SSO configuration Guide for Azure

Last Updated:

SSO Configuration for Beamery

The following steps enable single sign-on (SSO) for Azure AD accounts with the Beamery production and sandbox systems.

Prerequisites:

  • Azure administrator or Global Administrator privileges
  • Access to a secure file transfer method (excluding Zoom, Dropbox or other third-party file transfer systems)
  • Beamery admin support to upload the metadata and certificates into the Beamery system
  • SAML configuration identifiers supplied by the external party/provider


Step 1: Access Azure AD to create SSO application

    • Browse to
    • Select ‘Enterprise Applications’
    • Select ‘+ New application’
    • Select ‘+ Create your own application’
    • Enter the name of the application using the naming convention
      “DDIE – “ + System name + “SSO” + Instance e.g. “DDIE – Beamery SSO sandbox”


Step 2: Assign Users to access this SSO

      • In the AAD portal select ‘Enterprise Applications’ and search for the name of the application used above
      • Select ‘Users and groups’; the current members will be displayed
      • To delete a user, select the name and click on ‘Remove’
      • To add a user or group, select ‘+ Add user/group’
      • Click on ‘None Selected’
      • Use the search box to find and select user names or group names; once complete, click on ‘Select’
      • Once all users and groups have been selected, click on ‘Assign’


Step 3: Setup Single sign-on

  • In the AAD portal, open the enterprise app and select ‘Single Sign-on’
  • Choose the SSO method required; for this example ‘SAML’ is the default

  • Basic SAML configuration

    • Select ‘Edit’ in the SAML config section
    • The two mandatory values are ‘Entity ID’ and ‘Assertion Consumer Service URL’
    • To update, select ‘Add Identifier’ and enter the URL provided by the 3rd party
    • Repeat for Reply URL (note this can be the same as Identifier)
      • There are optional configuration URLs for sign-on, relay and logout
    • Select ‘Save’ once complete

  • Attribute & Claims configuration
    • The default attributes are displayed and generally no change is required. In the event where the 3rd party requires a specific metadata attribute, this can be added or an existing one updated
    • Select ‘Edit’ in the ‘Attributes & Claims’ section


    • To add the required attribute ‘emailAddress’ (note the capital ‘A’), select ‘+ Add new claim’
    • Type Name as ‘emailAddress’ and Namespace as ‘’
    • In the ‘source attribute’ section select the dropdown and choose ‘user.mail’


    • Select ‘Save’ to complete

  • Export SAML Metadata and certificates
    • In the ‘SAML Signing Certificate’ section, select ‘Download’ beside ‘Federation Metadata XML’


    • Save the file to a secure location and arrange to transfer it to the 3rd party using a secure method. Do not use 3rd party ‘dropbox’ or similar.
    • The 3rd party may also require the ‘Certificate (Base64)’ file; download and transfer it as per above.
    • Once the 3rd party has installed the files, the SSO should be available for testing.

Step 4: Testing SSO

    • Either use the inbuilt ‘Test’ option or use a URL provided by the 3rd party

    • You will be prompted to enter your login ID, then the system should automatically connect without a password prompt
      Note: you must use a login ID that is included in the ‘Assigned User to Access SSO’ section. A secondary login may not prompt for a login ID, as the details are now cached.
    • It is recommended that you use the ‘Test’ option initially; if there is an error, a more detailed message will be provided