How to setup SSO with Microsoft Entra ID - SAML2

This article describes how an organization sets up single sign-on (SSO) to Templafy from Microsoft Entra ID using the SAML2 protocol.

  Prerequisites

  • Global Administrator rights on your Microsoft Entra ID tenant (Cloud Application Administrator is sufficient for the steps below and is the less privileged choice).

Single Sign-On Configuration

  1. Navigate to https://portal.azure.com/.

      Note

    If you are using a Microsoft test account, make sure to create a Microsoft 365 Enterprise Demo Content Tenant account.

  2. Navigate to Microsoft Entra ID --> Enterprise Applications.
  3. Click the plus sign next to New application.
  4. In the Gallery use the search function to find Templafy SAML2.
  5. Click on the app and click Create.
  6. Wait for the app to be added to your directory, then navigate to the Single sign-on section of the application.
  7. Click SAML to enable SAML2 protocol.
  8. Under Basic SAML Configuration, click Edit.
  9. Add the information according to Templafy's Metadata below, then click Save.

      Note

    Use the Metadata URL and Reply URL of the cluster your Templafy tenant is hosted on; the Identifier (Entity ID) is the same for all clusters.

Basic SAML Configuration values

Metadata URL (Templafy's SP metadata; download it and use Upload metadata file, or cross-check the values entered below against it)

  West Europe (Production 0):     https://templafyprod0.auth.templafy.com/auth/saml2/auth-services
  West Europe (Production 1):     https://templafyprod1.auth.templafy.com/auth/saml2/auth-services
  East US (Production 2):         https://templafyprod2.auth.templafy.com/auth/saml2/auth-services
  East Australia (Production 3):  https://templafyprod3.auth.templafy.com/auth/saml2/auth-services
  Canada (Production 4):          https://templafyprod4.auth.templafy.com/auth/saml2/auth-services
  West Europe (Production 5):     https://templafyprod5.auth.templafy.com/auth/saml2/auth-services

Identifier (Entity ID)

  https://auth.templafy.com/auth/saml2/auth-services  (the same value for every cluster)

Reply URL (Assertion Consumer Service URL; this is where Entra ID POSTs the signed assertion, so enter only the URL of your own cluster)

  West Europe (Production 0):     https://templafyprod0.auth.templafy.com/auth/saml2/auth-services/Acs
  West Europe (Production 1):     https://templafyprod1.auth.templafy.com/auth/saml2/auth-services/Acs
  East US (Production 2):         https://templafyprod2.auth.templafy.com/auth/saml2/auth-services/Acs
  East Australia (Production 3):  https://templafyprod3.auth.templafy.com/auth/saml2/auth-services/Acs
  Canada (Production 4):          https://templafyprod4.auth.templafy.com/auth/saml2/auth-services/Acs
  West Europe (Production 5):     https://templafyprod5.auth.templafy.com/auth/saml2/auth-services/Acs

Sign on URL

  https://CLIENTSUBDOMAIN.hive.templafy.com or https://CLIENTSUBDOMAIN.templafy.com, where CLIENTSUBDOMAIN is your Templafy tenant's subdomain

Hash function for digital signing at the IdP (Signing Algorithm under SAML Signing Certificate)

  SHA-256

User Identifier

  mail

User Attributes & Claims

The following claims are preconfigured in the SAML2 application:

Name             Namespace                                              Source attribute
emailaddress     http://schemas.xmlsoap.org/ws/2005/05/identity/claims   user.mail
upn              http://schemas.xmlsoap.org/ws/2005/05/identity/claims   user.userprincipalname
givenname        http://schemas.xmlsoap.org/ws/2005/05/identity/claims   user.givenname
surname          http://schemas.xmlsoap.org/ws/2005/05/identity/claims   user.surname
streetaddress    http://schemas.xmlsoap.org/ws/2005/05/identity/claims   user.streetaddress
city             http://schemas.templafy.com/2016/06/identity/claims     user.city
postalcode       http://schemas.xmlsoap.org/ws/2005/05/identity/claims   user.postalcode
stateorprovince  http://schemas.xmlsoap.org/ws/2005/05/identity/claims   user.state
country          http://schemas.xmlsoap.org/ws/2005/05/identity/claims   user.country
nameidentifier   http://schemas.xmlsoap.org/ws/2005/05/identity/claims   user.userprincipalname

  Important

If a user's userprincipalname and mail differ, change the source attribute of the nameidentifier claim to user.mail so that the NameID carries the same value as the emailaddress claim Templafy identifies the user by. If SCIM provisioning is enabled, apply the same change to the attribute mappings under Provisioning, otherwise the SSO identity and the provisioned user will not match.

  Note

  • country data must contain a standard two-letter (ISO 3166-1 alpha-2) region code (e.g. FR, JP, SZ).
  • Ensure that no claim value sent to Templafy contains a line break (a multi-line streetaddress is a common source), as line breaks cause SAML2 authentication to fail.

Additional claims can be configured within the application using the steps below.

  Note

Up to 15 additional custom claims (customclaim1 to customclaim15) may be configured within the SAML2 application.

  1. Under Single sign-on --> User Attributes & Claims, click Edit.


  2. Click Add new claim and fill in the Name, Namespace, and Source attribute according to the tables below.

The following claims must be reconfigured with the updated namespaces below. Delete the existing claims and create them again with the new namespace.

Name             Namespace                                            Source attribute
jobtitle         http://schemas.templafy.com/2016/06/identity/claims   user.jobtitle
department       http://schemas.templafy.com/2016/06/identity/claims   user.department
phonenumber      http://schemas.templafy.com/2016/06/identity/claims   user.telephonenumber
facsimilenumber  http://schemas.templafy.com/2016/06/identity/claims   user.facsimiletelephonenumber

The following claims are not included by default but are commonly added:

Name                              Namespace                                              Source attribute
displayname                       http://schemas.templafy.com/2016/06/identity/claims     user.displayname
mobilephone                       http://schemas.xmlsoap.org/ws/2005/05/identity/claims   user.mobilephone
preferredlanguage                 http://schemas.templafy.com/2016/06/identity/claims     user.preferredlanguage
companyname                       http://schemas.templafy.com/2016/06/identity/claims     user.companyname
customclaim1 ... customclaim15    http://schemas.templafy.com/2016/06/identity/claims     user.<optional value>

  Note

If displayname is not added, userprincipalname will be used as the Display Name in Templafy.

Group Claims

To send Microsoft Entra ID groups to Templafy, group claims must be configured.

  1. Click Add a group claim.
  2. Select what type of groups shall be returned in the claim.

      Note

    It is recommended to select Groups assigned to the application. This limits the number of groups sent to Templafy (and keeps you under the group claim cap) and avoids disclosing a user's full group membership to an application that only needs a few groups.

  3. Under Advanced options, make sure Customize the name of the group claim and Emit groups as role claims are checked.
  4. Click Save.

  Note

  • Group claims are sent with the group's object ID by default. To send the friendly name of a group instead, select sAMAccountName as the source attribute.
    • Using sAMAccountName has the Microsoft prerequisite that the groups must be synchronized from an on-premises Active Directory using Microsoft Entra Connect Sync 1.2.70.0 or above. With this setting Templafy receives only the friendly names; group IDs are no longer sent, so any existing Templafy configuration that references group IDs will stop matching.
  • Microsoft Entra ID enforces a hard cap of 149 group claims per SAML token. A user who is a member of more groups than the cap receives a group overage claim instead of the group list, so Templafy receives no groups for that user; restricting the claim to Groups assigned to the application keeps the count under the cap.
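
The following Python script is an added example, not Templafy's or Microsoft's code. It inspects a decoded SAML response from Entra ID and reports mismatches against the settings on this page: the Reply URL (Destination and Recipient), the Identifier (Audience), the SHA-256 signing algorithm, the required claims, a NameID that differs from the emailaddress claim, line breaks in claim values, a non-two-letter country, and the group claim cap. Assumptions: the tenant is on cluster Production 0 (West Europe); with Emit groups as role claims checked, the groups arrive under the standard Microsoft role claim name and the groups.link claim is Entra ID's overage indicator; the two sample responses are constructed and unsigned, purely for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
XMLSOAP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# Values from the article, for a tenant hosted on cluster Production 0 (West Europe).
ENTITY_ID = "https://auth.templafy.com/auth/saml2/auth-services"
ACS_URL = "https://templafyprod0.auth.templafy.com/auth/saml2/auth-services/Acs"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
GROUP_CAP = 149
REQUIRED_CLAIMS = (f"{XMLSOAP}/emailaddress", f"{XMLSOAP}/givenname", f"{XMLSOAP}/surname")
# Assumption: with "Emit groups as role claims" checked, Entra ID sends the groups under the
# standard role claim, and sends groups.link instead of the list when a user is over the cap.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

def decode_saml_response(form_value):
    """Decode the base64 SAMLResponse form field captured from the browser's POST to /Acs."""
    return base64.b64decode(form_value).decode("utf-8")

def attribute_values(assertion):
    """Map each claim name to its list of string values from the AttributeStatement."""
    values = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return values

def check_response(xml_text, acs_url=ACS_URL, entity_id=ENTITY_ID):
    """Return findings (empty = matches the article's settings). Content checks only: the
    signature is NOT verified here, that is the SP's job; never trust an unverified assertion."""
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plain <Assertion>: the assertion is encrypted or this is not a SAML response"]
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} is not the Reply URL {acs_url}")
    confirmation = assertion.find(".//saml:SubjectConfirmationData", NS)
    if confirmation is None or confirmation.get("Recipient") != acs_url:
        findings.append("SubjectConfirmationData Recipient is not the Reply URL")
    audience = assertion.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id:
        findings.append(f"Audience {audience!r} is not the Identifier (Entity ID) {entity_id}")
    method = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None or method.get("Algorithm") != RSA_SHA256:
        findings.append("signature algorithm is not RSA-SHA256: set Signing Algorithm to SHA-256")
    attrs = attribute_values(assertion)
    for name in REQUIRED_CLAIMS:
        if name not in attrs:
            findings.append(f"missing claim {name.rsplit('/', 1)[1]}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    email = attrs.get(f"{XMLSOAP}/emailaddress", [""])[0]
    if email and name_id != email:
        findings.append("NameID differs from emailaddress: map nameidentifier to user.mail")
    for name, values in attrs.items():
        if any("\n" in v or "\r" in v for v in values):
            findings.append(f"line break in claim {name.rsplit('/', 1)[1]}: authentication will fail")
    country = attrs.get(f"{XMLSOAP}/country", [None])[0]
    if country is not None and not re.fullmatch(r"[A-Z]{2}", country):
        findings.append(f"country {country!r} is not a two-letter region code")
    if OVERAGE_CLAIM in attrs:
        findings.append("group overage claim present: user is over the group cap, no groups sent")
    groups = len(attrs.get(ROLE_CLAIM, []))
    if groups > GROUP_CAP:
        findings.append(f"{groups} group claims exceed the cap of {GROUP_CAP}")
    return findings

def sample_response(name_id, claims, destination=ACS_URL):
    """Constructed, unsigned SAML response for illustration; not a real Entra ID token."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vals)
        + "</saml:Attribute>"
        for name, vals in claims.items())
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{destination}">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>{name_id}</saml:NameID><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample users: one mapped as the article describes, one with the common mistakes.
GOOD = sample_response("jane.doe@contoso.com", {
    f"{XMLSOAP}/emailaddress": ["jane.doe@contoso.com"], f"{XMLSOAP}/givenname": ["Jane"],
    f"{XMLSOAP}/surname": ["Doe"], f"{XMLSOAP}/country": ["FR"], ROLE_CLAIM: ["Marketing", "Sales"]})
BAD = sample_response("jdoe@contoso.onmicrosoft.com", {
    f"{XMLSOAP}/emailaddress": ["jane.doe@contoso.com"], f"{XMLSOAP}/givenname": ["Jane"],
    f"{XMLSOAP}/surname": ["Doe\n"], f"{XMLSOAP}/country": ["France"]},
    destination="https://templafyprod1.auth.templafy.com/auth/saml2/auth-services/Acs")
GOOD_B64 = base64.b64encode(GOOD.encode("utf-8")).decode("ascii")  # what the browser POSTs
```

To run it against a real login, capture the SAMLResponse form field with the browser's developer tools (Network tab, the POST to .../Acs after signing in) and pass it to decode_saml_response(); check_response(BAD) above reports the wrong cluster's Reply URL, the NameID/e-mail mismatch, the line break in surname and the non-two-letter country, while check_response(GOOD) returns no findings. Treat a captured response as a credential: it is a bearer assertion for that user, so do not paste it into third-party online decoders. The script only checks content; Templafy still validates the XML signature, audience and validity window on its side, and this inspection is no substitute for that.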

Assign Users/Groups to the Application

By default, the Templafy SAML2 app requires users to be assigned before they can successfully authenticate into Templafy.

  1. Within the SAML2 app, select Users and groups.
  2. Click Add user/group.

If you want to remove this default restriction, set Assignment required to No under Properties.

  Note

If Assignment required is set to No, every user in the tenant, including guest (B2B) accounts, can sign in to the application. Keep assignment required unless you have a specific reason not to.

Congratulations! You have now completed the setup on your side. 

  Note

Now that your task is completed, email the App Federation Metadata Url (shown under SAML Signing Certificate on the Single sign-on page) to your Templafy Implementation Partner so they can finalize the SSO setup on Templafy's side.
