In this article we will discuss how to integrate Azure AD for single sign-on. The information below is intended for IT professionals. We will discuss integration requirements, configuration, what information you will need, how to configure Safelink and Azure AD and how to assign users and groups.
If you are experiencing any trouble with your SSO please contact your IT department or Safelink Support.
A subscription to Azure that includes Azure Active Directory (Azure AD). We will redirect your users to AD in order to authenticate them as part of a Single Sign-On (SSO) login.
Users that need to access Safelink must have email addresses defined in Azure AD.
All user email addresses must belong to domains that Azure AD considers to be verified and enabled for email. If this is not the case, Azure AD will not include these email addresses in its SAML responses, and authentication will fail.
To allow Safelink to authenticate against Azure AD, settings need to be added both in the Azure management portal and within Safelink (by the Safelink Support Team). Instructions for doing your part are shown below.
Please note that we are in the process of adding Safelink to the Azure application gallery, at which point these instructions will be updated. In the meantime, Safelink can be added as an Unlisted Application.
Information you will need
Note that in each case below, “clientname” must be replaced with the client name given to you by us, and "safelinkhostname" must be replaced with the fully qualified internet domain name of your Safelink deployment, which might be at a shared or a custom domain.
Identifier (aka. “Entity ID”, or "issuer"):
Even if you have a custom domain name, you should still use the above value.
Reply URL (aka. “ACS URL”):
The following instructions are a summary of the relevant sections of this guide:
Sign into the Azure management portal using your Azure Active Directory administrator account.
Browse to the Azure Active Directory > [Your Directory] > Enterprise applications section, select New Application, and then choose the All category.
Within the All category, click Non-gallery Application.
Enter Safelink as the name for the application and continue. You should see confirmation that the application has been added, and be taken to the Enterprise Application panel for the new Safelink application.
Click Single Sign-on.
When asked how you would like users to sign on, choose SAML-based Sign-on.
Enter the Identifier and Reply URL. These are shown in the “Information you will need” section above.
Tick the Show advanced URL settings box.
Enter the Sign on URL value. This is also included in the “Information you will need” section above.
In the User Attributes section, choose the User Identifier to be user.mail.
Tick the View and edit all other user attributes tickbox.
Use the Add Attribute button to add four new claims. In each case, leave the Namespace blank:
Attribute name: “email” (type this directly)
Attribute value: user.mail (choose this from the dropdown box)
Attribute name: “first_name” (type this directly)
Attribute value: user.givenname (choose this from the dropdown box)
Attribute name: “last_name” (type this directly)
Attribute value: user.surname (choose this from the dropdown box)
Attribute name: “title” (type this directly)
Attribute value: user.jobtitle (choose this from the dropdown box)
Optionally, use Add Attribute again to define a secret value or phrase that is known only to your organisation. The value you choose here is used as input to our encryption key generation routines and improves the security of your data. The value returned here can be different for each user or can be the same for all users, but for any given user, it must remain unchanged forever. If you choose to add this claim, it is critically important that you record the value you choose so that future administrators can recreate this setup. If this claim is supplied but later lost, permanent data loss may occur.
Attribute name: “user_secret”
Attribute value: “your secret value”
Under the SAML Signing Certificate section of the form, you should be given an opportunity to download a certificate. Use the Certificate (Base64) download option to do so.
Copy/paste the certificate thumbprint into an email for later reference; this is a 40-character hexadecimal string, which will look something like this: AB123456FEDCBA2345CDEF6789ABCD1234ABCD01
Tick the Make new certificate active tickbox.
Click the Configure Safelink link at the bottom of the form to continue.
You will reach a screen that allows you to download a certificate, and shows you a SAML Entity ID, a Single Sign-On Service URL and a Single Sign-Out URL.
Please send, via email to firstname.lastname@example.org, the following information:
The SAML Entity ID
The Single Sign-On Service URL
The Single Sign-Out URL
The certificate thumbprint
The downloaded certificate
A list of all email domains (usually just one) for the users that will authenticate, e.g. @mycompany.com
Press Save (shown above the form).
We will respond with confirmation that the configuration has been applied.
When this is complete, proceed to assign users and groups as described below.
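As an added example (not Safelink's or Microsoft's code), the following Python checks a SAML assertion against the claim mapping configured above: the four required attribute names, NameID equal to the email claim (user.mail), and the email domain belonging to the list of domains you sent to support. It also computes the 40-character SHA-1 thumbprint of a Base64 certificate so you can confirm the value you recorded from the portal. The assertion is a constructed, unsigned fragment; the real service provider must verify the XML signature before trusting any of these values, which this snippet does not do.

```python
"""Check an Azure AD SAML assertion for the claims Safelink expects (constructed example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIMS = ("email", "first_name", "last_name", "title")

# Constructed, unsigned assertion fragment: only the parts the checks below look at.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@mycompany.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@mycompany.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="title"><saml:AttributeValue>Analyst</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def claims(assertion_xml):
    """Map attribute Name -> first AttributeValue text; NameID is stored under '_name_id'."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.findall(".//saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        out[attr.get("Name")] = val.text if val is not None else None
    name_id = root.find(".//saml:NameID", NS)
    out["_name_id"] = name_id.text if name_id is not None else None
    return out


def check_claims(assertion_xml, allowed_domains):
    """Return a list of problems; an empty list means the assertion matches the expected mapping."""
    c = claims(assertion_xml)
    problems = [f"missing claim: {name}" for name in REQUIRED_CLAIMS if not c.get(name)]
    email = c.get("email") or ""
    if email != c.get("_name_id"):
        problems.append("NameID is not user.mail")
    domain = email.rpartition("@")[2].lower()
    if domain not in {d.lstrip("@").lower() for d in allowed_domains}:
        problems.append(f"email domain not in allowed list: {domain}")
    return problems


def thumbprint(cert_base64):
    """SHA-1 thumbprint (40 hex chars, as shown in the Azure portal) of a Base64/PEM certificate."""
    body = "".join(line for line in cert_base64.splitlines() if not line.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body)).hexdigest().upper()
```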
Assign users and groups
Before users can access Safelink via Azure AD, you will need to “assign” them to the Safelink application.
Within the Azure management portal, go to Azure Active Directory > [Your Directory] > Enterprise applications > All Applications section and choose Safelink.
Choose the Users and Groups option and click Add User.
Select a user, group or role to assign to Safelink, and click Assign.
Published on: 01 / 07 / 2020