Prerequisites


  • An existing Azure Active Directory instance with at least one user or user group already defined for which you want to use SSO.
  • Silo Admin Console access for the org you want to set up SSO for.


A8 Admin Console

  1. Define your vanity URL. Under the Users tab, select the “Edit Orgs” button, then provide a vanity URL.
  2. Enable SAML from within the Policies section of the Silo Admin Console.
  3. Download the SP Encryption Certificate SP_cert.crt to your computer.
  4. Do not click Save; leave the page open.

Microsoft Azure Portal


  1. Open Azure Active Directory, then Enterprise Applications.
  2. Select Create Your Own Application.
  3. Supply a display name, e.g. Authentic8 Silo.
  4. Select “Any other Application you don’t find in the gallery”, then select “Create”.
  5. Click Single sign-on, select SAML, then select Edit within the Basic SAML Configuration box.
  6. Under Entity ID, select “Add Identifier”.
  7. Copy the SP Entity ID from the Silo Admin Console and enter it in the Azure Identifier field.
  8. Select “Add Reply URL”, then copy the SP Post Back from the Silo Admin Console and paste it here.
  9. Copy the Silo Access Portal URL from the Silo Admin Console and set it as the value for the “Sign on URL”.
  10. If you will exclusively use the Web client, set the Relay State to 4; for any other client combination, set the Relay State to 2.
  11. Select Save.
  12. If needed, select Edit within Box 2 of the SAML-based Sign-on screen, Attributes & Claims.
    Note: Azure’s Required Claim Unique User Identifier (Name ID) defaults to the value of user.userprincipalname [nameid-format:emailAddress]. This required claim value must match the Silo user’s Username field. Change this mapping only if a different identifier is needed for the Silo Username field (e.g. Azure’s user.employeeid field should be used instead of email). Save if changes were made.
  13. Under the required claim, select the ellipsis next to the value, change the Source Attribute to user.mail, then select Save.
  14. Edit the SAML Signing Certificate.
  15. Change the Signing Option to Sign SAML response, then select “Save”.
  16. In the SAML Signing Certificate box, download the Base64 certificate and save it for use in the Silo Admin Console.


Recommended - Enable Token Encryption

  1. Select “Token encryption” from the left-hand column.
  2. Upload the SP_cert.crt you downloaded from the Silo Admin Console, then click Add.
  3. Click the ... next to the Thumbprint and choose Activate token encryption.


Required - Assign Users

  1. Click Users and groups, then Add user.
  2. It is important that the email address and username in the Silo Admin Console match the email address in Azure; if these differ, authentication will fail.
  3. Follow the wizard to select a user group or a single user, click Select, then Assign.


A8 Admin Console


Transfer the following information from the Azure Portal’s Single sign-on page:

  1. Copy the Azure AD Identifier from Box 4 on the “SAML Based Sign On” screen and paste it into the IDP Issuer field in the Silo Admin Console.
  2. Copy the Azure AD Login URL from Box 4 on the “SAML Based Sign On” screen and paste it into the IDP Login URL field in the Silo Admin Console.
  3. Upload the Azure AD SAML Signing Certificate (Base64) to the Silo Admin Console.
  4. Click Save.


Validating


  1. Click Validate under Single sign-on in the Azure Portal application. You should see "Azure AD successfully issued a token (SAML response) to the application (service provider)."


Errors


PERMISSIONDENIED: FAILED TO PARSE SAML IDP TOKEN: 'NONETYPE' OBJECT HAS NO ATTRIBUTE 'ATTRIB'

  • Ensure you have set your Signing Option to Sign SAML response.


Failed to Parse SAML Token

  • Ensure that the user you are trying to sync exists in Silo and Azure AD with the same email address.
  • It may be necessary to upload your IDP Signing Cert to the Silo Admin Console in Unix line format. Open the cert in Notepad++ or similar, click Edit, EOL Conversion, Unix LF.


User Not Found

  • Your user may not be provisioned with an email address in Azure that matches their Silo username.
  • You may need to update nameidentifier to user.localprincipalname depending on your Azure AD configuration.
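The three errors above come down to two things a defender can check offline before opening a support case: whether Azure signed the whole Response or only the Assertion (the Signing Option), and whether the NameID in the token matches the Silo Username field (plus the line-ending state of the signing certificate you upload). The script below is an added example, not Authentic8 or Microsoft code; the SAML response and PEM it inspects are constructed samples with placeholder signature values and a placeholder certificate body, and the case-insensitive comparison is an assumption used only to make a case-only mismatch stand out during troubleshooting.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# SAML 2.0 and XML-DSig namespaces used in an Azure AD SAML response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder signature element: it only marks WHERE a signature sits.
_FAKE_SIG = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
)


def build_sample_response(sign_response: bool) -> str:
    """Constructed SAML Response (not captured from Azure). sign_response=True
    mimics the "Sign SAML response" option (Signature directly under Response);
    False mimics the default, where only the Assertion carries a Signature."""
    issuer = "<saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>"
    parts = [
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">',
        issuer,
        _FAKE_SIG if sign_response else "",
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>',
        '<saml:Assertion ID="_a1" Version="2.0">',
        issuer,
        _FAKE_SIG,
        '<saml:Subject><saml:NameID '
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        "Jane.Doe@example.com</saml:NameID></saml:Subject>",
        "</saml:Assertion></samlp:Response>",
    ]
    return "".join(parts)


def signing_scope(response_xml: str) -> Dict[str, bool]:
    """Report which elements carry a ds:Signature (direct children only)."""
    root = ET.fromstring(response_xml)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": root.find("saml:Assertion/ds:Signature", NS) is not None,
    }


def diagnose_signing(response_xml: str) -> str:
    """Map the signing scope to the fix named in the Errors section."""
    scope = signing_scope(response_xml)
    if scope["response_signed"]:
        return "ok"
    if scope["assertion_signed"]:
        return "assertion-only: set Azure Signing Option to 'Sign SAML response'"
    return "unsigned: no Signature element found"


def name_id(response_xml: str) -> Tuple[str, str]:
    """Return (NameID value, NameID Format) from the Assertion Subject."""
    el = ET.fromstring(response_xml).find(".//saml:Subject/saml:NameID", NS)
    if el is None:
        raise ValueError("no NameID in SAML response")
    return (el.text or "").strip(), el.get("Format", "")


def compare_username(response_xml: str, silo_username: str) -> str:
    """Classify how the token's NameID relates to the Silo Username field.
    Assumption: an exact match is what Silo expects; a case-only difference
    is reported separately so it is easy to spot while troubleshooting."""
    value, _fmt = name_id(response_xml)
    wanted = silo_username.strip()
    if value == wanted:
        return "match"
    if value.casefold() == wanted.casefold():
        return "case-mismatch"
    return "mismatch"


# Constructed PEM with Windows (CRLF) line endings; the body is base64 of
# placeholder bytes, not a real certificate.
SAMPLE_CERT_CRLF = (
    b"-----BEGIN CERTIFICATE-----\r\n"
    b"UExBQ0VIT0xERVIgQ0VSVCBCT0RZIC0gTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==\r\n"
    b"-----END CERTIFICATE-----\r\n"
)


def has_crlf(pem: bytes) -> bool:
    return b"\r\n" in pem


def pem_to_unix(pem: bytes) -> bytes:
    """Same result as Notepad++ EOL Conversion -> Unix LF, plus a final newline."""
    text = pem.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return text if text.endswith(b"\n") else text + b"\n"


def pem_looks_valid(pem: bytes) -> bool:
    """Structural check: BEGIN/END markers with only base64 lines between."""
    lines = pem.decode("ascii", errors="replace").splitlines()
    return (
        len(lines) >= 3
        and lines[0] == "-----BEGIN CERTIFICATE-----"
        and lines[-1] == "-----END CERTIFICATE-----"
        and all(re.fullmatch(r"[A-Za-z0-9+/=]+", line) for line in lines[1:-1])
    )


if __name__ == "__main__":
    for signed in (True, False):
        print("Signing:", diagnose_signing(build_sample_response(signed)))
    print("NameID:", name_id(build_sample_response(True)))
    print("Username:", compare_username(build_sample_response(True), "jane.doe@example.com"))
    fixed = pem_to_unix(SAMPLE_CERT_CRLF)
    print("Cert had CRLF:", has_crlf(SAMPLE_CERT_CRLF), "-> valid after fix:", pem_looks_valid(fixed))
```

To use it on a real token, base64-decode the SAMLResponse form field captured from the browser's developer tools (the token is intended for the service provider, so treat the decoded XML as sensitive) and pass the XML string to `diagnose_signing` and `compare_username`; pass the downloaded Base64 certificate bytes to `has_crlf` and `pem_to_unix` before uploading it to the Silo Admin Console.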


*Note: Authentic8 makes no warranty on third-party software. We assume no responsibility for errors or omissions in the third-party software or documentation available. Using such software is done entirely at your own discretion and risk.



Additional Notes

Please contact Support if you have any additional questions and/or require further information.