Prerequisites
- An existing Azure Active Directory instance with at least one user or user group already defined that you would like to use with SSO.
- Silo Admin Console access for the org you wish to set up SSO with.
A8 Admin Console
- Define your vanity URL. Under the Users tab, select the “Edit Orgs” button, then provide a vanity URL.
- Enable SAML from within the Policies section of the Silo Admin Console.
- Download the SP Encryption Certificate SP_cert.crt to your computer.
- Do not click Save; leave the page open.
Microsoft Azure Portal
- Open Azure Active Directory > Enterprise Applications.
- Select Create Your Own Application.
- Supply a display name, e.g. Authentic8 Silo.
- Select “Any other Application you don’t find in the gallery”, then select “Create”.
- Click Single sign-on, then select SAML, then select Edit within the Basic SAML Configuration box.
- Under Entity ID select “Add Identifier”.
- Grab the SP Entity ID from the Silo Admin Console and enter it in the Azure Identifier field.
- Select “Add Reply URL” and copy the SP Post Back from the Silo Admin Console and paste it here.
- Copy the Silo Access Portal URL from the Silo Admin Console and set it as the value for the “Sign on URL”.
- If you are going to use the Web client exclusively, set the relay state to 4; for any other combination, set the relay state to 2.
- Select Save.
- If needed, select Edit within SAML-based Sign-on box 2: Attributes & Claims.
Note: Azure’s required claim Unique User Identifier (Name ID) defaults to the value of user.userprincipalname [nameid-format:emailAddress]. This required claim value must match the Silo user’s Username field. Change this mapping only if a different identifier is needed for the Silo Username field (e.g. Azure’s user.employeeid field should be used instead of email). Save if changes were made.
- Under the required claim, select the ellipsis next to the value and change the Source Attribute to User.mail, then select Save.
- Edit SAML Signing Certificate
- Change the Signing Option to Sign SAML response, then select “Save”.
- In the SAML Signing Certificate box download the Base64 certificate and save it for use in the Silo Admin console.
Recommended - Enable Token Encryption
- Select “Token encryption” from the left-hand column.
- Upload the SP_cert.crt you downloaded from the Silo Admin Console, then click Add.
- Click the ... next to the Thumbprint and choose Activate token encryption.
Required - Assign Users
- Click Users and groups, then Add user.
- It is important that the email address and username in the Silo Admin Console match the email address in Azure; if these are different, authentication will fail.
- Follow the wizard to select a user group or a single user, then click Select, then Assign.
A8 Admin Console
Transfer the following information from the Azure Portal Single Sign-on screen:
- Copy the Azure AD Identifier from box 4 on the “SAML Based Sign On” screen and paste it into the IDP Issuer field in the Silo Admin Console.
- Copy the Azure AD Login URL from box 4 on the “SAML Based Sign On” screen and paste it into the IDP Login URL field in the Silo Admin Console.
- Upload the Azure AD SAML Signing Certificate (Base64) to the Silo Admin Console.
- Click Save.
Validating
- Click Validate from Single sign-on in the Azure Portal Application. You should see "Azure AD successfully issued a token (SAML response) to the application (service provider)."
Errors
PERMISSIONDENIED: FAILED TO PARSE SAML IDP TOKEN: 'NONETYPE' OBJECT HAS NO ATTRIBUTE 'ATTRIB'
- Ensure you have set your Signing Option to Sign SAML response.
Failed to Parse SAML Token
- Ensure that the user you are trying to sync exists in Silo and Azure AD with the same email address.
- It may be necessary to upload your IDP Signing Cert to the Silo Admin Console in Unix line format. Open the cert in Notepad++ or similar, click Edit, EOL Conversion, Unix LF.
User Not Found
- Your user may not be provisioned with an email address in Azure that matches their Silo username.
- You may need to update nameidentifier to user.localprincipalname depending on your Azure AD configuration.
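An added pre-flight check for the errors listed above (example code, not Authentic8's or Microsoft's): it normalizes a saved Base64 certificate to Unix LF line endings and parses a SAML response to confirm that the Response element itself is signed and that the NameID is an email address matching a Silo username. The sample response and the Silo username list are constructed for illustration.

```python
"""Checks for the Azure AD -> Silo SAML setup: certificate line endings,
Response-level signature, and NameID/username agreement."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def normalize_pem(pem_text: str) -> str:
    """Rewrite a certificate saved with Windows CRLF line endings as Unix LF,
    the fix given for 'Failed to Parse SAML Token'. Blank lines are dropped."""
    unified = pem_text.replace("\r\n", "\n").replace("\r", "\n")
    lines = [line.strip() for line in unified.split("\n") if line.strip()]
    return "\n".join(lines) + "\n"


def check_response(xml_text: str, silo_usernames: set) -> list:
    """Return a list of problems; an empty list means the response looks right."""
    problems = []
    root = ET.fromstring(xml_text)
    # Azure must be set to "Sign SAML response": the Signature is then a direct
    # child of the Response element, not only of the Assertion.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response element is not signed")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in assertion")
        return problems
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"unexpected NameID format {name_id.get('Format')!r}")
    if name_id.text not in silo_usernames:
        problems.append(f"NameID {name_id.text!r} matches no Silo username")
    return problems


# Constructed, unsigned sample response (assertion-only, no Response signature).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/PLACEHOLDER-TENANT-ID/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    >alice@example.com</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for p in check_response(SAMPLE_RESPONSE, {"alice@example.com"}):
        print("problem:", p)
```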
*Note: Authentic8 makes no warranty on third-party software. We assume no responsibility for errors or omissions in the third-party software or documentation available. Using such software is done entirely at your own discretion and risk.
Additional Notes
Please contact Support if you have any additional questions and/or require further information.