SSO Configuration: Microsoft Azure

Integrating your company's Single Sign-On (SSO) solution with the World Manager platform offers a convenient and secure way for all employees to access the platform. By integrating with the popular identity provider (IdP) Microsoft Azure for SSO, you can enable employees to authenticate into your World Manager platform using their existing company credentials. Follow these instructions to configure the integration with Microsoft Azure.

Important: These instructions are specific to a ‘hybrid’ Active Directory (AD) environment, consisting of both cloud-based and on-premises infrastructure, which is synchronised via the ‘Microsoft Azure Active Directory Connect’ app. Instructions for a purely cloud-based AD environment may therefore differ.

Prerequisites

  • Admin access to cloud-based Azure Active Directory (Azure AD)
  • ‘Application Administrator’ administrative role assigned (Azure AD)
  • Admin access to on-premises Active Directory Users and Computers (Local AD)

Azure AD Configuration

Create an Application

1. Log into Azure AD: https://aad.portal.azure.com

2. Go to Applications → Enterprise applications

3. Click on the “New application” button

4. Click on the “Create your own application” button

5. Enter a (unique) name for the app + select the “Integrate any other application you don't find in the gallery (Non-gallery)” option, then click on the “Create” button

Tip: For the purposes of this article, we have used ‘WM Platform SSO’ as the name. However, we recommend using a name that is unique/specific to your World Manager platform.

Configure SAML SSO

1. Go to Manage → Single sign-on

2. Click on the “SAML” method

3. In the “Basic SAML Configuration” section, click on the “Edit” button

4. Complete the following details (below), then click on the “Save” button:

  • Identifier (Entity ID)
    • Click on the “Add identifier” link
    • In the text field, enter: https://<YourPlatformUrl>/login/saml/metadata/microsoft
  • Reply URL (Assertion Consumer Service URL)
    • Click on the “Add reply URL” link
    • In the text field, enter: https://<YourPlatformUrl>/login/saml/microsoft
  • Sign on URL
    • In the text field, enter: https://<YourPlatformUrl>/login/saml/microsoft

Attributes & Claims

1. In the “Attributes & Claims” section, click on the “Edit” button

2. Action the following (below) to the existing claims that are auto-generated:

  • emailaddress
    • Click on this claim (to edit)
    • In the ‘Name’ field, replace the current value with email
    • In the ‘Namespace’ field, delete the current value
    • Click on the ‘Choose name format’ section (to expand), then action the following (below):
      • In the ‘Name format’ drop-down, select the “Unspecified” option
    • In the ‘Source attribute’ drop-down, select the applicable identifier value you wish to use

Tip: You can use any applicable source attribute you wish to be the identifier value. For the purposes of this article, we have used the (default) email address value (user.mail).

  • givenname
    • Click on this claim (to edit)
    • In the ‘Name’ field, replace the current value with firstName
    • In the ‘Namespace’ field, delete the current value
    • Click on the ‘Choose name format’ section (to expand), then action the following (below):
      • In the ‘Name format’ drop-down, select the “Unspecified” option
    • In the ‘Source attribute’ drop-down, leave the current value (user.givenname)
  • name
    • Click on the 3-dot menu, then click on the “Delete” option
    • In the confirmation prompt that appears, click on the “OK” button
  • surname
    • Click on this claim (to edit)
    • In the ‘Name’ field, replace the current value with lastName
    • In the ‘Namespace’ field, delete the current value
    • Click on the ‘Choose name format’ section (to expand), then action the following (below):
      • In the ‘Name format’ drop-down, select the “Unspecified” option
    • In the ‘Source attribute’ drop-down, leave the current value (user.surname)

If amended correctly, you should be left with something like this:

Important: To ensure correct functionality, all attribute names must be entered exactly as specified.

Note: The value under the 'Required claim' section cannot be removed. However, it is not required anyway and will be ignored.

3. Action the following (below) to create new (additional) claims:

  • groupUuids
    • Click on the “Add new claim” button
    • In the ‘Name’ field, enter groupUuids
    • Click on the ‘Choose name format’ section (to expand), then action the following (below):
      • In the ‘Name format’ drop-down, select the “Unspecified” option
    • In the ‘Source attribute’ drop-down, select one of the extension attribute values

Tip: You can use any available extension attribute you wish to be used for this particular value. For the purposes of this article, we have used user.extensionattribute1 to enter a Group UUID value into.

  • countryUuids
    • Click on the “Add new claim” button
    • In the ‘Name’ field, enter countryUuids
    • Click on the ‘Choose name format’ section (to expand), then action the following (below):
      • In the ‘Name format’ drop-down, select the “Unspecified” option
    • In the ‘Source attribute’ drop-down, select one of the extension attribute values

Tip: You can use any available extension attribute you wish to be used for this particular value. For the purposes of this article, we have used user.extensionattribute2 to enter a Country UUID value into.

  • areaUuids
    • Click on the “Add new claim” button
    • In the ‘Name’ field, enter areaUuids
    • Click on the ‘Choose name format’ section (to expand), then action the following (below):
      • In the ‘Name format’ drop-down, select the “Unspecified” option
    • In the ‘Source attribute’ drop-down, select one of the extension attribute values

Tip: You can use any available extension attribute you wish to be used for this particular value. For the purposes of this article, we have used user.extensionattribute3 to enter an Area UUID value into.

  • storeUuids
    • Click on the “Add new claim” button
    • In the ‘Name’ field, enter storeUuids
    • Click on the ‘Choose name format’ section (to expand), then action the following (below):
      • In the ‘Name format’ drop-down, select the “Unspecified” option
    • In the ‘Source attribute’ drop-down, select one of the extension attribute values

Tip: You can use any available extension attribute you wish to be used for this particular value. For the purposes of this article, we have used user.extensionattribute4 to enter a Store UUID value into.

Important: The attributes you choose to use must be available for selection in your enterprise app, as well as for editing in your users' properties. This is why we have used the (default) extension attributes.

Once finished, you should be left with something like this:

Important: To ensure correct functionality, all attribute names must be entered exactly as specified.

Note: The value under the 'Required claim' section cannot be removed. However, it is not required anyway and will be ignored.
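As an added example (not part of this article or of the World Manager platform), this PowerShell snippet checks a decoded SAML assertion against the claim names configured above, which must match exactly. The assertion XML and the Test-WmSamlClaims function are constructed for illustration; in practice you would paste in the assertion from a test sign-in.

```powershell
# Added example, not from the article: check a decoded SAML assertion against the claim
# names configured above. $assertionXml is a constructed sample with two deliberate faults:
# the 'email' claim still carries Azure's default namespace, and 'storeUuids' is not a UUID.
$assertionXml = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AttributeStatement>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="groupUuids"><saml:AttributeValue>3f2a9c1e-5b7d-4e8a-9c0b-1d2e3f4a5b6c</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="storeUuids"><saml:AttributeValue>not-a-uuid</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>
'@

function Test-WmSamlClaims {
    param([string]$Xml)
    $allowed  = 'email','firstName','lastName','groupUuids','countryUuids','areaUuids','storeUuids'
    $required = 'email','firstName','lastName','groupUuids'   # location UUID claims depend on the role
    $unspec   = 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified'
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $problems = @(); $seen = @{}
    foreach ($attr in $doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        $name = $attr.GetAttribute('Name'); $seen[$name] = $true
        $fmt  = $attr.GetAttribute('NameFormat')   # an absent NameFormat means 'unspecified' in SAML 2.0
        if ($allowed -notcontains $name) {
            $problems += "unexpected claim name '$name' (namespace not cleared, or name mistyped?)"
            continue
        }
        if ($fmt -and ($fmt -ne $unspec)) { $problems += "claim '$name' uses NameFormat '$fmt', expected Unspecified" }
        if ($name -like '*Uuids') {
            foreach ($v in $attr.SelectNodes('saml:AttributeValue', $ns)) {
                $g = [guid]::Empty
                if (-not [guid]::TryParse($v.InnerText, [ref]$g)) { $problems += "claim '$name' value '$($v.InnerText)' is not a UUID" }
            }
        }
    }
    foreach ($r in $required) { if (-not $seen.ContainsKey($r)) { $problems += "required claim '$r' is missing" } }
    return $problems
}

Test-WmSamlClaims -Xml $assertionXml   # one line per problem found; no output means the claims match
```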

SAML Certificates

1. Under the ‘SAML Certificates’ section, action the following (below):

  • Under the ‘Certificate (Base64)’ field, click on the “Download” link

Important: Keep this information handy, as it will be required in later steps.

Set up Enterprise App Name SSO

1. Under the ‘Set up Enterprise App Name SSO’ section, action the following (below):

  • Under the ‘Login URL’ field, click on the copy (double page) icon
  • Under the ‘Azure AD Identifier’ field, click on the copy (double page) icon

Important: Keep this information handy, as these values will be required in later steps.

Assign Users/Groups to App

1. Go to Manage → Users and groups


2. Click on the “Add user/group” button

3. Under the ‘’ section, click on the “None selected” link

4. In the text field, enter the name of a user or group you wish to add to the role, then click on the result that appears (to add)

5. Repeat step 4 to assign the app for all applicable users/groups

6. Click on the “Select” button (when finished)

7. Click on the “Assign” button (to save)

Local AD Configuration

Assign UUID Values

Whilst a majority of the AD-related SSO details are configured within Azure AD (cloud-based), some values, relating to group & location UUID data, can only be entered in your Local AD (on-premises). This is because Azure AD does not allow you to create custom attributes/claims that are available in both the enterprise app and user properties - which is a requirement.

Follow these instructions to assign the applicable group, country, area and/or store UUID values (related to your World Manager platform) to users in your Local AD.

1. Log into your Domain Controller server

2. Open the 'Active Directory Users and Computers' (ADUC) tool

3. Find + open the properties of a user you wish to configure UUID data for

4. Click on the ‘Attribute Editor’ tab

Tip: If you cannot see the ‘Attribute Editor’ tab, close the user's properties, then go to View → Advanced Features. Wait for the ADUC tool to reload, then continue (again) from step 3.

5. Action the following (below):

  • Group UUIDs
    • Find + double-click on the msDS-cloudExtensionAttribute1 attribute (to edit)
    • In the ‘Value’ field, enter a valid Group UUID value
    • Click on the “OK” button

Tip: Currently, it is not possible to obtain Group UUID data from within the platform. Please either contact our Support Team, or use our SOAP API.

  • Country UUIDs
    • Find + double-click on the msDS-cloudExtensionAttribute2 attribute (to edit)
    • In the ‘Value’ field, enter a valid Country UUID value
    • Click on the “OK” button
  • Area UUIDs
    • Find + double-click on the msDS-cloudExtensionAttribute3 attribute (to edit)
    • In the ‘Value’ field, enter a valid Area UUID value
    • Click on the “OK” button
  • Store UUIDs
    • Find + double-click on the msDS-cloudExtensionAttribute4 attribute (to edit)
    • In the ‘Value’ field, enter a valid Store UUID value
    • Click on the “OK” button

Note: You can view these extension attribute values within Azure AD. To do so, access a user's account, click on the ‘Properties’ tab, then click on the “View” link under the Extension attributes field. If you cannot see the “View” link, then it's likely these fields are not included in the sync via the ‘Azure AD Connect’ app (which they should be). 

6. Click on the “Apply” + “OK” buttons (to save)

7. Repeat steps 3 through 6 to assign UUID values for all applicable accounts
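As an added example (not part of this article), the following PowerShell applies steps 3 to 7 to a list of accounts at once using the ActiveDirectory module's Set-ADUser, then reads the attributes back for comparison with Azure AD after sync. The account names, UUID values and the Set-WmUserUuids function are constructed for illustration, and the script assumes a Group UUID is needed for every account (check the UUID Data Requirement section for your roles).

```powershell
# Added example, not from the article: assign the four UUID attributes to several accounts in
# one pass with the ActiveDirectory module, instead of editing each user by hand in ADUC.
# $assignments is constructed sample data; an empty value means that level is not needed for the role.
Import-Module ActiveDirectory

$assignments = @(
    [pscustomobject]@{ Sam = 'jdoe';   GroupUuid = '3f2a9c1e-5b7d-4e8a-9c0b-1d2e3f4a5b6c'; CountryUuid = ''; AreaUuid = ''; StoreUuid = '7b1c2d3e-4f5a-4b6c-8d9e-0f1a2b3c4d5e' }
    [pscustomobject]@{ Sam = 'asmith'; GroupUuid = '3f2a9c1e-5b7d-4e8a-9c0b-1d2e3f4a5b6c'; CountryUuid = '9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b'; AreaUuid = ''; StoreUuid = '' }
)

# Same attribute mapping as the steps above (msDS-cloudExtensionAttributeN -> user.extensionattributeN after sync)
$attrMap = [ordered]@{
    GroupUuid   = 'msDS-cloudExtensionAttribute1'
    CountryUuid = 'msDS-cloudExtensionAttribute2'
    AreaUuid    = 'msDS-cloudExtensionAttribute3'
    StoreUuid   = 'msDS-cloudExtensionAttribute4'
}

function Set-WmUserUuids {
    param([pscustomobject]$Row, [switch]$WhatIf)
    if (-not $Row.GroupUuid) { throw "$($Row.Sam): a Group UUID is assumed to be required for every account" }
    $replace = @{}; $clear = @()
    foreach ($kind in $attrMap.Keys) {
        $value = $Row.$kind
        if ($value) {
            $g = [guid]::Empty
            if (-not [guid]::TryParse($value, [ref]$g)) { throw "$($Row.Sam): $kind '$value' is not a valid UUID" }
            $replace[$attrMap[$kind]] = $value
        } else {
            $clear += $attrMap[$kind]   # clear levels the role does not use so no stale UUID is sent in the claim
        }
    }
    $params = @{ Identity = $Row.Sam; Replace = $replace }
    if ($clear.Count -gt 0) { $params['Clear'] = $clear }
    Set-ADUser @params -WhatIf:$WhatIf
}

foreach ($row in $assignments) { Set-WmUserUuids -Row $row }

# Read back what was written; compare with the Extension attributes view in Azure AD once Azure AD Connect has synced
$props = @('SamAccountName') + @($attrMap.Values)
foreach ($row in $assignments) { Get-ADUser -Identity $row.Sam -Properties $props | Select-Object -Property $props }
```

Run Set-WmUserUuids with -WhatIf first to see the attribute changes without writing them.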

UUID Data Requirement

To successfully authenticate a user via SSO, a minimum set of UUID data must be provided, which depends on the role of the user's account group. The table below outlines the data required per role:

Role(s) Group UUID Country UUID Area UUID Store UUID
World Manager      
National Manager    
Area Manager    
General Manager, Store Manager, Employee    

To elaborate on the above, if you were creating a ‘Store Manager’ account, you would only need to provide valid ‘Group UUID’ and ‘Store UUID’ values. The ‘Country UUID’ and ‘Area UUID’ values are not required.

World Manager Configuration

Contact Support

All SSO-related configuration on the World Manager end is handled by the Support Team and is not visible within the platform. So, whenever you are ready to enable this authentication method, please send an email to wmsupport@franconnect.com with the following details:

  • SAML Certificate (Base64) file
  • ‘Login URL’ value
  • ‘Azure AD Identifier’ value

Note: These values are from the 'SAML Certificates' and 'Set up Enterprise App Name SSO' sections that you were previously instructed to download/copy.

