How to setup SSO with Azure AD-SAML2

 About the article

Even though most organizations opt-in for setting up Single Sign On (SSO) on AzureAD by onboarding Templafy OpenID Connect Application, there is a possibility to select a Gallery Application that supports SAML2 protocol instead. This article describes how an organization can set up SSO on Azure AD utilizing SAML2 protocol and how are the two Gallery Apps different.

You will find the following main sections in this support article: 

• Difference between OpenID Connect and SAML2
• Templafy's Metadata
• Single Sign-On (Basic SAML) configuration
• User Attributes & Claims
• Can I restrict access to Templafy?

 

Prerequisite

Global Administrator rights on your Azure AD No line breaks in the AD claims sent to Templafy. Line-breaks are common in AD claims such as a street name or address, they will cause SAML2 authentication to fail

 

Difference between OpenID Connect and SAML2

Unlike OpenID Connect, SAML2: 

Does not require any special permissions to be granted to our App Offers more freedom when setting up the claims/mappings Allows for 15 extra (custom) claims (only in Templafy Hive, not Templafy One) on top of the standard ones to be configured and passed onto Templafy in the SAML2 response Has a hard cap of 149 group claims. If more groups are needed please default to the OpenID Connect protocol. More information can be found at Microsoft. SAML2 only returns the "country" claim if it is present and the value of the field is a standard two-letter country / region code, such as FR, JP, SZ, DE etc. More information can be found at Microsoft.

 

Templafy's Metadata

Use the below metadata in your Azure AD application

Templafy Hive
Metadata URL	Prod0: https://templafyprod0.auth.templafy.com/auth/saml2/auth-services West Europe: https://templafyprod1.auth.templafy.com/auth/saml2/auth-services East US: https://templafyprod2.auth.templafy.com/auth/saml2/auth-services East Australia: https://templafyprod3.auth.templafy.com/auth/saml2/auth-services Canada: https://templafyprod4.auth.templafy.com/auth/saml2/auth-services
Identifier (Entity ID)	https://auth.templafy.com/auth/saml2/auth-services
Reply URL	Prod0: https://templafyprod0.auth.templafy.com/auth/saml2/auth-services/Acs West Europe: https://templafyprod1.auth.templafy.com/auth/saml2/auth-services/Acs East US: https://templafyprod2.auth.templafy.com/auth/saml2/auth-services/Acs East Australia: https://templafyprod3.auth.templafy.com/auth/saml2/auth-services/Acs Canada: https://templafyprod4.auth.templafy.com/auth/saml2/auth-services/Acs
Sign on URL	https://CLIENTSUBDOMAIN.hive.templafy.com or https://CLIENTSUBDOMAIN.templafy.com
Hash function to use for digital signing at IdP	SHA-256
User Identifier	mail

 

Templafy One Templafy One is the original Templafy platform, all new customers will use Templafy Hive (above)
Metadata URL	https://app.templafy.com/AuthServices
Identifier (Entity ID)	https://app.templafy.com/AuthServices
Reply URL	https://app.templafy.com/AuthServices/Acs
Sign on URL	https://CLIENTSUBDOMAIN.templafy.com
Hash function to use for digital signing at IdP	SHA-256
User Identifier	mail

 

Single Sign-On (Basic SAML) configuration

1. With your Global Admin credentials login to https://portal.azure.com/
   1. If you are using a Microsoft test account, make sure to create a Microsoft 365 Enterprise Demo Content Tenant account.
2. Navigate to Azure Active Directory --> Enterprise Applications
3. Click the plus sign next to New Application.
4. In the Gallery use the search function to look up Templafy SAML2
   

    

   
   
   
5. Click Add
6. Wait for the App the be added to your directory and then navigate to Single sign-on section of the Application
7. Click SAML to enable SAML2 protocol
   
   
   
   
8. Under Basic SAML Configuration, click the edit symbol
   
   
   
   
9. Add the information according to Templafy's Metadata section of the article and click Save.
   
   

 

User Attributes & Claims

1. Under User Attributes & Claims, click the edit symbol
   
   
   
   
2. Click Add new claim
   
   
   
   
3. Write displayname in the Name field
4. Copy over http://schemas.templafy.com/2016/06/identity/claims into Namespace
5. ChooseAttribute as Source
6. Select user.displayname as Source attribute
7. Hit Save
   
   
   
   
8. Continue to do so in a similar manner to set up all claims (you want us to receive) based on the below table:

Name	Namespace	Source attribute
emailaddress	http://schemas.xmlsoap.org/ws/2005/05/identity/claims	user.mail
nameidentifer	http://schemas.xmlsoap.org/ws/2005/05/identity/claims	user.userprincipalname
givenname	http://schemas.xmlsoap.org/ws/2005/05/identity/claims	user.givenname
surname	http://schemas.xmlsoap.org/ws/2005/05/identity/claims	user.surname
displayname	http://schemas.templafy.com/2016/06/identity/claims	user.displayname
streetaddress	http://schemas.xmlsoap.org/ws/2005/05/identity/claims	user.streetaddress
city	http://schemas.templafy.com/2016/06/identity/claims	user.city
postalcode	http://schemas.xmlsoap.org/ws/2005/05/identity/claims	user.postalcode
stateorprovince	http://schemas.xmlsoap.org/ws/2005/05/identity/claims	user.state
country	http://schemas.xmlsoap.org/ws/2005/05/identity/claims	user.country
jobtitle	http://schemas.templafy.com/2016/06/identity/claims	user.jobtitle
department	http://schemas.templafy.com/2016/06/identity/claims	user.department
phonenumber	http://schemas.templafy.com/2016/06/identity/claims	user.telephonenumber
mobilephone	http://schemas.xmlsoap.org/ws/2005/05/identity/claims	user.mobilephone
facsimilenumber	http://schemas.templafy.com/2016/06/identity/claims	user.facsimiletelephonenumber
preferredlanguage	http://schemas.templafy.com/2016/06/identity/claims	user.preferredlanguage
companyname	http://schemas.templafy.com/2016/06/identity/claims	user.companyname
customclaim1	http://schemas.templafy.com/2016/06/identity/claims	user.<optional value>
customclaim2	http://schemas.templafy.com/2016/06/identity/claims	user.<optional value>
customclaim3	http://schemas.templafy.com/2016/06/identity/claims	user.<optional value>

 

 

Group Claim

1. Click Add a group claim
   
   
   
   
2. Select what type of groups shall be returned in the claim
3. Keep the Group ID as the source attribute
4. Make sureCustomize the name of the group claim and  Emit groups as role claims are checked
5. Hit Save

Group claims are by default send with their "Group ID". It is possible to send the friendly name of a group by selecting "sAMAccountName" as the source attribute. However, that comes with the Microsoft pre-requisite that groups must be synchronized from an on-premise Active Directory using AAD Connect Sync 1.2.70.0 or above. Please note that this setting will result in only clear names being received on the Templafy side and Group Object IDs will not be received anymore.

 

Can I restrict access to Templafy?

Templafy SAML2 App by default requires Users to be assigned to this App before they can successfully authenticate to Templafy. Should you want to disable the restriction access to Templafy, you would need to set User assignment required to No. Should you want to restrict access to Templafy to only subset of users in your organization, you can follow instructions outlined in the below support article.

Please note, if User assignment required is set to Noall users, including potential guest accounts, may have access to the application.

 

 

Congratulations! You have now completed the setup on your side. 

 

Now that your task is completed, let your Templafy Implementation Partner finalise the SSO setup on Templafy's side of things by emailing the URL from the App Federation  Metadata Url to them or support@templafy.com

 

 

Related articles

How to restrict access to a set of users/groups in Azure AD SAML2 authentication guide