This feature is only available on the Enterprise price plan.
Azure SSO setup guide
In this article you will learn how to configure SSO with Azure.
Create the Oneflow application in Azure
- Log in to the Azure portal with administrator permissions: https://portal.azure.com/.
- Press the menu icon on the top left of the page and select Azure Active Directory > Enterprise applications.
- Click New application.
- On the new application page, click Create your own application.
- Type “Oneflow” as the application name, and click the Create button at the bottom.
- The system will redirect you to the Oneflow application you have just created. Add users by clicking Users and groups on the left pane.
- Click Add user/group.
- Go back to the Oneflow application (in Enterprise applications) and click Single sign-on on the left pane.
- Download the Federation Metadata XML (third section).
- Gather the following fields from the file content you downloaded earlier:
  - Step one - entityID.
    Example: https://sts.windows.net/.../
  - Step two - X509Certificate.
    It is a long string. If there is more than one certificate, choose the first one.
    Example: MIIDdDCCAlygA…
    Example: MIIC8DCCAdigA...
  - Step three - SingleSignOnService (Attribute: Location).
    Example: "https://login.microsoftonline.com/.../saml2"
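The three values above can be pulled out of the downloaded Federation Metadata XML instead of copied by hand from a large file; the following Python script is an added example, not Oneflow's or Microsoft's code, and the sample metadata embedded in it (tenant GUID, certificate strings, URLs) is a constructed placeholder. It skips encryption-only keys, checks that each certificate decodes to DER, and takes the first signing certificate as the guide instructs.

```python
import base64
import sys
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape Azure emits; the tenant GUID and the
# certificate bodies are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>MIIDdDCCAlygAwIBAgIQ</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQ</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def extract_sso_settings(xml_text: str) -> dict:
    """Return entityID, first signing X509Certificate and SSO URL from IdP metadata."""
    root = ET.fromstring(xml_text)
    entity_id, idp = root.get("entityID"), root.find("md:IDPSSODescriptor", NS)
    if not entity_id or idp is None:
        raise ValueError("not SAML IdP metadata: entityID or IDPSSODescriptor missing")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # an encryption-only key would not validate Azure's signatures
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((c.text or "").split())  # drop the line wrapping in the file
            der = base64.b64decode(b64, validate=True)  # binascii.Error if mangled
            if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
                raise ValueError("X509Certificate does not decode to DER")
            certs.append(b64)
    services = {s.get("Binding"): s.get("Location")
                for s in idp.findall("md:SingleSignOnService", NS)}
    if not certs or not services:
        raise ValueError("no signing X509Certificate or SingleSignOnService found")
    return {"entity_id": entity_id, "certificate": certs[0],  # guide: take the first
            "certificate_count": len(certs), "sso_bindings": services,
            "sso_url": services.get(HTTP_REDIRECT) or next(iter(services.values()))}

if __name__ == "__main__":  # usage: python extract_sso.py FederationMetadata.xml
    print(extract_sso_settings(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA))
```

If certificate_count is greater than one, paste only the first certificate into Oneflow, as the guide says.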
Enable Single Sign-On in Oneflow
- Log in to your Oneflow account.
- Go to Marketplace.
- Click on Single sign-on > Enable (if disabled).
- Click Edit.
Configure Single Sign-On (SSO)
- Click on Edit.
- Select an identity provider in the "Type" field.
- Specify SSO service URL (the ‘SingleSignOnService (Attribute: Location)’ field from the ‘Federation Metadata XML’ file).
- Specify Entity ID (the ‘entityID’ field from the ‘Federation Metadata XML’ file).
- Specify X.509 certificate (the ‘X509Certificate’ field from the ‘Federation Metadata XML’ file).
- Click Confirm in the top left corner.
Complete SSO configuration in Azure
After enabling the SSO in Oneflow, you need to note the information from the following fields of the Oneflow Single sign-on page.
- In Oneflow, go to Marketplace > Single sign-on and note:
  - Identifier (Entity ID)
  - Reply URL (Assertion Consumer Service URL)
  - IdP login URL
- In Azure, Enterprise applications, go to the Oneflow application and click Single sign-on on the left pane.
- Fill in the Identifier (Entity ID) and the Reply URL (Assertion Consumer Service URL) fields that you obtained earlier on the Oneflow Single sign-on page.
- The SSO configuration is complete! Try to log in using the IdP login URL.
Configure group sync in Azure
NOTE: To configure group sync between Azure and Oneflow, you need to contact your CSM or Support and request that enforced SSO be enabled for your account. For more info, please see this article.
To configure the group sync in Azure:
- Go to the Oneflow application in Enterprise applications and click Single sign-on on the left pane.
- In the User Attributes & Claims section, click Edit.
- Click Add a group claim.
- On the Group Claims right pane, select All groups.
- In the Advanced options section, select the following option:
  - Customize the name of the group claim
- Click Save.
- Go to Users and groups.
- Create a group by clicking on Add user/group.
- Once the group is created, note the Object ID (you will need it later for syncing the group with a group in Oneflow).
- Log in to your Oneflow account.
- Go to Admin > Groups.
- Get the group name that has to be synced with the group in Azure (if the group does not exist, create it by clicking Create group).
- Create a support ticket with the title Azure SSO group sync and write the group information in the following format:
  "<Azure Group Object ID>": "<Oneflow group name>"
  "<Azure Group Object ID 2>": "<Oneflow group name 2>"
  "<Azure Group Object ID 3>": "<Oneflow group name 3>"
  Example:
  "21032101-2ee1-4091-be23-746d2d759c90": "HR - Sweden"
Configure group sync in Azure for more than 150 groups
To configure group sync in Azure for more than 150 groups:
- In Azure Enterprise applications, go to the Oneflow application and click Single sign-on from the menu on the left panel.
- In the User Attributes & Claims section, click Edit.
- If a group claim does not already exist, click Add a group claim.
- In the Group Claims pane, select Groups assigned to the application.
- In the Advanced options section, check the following options:
  - Customize the name of the group claim
  - Emit groups as role claims
- Click Save.
- Follow step 4 of the Configure group sync in Azure chapter of this article to create groups in Azure and sync them with groups in Oneflow.