SAML2.0: How to connect to Azure AD

This article explains how to activate SSO and automatic user provisioning via your Azure AD identity provider.

Connect to Azure AD via SAML 2.0

  • Authenticate to the Azure Portal with an account that has Admin privileges, then go to Manage Azure Active Directory.
  • Navigate to Enterprise Applications.
  • Click "New Application" and select "Non-gallery application". Type a name and continue. (This might take a few moments to complete, so wait until you are directed to the application's screen.)
  • In the application's overview page there are 5 sections that allow for advanced settings of the newly created app.
  • Start by clicking on section "2. Set up single sign on" and choose SAML. The other 4 sections are to be configured based on the internal structure, rules and permissions of each organization, so they are not covered by this guide.

  • After that, click on section "1. Basic SAML Configuration" and click on Edit
  • In YAROOMS, go to Settings → Integrations → SAML 2.0 Authentication, and click on the Application Details tab.
  • Pair the values as follows:
    • Paste Entity ID (from Yarooms) in Identifier (Entity ID)
    • Paste ACS (Consumer) URL (from Yarooms) in Reply URL (Assertion Consumer Service URL)
    • Paste Relay State in Relay State
  • SAVE the SAML Configuration settings.
  • Go to Azure and scroll to item #4.
  • Go back to YAROOMS and click on the Connection tab. The values in section #4 will be used in YAROOMS to configure the connection, as described below.
  • Copy the Azure AD Identifier value and paste it in the Issuer URL field.
  • Copy the Login URL value and paste it in the SAML Endpoint field.

  • Go back to Azure and scroll to section "3. SAML Signing Certificate". Download the certificate in Base64 format and paste its contents in the X.509 Certificate field (in YAROOMS).

[Screenshot]

[Screenshot]

  • Set the Name ID Format field to emailAddress (see photo above, in blue).

  • Next, go to Azure, scroll to section "2. User Attributes & Claims" and map the fields in YAROOMS. These attributes need to be mapped manually in YAROOMS, as shown below.
  • Start by clicking the Edit button.
[Screenshot: Attributes and Claims]
  • From Additional Claims, add the correct Claim Name (⚠️ not Value ⚠️) to the YAROOMS Attributes Mapping section, in the IDP Field Name (see photos below).
[Screenshot: Additional Claims]
[Screenshot: Attributes Mapping]

  • In YAROOMS, click "Save Connection Settings" and move to the "User options" tab. This page allows you to select the Location, Group and Role for newly provisioned users.
  • For Dynamic mapping (Location, Groups), extra claims and attributes will have to be exported from Azure in the User object.
We have a default value for each dynamic mapping property. In case any mapping is missing, the user location, group, or role will fall back to the defined default value.
[Screenshot: groups]
[Screenshot: roles]

It is recommended not to choose Administrator or Supervisor groups for mapping, as all new users will have all the privileges of these groups.
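As an added illustration of how the attribute mapping above and the dynamic group mapping guide further down behave at sign-in, the following Python script (written for this article, not YAROOMS code) parses a constructed, unsigned SAML response the way the settings describe: the NameID must be in emailAddress format, attributes are looked up by Claim Name (the URI, never the Value), group values are matched by SAML group name, and a missing claim falls back to the configured default. The first four claim URIs are Azure AD's default claim names; the location claim, the group table, the default values and the sample response are assumptions made for the example. A real service provider validates the response signature before any of this runs.

```python
"""Apply a YAROOMS-style attribute mapping to a SAML 2.0 assertion.

Claims are matched by Claim NAME (the URI), NameID must be emailAddress,
group values are matched by SAML group name, and missing dynamic-mapping
claims fall back to defaults. Signature validation is out of scope here.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# IDP Field Name (Claim Name) -> YAROOMS field. The first four are Azure AD's
# default claim names; the location claim is a hypothetical custom claim
# (assumption for this example, not from the article).
ATTRIBUTE_MAPPING = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": "groups",
    "http://example.invalid/claims/location": "location",
}
# SAML group name (as sent by Azure) -> YAROOMS group. Constructed sample table.
GROUP_MAPPING = {"Facilities": "Facilities Team", "IT Admins": "Administrator"}
# Defaults used when a dynamic-mapping claim is absent (constructed values).
DEFAULTS = {"location": "Main Office", "group": "Employees", "role": "User"}
PRIVILEGED_GROUPS = {"Administrator", "Supervisor"}

# Constructed, unsigned sample response; a real one carries a ds:Signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Doe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>Finance</saml:AttributeValue>
        <saml:AttributeValue>Facilities</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text):
    """Return the NameID, its Format and a dict {claim name: [values]}."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion has no NameID")
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        # Keyed by the Claim Name URI, exactly what goes into "IDP Field Name".
        attributes[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)
        ]
    return {
        "name_id": (name_id.text or "").strip(),
        "format": name_id.get("Format"),
        "attributes": attributes,
    }


def provision_user(assertion, mapping=ATTRIBUTE_MAPPING,
                   group_mapping=GROUP_MAPPING, defaults=DEFAULTS):
    """Build the user record YAROOMS would provision; returns (user, notes)."""
    if assertion["format"] != EMAIL_FORMAT:
        raise ValueError(f"Name ID Format must be emailAddress, got {assertion['format']!r}")
    user = {"email": assertion["name_id"], **defaults}
    notes = []
    for claim_name, field in mapping.items():
        values = assertion["attributes"].get(claim_name, [])
        if field == "groups":
            # Dynamic group mapping: first SAML group with a YAROOMS counterpart wins.
            mapped = next((group_mapping[g] for g in values if g in group_mapping), None)
            if mapped is None:
                notes.append(f"no mapped group in {values}; using default {defaults['group']!r}")
            else:
                user["group"] = mapped
        elif values:
            user[field] = values[0]
        elif field in defaults:
            notes.append(f"no {field} claim; using default {defaults[field]!r}")
    # The article's caveat: every new user inherits the mapped group's privileges.
    if user["group"] in PRIVILEGED_GROUPS:
        notes.append(f"new user lands in privileged group {user['group']!r}")
    return user, notes


if __name__ == "__main__":
    record, remarks = provision_user(parse_assertion(SAMPLE_RESPONSE))
    print(record)
    for remark in remarks:
        print("note:", remark)
```

Running it provisions Jane into "Facilities Team" with the default location and role, and reports that no location claim arrived; swapping the first group value to "IT Admins" in the sample shows why the article advises against mapping to Administrator or Supervisor.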

  • Click "Save User options" and move to the last tab, "Application Details".
  • In YAROOMS click "Activate SAML 2.0 Integration" and complete the integration setup.
  • In Azure save the SAML configuration and complete the process. The settings can be checked by clicking the "Test" button in section #5.
For the new Azure application to work, make sure the user accounts intended to use the provisioning integration are assigned to the newly created application.

⚠️ Specific Guide for Dynamic GROUP MAPPING:

Go to the Azure Portal → Manage Azure Active Directory → Enterprise applications, click on the YAROOMS application you created previously (in the photo below it is named YAROOMS SAML), then on Single sign-on in the left-side menu.
Then click on Edit in the "2. Attributes & Claims" section.

[Screenshot: group mapping]

There, you'll see a list with all the Claims. Copy the Claim NAME (not Value) and place it in the Directory field of your YAROOMS Group Mapping page.
Usually, it looks something like this (the photo below is just an example):
[Screenshot]

After that, you will be able to add the YAROOMS groups and map them to user groups from Azure by SAML group name (you will need to copy and paste the group names from your Azure environment).
[Screenshot: mapping]