Articles in this section

How to set up SSO with Azure AD - OpenID Connect

Avatar
Barbora Hodorová
Updated
Follow

About this article

This article explains how to set up Single Sign On for Templafy on your Azure AD. This article is relevant for and aimed at Client IT. 

Sections in this article:

 

Prerequisite

 
  • Global Administrator rights on your Azure AD

 

Setup guide

There are two ways of setting up Azure AD Open ID Application on your Azure tenant. As such, you can choose between:

It should be noted that:

 
  • Only standard set of claims are supported via this SSO App
  • The claim mappings are already pre-configured and cannot be edited
  • Should you want to use the expanded claim set or manage/determine which claims are sent to Templafy, you can opt in for SAML2 App on Azure AD instead.
  • Multi-factor authentication (MFA) with Duo Security is not supported with OpenID Connect (Only SAML2).
  • For OpenID, Templafy restricts the amount of AD groups to the first 999 groups that are send.

 

 

Creating the SSO App by completing a consent flow

  1. Click on the Templafy onboarding URL to initiate the setup: https://app.templafy.com/AzureADTenant/
  2. Click Sign Up
  3. Enter your Global Administrator credentials for Azure AD
  4. Press Accept in the consent dialogue.
  5. The Templafy App can now be found in your Azure AD under Enterprise applications
  6. Congratulations! You have now completed the setup on your side.

 

Adding the Templafy App manually from the Gallery

  1. Log in to https://portal.azure.com/ 
  2. Navigate to Azure Active Directory --> Enterprise Applications
  3. Click New Application
  4. From the Gallery search for Templafy OpenID Connect

     

    mceclip1.png

     

  5. Add the suggested App into your directory by clicking Sign up for Templafy OpenID Connect 

     

    mceclip1.png

     

  6. You shall be then redirected to https://app.templafy.com/AzureADTenant/ to complete the setup
  7. Congratulations! You have now completed the setup on your side.

 

 
  • Now that your task is completed, let your Templafy Implementation Partner finalise the SSO setup on Templafy's side of things by emailing the Domain Hint and TenantID to them or support@templafy.com

 

 

Permissions granted to our Azure AD Enterprise Application

Originally we were using Azure AD Graph APIs to be able to read the user's data, group names and apps from Azure AD. Since then Microsoft has decided to move away from Azure AD Graph APIs and introduced a new set of APIs under the name of Microsoft Graph APIs. The old (Azure AD Graph) APIs have been deprecated. Azure AD Graph has been on a deprecation path since June 30, and will be retired in the near future. 

With that in mind, we have now added the same permission set we have always required, originating from Microsoft Graph API.  When consenting to the application, you will be prompted to grant approval to the same permissions listed twice. One permission set coming from the Azure AD Graph and the other from Microsoft Graph.

mceclip0.png


What are those permissions?

 
  • Read directory data (Application Level)
  • Sign in and read user profile (Delegation Level)

 

Read directory data

  • Allows the app to read data in your company or school directory, such as users, groups, and apps.

 

Sign in and read user profile

  • Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

 

Can I restrict access to Templafy?

Templafy Open ID Connect by default allows all users residing in your Azure AD to successfully authenticate to Templafy. Should you want to restrict access to Templafy to only subset of users in your organization, you can follow instructions outlined in the below support article.

 

Related articles

 

 

Related articles

Comments

0 comments

Article is closed for comments.