If you are not able to set up SAML at your Azure AD subscription level, you can still set up SSO using OpenID Connect: http://helpdesk.intuo.io/en/articles/3520567-google-azure-office365-sso-using-openid-connect
SAML Endpoint configuration:
Your SAML identity provider needs to send the following attributes (the attribute name to send comes first; the text in brackets only describes it):
- mail (email, mandatory)
- givenName (first name, mandatory)
- sn (last name, mandatory)
- businessCategory (department name, optional)
These are the SAML attributes we accept, and together they are enough to create a valid user on our system. To be on the safe side, send the attribute names exactly as listed above (mail, givenName, sn, businessCategory); the bracketed text is a description, not a parameter name.
IMPORTANT: If you are using Azure AD, these values are already configured.
Supported return values in your SAML authentication provider are as follows:
- Email: mail or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- First Name: givenName or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Last Name: sn or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- GUID/UUID/unique user ID: the ID used on your system is picked up automatically from the Subject > NameID field of your SAML Response. Make sure your provider puts a stable, non-reusable identifier there (for example the user's object ID), because this value is what links the SAML subject to the intuo account on every login.
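The mapping described above, as an added example that is not intuo's own code: it reads Subject > NameID as the unique user ID and resolves each user field from either the short attribute name or the Azure AD claim URI the article lists, then rejects a Response that lacks a mandatory attribute. It assumes the Response's signature has already been verified by your SAML library (this code only covers the attribute mapping) and that the first value of a multi-valued attribute is the one to use; the two sample Responses are constructed for this example, not real captures.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# user field -> accepted attribute names: short LDAP-style name, then the Azure AD claim URI
ATTRIBUTE_MAP = {
    "email": ("mail", CLAIMS + "name"),
    "first_name": ("givenName", CLAIMS + "givenname"),
    "last_name": ("sn", CLAIMS + "surname"),
    "department": ("businessCategory",),
}
MANDATORY = ("email", "first_name", "last_name")


def map_saml_user(response_xml):
    """Return {'uid', 'email', 'first_name', 'last_name'[, 'department']} or raise ValueError.

    Assumption: the caller has already verified the XML signature on the Response.
    """
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]

    # Subject > NameID is the unique user ID; refuse a Response without one.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    uid = (name_id.text or "").strip() if name_id is not None else ""
    if not uid:
        raise ValueError("Subject/NameID is missing or empty: no unique user ID")

    # Attribute Name -> first non-empty AttributeValue.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        for value in attr.findall("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:
                attrs.setdefault(attr.get("Name"), text)
                break

    user = {"uid": uid}
    for field, names in ATTRIBUTE_MAP.items():
        for name in names:  # first alias present in the Response wins
            if name in attrs:
                user[field] = attrs[name]
                break

    missing = [f for f in MANDATORY if f not in user]
    if missing:
        raise ValueError("mandatory attributes missing: " + ", ".join(missing))
    return user


def mapping_error(response_xml):
    """Return the error message for a Response that cannot be mapped, or None."""
    try:
        map_saml_user(response_xml)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: Azure AD style, attributes carried as claim URIs, NameID is an object ID.
AZURE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID>3f2504e0-4f89-11d3-9a0c-0305e82c3301</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>jane.doe@example.org</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

# Constructed sample: ADFS/LDAP style short names, including the optional department.
ADFS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
 <saml:Assertion ID="_a2" Version="2.0">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="mail"><saml:AttributeValue> jdoe@example.org </saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="givenName"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="businessCategory"><saml:AttributeValue>Engineering</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

# Same Response with the last-name attribute misnamed, which must be rejected.
INCOMPLETE_RESPONSE = ADFS_RESPONSE.replace('Name="sn"', 'Name="surname"')
```

Both attribute styles map to the same user record, and a Response whose last name arrives under a name not in the list (here the bare "surname" instead of "sn" or the full claim URI) is rejected rather than creating a half-filled user.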
Steps to enable SAML authentication (as a client)
If you are using Azure AD, please follow these instructions: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications
1. Ask your contact at intuo to enable the SAML authentication feature for you (or email firstname.lastname@example.org).
2. As an admin user, navigate to settings/integrations/intuo on your platform, or click the cog icon at the bottom of the left column, then Integrations, then Intuo.
3. Scroll to the SAML Authentication settings box and enable the setting.
4. Fill in the SAML metadata URL with the location of your metadata XML file. The URL looks like https://myserver.domain.com/FederationMetadata/2007-06/FederationMetadata.xml. Because the XML is generated on the fly (it carries the certificate used to verify your provider's signatures, and that certificate changes whenever your provider rolls its keys), we need the URL and not the XML content in order to set up SAML authentication for you. The URL must be reachable by intuo over https.
5. Fill in the Login button text with the friendly text you want to show on the landing page SAML button, e.g. SAML Authentication.
6. Click Save changes.
7. Sign out; the landing page now shows a button with the text from step 5. Click it to test your SAML single sign-on configuration.
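Before saving the metadata URL in step 4, it is worth checking that what the URL serves is usable. The check below is an added example, not intuo's own code: it verifies that the URL is https, that the document is SAML 2.0 IdP metadata with an entityID, that it carries a signing certificate, and that its single sign-on endpoint uses an HTTP-Redirect or HTTP-POST binding over https. The metadata documents are constructed for this example; myserver.domain.com is the article's placeholder hostname, and the certificate text is a dummy, not a real certificate.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}


def check_idp_metadata(metadata_url, metadata_xml):
    """Return a list of problems found; an empty list means the metadata is usable."""
    problems = []
    if urlparse(metadata_url).scheme != "https":
        problems.append("metadata URL must use https: the IdP signing certificate is fetched from it")

    root = ET.fromstring(metadata_xml)
    # FederationMetadata.xml is a single EntityDescriptor; other IdPs may wrap it in EntitiesDescriptor.
    entity = root if root.tag == "{%s}EntityDescriptor" % MD["md"] else root.find("md:EntityDescriptor", MD)
    if entity is None:
        problems.append("no EntityDescriptor in metadata")
        return problems
    if not entity.get("entityID"):
        problems.append("EntityDescriptor has no entityID")

    idp = entity.find("md:IDPSSODescriptor", MD)
    if idp is None:
        problems.append("no IDPSSODescriptor: this metadata does not describe a SAML 2.0 IdP")
        return problems

    # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
    signing_certs = [
        cert for kd in idp.findall("md:KeyDescriptor", MD)
        if kd.get("use") in (None, "signing")
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD)
        if (cert.text or "").strip()
    ]
    if not signing_certs:
        problems.append("no signing X509Certificate: SAML Responses could not be verified")

    sso = [s for s in idp.findall("md:SingleSignOnService", MD) if s.get("Binding") in SAML2_BINDINGS]
    if not sso:
        problems.append("no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")
    for s in sso:
        location = s.get("Location", "")
        if urlparse(location).scheme != "https":
            problems.append("SingleSignOnService Location is not https: " + location)
    return problems


METADATA_URL = "https://myserver.domain.com/FederationMetadata/2007-06/FederationMetadata.xml"

# Constructed sample of usable IdP metadata (dummy certificate text).
GOOD_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://myserver.domain.com/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC0DUMMYCERTIFICATEFORTHISEXAMPLE==</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://myserver.domain.com/adfs/ls/"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://myserver.domain.com/adfs/ls/"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample that should be rejected: no signing certificate, plain-http SSO endpoint.
BAD_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://myserver.domain.com/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC0DUMMYCERTIFICATEFORTHISEXAMPLE==</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="http://myserver.domain.com/adfs/ls/"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""
```

The function works on the metadata text itself, so in practice you fetch the URL with your HTTP client of choice (with certificate verification on) and pass the body in; it deliberately does not parse or validate the certificate, only checks that one is published for signing, since the actual signature verification is done by the SAML library on each Response.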
Your SAML provider configuration
- Add https://ACME.intuo.io/auth/saml/metadata as the SAML service provider metadata URL, replacing ACME with your intuo subdomain.
- Add https://ACME.intuo.io/auth/saml/callback as the allowed callback URL (the Assertion Consumer Service URL) in your system. As in the previous step, replace ACME with your intuo subdomain; your provider will only post SAML Responses to this exact URL.
In case you run into problems or have any other questions, do not hesitate to contact us at email@example.com.