Single Sign-On (SSO) is a user authentication service that enables users to use one set of login credentials, such as name and password, to access multiple applications. The Dynamic Signal platform offers SAML 2.0 Single Sign-On (SSO) to provide seamless user registration and logon flow. Microsoft Azure is one of the common SSO providers used by clients.
To set up Azure SSO for your Community, see the sections below.
Prerequisites
Before starting your SSO configurations, please contact your Customer Success Manager (CSM) to enable SSO for your Community.
Integration Test
After you have completed your Azure SSO setup, see SSO Test Integration for instructions on how to test your integration.
Set Up Azure SSO
To get started you need to create a new enterprise application in Azure Active Directory. Select the Dynamic Signal app from the Azure Marketplace gallery. Once the application is created, you need to go to the Single Sign-On section to make the proper configurations for SSO.
To set up Azure SSO, complete the following steps.
- Log on through your Azure portal, go to Azure Active Directory and click Enterprise Applications.
- To add a new application, click + New Application.
- Search for Dynamic Signal in the search field under gallery applications and enter a name in the Name field.
- Click Add to create the application. The app may take a few seconds to be added.
- Click 2. Single Sign-On in the Getting Started region to navigate to the SSO section.
- Click SAML when selecting a single sign-on method to begin to configure the application.
- Click Edit in the Basic SAML Configuration section.
- In the 1. Basic SAML Configuration section, enter the following URLs from your Dynamic Signal community (example community URL: https://caseytest.voicestorm.com):
- Identifier (Entity ID): https://caseytest.voicestorm.com
- Reply URL: https://caseytest.voicestorm.com/User/SsoResponse
- Sign on URL: https://caseytest.voicestorm.com
- Click Save.
Note: If you need to reference the SSO metadata XML file from the Dynamic Signal Manager app, log on to the app with an account that has Manager privileges. Click the hamburger button at the top left and select Manage Community. If you do not have Manager permissions in the Dynamic Signal app, contact your Customer Success Manager.
In the Dynamic Signal Manager app, go to Admin > Registration > Single Sign-On. From that admin screen you will have the ability to download the Dynamic Signal SSO metadata.
- Once you have the correct URLs in the Basic SAML Configuration section, navigate to the 2. User Attributes & Claims section.
- By default, Azure recommends using User Principal Name (UPN) as the unique identifier for users. If you use UPN for uniquely identifying users in your SSO environment, then no updates are needed to this section.
Note: The default Azure setup uses 5 claims. The Unique User Identifier claim comes through in the header of the SAML assertion to identify which user is signing in to the platform. The Additional claims are used to assign user attributes in the Dynamic Signal platform.
Note: If you need a different unique identifier for users, update the Unique User Identifier claim to the attribute that uniquely identifies users in your SSO environment. You should also remove user.userprincipalname from the Additional claims section and add an additional claim for the attribute used to uniquely identify users.
Note: By default, the Dynamic Signal platform uses email address as the unique identifier for users. If you are not going to use email address as the User Identifier, follow the instructions in step 14 to update the unique identifier (the screenshot example follows the Azure default setup and uses UPN as the unique identifier).
- Once you complete the User Attributes & Claims section, proceed to the 3. SAML Signing Certificate section. Export/download the metadata from the Azure application to configure the SSO settings in the Dynamic Signal platform. You can find the SSO metadata for your Azure application by opening the App Federation Metadata Url in a browser window or by downloading the Federation Metadata XML.
- Navigate to the Single Sign-On page in the Dynamic Signal platform. (You can find this page in the Dynamic Signal Manager app by going to Admin > Registration > Single Sign-On.)
- Copy the signing certificate from your Azure SSO metadata into the Identity Provider Certificate section in the Single Sign-On page of the Dynamic Signal Manager app. The certificate is the text inside the <X509Certificate> element (nested under <KeyDescriptor><KeyInfo><X509Data>) in the Metadata XML file downloaded in the above step.
- Copy the SingleSignOnService Binding Location from your Azure SSO metadata into the Identity Provider Service URL section in the Single Sign-On page of the Dynamic Signal Manager app. You can find the URL in the <SingleSignOnService /> tag in the above Metadata XML file. Ensure that you use the URL for the HTTP-POST binding.
- Update the ID and Email Settings and Attribute Map in the Single Sign-On page of the Dynamic Signal manager app. Example screenshot uses the Azure default UPN attribute as the unique identifier.
- Once all the above steps have been completed, save all settings and enable SSO on the platform by selecting the Enable SSO check box.
Error Messages
If you see an Azure error screen with a reference code when attempting to access your community, your Azure SSO user account has not been configured successfully, and you will need to contact your internal IT helpdesk team for further assistance.
Azure error code examples:
- AADSTS50020: The affected user's account from the identity provider doesn't exist in your org's AD tenant and can't access the application.
- AADSTS50105: The affected user hasn't been granted access to the DySi app.
- AADSTS90072: The affected user's external account is not part of your org's AD tenant.
Additional AADSTS error codes can be found in Microsoft Azure's documentation.