Configure SAML 2.0 for Azure

Supported Features

  • Identity Provider Initiated Login
  • Just in time user provisioning

Configuration Steps

  1. Sign in to Tiled as an Account Admin.
  2. Navigate to Account Settings.
  3. Under General Settings, scroll down to the Auto Provisioning section.
  4. Select a required Default Role and Default Group for new users.
    • NOTE: Users who are just-in-time provisioned into the Tiled account will receive the role and group specified in this step.
  5. Check the Enable Auto Provisioning box.

  6. Scroll down to the SAML Settings section.
  7. Input an org domain.
    • NOTE: The value entered in this field will be used to generate our service provider metadata link as well as our service provider entityID.
  8. Click Update Settings.
  9. To build your Identity Provider Metadata XML, take the org domain from above and insert it into the following URL structure: {ORG DOMAIN}/metadata.xml
    • EXAMPLE: if I set my Org Domain to "saltydog-admin", my resulting metadata URL would be:
    • NOTE: This URL should now resolve to Tiled's service provider metadata. From it you will have access to the following items needed to complete your setup in Azure.
      • entity ID
      • X509 Certificate
      • Assertion Consumer Service URL

We can now add a new SAML application in Azure: 

  1. Sign in to the Azure portal as a cloud application admin, or an application admin for your Azure AD tenant.
  2. Navigate to Azure Active Directory > Enterprise applications and select the application from the list.
  3. Click New Application

  4. Select Non-Gallery Application
  5. Provide the application a Name
  6. Click ADD

  7. Select Set up Single Sign-On
  8. Select SAML
  9. Click the Pencil Icon to edit Basic SAML Configuration
  10. Copy the entity ID from the Tiled metadata URL that you created in Step 9 and paste it into the Identifier (entity ID) field
  11. Copy the Assertion Consumer Service URL from the Tiled metadata URL that you created in Step 9 and paste it into the Reply URL (Assertion Consumer Service URL) field
  12. Click Save

  13. In Azure Click the Pencil Icon to edit User Attributes & Claims

  14. Edit the Unique User Identifier and
  15. Set the name identifier format value to Email address
  16. Set the Source to Attribute
  17. Set the value of the Source Attribute to
  18. Click Save

  19. Under Additional Claims, create claim rules to release the following claims:

      Name    Namespace   Source      Source attribute
      email   (blank)     Attribute   Or attribute containing the user's public email address
      name    (blank)     Attribute   user.userprincipalname, or attribute containing the user's full name

  20. Copy the App Federation Metadata URL from the SAML Signing Certificate section and open it in a new tab. Alternatively, you can download the Federation Metadata XML and open it in a text editor.

  21. Copy the Federation Metadata XML and Paste it into the Identity Provider Metadata XML section of Tiled
  22. Click Update Settings

The configuration is now complete. You can assign users to the application in Azure and use its built-in test feature to confirm that they can authenticate.

Common Errors

  Response Error:
    {"type":"TypeError","status":500,"message":"Cannot read property '0' of undefined"}}
  Potential Fix:
    Ensure the Additional Claims rules from step 19 are properly sending 'email'
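As an added diagnostic for steps 15 and 19 and the 'email' error above (example code added here, not Tiled's or Azure's own), this Python script parses a SAML Response and reports whether the NameID format is emailAddress and whether the email and name claims are present. The Response samples it builds are constructed and unsigned; it does not verify signatures, so treat it as a claims check on a captured response, not as validation.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # step 15
REQUIRED_CLAIMS = ("email", "name")  # step 19, Namespace left blank


def check_response(xml_text):
    """Inspect one SAML Response and report what the Tiled steps require.

    Returns {"name_id": ..., "claims": {...}, "problems": [...]}; an empty
    problems list means the NameID format and both claims look right.
    """
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress (step 15)")
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        claims[attr.get("Name")] = values
    for required in REQUIRED_CLAIMS:
        if not claims.get(required):
            problems.append(f"claim '{required}' missing or empty (step 19)")
    return {"name_id": None if name_id is None else name_id.text,
            "claims": claims, "problems": problems}


def build_response(name_id_format, claims):
    """Construct a minimal, unsigned Response for exercising the check.

    Real Azure AD responses are signed and carry more elements; this
    constructed sample only has the parts check_response() inspects.
    """
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                    "</saml:AttributeValue></saml:Attribute>" for n, v in claims.items())
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" Version="2.0"><saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
            f'<saml:NameID Format="{name_id_format}">jane@example.com</saml:NameID>'
            f"</saml:Subject><saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
            "</saml:Assertion></samlp:Response>")


if __name__ == "__main__":
    ok = build_response(EMAIL_FORMAT, {"email": "jane@example.com", "name": "Jane Doe"})
    print(check_response(ok)["problems"])  # []
    missing = build_response(EMAIL_FORMAT, {"name": "Jane Doe"})
    print(check_response(missing)["problems"])  # the case behind the 500 error above
```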
