Set up SSO with Azure

This topic walks you through how to set up Single Sign-On (SSO) between the Alida platform and Azure.

Note:
  • In some cases, users may be prevented from signing in with their email and password. This occurs if the feature "SAML authentication" was enabled on your application instance, and it only affects new users created after the feature was enabled.
  • To set up auto-provisioning using a System for Cross-Domain Identity Management (SCIM), please contact Alida Technical Support or your Customer Success Manager.

Create an Azure application

In this part of the workflow, you are creating the application tile that SSO users will click to access the Alida platform.

  1. Log in to the Azure Portal.
  2. Under Azure services, click Enterprise applications.
  3. Click New application.
  4. Click Create your own application.
  5. Enter a name for the application, which will be the label on the SSO tile (for example, Alida).
  6. Select the option Integrate any other application you don't find in the gallery (Non-gallery).
  7. Click Create.

Start your Azure application configuration

After you create the application tile, you need to copy specific configuration values. You'll enter these values into Alida's SSO Setup page later.

  1. Click Manage > Single sign-on.
  2. Select SAML as the single sign-on method (if not previously selected).
  3. Copy the Microsoft Entra Identifier and store the value for later use.
  4. Click Certificate (Base64) > Download, open the .cer file in Notepad, and store the X.509 certificate for later use.


Install Azure SSO on a community

Enter the Azure configuration values into Alida's SSO Setup page.

  1. Sign in to the Alida platform and switch to the desired community.
  2. Ensure that there's a user who matches the email of a potential SSO user (for example, bob.smith@example.com).

    This user's email must belong to the domain you add and verify (see Add and verify a domain below), and the user must also exist in the Alida community.

    For more information about adding new users to a community, see Add a user.

  3. Open Product Settings > SSO > Setup.
  4. Under Entity ID, enter the Microsoft Entra Identifier you stored earlier.
  5. Under X.509 Certificate, enter the X.509 certificate you stored earlier.
  6. Under Email claim, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
  7. Clear Unique ID claim, Username claim, and Use name ID for email.
  8. Click Save.
  9. Copy the Single Sign-On URL and store it for later use.
  10. Copy the Audience Entity ID and store it for later use.


Add and verify a domain

Add the registered domain that your company owns and that you use for employees' email addresses.

  1. Open Product Settings > SSO > Domains.
  2. In the Add new domain field, type the domain value, select the Type (CNAME or TXT), and click Add Domain.
    For example, if a potential SSO user's email is bob.smith@example.com, you'd type example.com.
  3. From that domain's action menu, select Verify.
    Result: The domain's status changes to Verified.


  4. Keep the browser tab that has the Alida Domains page open. Open a new browser tab to access your DNS server.
  5. Add the Prefix Key, Target Key, and TXT Lookup Key values from the Domains page to your DNS server.
    • Add the Prefix Key and Target Key values as CNAME type.
    • Add the TXT Lookup Key as TXT type.
    • Append the domain to the end of the value strings.

  6. On the Alida Domains page, click Apply.
    Result: The domain status changes from Verified to Active.

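DNS changes can take a while to propagate, and clicking Apply before the CNAME and TXT records are visible from a public resolver is the usual reason the domain does not move to Active. The script below is an added example for this guide, not Alida tooling: it builds the record names the way step 5 describes (appending the domain to the key values), queries them with `dig`, and reports which records are still missing. The key names and the TXT value are constructed placeholders, and the way the three keys map onto record name and value is an assumption; read the real names and values off your Domains page.

```python
"""Confirm the domain-verification records have propagated before clicking Apply.
Added example for this guide (not Alida's code). The live lookup shells out to `dig`,
so it must be installed; check_records() accepts any lookup callable so the logic can
be exercised without network access."""
import subprocess
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str, str]  # (record type, record name, expected value)


def with_domain(value: str, domain: str) -> str:
    """Append the domain to a key value as the Domains page instructs,
    unless the value already ends with it."""
    if value.lower().endswith("." + domain.lower()):
        return value
    return f"{value}.{domain}"


# Constructed placeholders standing in for the keys shown on the Domains page.
DOMAIN = "example.com"
PREFIX_KEY = "alida-prefix"        # assumed to become the CNAME record name
TARGET_KEY = "alida-target"        # assumed to become the CNAME record target
TXT_LOOKUP_KEY = "alida-token"     # assumed to become the TXT record name
TXT_VALUE = "verify-abc123"        # constructed TXT value

SAMPLE_RECORDS: List[Record] = [
    ("CNAME", with_domain(PREFIX_KEY, DOMAIN), with_domain(TARGET_KEY, DOMAIN)),
    ("TXT", with_domain(TXT_LOOKUP_KEY, DOMAIN), TXT_VALUE),
]


def dig_lookup(rtype: str, name: str) -> List[str]:
    """Live lookup: `dig +short` prints one answer per line
    (CNAME targets carry a trailing dot, TXT strings are quoted)."""
    proc = subprocess.run(["dig", "+short", rtype, name],
                          capture_output=True, text=True, check=False)
    return [line.strip() for line in proc.stdout.splitlines() if line.strip()]


def normalize(rtype: str, value: str) -> str:
    """Make dig output comparable with the value typed into the DNS console."""
    value = value.strip()
    if rtype == "TXT":
        return value.strip('"')
    return value.rstrip(".").lower()   # DNS names are case-insensitive


def check_records(records: List[Record],
                  lookup: Callable[[str, str], List[str]] = dig_lookup
                  ) -> Tuple[bool, Dict[Tuple[str, str], bool]]:
    """Return (all_present, per-record status). A False entry means the
    expected value is not among the answers yet: either the record has not
    propagated or it was entered incorrectly."""
    status: Dict[Tuple[str, str], bool] = {}
    for rtype, name, expected in records:
        answers = {normalize(rtype, a) for a in lookup(rtype, name)}
        status[(rtype, name)] = normalize(rtype, expected) in answers
    return all(status.values()), status


if __name__ == "__main__":
    ok, status = check_records(SAMPLE_RECORDS)
    for (rtype, name), present in status.items():
        print(f"{'OK     ' if present else 'MISSING'} {rtype:5} {name}")
    print("ready to click Apply" if ok else "wait for propagation or fix the records")
```

Run it from any machine with `dig` installed; it uses the system's default resolver, so if your corporate resolver caches aggressively, point `dig` at a public resolver with `@8.8.8.8` to see what Alida's verifier will see.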

Complete your Azure application configuration

  1. Log in to the Azure Portal.
  2. Under Azure services, click Enterprise applications and open your application (for example, Alida).
  3. Click Manage > Single sign-on.
  4. Click Basic SAML Configuration > Edit.
  5. Under Identifier (Entity ID), enter the Audience Entity ID you stored earlier.
  6. Under Reply URL (Assertion Consumer Service URL), enter the Single Sign-On URL you stored earlier.
  7. Click Save.
  8. Click Attributes & Claims > Edit.
  9. Delete all existing Additional claims.
  10. Click Add new claim and create a new claim:
    • Name: email
    • Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
    • Source: Attribute
    • Source attribute: user.mail
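
The values carried between the two consoles only work if they line up exactly: the Microsoft Entra Identifier becomes the Issuer of every assertion Azure signs, the Audience Entity ID must appear in the assertion's AudienceRestriction, the Reply URL is where the response is posted, and the email claim name entered in Alida must match the Namespace plus Name configured above. The script below is an added example for this guide, not Alida's or Microsoft's code: it pulls those fields out of a SAML response and compares them with a config dictionary, and it also computes the SHA-1 thumbprint of the Base64 .cer downloaded earlier so you can confirm it matches the thumbprint Azure shows for the signing certificate. The response, certificate and config values are constructed placeholders. It does not verify the XML signature; that needs an XML-DSig library and is what the platform itself does at login.

```python
"""Cross-check SAML response fields against the values entered on Alida's SSO Setup page.
Added example for this guide; standard library only. All sample values are constructed."""
import hashlib
import ssl
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed stand-ins for the values copied between Azure and Alida.
CONFIG = {
    # Microsoft Entra Identifier (real ones look like https://sts.windows.net/<tenant-id>/)
    "entity_id": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "audience_entity_id": "urn:alida:sample-community",      # Audience Entity ID (placeholder)
    "sso_url": "https://sso.example.invalid/saml/acs",       # Single Sign-On URL = Reply URL (placeholder)
    "email_claim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email",
}

# Constructed, unsigned response shaped like what the IdP posts to the Reply URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://sso.example.invalid/saml/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:alida:sample-community</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email">
        <saml:AttributeValue>bob.smith@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed PEM body (not a real certificate); the real .cer from Azure has the same framing.
SAMPLE_CER = "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcICQ==\n-----END CERTIFICATE-----\n"


def extract_assertion_fields(response_xml: str) -> Dict:
    """Pull issuer, audiences, destination and the attribute map out of the response."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion element")
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    audiences = [a.text.strip()
                 for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    attributes: Dict[str, List[str]] = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name", "")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {"issuer": issuer, "audiences": audiences,
            "destination": root.get("Destination", ""), "attributes": attributes}


def check_against_config(fields: Dict, config: Dict) -> List[str]:
    """Return a list of mismatches; an empty list means the four values line up."""
    problems = []
    if fields["issuer"] != config["entity_id"]:
        problems.append(f"Issuer {fields['issuer']!r} != Entity ID {config['entity_id']!r}")
    if config["audience_entity_id"] not in fields["audiences"]:
        problems.append(f"Audience Entity ID {config['audience_entity_id']!r} not in {fields['audiences']}")
    if fields["destination"] != config["sso_url"]:
        problems.append(f"Destination {fields['destination']!r} != Single Sign-On URL {config['sso_url']!r}")
    values = fields["attributes"].get(config["email_claim"], [])
    if not values or not values[0].strip():
        problems.append(f"no value for email claim {config['email_claim']!r}; "
                        f"claims present: {sorted(fields['attributes'])}")
    return problems


def pem_thumbprint(pem_text: str) -> str:
    """SHA-1 thumbprint (upper-case hex, no colons) of the certificate in a Base64 .cer file."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    return hashlib.sha1(der).hexdigest().upper()


def thumbprint_matches(pem_text: str, portal_thumbprint: str) -> bool:
    """Compare with the Thumbprint shown in Azure, tolerating colons, spaces and case."""
    cleaned = portal_thumbprint.replace(":", "").replace(" ", "").upper()
    return pem_thumbprint(pem_text) == cleaned


if __name__ == "__main__":
    issues = check_against_config(extract_assertion_fields(SAMPLE_RESPONSE), CONFIG)
    print("config consistent" if not issues else "\n".join(issues))
    print("certificate thumbprint:", pem_thumbprint(SAMPLE_CER))
```

To use it on a real login, capture the SAMLResponse form field from the browser's developer tools, Base64-decode it, and pass the XML to `extract_assertion_fields`; a non-empty list from `check_against_config` names the exact field to correct in one of the two consoles.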

Assign a user to the Azure application

For SSO to work, the same user must exist both in Azure (with the Alida application assigned to that user) and in the Alida platform.

  1. Log in to the Azure Portal.
  2. Under Azure services, click Enterprise applications and open your application (for example, Alida).
  3. Click Manage > Users and groups.
  4. Click Add user/group.
  5. Click Users and groups > None Selected.
  6. Select the user you added in the panel (for example, bob.smith@example.com) and click Select.


  7. Click Select a role > None Selected.
  8. Click User, then click Select.
  9. Click Assign.

Verify SSO login

  1. Ask the user you added (for example, bob.smith@example.com) to log in to MyApps using their credentials.
  2. The user clicks the application's tile (for example, Alida).
    Result: The community opens, or the user is able to switch to it.