About the article
Most organizations set up Single Sign-On (SSO) on Azure AD by onboarding the Templafy OpenID Connect gallery application, but it is also possible to select a gallery application that uses the SAML2 protocol instead. This article describes how an organization can set up SSO on Azure AD using SAML2 and how the two gallery applications differ.
You will find the following main sections in this support article:
- Difference between OpenID Connect and SAML2
- Templafy's Metadata
- Single Sign-On (Basic SAML) configuration
- User Attributes & Claims
- Can I restrict access to Templafy?
Prerequisite
Difference between OpenID Connect and SAML2
Unlike OpenID Connect, SAML2:
Templafy's Metadata
Use the metadata below in your Azure AD application. These values apply to Templafy One, the original Templafy platform; all new customers use Templafy Hive.

| Setting | Value |
| --- | --- |
| Metadata URL | https://app.templafy.com/AuthServices |
| Identifier (Entity ID) | https://app.templafy.com/AuthServices |
| Reply URL | https://app.templafy.com/AuthServices/Acs |
| Sign on URL | https://CLIENTSUBDOMAIN.templafy.com (replace CLIENTSUBDOMAIN with your tenant's subdomain) |
| Hash function to use for digital signing at IdP | SHA-256 |
| User Identifier | |
Single Sign-On (Basic SAML) configuration
- With your Global Admin credentials, log in to https://portal.azure.com/
- If you are using a Microsoft test account, make sure to create a Microsoft 365 Enterprise Demo Content Tenant account.
- Navigate to Azure Active Directory --> Enterprise Applications
- Click the plus sign next to New Application.
- In the Gallery, use the search function to look up Templafy SAML2
- Click Add
- Wait for the App to be added to your directory and then navigate to the Single sign-on section of the Application
- Click SAML to enable the SAML2 protocol
- Under Basic SAML Configuration, click the edit symbol
- Add the information according to the Templafy's Metadata section of this article and click Save.
User Attributes & Claims
- Under User Attributes & Claims, click the edit symbol
- Click Add new claim
- Write displayname in the Name field
- Copy http://schemas.templafy.com/2016/06/identity/claims into Namespace
- Choose Attribute as Source
- Select user.displayname as Source attribute
- Hit Save
- Repeat these steps for every claim you want Templafy to receive, using the table below. Azure AD emits each attribute with the name <Namespace>/<Name>, so the namespace must match the table exactly for Templafy to recognize the claim.
| Name | Namespace | Source attribute |
| --- | --- | --- |
| emailaddress | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.mail |
| nameidentifier | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.userprincipalname |
| givenname | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.givenname |
| surname | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.surname |
| displayname | http://schemas.templafy.com/2016/06/identity/claims | user.displayname |
| streetaddress | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.streetaddress |
| city | http://schemas.templafy.com/2016/06/identity/claims | user.city |
| postalcode | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.postalcode |
| stateorprovince | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.state |
| country | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.country |
| jobtitle | http://schemas.templafy.com/2016/06/identity/claims | user.jobtitle |
| department | http://schemas.templafy.com/2016/06/identity/claims | user.department |
| phonenumber | http://schemas.templafy.com/2016/06/identity/claims | user.telephonenumber |
| mobilephone | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.mobilephone |
| facsimilenumber | http://schemas.templafy.com/2016/06/identity/claims | user.facsimiletelephonenumber |
| preferredlanguage | http://schemas.templafy.com/2016/06/identity/claims | user.preferredlanguage |
| companyname | http://schemas.templafy.com/2016/06/identity/claims | user.companyname |
| customclaim1 | http://schemas.templafy.com/2016/06/identity/claims | user.<optional value> |
| customclaim2 | http://schemas.templafy.com/2016/06/identity/claims | user.<optional value> |
| customclaim3 | http://schemas.templafy.com/2016/06/identity/claims | user.<optional value> |
Group Claim
- Click Add a group claim
- Select what type of groups shall be returned in the claim
- Keep Group ID as the source attribute
- Make sure Customize the name of the group claim and Emit groups as role claims are checked
- Hit Save
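To see what the attribute and group claims configured above look like once Azure AD has emitted them, and which checks a service provider makes before trusting them, here is an added Python example. It is not Templafy's or Microsoft's code. It builds a constructed, fictional Azure AD-shaped SAML Response (the signature value is a placeholder and no XML signature is verified; a real SP must validate the signature against the IdP certificate first), then maps the attributes back onto the claim names in the table, checks the audience against the Entity ID, the Destination against the Reply URL, and the signature algorithm against the SHA-256 requirement from the metadata table. The group claim name `groups` under the Templafy namespace and the treatment of nameidentifier as the one required claim are assumptions for the example.

```python
"""Inspect what Templafy's ACS receives from the Azure AD SAML2 app.

Added example, not Templafy's or Microsoft's code. build_sample_response()
constructs a fictional, unsigned assertion so the script runs offline; the
SignatureValue is a placeholder and no XML signature is verified here.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}

WS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
TF = "http://schemas.templafy.com/2016/06/identity/claims"

ENTITY_ID = "https://app.templafy.com/AuthServices"   # Identifier from the metadata table
ACS_URL = "https://app.templafy.com/AuthServices/Acs"  # Reply URL from the metadata table
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Claim name -> namespace, from the claims table. Azure AD emits each
# attribute's Name as "<namespace>/<name>".
CLAIMS = {
    "emailaddress": WS, "nameidentifier": WS, "givenname": WS, "surname": WS,
    "displayname": TF, "streetaddress": WS, "city": TF, "postalcode": WS,
    "stateorprovince": WS, "country": WS, "jobtitle": TF, "department": TF,
    "phonenumber": TF, "mobilephone": WS, "facsimilenumber": TF,
    "preferredlanguage": TF, "companyname": TF,
    "customclaim1": TF, "customclaim2": TF, "customclaim3": TF,
}
# Assumption: the group claim was renamed to "groups" in the Templafy namespace
# via "Customize the name of the group claim".
GROUP_CLAIM = f"{TF}/groups"
# Assumption: nameidentifier is the minimum the SP needs to identify the user.
REQUIRED = ("nameidentifier",)


def build_sample_response(attributes, groups=(), sig_alg=RSA_SHA256,
                          audience=ENTITY_ID, destination=ACS_URL):
    """Constructed sample only: an Azure AD-shaped Response with a placeholder signature."""
    attr_xml = ""
    for name, namespace in CLAIMS.items():
        if name in attributes:
            attr_xml += (f'<saml:Attribute Name="{namespace}/{name}">'
                         f"<saml:AttributeValue>{escape(attributes[name])}</saml:AttributeValue>"
                         "</saml:Attribute>")
    if groups:
        attr_xml += f'<saml:Attribute Name="{GROUP_CLAIM}">' + "".join(
            f"<saml:AttributeValue>{escape(g)}</saml:AttributeValue>" for g in groups
        ) + "</saml:Attribute>"
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" Destination="{destination}">'
        "<saml:Assertion>"
        f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
        f'<ds:SignatureMethod Algorithm="{sig_alg}"/></ds:SignedInfo>'
        "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
        "<saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


def parse_response(xml_text):
    """Return destination, signature algorithm, audiences and raw attributes."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "destination": root.get("Destination"),
        "signature_algorithm": method.get("Algorithm") if method is not None else None,
        "audiences": [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "attributes": attrs,
    }


def map_claims(attrs):
    """Translate full attribute names back into the short claim names of the table."""
    claims = {}
    for name, namespace in CLAIMS.items():
        values = attrs.get(f"{namespace}/{name}")
        if values:
            claims[name] = values[0]
    claims["groups"] = attrs.get(GROUP_CLAIM, [])
    return claims


def validate(xml_text):
    """Checks an SP makes before trusting the mapped claims (signature verification aside)."""
    parsed = parse_response(xml_text)
    claims = map_claims(parsed["attributes"])
    problems = []
    if parsed["signature_algorithm"] != RSA_SHA256:
        problems.append(f"signature algorithm is {parsed['signature_algorithm']}, not RSA-SHA256")
    if ENTITY_ID not in parsed["audiences"]:
        problems.append("audience does not match Templafy's Entity ID")
    if parsed["destination"] != ACS_URL:
        problems.append("Destination does not match Templafy's Reply URL")
    problems += [f"required claim {r} missing" for r in REQUIRED if r not in claims]
    return {"ok": not problems, "problems": problems, "claims": claims}


if __name__ == "__main__":
    user = {"nameidentifier": "jane.doe@example.com", "emailaddress": "jane.doe@example.com",
            "givenname": "Jane", "surname": "Doe", "displayname": "Jane Doe", "city": "Copenhagen"}
    print(validate(build_sample_response(user, groups=["legal"])))
    print(validate(build_sample_response(user, sig_alg=RSA_SHA1))["problems"])
```

Running the script shows the mapped claims for a well-formed assertion, then the rejection an SP should produce when the IdP signs with SHA-1 instead of the SHA-256 the metadata asks for. The same `validate` call flags a missing nameidentifier and an assertion minted for a different audience or reply URL, which is what stops a token issued for another application from being replayed against Templafy's ACS.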
Can I restrict access to Templafy?
By default, the Templafy SAML2 App requires users to be assigned to the App before they can authenticate to Templafy. If you want to remove this restriction, set User assignment required to No. If you want to restrict access to Templafy to only a subset of users in your organization, follow the instructions in the support article linked below.
Please note that if User assignment required is set to No, all users in the directory, including any guest accounts, may be able to access the application.
Congratulations! You have now completed the setup on your side.