eRS supports single sign-on (SSO) logins through SAML 2.0. A SAML 2.0 identity provider (IdP) can take many forms, one of which is Azure Active Directory. Azure Active Directory (Azure AD) is Microsoft's enterprise cloud-based identity and access management (IAM) solution and can be configured as an identity provider for eRS.
To use Azure AD to log in to your eRS instance, you need the following:
- An active Azure AD subscription.
- Azure AD SAML Toolkit single sign-on (SSO) enabled subscription.
- Cloud Application Administrator or Application Administrator access to Azure AD.
- An eRS Cloud instance with the 'Authentication Plus' module subscribed from the billing section.
After you meet these basic requirements, follow the steps below to add a SAML enterprise application to your Azure AD instance.
Step 1 - Add Azure AD SAML Toolkit from the gallery
To configure the integration of Azure AD SAML Toolkit into Azure AD, you need to add Azure AD SAML Toolkit from the gallery to your list of managed SaaS apps.
- Sign in to the Azure portal using either a work or a personal Microsoft account.
- On the left navigation pane, select the Azure Active Directory service.
- Navigate to Enterprise Applications and then select All Applications.
- To add a new application, select New application. In the Add from the gallery section, type Azure AD SAML Toolkit in the search box, select Azure AD SAML Toolkit from the results panel, and add the app.
- In the form, name the application 'eRS' and click Create to add a new SAML Toolkit application to your Azure AD instance.
Step 2 - Configure Azure AD SSO
Once the application is added, configure it from its integration page as follows:
- From the left navigation pane, find the Manage section and select Single sign-on. On the Select a single sign-on method page, select SAML.
- On the Set up single sign-on with SAML page, click the edit button for Basic SAML Configuration to edit the settings.
- On the Basic SAML Configuration section, fill in the following information and save it.
Identifier (Entity ID): https://app.eresourcescheduler.cloud/Zit5huIxEPe9bfEk
Reply URL: https://app.eresourcescheduler.cloud/login/saml/123456. Replace 123456 with your eRS Account ID. If you don't know your eRS account ID, visit the Account Details page in eRS.
Sign-on URL: Use the same URL as the Reply URL.
- On the Set up single sign-on with SAML page, click the edit button for Attributes & Claims Configuration to edit the settings.
- Modify SAML claims: clear the existing claims under the 'Additional claims' section and add the claims shown in the screenshot below, using exactly the same claim names as the screenshot.
While adding a claim, use 'Attribute' as the source, as shown below.
- From the SAML Signing Certificate section, download the Certificate in base 64 format.
- From the Set up eRS section, copy the Login URL and the Azure AD Identifier.
Step 3 - Configure eRS
After setting up Azure AD SSO, you need to configure your eRS account to authenticate using SAML. To enable Azure AD login for eRS, you will require the following information:
- SAML endpoint URL: the Login URL you copied in the previous step. eRS sends its SAML requests to Azure AD at this URL.
- Identity Provider Identifier: the Azure AD Identifier that you copied in the previous step.
- Token Signing Certificate: the SAML signing certificate is used to sign the SAML requests, responses, and assertions sent from the service to relying applications; eRS uses it to verify that the tokens it receives really come from your Azure AD tenant. Use the Base64 certificate you downloaded in the previous step: open it in any text editor and copy its entire content.
Once you have these parameters, log in to your eRS account with Admin privileges and go to Authentication Settings in the Administration section. Click the pencil icon to edit the SAML configuration, enable SSO, and fill in the information.
Click on Save to confirm the configuration changes. You should now have a working Azure AD SSO implementation for eRS.
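As an added illustration (not eRS or Microsoft code) of why the three values entered in Step 3 must match what Azure AD was given in Step 2, the following Python shows the binding checks a SAML service provider applies to an Azure AD response: Destination against the Reply URL, Issuer against the Identity Provider Identifier, Audience against the Entity ID, and the assertion's validity window. The sample response, the tenant ID inside the Azure AD Identifier, and the function name are constructed for this example; verifying the response signature with the Token Signing Certificate is assumed to happen before these checks and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# What eRS is given in Step 3 (the tenant ID below is a constructed placeholder).
SP_CONFIG = {
    "entity_id": "https://app.eresourcescheduler.cloud/Zit5huIxEPe9bfEk",
    "reply_url": "https://app.eresourcescheduler.cloud/login/saml/123456",
    "idp_identifier": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
}

# Constructed, unsigned skeleton of an Azure AD SAML response (sample data only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://app.eresourcescheduler.cloud/login/saml/123456">
 <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
 <saml:Assertion><saml:Conditions NotBefore="2024-01-01T10:00:00Z"
   NotOnOrAfter="2024-01-01T11:00:00Z"><saml:AudienceRestriction>
  <saml:Audience>https://app.eresourcescheduler.cloud/Zit5huIxEPe9bfEk</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""


def check_response(xml_text, config, now):
    """Return the list of binding mismatches; an empty list means the checks pass.
    Signature verification is assumed to have been done by the SAML library first."""
    root = ET.fromstring(xml_text)
    problems = []
    # Destination must equal the Reply URL, binding the token to this eRS account ID.
    if root.get("Destination") != config["reply_url"]:
        problems.append("Destination != Reply URL")
    # Issuer must equal the Azure AD Identifier stored as Identity Provider Identifier.
    if root.findtext("saml:Issuer", namespaces=NS) != config["idp_identifier"]:
        problems.append("Issuer != Identity Provider Identifier")
    # Audience must equal the Entity ID entered in Basic SAML Configuration.
    if root.findtext(".//saml:Audience", namespaces=NS) != config["entity_id"]:
        problems.append("Audience != Entity ID")
    # The assertion is only usable inside its NotBefore/NotOnOrAfter window.
    cond = root.find(".//saml:Conditions", namespaces=NS)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    not_before = datetime.strptime(cond.get("NotBefore"), fmt).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), fmt).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        problems.append("assertion outside its validity window")
    return problems
```

A mismatch in any of these values (for example an Account ID typo in the Reply URL) is why a login that reaches Azure AD successfully can still be rejected when the user is sent back to eRS.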
Step 4 - Assign User account to eRS
So far you have configured Azure AD and eRS for SAML authentication. Now assign the users who should have access to eRS to the eRS enterprise application in Azure AD.
- In the Azure Active Directory Admin Center, select Enterprise applications and then select the eRS application created in the previous steps.
- In the left pane, select Users and groups, and then select Add user/group.
- On the Add Assignment pane, select None Selected under Users and groups.
- Search for and select the user that you want to assign to the application.
- Click Select.
- On the Add Assignment pane, select Assign at the bottom of the pane.
To check that Azure AD SSO login is working as expected, visit the SAML Login Page and enter your eRS Account ID to continue. You should be redirected to the Azure sign-in page. Sign in as one of the users who was assigned access to the application in the previous step. After a successful login, you will be redirected back to eRS.
Important: When a user authenticates through SAML/SSO and logs in to eRS for the first time, a user entry is created (if one does not already exist) with the default permission set applied. If no default permission set has been configured, the user will not have access to any data until their access rights are configured. You can create a permission set and mark it as the default here.
You can also use the URL https://app.eresourcescheduler.cloud/login/saml/123456, replacing 123456 with your eRS Account ID, to directly reach the Azure login page after a successful SAML configuration.