as the name. However, we recommend using a name that is unique/specific to your World Manager platform.
Configure SAML SSO
1. Go to Manage → Single sign-on
2. Click on the “SAML” method
3. In the “Basic SAML Configuration” section, click on the “Edit” button
4. Complete the following details (below), then click on the “Save” button:
- Identifier (Entity ID)
  - Click on the “Add identifier” link
  - In the text field, enter: https://<YourPlatformUrl>/login/saml/metadata/microsoft
- Reply URL (Assertion Consumer Service URL)
  - Click on the “Add reply URL” link
  - In the text field, enter: https://<YourPlatformUrl>/login/saml/microsoft
- Sign on URL
  - In the text field, enter: https://<YourPlatformUrl>/login/saml/microsoft
Attributes & Claims
1. In the “Attributes & Claims” section, click on the “Edit” button
2. Action the following (below) to the existing claims that are auto-generated:
- emailaddress
  - Click on this claim (to edit)
  - In the ‘Name’ field, replace the current value with email
  - In the ‘Namespace’ field, delete the current value
  - Click on the ‘Choose name format’ section (to expand), then action the following (below):
    - In the ‘Name format’ drop-down, select the “Unspecified” option
    - In the ‘Source attribute’ drop-down, select the applicable identifier value you wish to use
Important: You can only use a valid email address as the identifier value.
- givenname
  - Click on this claim (to edit)
  - In the ‘Name’ field, replace the current value with firstName
  - In the ‘Namespace’ field, delete the current value
  - Click on the ‘Choose name format’ section (to expand), then action the following (below):
    - In the ‘Name format’ drop-down, select the “Unspecified” option
    - In the ‘Source attribute’ drop-down, leave the current value (user.givenname)
- name
  - Click on the 3-dot menu, then click on the “Delete” option
  - In the confirmation prompt that appears, click on the “OK” button
- surname
  - Click on this claim (to edit)
  - In the ‘Name’ field, replace the current value with lastName
  - In the ‘Namespace’ field, delete the current value
  - Click on the ‘Choose name format’ section (to expand), then action the following (below):
    - In the ‘Name format’ drop-down, select the “Unspecified” option
    - In the ‘Source attribute’ drop-down, leave the current value (user.surname)
If amended correctly, you should be left with something like this:
Important: To ensure correct functionality, all attribute names must be entered exactly as specified.
Note: The value under the 'Required claim' section cannot be removed. However, it is not required anyway and will be ignored.
3. Action the following (below) to create new (additional) claims:
- groupUuids
  - Click on the “Add new claim” button
  - In the ‘Name’ field, enter groupUuids
  - Click on the ‘Choose name format’ section (to expand), then action the following (below):
    - In the ‘Name format’ drop-down, select the “Unspecified” option
    - In the ‘Source attribute’ drop-down, select one of the extension attribute values
Tip: You can use any available extension attribute you wish for this particular value. For the purposes of this article, we have used user.extensionattribute1 to hold a Group UUID value.
- countryUuids
  - Click on the “Add new claim” button
  - In the ‘Name’ field, enter countryUuids
  - Click on the ‘Choose name format’ section (to expand), then action the following (below):
    - In the ‘Name format’ drop-down, select the “Unspecified” option
    - In the ‘Source attribute’ drop-down, select one of the extension attribute values
Tip: You can use any available extension attribute you wish for this particular value. For the purposes of this article, we have used user.extensionattribute2 to hold a Country UUID value.
- areaUuids
  - Click on the “Add new claim” button
  - In the ‘Name’ field, enter areaUuids
  - Click on the ‘Choose name format’ section (to expand), then action the following (below):
    - In the ‘Name format’ drop-down, select the “Unspecified” option
    - In the ‘Source attribute’ drop-down, select one of the extension attribute values
Tip: You can use any available extension attribute you wish for this particular value. For the purposes of this article, we have used user.extensionattribute3 to hold an Area UUID value.
- storeUuids
  - Click on the “Add new claim” button
  - In the ‘Name’ field, enter storeUuids
  - Click on the ‘Choose name format’ section (to expand), then action the following (below):
    - In the ‘Name format’ drop-down, select the “Unspecified” option
    - In the ‘Source attribute’ drop-down, select one of the extension attribute values
Tip: You can use any available extension attribute you wish for this particular value. For the purposes of this article, we have used user.extensionattribute4 to hold a Store UUID value.
Important: The attributes you choose must be available for selection in your enterprise app, as well as for editing in your users' properties. This is why we have used the (default) extension attributes.
Once finished, you should be left with something like this:
SAML Certificates
1. Under the ‘SAML Certificates’ section, action the following (below):
- Under the ‘Certificate (Base64)’ field, click on the “Download” link
Important: Keep this information handy, as it will be required in later steps.
Set up Enterprise App Name SSO
1. Under the ‘Set up Enterprise App Name SSO’ section, action the following (below):
- Under the ‘Login URL’ field, click on the copy (double page) icon
- Under the ‘Azure AD Identifier’ field, click on the copy (double page) icon
Important: Keep this information handy, as it will be required in later steps.
Assign Users/Groups to App
1. Go to Manage → Users and groups
2. Click on the “Add user/group” button
3. Under the ‘’ section, click on the “None selected” link
4. In the text field, enter the name of a user or group you wish to add to the role, then click on the result that appears (to add)
5. Repeat step 4 to assign the app for all applicable users/groups
6. Click on the “Select” button (when finished)
7. Click on the “Assign” button (to save)
Local AD Configuration
Assign UUID Values
Whilst the majority of the AD-related SSO details are configured within Azure AD (cloud-based), some values, relating to group and location UUID data, can only be entered in your Local AD (on-premises). This is because Azure AD does not allow you to create custom attributes/claims that are available in both the enterprise app and user properties, which is a requirement.
Follow these instructions to assign the applicable group, country, area and/or store UUID values (related to your World Manager platform) in your Local AD.
1. Log into your Domain Controller server
2. Open the 'Active Directory Users and Computers' (ADUC) tool
3. Find + open the properties of a user you wish to configure UUID data for
4. Click on the ‘Attribute Editor’ tab
Tip: If you cannot see the ‘Attribute Editor’ tab, close the user's properties, then go to View → Advanced Features. Wait for the ADUC tool to reload, then continue (again) from step 3.
5. Action the following (below):
- Group UUIDs
  - Find + double-click on the msDS-cloudExtensionAttribute1 attribute (to edit)
  - In the ‘Value’ field, enter a valid Group UUID value
  - Click on the “OK” button
Tip: Currently, it is not possible to obtain Group UUID data from within the platform. Please either contact our Support Team, or use our SOAP API.
- Country UUIDs
  - Find + double-click on the msDS-cloudExtensionAttribute2 attribute (to edit)
  - In the ‘Value’ field, enter a valid Country UUID value
  - Click on the “OK” button
- Area UUIDs
  - Find + double-click on the msDS-cloudExtensionAttribute3 attribute (to edit)
  - In the ‘Value’ field, enter a valid Area UUID value
  - Click on the “OK” button
- Store UUIDs
  - Find + double-click on the msDS-cloudExtensionAttribute4 attribute (to edit)
  - In the ‘Value’ field, enter a valid Store UUID value
  - Click on the “OK” button
Note: You can view these extension attribute values within Azure AD. To do so, access a user's account, click on the ‘Properties’ tab, then click on the “View” link under the Extension attributes field. If you cannot see the “View” link, then it's likely these fields are not included in the sync via the ‘Azure AD Connect’ app (which they should be).
6. Click on the “Apply” + “OK" buttons (to save)
7. Repeat steps 3 through 6 to assign UUID values for all applicable accounts
UUID Data Requirement
To successfully authenticate a user via SSO, there is a bare minimum of UUID data that needs to be provided, which depends on the role the user's account group belongs to. The table below outlines the data required per role:
Role(s) | Group UUID | Country UUID | Area UUID | Store UUID
---|---|---|---|---
World Manager | ✅ | | |
National Manager | ✅ | ✅ | |
Area Manager | ✅ | | ✅ |
General Manager, Store Manager, Employee | ✅ | | | ✅
To elaborate on the above, if you were creating a ‘Store Manager’ account, you would only need to provide valid ‘Group UUID’ and ‘Store UUID’ values. The ‘Country UUID’ and ‘Area UUID’ values are not required.
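As an added check that is not part of this article or the World Manager platform, the following Python parses the AttributeStatement of a SAML assertion (for example one captured while testing the enterprise app) and verifies the points above: claim names match the article exactly with no namespace left on them, the identifier is an email address, every UUID claim holds a UUID, and the minimum UUID claims for the user's role are present. The sample assertion, its values and the per-role mapping are constructed assumptions taken from the table, not output of Azure AD or the platform.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIMS = {"email", "firstName", "lastName"}          # must match exactly, no namespace
UUID_CLAIMS = {"groupUuids", "countryUuids", "areaUuids", "storeUuids"}
ROLE_REQUIREMENTS = {                                          # minimum UUID claims per role (article table)
    "World Manager": {"groupUuids"},
    "National Manager": {"groupUuids", "countryUuids"},
    "Area Manager": {"groupUuids", "areaUuids"},
    "General Manager": {"groupUuids", "storeUuids"},
    "Store Manager": {"groupUuids", "storeUuids"},
    "Employee": {"groupUuids", "storeUuids"},
}
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample (not a real Azure AD response) of the AttributeStatement for a Store Manager.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groupUuids"><saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="storeUuids"><saml:AttributeValue>66666666-7777-8888-9999-aaaaaaaaaaaa</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def parse_attributes(xml_text):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}

def check_assertion(attrs, role):
    """Return a list of problems (empty means the claims satisfy the article's rules)."""
    problems = []
    present = set(attrs)
    for name in present - REQUIRED_CLAIMS - UUID_CLAIMS:   # e.g. namespace left on the claim
        problems.append(f"unexpected claim name {name!r}")
    for name in REQUIRED_CLAIMS - present:
        problems.append(f"missing claim {name}")
    if "email" in attrs and "@" not in attrs["email"][0]:  # identifier must be an email address
        problems.append("email claim is not an email address")
    for name in ROLE_REQUIREMENTS[role] - present:
        problems.append(f"{role} requires claim {name}")
    for name in UUID_CLAIMS & present:
        for value in attrs[name]:
            if not UUID_RE.match(value.strip()):
                problems.append(f"{name} value {value!r} is not a UUID")
    return problems
```

Run `check_assertion(parse_attributes(SAMPLE), "Store Manager")` for the sample; it returns an empty list, while checking the same assertion as a National Manager reports the missing countryUuids claim.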
World Manager Configuration
Contact Support
All SSO-related configuration on the World Manager end is handled by the Support Team and is not visible within the platform. So, whenever you are ready to enable this authentication method, please send an email to wmsupport@franconnect.com with the following details:
- SAML Certificate (Base64) file
- ‘Login URL’ value
- ‘Azure AD Identifier’ value
Note: These values are from the 'SAML Certificates' and 'Set up Enterprise App Name SSO' sections that you were previously instructed to download/copy.