Configuring Single Sign-On Authentication With Azure Active Directory

Learn how to configure Single Sign-On using SAML protocol in Azure Active Directory to authenticate users to your Staffbase platform.

In this article, you will learn how to set up Single Sign-On (SSO) using the SAML protocol in Azure Active Directory (Azure AD). SSO is an authentication method that allows users access to multiple applications with a single account. This will allow you to onboard your users using SSO and let them access the Staffbase platform using the same credentials they use to access other platforms in your organization.

SSO is optional for user management. You can choose an option based on your business requirements. Learn more about other options.

Prerequisites

  • You have an Azure AD tenant.
  • You have one of the following permissions to configure provisioning in Azure AD:
    • Application Administrator
    • Cloud Application Administrator
    • Global Administrator

Creating an Enterprise Application

You need to create an enterprise application in Azure AD to set up SSO.

Staffbase recommends creating a dedicated application to maintain users for your Staffbase platform. If you want to configure SCIM for user provisioning, you are able to use a single enterprise application for both SSO and SCIM for your user management.
  1. In Microsoft Azure, under Azure services, click Azure Active Directory.
    Azure AD Directory
  2. Navigate to Enterprise applications.
  3. Click New application.
  4. Click Create your own application.
    The Create your own application dialog opens.
    Create Your Own Application
  5. Provide a name for the application. For example, Staffbase SSO or something similar to help you instantly identify the application.
  6. Select Integrate any other application you don't find in the gallery (Non-gallery).
  7. Click Create.
    You have created an application to authenticate users using SSO.

Assigning Users

After creating the enterprise application, you can decide on which Azure AD users need access to the Staffbase platform using SSO.

Staffbase recommends adding a few users initially to test that everything works as expected.
  1. In the enterprise application you created, click Users and groups.
    Users and Groups

The Users and groups page opens.

  1. Click Add user/group.

    Add User

  2. Click None Selected.
    The Users and groups dialog opens.

  3. Search for the user or group you want to add and click Select.

    Search User

  4. Click Assign.
    You have assigned users or groups to the application.

Setting up SSO With SAML

Once you have created the application, you need to define the SAML protocol.
Learn how the Microsoft identity platform uses the SAML protocol.

Select SAML Method

  1. In the enterprise application, navigate to Overview.
  2. Under Set up single sign on, click Get Started.
    Set up SSO
  3. Select SAML as the single sign-on method.
    SAML

The Set up Single Sign-On with SAML page opens.

To continue the setup process, you will need to work closely with the Staffbase Support team. First, contact the team and inform them that you're setting up SSO with Azure AD. You will receive the information needed to proceed with the setup and have to provide them with the information listed below.

Exchange Information With Staffbase Support

To continue setting up SSO with SAML, you need to:

Receive Information From Staffbase

You will receive the following to complete the SSO setup:

  • Reply URL (Assertion Consumer Service URL): The Reply URL directs Azure AD where to send its SAML Response after authenticating a user.
  • Identifier (Entity ID): The Identifier acts as a unique identifier for your Staffbase platform domain in Azure AD.

Provide Staffbase Your Enterprise Application Details

Provide the following information to Staffbase:

  • App Federation Metadata Url
You can copy App Federation Metadata Url from Set up Single Sign-On with SAML page under ​​the SAML Signing Certificate section.
App Federation Metadata URL
For now, you can ignore the warning that you need to complete Step 1 before adjusting the other Steps. You will get the details in order to complete the other steps after you provide all the required information to Staffbase Support.
  • Your Azure AD session lifetime
If the session lifetime is not configured, you are using the default session lifetime. Learn more here.
Staffbase recommends disabling persistent browser sessions, as they could lead to sign-in issues for users with older sessions. Notify your Staffbase Support team if it cannot be disabled.
  • On-demand provisioning with SSO
    If you want to use SSO for on-demand provisioning, you need to configure additional fields for SAML Claims. You need to inform the Staffbase Support team the following information, so that they add it to their system:
    • The profile field you would like the field mapped to
    • Any additional claims you have added
Staffbase recommends to keep on-demand provisioning with other user management strategies separate. For example, if you are already using CSV import or User API for onboarding your users, you do not need on-demanding provisioning with SSO.

Complete the SSO Configuration

After receiving the information from Staffbase, you can complete the SSO configuration.

Step 1: Basic SAML Configuration

  1. In the Set up Single Sign-On with SAML page, click Edit under Basic SAML Configuration.
    Basic SAML Configuration
  2. Enter the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) you received from Staffbase.

Step 2: Attributes & Claims

  1. Under SAML Signing Certificate, click Edit.
    The Attributes & Claims page opens.
    Attribute And Claims
You can modify a claim and adjust its values according to your business requirements.
At minimum, you need the following claims configured:
  • Unique User Identifier (Name ID)
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
The Unique User Identifier (Name ID) value and the identifier in your Staffbase platform must match for each user using SSO.
If you want to use a different value from the one already in place for your users in your Staffbase platform, you will need to update the user identifiers in your Staffbase platform first. In such a case, ensure that all future user management also includes these new identifiers.
  1. Click Add new claim.
    The Manage claim dialog opens.
    Manage Claims
You need to add a new claim only if you want to use SSO for on-demand provisioning.
  1. Provide a name and assign a Source attribute for the claim.

Step 3: SAML Signing Certificate

The values are auto-filled based on your enterprise application and Azure AD tenant.

Step 4: Set up

The values are auto-filled based on your enterprise application and Azure AD tenant.

Step 5: Test single sign-on

  1. Under Test single sign-on, click Test.
  2. Select a way to test sign in and click Test sign in. The sign in page opens for you to test.
  3. Ensure the sign in functions as expected.

Assigning All Users

After testing the SSO authentication works as expected, you can add all users in Azure AD to the enterprise application.

  1. In the enterprise application you created, click Properties.

  2. Set Assignment required? to No.

    AssignAllUsers

  3. Click Save.

You have configured and enable SSO for your Staffbase platform.

Additonal Helpful Information