SAML2 federated identity integration

Using Azure AD?

Before continuing: if you are using Azure AD, a better option may be the Azure AD Enterprise Application integration (SSO/Office365).

The SAML2 integration enables Single sign-on (SSO) with your company's Azure Active Directory (Azure AD) or Active Directory Federation Services (AD FS).

Introduction

Before we start, a short introduction to the SAML2 integration:

Being an integration, there are two systems involved, and both need to be configured:

  • The Identity Provider (IdP), being Azure AD or AD FS:
    The IdP must be configured to trust the GoBright Platform as Service Provider, and claims have to be configured.

    Please note: for enabling SAML in Azure AD, you need Azure AD Premium P1 or higher, for SAML in AD FS there is no extra requirement.

  • The GoBright Platform being the Service Provider (SP):
    The SAML integration has to be created as an ‘Integration’ of type ‘SAML’ in the portal, where you configure the details of the IdP.
    You can have one SAML integration in a GoBright environment.

Once configured, you can also enable automatic user creation, so that users who are unknown to the system are created automatically after a successful SAML-based sign-on.

Step 1: Create the SAML integration in the GoBright Portal

Integrations are configured in the Admin center. Log in to GoBright with your admin account and click the switch button in the top right corner.

Within the Admin center, click ‘Integrations’ at the top.

[Screenshot: users_integration.png]

Here you can ‘Add’ a new integration. Give the integration a name, set the ‘External system’ to ‘SAML’, and save.

Now you will see more details. For now, copy the following:

  • Relying party identifier / Entity Id
  • Reply URL (Assertion Consumer Service URL)

You will need these two in the next step.

You can now proceed to step 2; the other details on this screen will be filled in during step 3.

Step 2: Configure the IdP

Now you need to configure the IdP. Select the IdP you are using below and follow the steps in the corresponding article:

When you have finished this step, please proceed to Step 3 below.

Step 3: Configure the SAML integration in the GoBright portal

In step 2 you configured the IdP; as a result you will have three pieces of information:

  • Single Sign-on service url
  • Single Logout service url
  • Token-signing certificate

Now you need to configure the last steps in the GoBright portal:

  • Go back to the GoBright portal and log in with a manager user if you are not already logged in
  • Go to Settings > Integrations
  • Open the ‘SAML’ integration that was created in step 1.
  • Now fill the fields with the related data:
    • Single Sign-on service url
    • Single Logout service url
    • Token-signing certificate
  • The ‘Related Exchange / Office365 integration’ should be set to the Exchange/Office365 configuration that is configured in the portal and where these users have their mailboxes.
  • To enable automatic user creation, please refer to ‘step 4’ below.
  • The ‘direct login url’ is a link you can publish on, for example, your intranet. This link automatically refers to the configured SAML integration and performs a direct login. A user who wants to log in without the ‘direct login url’ can go to www.gobright.com, choose ‘Login’ and enter their email address; based on the email address, the login process will be started.

Step 4: Enabling automatic user creation

To enable automatic user creation, two steps are involved:

  1. Configure the SAML integration with automatic user creation enabled, and choose the default role for automatically created users.
  2. The platform needs to know which company domains belong to your environment, for example ‘@company.com’.

    Please provide these domains to GoBright via the request form, supplying your organization and the domains you want to use for automatic user creation.

    Once provided, GoBright will configure this and give you feedback.

Troubleshooting

Troubleshooting AD FS

If the SAML process does not work or gives unexpected errors, the easiest way to find out what is wrong is the Windows Event Log on the AD FS server.

  1. Log in to your AD FS server
  2. Start Event Viewer (run Administrative Tools > Event Viewer)
  3. Select in the left-hand treeview: Applications and Services Logs > AD FS > Admin
  4. You will probably see the issues right away in the topmost items; if not, use the ‘Find’ option under ‘Actions’ on the right-hand side and search for the term ‘SAML’.

[Screenshot: AD_FS_EventViewer_1.png]

This article comes from the Help Center of GoBright.
