SSO Example with Microsoft Azure (IdP)

by David Moczygemba

Process Overview

Single sign-on (SSO) allows site users to access the Wisetail Learning Management System (LMS) site without having to type local usernames and passwords. The LMS is configured to trust the identity provider (IdP) that the user has already authenticated against.

Both the Wisetail site and Microsoft Azure support Security Assertion Markup Language version 2 (SAML2) to facilitate the single sign-on capability. Wisetail refers to these generically as SSOs, while the Azure Portal uses the term Enterprise Applications (SAML).

The technical part of the process starts with Wisetail Technical Support creating the SSO object with a Service Provider (SP) role within the Wisetail site and sending the client the related metadata XML file. The client creates an Enterprise Application of the SAML2 type within their Azure portal and uses the "Upload metadata file" option to load the Wisetail site's information. The client then uses the "Federation Metadata XML" download option within the newly created Enterprise Application in the Azure portal to download the corresponding metadata file and send it back to Wisetail Technical Support for loading into the site. Once activated, users who have authenticated against the client's Azure AD and have access to the Azure Enterprise Application can be sent securely to the Wisetail site without having to log in again.
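Because each metadata file is what the other side will trust, it is worth summarizing a file before sending or loading it. The following is an added example, not Wisetail or Microsoft code; the entity ID, URLs and "certificate" bytes are constructed placeholders. It lists the role, endpoints and signing-certificate SHA-256 fingerprints so both parties can compare them over a second channel:

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder tenant, URLs and "certificate" bytes (not a real cert).
FAKE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/TENANT-PLACEHOLDER/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/TENANT-PLACEHOLDER/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_metadata(xml_text):
    """Return entityID, roles, endpoints and signing-cert fingerprints of one EntityDescriptor."""
    # ElementTree does not fetch external entities; prefer defusedxml for untrusted files.
    root = ET.fromstring(xml_text)
    summary = {"entity_id": root.get("entityID"), "roles": [], "endpoints": [],
               "signing_sha256": [], "warnings": []}
    for tag, role, endpoint in (("IDPSSODescriptor", "IdP", "SingleSignOnService"),
                                ("SPSSODescriptor", "SP", "AssertionConsumerService")):
        for desc in root.findall(f"md:{tag}", NS):
            summary["roles"].append(role)
            for ep in desc.findall(f"md:{endpoint}", NS):
                loc = ep.get("Location", "")
                summary["endpoints"].append(loc)
                if not loc.startswith("https://"):
                    summary["warnings"].append(f"non-HTTPS endpoint: {loc}")
            for kd in desc.findall("md:KeyDescriptor", NS):
                if kd.get("use", "signing") != "signing":
                    continue  # skip encryption-only keys; no "use" means both
                for cert in kd.findall(".//ds:X509Certificate", NS):
                    der = base64.b64decode("".join(cert.text.split()))
                    summary["signing_sha256"].append(hashlib.sha256(der).hexdigest())
    if "IdP" in summary["roles"] and not summary["signing_sha256"]:
        summary["warnings"].append("IdP metadata has no signing certificate")
    return summary


if __name__ == "__main__":
    print(summarize_metadata(SAMPLE_IDP_METADATA))
```
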


Technical Process Steps

  1. Wisetail Technical Support will create the site SSO and send the client a metadata file. The client will then access their Microsoft Azure Portal, go to Enterprise applications > All applications, and select New Application.
  2. The Wisetail SSO is not in the Azure Gallery, so the client will select the Create your own application option.
  3. Name the new application and select the Integrate any other application (Non-gallery) option. Then click the blue Create button at the bottom right of the page.
  4. The client will then be on the new Enterprise Application's overview screen. Select the Single sign-on option in the left panel.
  5. On the single sign-on page, select SAML.
  6. On the single sign-on page, once SAML is selected, select Upload metadata file. This is where the client will upload the metadata file Wisetail sent them, which establishes half of the trust link.
  7. Once the metadata file is uploaded, the configuration information in the metadata file Wisetail sent will appear in a pane to the right of the screen. Select Save to save the information.
  8. The information saved in the previous step will now appear in the Basic SAML Configuration section. The client will then use the Federation Metadata XML download link to download the Azure AD metadata file for the new Enterprise Application and send the downloaded file to Wisetail to complete the trust link.
  9. By default, the Azure AD application will use the user.userprincipalname property for the Unique User Identifier, which will then be passed to the Wisetail site as the SAML NameID value. By default, the Wisetail site SSO is configured to use the NameID value to uniquely locate an existing LMS account via either a profile field value such as email or the username. The user.userprincipalname value may or may not be desirable as the value to match on. Some clients use email addresses or employee ID values to uniquely match existing Wisetail site accounts instead. If changes are desired, they may be made in the Attributes & Claims section by selecting which Azure AD property value will be used as the Unique User Identifier value to match on (look up) against existing Wisetail site account profiles.
  10. The Attributes & Claims section may also be used to map additional user characteristics to pass along to the Wisetail site to populate user profile fields. By default, Azure AD sends givenname, name, and surname. Additional attributes may be configured to map to profile fields in the Wisetail site, such as titles, locations, and job roles, which can then be used in permissioning content and access levels. Note that in this article's example the Unique User Identifier (Name ID) value has been changed from pulling the value from user.userprincipalname (the default) to the user.mail property. This is optional but may or may not be desirable.
  11. Once attributes and claims are set correctly in the Azure portal and coordinated with Wisetail technical support for proper attribute to profile field mapping and the Wisetail site SSO is activated, the client should be able to use the blue test button at the bottom of the Single sign-on screen of the Microsoft Azure portal to test the configuration.
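The effect of the Unique User Identifier choice in steps 9 and 10 can be seen in the following added example, which is not Wisetail's or Microsoft's code. The account records, the `match_account` lookup and the sample values are hypothetical and constructed; a real service provider also validates the assertion's signature before using any value.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
UPN = "jdoe@corp.example.test"  # constructed user.userprincipalname value

# Constructed LMS accounts (hypothetical profile fields, not Wisetail's schema).
ACCOUNTS = [
    {"username": "jdoe@corp.example.test", "email": "jane.doe@example.test"},
    {"username": "rroe@corp.example.test", "email": "rick.roe@example.test"},
]


def build_assertion(name_id):
    """Constructed, unsigned assertion fragment carrying the three default claims."""
    attrs = "".join(
        f'<saml:Attribute Name="{CLAIMS}{k}"><saml:AttributeValue>{v}'
        "</saml:AttributeValue></saml:Attribute>"
        for k, v in (("givenname", "Jane"), ("surname", "Doe"), ("name", UPN)))
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
            f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>")


def parse_assertion(xml_text):
    """Return (NameID, {short claim name: value}); signature validation is out of scope."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    claims = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        short = attr.get("Name", "").rsplit("/", 1)[-1]
        claims[short] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return name_id, claims


def match_account(name_id, lookup_field, accounts=ACCOUNTS):
    """Resolve NameID to exactly one account via lookup_field; anything else is refused."""
    wanted = (name_id or "").strip().casefold()
    hits = [a for a in accounts if a.get(lookup_field, "").casefold() == wanted]
    if not wanted or len(hits) != 1:
        return None  # no match, or ambiguous match: do not guess
    return hits[0]


if __name__ == "__main__":
    nid, claims = parse_assertion(build_assertion(UPN))
    print(claims, match_account(nid, "username"), match_account(nid, "email"))
```

With the default NameID (the UPN), a lookup against the email field finds no account for this user, while a lookup against username succeeds; sending user.mail as the NameID reverses that.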

