Prerequisites:
An existing Azure Active Directory tenant with at least one user or user group already defined that you want to use with SSO.
Silo Admin Console access for the org you wish to set up SSO with.
A8 Admin Console
Define your vanity URL, e.g. mitchmurray (a fictional customer), by editing your Org name.
Enable SAML
Download the SP Encryption Certificate SP_cert.crt to your computer.
Do not click Save; leave the page open.
Microsoft Azure Portal
Open Azure Active Directory / Enterprise Application
New Application / Non-gallery application
Supply a display name e.g. Authentic8 Silo
Optionally, upload the Authentic8 logo file.
Click Single sign-on / SAML / Edit (pencil icon)
Identifier (Entity ID): SP Entity ID e.g. https://getsilo.com/sso/saml/mitchmurray/login
Reply URL: SP Post Back URL e.g. https://getsilo.com/sso/saml/mitchmurray/login
Relay State: 2
Click Save, open Properties, then return to Single sign-on.
Click the pencil to edit User Attributes & Claims
Click the … next to the ...name claim mapped to user.userprincipalname, then click Delete.
Click the pencil to edit Name identifier value. Choose Source attribute: user.mail.
Click Save
Click the pencil to edit SAML Signing Certificate
Click the three dots next to the certificate and download the Base64 certificate.
Change Signing Option to Sign SAML response.
Recommended - Enable Token encryption (Preview)
Click Token encryption (Preview)
Upload the SP_cert.crt then click Add
Click the … next to the Thumbprint and choose Activate token encryption
Required - Assign Users
Click Users and groups / Add user
Follow the wizard to select a user group or a single user, then click Select / Assign.
A8 Admin Console
Transfer the following information from the Azure Portal Single sign-on page:
IdP Issuer: Azure AD Identifier e.g. https://sts.windows.net/abc123/
IdP Login URL: Azure AD Login URL e.g. https://login.microsoftonline.com/abc123/saml2
IdP Signing Certificate: Upload the Azure AD SAML Signing Certificate (Base64).
Click Save.
Validating
Click Validate from Single sign-on in the Azure Portal Application. You should see “Azure AD successfully issued a token (SAML response) to the application (service provider).”
Errors
PERMISSIONDENIED: FAILED TO PARSE SAML IDP TOKEN: 'NONETYPE' OBJECT HAS NO ATTRIBUTE 'ATTRIB'
Ensure you have set your Signing Option to Sign SAML response
Failed to Parse SAML Token
Ensure that the user you are trying to sync exists in Silo and Azure AD with the same email address
It may be necessary to upload your IdP Signing Cert to the Silo Admin Console in Unix line format (LF line endings). Open the cert in Notepad++ or a similar editor, then click Edit, EOL Conversion, Unix (LF).
User Not Found
Your user may not be provisioned with an email address in Azure that matches their Silo username.
You may need to change the Name identifier source attribute to user.userprincipalname, depending on your Azure AD configuration.
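The three errors above all come down to a handful of checks on the SAML Response that Azure AD sends to Silo: is the Response element itself signed (not just the Assertion), does the Issuer match the IdP Issuer entered in the Silo Admin Console, does the Destination match the Reply URL, and is the NameID an email address that matches a Silo username. The script below is an added example written for this article; it is not Authentic8 or Microsoft code. It builds a constructed, minimal SAML Response with a placeholder signature (no real cryptography), runs those checks against it, and includes the LF line-ending conversion mentioned for the IdP signing certificate. The issuer, reply URL and user list are constructed sample values; substitute your own tenant ID, vanity URL and users.

```python
"""Pre-flight checks for a SAML Response against the Silo SP settings in this guide."""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample values for this example; take the real ones from your own tenant and Silo org.
EXPECTED_ISSUER = "https://sts.windows.net/abc123/"
EXPECTED_REPLY_URL = "https://getsilo.com/sso/saml/mitchmurray/login"
SILO_USERS = {"alice@mitchmurray.example"}

# Placeholder ds:Signature so the structure can be inspected; it is not a valid XML signature.
SIGNATURE_STUB = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignedInfo/><ds:SignatureValue>c3R1Yg==</ds:SignatureValue></ds:Signature>"
)


def make_sample_response(sign_response, name_id, issuer=EXPECTED_ISSUER,
                         destination=EXPECTED_REPLY_URL):
    """Build a constructed, minimal SAML Response; the Assertion is always 'signed' with the stub,
    the Response element only when sign_response is True (Azure's 'Sign SAML response' option)."""
    response_sig = SIGNATURE_STUB if sign_response else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_r1" Version="2.0" Destination="{destination}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>{response_sig}"
        '<saml:Assertion ID="_a1" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>{SIGNATURE_STUB}"
        "<saml:Subject>"
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f"{name_id}</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>"
    )


def check_saml_response(xml_text, expected_issuer, expected_reply_url, silo_users):
    """Return a list of findings; an empty list means the response matches the setup above.

    Only structure and values are checked here. Verifying the XML signatures themselves
    needs the IdP signing certificate, which is what the Silo Admin Console upload is for."""
    findings = []
    root = ET.fromstring(xml_text)

    # 'Sign SAML response' places a ds:Signature directly under samlp:Response; with Azure's
    # default ('Sign SAML assertion') it only appears inside the Assertion, and Silo reports
    # the "'NoneType' object has no attribute 'attrib'" parse error.
    if root.find("ds:Signature", NS) is None:
        findings.append("Response element is not signed: set Signing Option to 'Sign SAML response'")

    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} does not match the IdP Issuer configured in Silo")

    if root.get("Destination") != expected_reply_url:
        findings.append("Destination does not match the Reply URL / SP Post Back URL")

    # With token encryption active the Assertion is wrapped in EncryptedAssertion and the
    # NameID cannot be read without the SP's private key, so stop here.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("Assertion is encrypted (token encryption active): decrypt with the SP key before inspecting NameID")
        return findings

    name_id = (root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+", name_id):
        findings.append(f"NameID {name_id!r} is not an email address: set Name identifier source to user.mail")
    elif name_id.lower() not in {u.lower() for u in silo_users}:
        findings.append(f"NameID {name_id!r} has no matching Silo username (User Not Found)")
    return findings


def to_unix_line_endings(pem_bytes):
    """Normalise a PEM certificate to LF line endings before uploading it to the Silo Admin Console."""
    return pem_bytes.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


if __name__ == "__main__":
    good = make_sample_response(True, "alice@mitchmurray.example")
    bad = make_sample_response(False, "bob")
    print(check_saml_response(good, EXPECTED_ISSUER, EXPECTED_REPLY_URL, SILO_USERS))
    print(check_saml_response(bad, EXPECTED_ISSUER, EXPECTED_REPLY_URL, SILO_USERS))
```

To use it on a real login, capture the base64 SAMLResponse form field from the browser's developer tools, decode it, and pass the XML text to check_saml_response together with your own issuer, reply URL and Silo user list; the findings map directly onto the three error entries above.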
*Note: Authentic8 makes no warranty on third-party software. We assume no responsibility for errors or omissions in the third-party software or documentation available. Using such software is done entirely at your own discretion and risk.
Screenshots of the Authentic8 Customer Success Test Environment
Please contact Support if you have any additional questions and/or require further information.