SSO Configuration for Beamery
The following steps enable single sign-on (SSO) for Azure AD accounts against the Beamery production and sandbox systems.
Prerequisites:
- Azure administrator or Global Administrator privileges
- Access to a secure file transfer method (not Zoom, Dropbox or any other third-party file transfer service)
- Beamery admin support to upload the metadata and certificate into the Beamery system
- SAML configuration identifiers (Entity ID and Assertion Consumer Service URL) supplied by the external party/provider, normally as a metadata file
Steps
Step 1: Access Azure AD to create SSO application
- Browse to https://aad.portal.azure.com
- Select 'Enterprise applications'
- Select '+ New application'
- Select '+ Create your own application'
- Enter the name of the application using the naming convention
  "DDIE – " + System name + " SSO " + Instance, e.g. "DDIE – Beamery SSO sandbox"

Step 2: Assign users to access this SSO
- In the AAD portal select 'Enterprise applications' and search for the name of the application created above
- Select 'Users and groups'; the current members are displayed
- To remove a user, select the name and click 'Remove'
- To add a user or group, select '+ Add user/group'
- Click 'None Selected'
- Use the search box to find and select user names or group names; once complete, click 'Select'
- Once all users and groups have been selected, click 'Assign'
- Check under 'Properties' that 'Assignment required?' is set to 'Yes'; otherwise the assignment list above does not restrict who can sign in to the application

Step 3: Set up single sign-on
- In the AAD portal, open the enterprise app and select 'Single sign-on'
- Choose the SSO method required; for this example 'SAML' is used
- Basic SAML configuration: select 'Edit' in the 'Basic SAML Configuration' section
- The two mandatory values are 'Identifier (Entity ID)' and 'Reply URL (Assertion Consumer Service URL)'
- Select 'Add identifier' and enter the Entity ID, then select 'Add reply URL' and enter the Assertion Consumer Service URL. Take both values from the Beamery metadata character for character; Azure AD posts the signed assertion to the Reply URL, so it must be the HTTPS endpoint from the metadata and nothing else
- There are optional URLs for sign-on, relay state and logout; leave them blank unless the 3rd party supplies them
- Select 'Save' once complete

- Attributes & Claims configuration
- The default claims are displayed and generally no change is required. Where the 3rd party requires a specific attribute, add it or update an existing claim
- Select 'Edit' in the 'Attributes & Claims' section
- To add the required attribute 'emailAddress' (note the capital 'A'; claim names are case-sensitive and the 3rd party expects this exact form), select '+ Add new claim'
- Enter the Name as 'emailAddress' and the Namespace as 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'; the claim is issued as the namespace and name joined with '/'
- In the 'Source attribute' section select the dropdown and choose 'user.mail'. Confirm the test accounts have 'mail' populated; if the source attribute is empty the claim is not issued at all
- Select 'Save' to complete

- Export SAML metadata and certificates
- In the 'SAML Signing Certificate' section, select 'Download' beside 'Federation Metadata XML'
- Save the file to a secure location and arrange to transfer it to the 3rd party using a secure method. Do not use 3rd-party 'Dropbox' or similar services. The file contains the public signing certificate and endpoints, not a private key; the concern is that it reaches the 3rd party unaltered, so confirm the certificate thumbprint with them over a second channel
- The 3rd party may also require the 'Certificate (Base64)' file; download and transfer it as above
- Once the 3rd party has installed the files, the SSO is available for testing
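The values in this step are copied by hand from two metadata files, and a mistyped Entity ID or Reply URL is the usual reason the later test fails. The script below is an added example for this runbook, not Beamery or Microsoft code: it reads the SP (Beamery) metadata to give the exact Identifier and Reply URL to paste into 'Basic SAML Configuration', refuses a non-HTTPS Reply URL, and reads the downloaded 'Federation Metadata XML' to print the signing certificate fingerprints so they can be confirmed with the 3rd party out of band. Both metadata documents inside the script are constructed samples with placeholder host names, tenant ID and certificate bytes; to use it for real, replace those strings with the contents of the actual files.

```python
"""Pull the Step 3 values out of SAML metadata and fingerprint the IdP signing
certificate so it can be confirmed with the 3rd party out of band.

Added example for this runbook; not Beamery or Microsoft code. The two
documents below are CONSTRUCTED samples in the SAML 2.0 metadata format. Host
names, the tenant ID and the certificate bytes are placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the SP metadata supplied by the 3rd party.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs-legacy"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed stand-in for the 'Federation Metadata XML' downloaded from Azure AD.
# The X509Certificate content is placeholder bytes, not a real certificate.
IDP_CERT_DER = b"placeholder-certificate-bytes"
IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(IDP_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def is_https(url: str) -> bool:
    """Reply URLs receive the signed assertion; only ever accept HTTPS ones."""
    return url.lower().startswith("https://")


def sp_values(xml_text: str) -> dict:
    """Return the Entity ID and Reply URL to paste into 'Basic SAML Configuration'."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    acs_list = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not entity_id or not acs_list:
        raise ValueError("SP metadata has no entityID or AssertionConsumerService")
    # Use the service marked default; otherwise the one with the lowest index.
    acs = next((a for a in acs_list if a.get("isDefault") == "true"),
               min(acs_list, key=lambda a: int(a.get("index", "0"))))
    location = acs.get("Location", "")
    if not is_https(location):
        raise ValueError(f"Reply URL is not HTTPS: {location}")
    return {"entity_id": entity_id, "reply_url": location, "binding": acs.get("Binding")}


def der_sha256(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def idp_values(xml_text: str) -> dict:
    """Return the IdP entity ID, SSO URL and signing-certificate fingerprints from
    the Azure AD federation metadata, for checking what the 3rd party installed."""
    root = ET.fromstring(xml_text)
    # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
    signing = [kd for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS)
               if kd.get("use", "signing") == "signing"]
    if not signing:
        raise ValueError("IdP metadata has no signing certificate")
    certs = []
    for kd in signing:
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))
            certs.append({
                "sha256": der_sha256(der),
                # The Azure AD portal shows the SHA-1 thumbprint, uppercase, no colons.
                "sha1_thumbprint": hashlib.sha1(der).hexdigest().upper(),
            })
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location") if sso is not None else None,
            "signing_certs": certs}


if __name__ == "__main__":
    print("SP  :", sp_values(SP_METADATA))
    print("IdP :", idp_values(IDP_METADATA))
```

Read the SHA-1 thumbprint back to the 3rd party against what they see after uploading the metadata; if the fingerprints differ, the file was altered or the wrong file was installed, and the Step 4 test will fail with a signature error.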
 
Step 4: Testing SSO
- Either use the inbuilt 'Test' option on the Single sign-on page, or use a URL provided by the 3rd party
- You will be prompted to enter your login ID, then the system should connect automatically without a password prompt
  Note: you must use a login ID that is included in the 'Users and groups' assignment from Step 2. A second login may not prompt for a login ID, as the session is now cached.
- It is recommended that you use the 'Test' option initially; if there is an error, a more detailed message is provided
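If the Step 4 test fails, or succeeds in Azure AD but Beamery rejects the login, the SAMLResponse the browser posts to the Reply URL shows why. The script below is an added example for this runbook, not Beamery or Microsoft code: it decodes a Base64 SAMLResponse (as copied from a browser SAML tracer or the developer tools form data) and checks that the issuer, audience (SP Entity ID), destination (Reply URL) and the exact-case 'emailAddress' claim match what Step 3 configured. The response inside the script is a constructed sample with placeholder values and a stub signature element; cryptographic signature validation is the SP's job and is deliberately not attempted here.

```python
"""Sanity-check a captured SAMLResponse before calling SSO 'working'.

Added example for this runbook; not Beamery or Microsoft code. The response
below is a CONSTRUCTED sample with placeholder values. The Signature element
is a stub: this script only checks that one is present, it does not verify it.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Azure AD issues the claim as namespace + "/" + name; the case must match the SP.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailAddress"

# Placeholder values standing in for what Step 3 configured.
EXPECTED = {
    "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "audience": "https://sp.example.invalid/saml/metadata",   # SP Entity ID
    "destination": "https://sp.example.invalid/saml/acs",     # Reply URL
}

SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example.invalid/saml/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>stub</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jane.doe@example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.invalid/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailAddress">
        <saml:AttributeValue>jane.doe@example.invalid</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser actually posts to the Reply URL: the XML, Base64-encoded.
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
# The same response with the claim name in the wrong case, the mistake Step 3 warns about.
SAMPLE_B64_LOWERCASE = base64.b64encode(
    SAMPLE_XML.replace("claims/emailAddress", "claims/emailaddress").encode()).decode()


def inspect_response(saml_response_b64: str, expected: dict = EXPECTED) -> dict:
    """Decode a SAMLResponse and return its key fields plus a list of problems."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # Azure AD only encrypts assertions when token encryption has been configured.
        problems.append("no plaintext Assertion (encrypted or missing)")
        return {"problems": problems}

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS).strip()
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}

    if issuer != expected["issuer"]:
        problems.append(f"issuer mismatch: {issuer}")
    if audience != expected["audience"]:
        problems.append(f"audience mismatch: {audience} (SP Entity ID wrong?)")
    if root.get("Destination") != expected["destination"]:
        problems.append(f"destination mismatch: {root.get('Destination')} (Reply URL wrong?)")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    if not name_id:
        problems.append("empty NameID")
    if EMAIL_CLAIM not in attrs:
        near = [n for n in attrs if n.lower() == EMAIL_CLAIM.lower()]
        problems.append("emailAddress claim missing"
                        + (f"; found wrong-case {near[0]}" if near else ""))

    return {"issuer": issuer, "audience": audience, "name_id": name_id,
            "attributes": attrs, "problems": problems}


if __name__ == "__main__":
    print(inspect_response(SAMPLE_B64)["problems"])            # []
    print(inspect_response(SAMPLE_B64_LOWERCASE)["problems"])  # reports the wrong-case claim
```

An empty problem list means Azure AD issued what Step 3 asked for; a remaining failure on the Beamery side then points at the files installed there (Step 3 export) or at the account not being assigned (Step 2).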