How to setup SSO with Microsoft Entra ID - SAML2

About this article

This article describes how an organization can set up SSO on Microsoft Entra ID utilizing the SAML2 protocol.

 

Prerequisites

 
  • Global Administrator rights on your Microsoft Entra ID tenant

 

Single Sign-On Configuration

  1. Navigate to https://portal.azure.com/
    • If you are using a Microsoft test account, make sure to create a Microsoft 365 Enterprise Demo Content Tenant account.
  2. Navigate to Microsoft Entra ID --> Enterprise Applications.

  3. Click the plus sign next to New application.

  4. In the Gallery use the search function to find Templafy SAML2.



  5. Click on the app and click Create.

  6. Wait for the app to be added to your directory, then navigate to the Single sign-on section of the application.

  7. Click SAML to enable SAML2 protocol.

  8. Under Basic SAML Configuration, click Edit.

  9. Add the information according to Templafy's Metadata below, then click Save.
    • Templafy's Metadata should be used according to the cluster of your Templafy tenant.

Metadata URL

West Europe (Production 0):
https://templafyprod0.auth.templafy.com/auth/saml2/auth-services

West Europe (Production 1):
https://templafyprod1.auth.templafy.com/auth/saml2/auth-services

East US:
https://templafyprod2.auth.templafy.com/auth/saml2/auth-services

East Australia:
https://templafyprod3.auth.templafy.com/auth/saml2/auth-services

Canada:
https://templafyprod4.auth.templafy.com/auth/saml2/auth-services

West Europe (Production 5):
https://templafyprod5.auth.templafy.com/auth/saml2/auth-services

Identifier (Entity ID)

https://auth.templafy.com/auth/saml2/auth-services

Reply URL

West Europe (Production 0):
https://templafyprod0.auth.templafy.com/auth/saml2/auth-services/Acs

West Europe (Production 1):
https://templafyprod1.auth.templafy.com/auth/saml2/auth-services/Acs

East US:
https://templafyprod2.auth.templafy.com/auth/saml2/auth-services/Acs

East Australia:
https://templafyprod3.auth.templafy.com/auth/saml2/auth-services/Acs

Canada:
https://templafyprod4.auth.templafy.com/auth/saml2/auth-services/Acs

West Europe (Production 5):
https://templafyprod5.auth.templafy.com/auth/saml2/auth-services/Acs

Sign on URL

https://CLIENTSUBDOMAIN.hive.templafy.com or https://CLIENTSUBDOMAIN.templafy.com

Hash function to use for digital signing at IdP

SHA-256

User Identifier

mail

 

User Attributes & Claims

The following claims are preconfigured in the SAML2 application:

Name               Namespace                                              Source attribute
emailaddress       http://schemas.xmlsoap.org/ws/2005/05/identity/claims  user.mail
userprincipalname  http://schemas.xmlsoap.org/ws/2005/05/identity/claims  user.userprincipalname
givenname          http://schemas.xmlsoap.org/ws/2005/05/identity/claims  user.givenname
surname            http://schemas.xmlsoap.org/ws/2005/05/identity/claims  user.surname
streetaddress      http://schemas.xmlsoap.org/ws/2005/05/identity/claims  user.streetaddress
city               http://schemas.templafy.com/2016/06/identity/claims    user.city
postalcode         http://schemas.xmlsoap.org/ws/2005/05/identity/claims  user.postalcode
stateorprovince    http://schemas.xmlsoap.org/ws/2005/05/identity/claims  user.state
country            http://schemas.xmlsoap.org/ws/2005/05/identity/claims  user.country

 

 
  • country data must contain a standard two-letter region code (e.g. FR, JP, SZ)
  • Ensure there are no line breaks in claims sent to Templafy, as they will cause SAML2 authentication to fail.

 

Additional claims can be configured within the application using the steps below.

 
  • 15 additional custom claims may be configured within the SAML2 application.
  1. Under Single sign-on --> User Attributes & Claims, click Edit.

  2. Click Add new claim and fill in the name, namespace, and Source attribute according to the tables below:

The following claims must be reconfigured with the updated namespaces below: delete the existing claims and create them again from scratch.

Name               Namespace                                            Source attribute
jobtitle           http://schemas.templafy.com/2016/06/identity/claims  user.jobtitle
department         http://schemas.templafy.com/2016/06/identity/claims  user.department
phonenumber        http://schemas.templafy.com/2016/06/identity/claims  user.telephonenumber
facsimilenumber    http://schemas.templafy.com/2016/06/identity/claims  user.facsimiletelephonenumber

 

The following claims are not included by default, but are suggested or commonly used claims:

Name               Namespace                                              Source attribute
displayname        http://schemas.templafy.com/2016/06/identity/claims    user.displayname
mobilephone        http://schemas.xmlsoap.org/ws/2005/05/identity/claims  user.mobilephone
preferredlanguage  http://schemas.templafy.com/2016/06/identity/claims    user.preferredlanguage
companyname        http://schemas.templafy.com/2016/06/identity/claims    user.companyname
customclaim1       http://schemas.templafy.com/2016/06/identity/claims    user.<optional value>
customclaim15      http://schemas.templafy.com/2016/06/identity/claims    user.<optional value>

 

 
  • If displayname is not added, userprincipalname will be used as the Display Name in Templafy

 

Group Claims

In order to send AD Groups to Templafy, Group Claims must be configured.

  1. Click Add a group claim.

  2. Select what type of groups shall be returned in the claim.

  3. Under Advanced options, make sure Customize the name of the group claim and Emit groups as role claims are checked.

  4. Click Save.
 
  • Group claims are by default sent with their Group ID, but it is possible to send the friendly name of a group by selecting sAMAccountName as the source attribute.
    • Utilizing sAMAccountName has the Microsoft pre-requisite that groups must be synchronized from an on-premises Active Directory using Microsoft Entra Connect Sync 1.2.70.0 or above. Please note that this setting will result in only clear names being received on the Templafy side and Group IDs will not be received anymore.
  • SAML2 has a hard cap of 149 group claims.
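The claim rules above (two-letter country code, no line breaks in claim values, the required e-mail and UPN claims) and the 149-group-claim cap can be checked before go-live by inspecting an assertion captured from a test sign-in. The following is an added example, not Templafy's or Microsoft's code; it runs over a constructed assertion and assumes Entra emits each claim Name as namespace/name and, with "Emit groups as role claims" checked, delivers groups under the standard role claim URI.

```python
# Added pre-flight check of SAML2 claims against the article's constraints (example code, not Templafy's).
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
XMLSOAP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# Assumption: Entra emits each claim Name as "<namespace>/<name>" and, with
# "Emit groups as role claims" checked, sends groups under the standard role URI.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
REQUIRED = {f"{XMLSOAP}/emailaddress", f"{XMLSOAP}/userprincipalname"}
MAX_GROUPS = 149  # hard cap on group claims stated in the article

def attr(name: str, value: str) -> str:
    """Build one xmlsoap-namespace <saml:Attribute> (constructed sample; not escaped)."""
    return (f'<saml:Attribute Name="{XMLSOAP}/{name}">'
            f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>')

# Constructed assertion carrying two of the faults the article warns about.
SAMPLE = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
          '<saml:AttributeStatement>'
          + attr("emailaddress", "jane.doe@example.com")
          + attr("userprincipalname", "jane.doe@example.com")
          + attr("country", "France")                      # must be e.g. "FR"
          + attr("streetaddress", "1 Rue Example\nParis")  # embedded line break
          + '</saml:AttributeStatement></saml:Assertion>')

def claims(assertion_xml: str) -> dict[str, list[str]]:
    """Return {claim Name: [values]} for every <saml:Attribute> in the assertion."""
    out: dict[str, list[str]] = {}
    for a in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", SAML):
        vals = [v.text or "" for v in a.iterfind("saml:AttributeValue", SAML)]
        out.setdefault(a.get("Name"), []).extend(vals)
    return out

def check(assertion_xml: str) -> list[str]:
    """Return the problems found; an empty list means the claims pass."""
    c = claims(assertion_xml)
    problems = [f"missing required claim {r}" for r in sorted(REQUIRED - set(c))]
    for name, vals in c.items():
        if any("\n" in v or "\r" in v for v in vals):
            problems.append(f"line break in claim {name.rsplit('/', 1)[-1]}")
    for v in c.get(f"{XMLSOAP}/country", []):
        if not (len(v) == 2 and v.isalpha() and v.isupper()):
            problems.append(f"country {v!r} is not a two-letter region code")
    groups = len(c.get(ROLE_CLAIM, []))
    if groups > MAX_GROUPS:
        problems.append(f"{groups} group claims exceed the cap of {MAX_GROUPS}")
    return problems

if __name__ == "__main__":
    print("\n".join(check(SAMPLE)) or "all claims pass")
```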

 

 

 

Assign Users/Groups to the Application

By default, the Templafy SAML2 app requires users to be assigned before they can successfully authenticate into Templafy.

  1. Within the SAML2 app, select Users and groups.

  2. Click Add user/group.

 

If you would like to disable this default restriction on access to Templafy, you can set Assignment required to No under Properties.

 

 

 
  • If Assignment required is set to No, all users, including potential guest accounts, may have access to the application.

 

Congratulations! You have now completed the setup on your side. 

 

 
  • Now that your task is completed, please email the App Federation Metadata Url to your Templafy Implementation Partner so they can finalize the SSO setup on Templafy's side.

 

 

 
