In this article you will be guided through the set-up necessary to achieve SAML 2.0 logins with eloomi and your Microsoft Azure Active Directory environment.
​
All the steps to set-up an SSO with Microsoft Azure Active Directory have been described below.

Important note:

Go to the Azure Active Directory - Microsoft Entra or Microsoft Azure Portal

To set up SSO with eloomi we need to add a Custom Enterprise app.

In Azure Portal: in the Sidebar under the Manage tap > Enterprise Applications

In Microsoft Entra: in the Sidebar > Azure Active Directory > Applications > Enterprise applications

Now click on New Application

In the Browse Azure AD Gallery tap, click Create your own application.

Input the name of the app in the field What's the name of your app? in this example we will use eloomi.

After naming the app, we need to choose what type of app we would like to create.

In this case we need to select: Integrate any other application you don't find in the gallery (Non-gallery)

Click Create

With the new application created, you can fill in the necessary details.

In the Sidebar > Single sign-on

On the Single sign-on tap, hit SAML.

On the Set up Single Sign-On with SAML tap, Click Edit

In the Basic SAML Configuration tap, we need to configure a few things.

click Add identifier Input your eloomi URL followed by /saml2/metadata like this: https://your_domain.eloomi.com/saml2/metadata

click Add reply URL Input your eloomi URL followed by /saml2/acs like this: https://your_domain.eloomi.com/saml2/acs

In the Sign on URL box input your eloomi URL followed by /sso/log-in like this: https://your_domain.eloomi.com/sso/log-in

Click Save.

Now that we are back on the Set up Single Sign-On with SAML tap, we need to download the Certificate (Base64) file.

After downloading the Metadata file. We need to Copy the 3 URLs in 4 Set up

Login URL: https://login.microsoftonline.com/XXXX

Azure AD Identifier: https://sts.windows.net/XXXX

Logout URL: https://login.microsoftonline.com/XXXX

Open the downloaded certificate with Notepad and copy

-----BEGIN CERTIFICATE-----

<THE COPY PASTED CERTIFICATE>

-----END CERTIFICATE-----

Now back in eloomi, go to Admin > Settings > SSO Details.

SSO HOST > "Login URL" found in 4 Set up in Azure AD

SSO Entity ID > "Entity ID" found in 4 Set up in Azure AD

SSO LOGIN SERVICE >

SSO LOGOUT SERVICE > "Logout ID" found in 4 Set up in Azure AD

SSO LOGIN TYPE > Email

SSO LOGIN ATTRIBUTE > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

SSO NAMEID FORMAT > urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

SSO AUTHNCONTEXT > False

SSO REDIRECT UNAUTHORIZED REQUESTS > Yes

Certificate > paste the copied Base64 certificate from 3 SAML Signing Certificate

The SSO Redirect Unauthorized Requests defines whether an initial load to https://your_domain.eloomi.com should directly redirect to the SSO Identity provider.

If this is set to NO. You will have to navigate to https://your_domain.eloomi.com/sso/log-in to initiate the SSO login.
If this is set to YES. You may circumvent the SSO login by navigating to https://your_domain.eloomi.com/login

When done filling in the details, save the settings by pressing Update SSO

Testing the SSO login can be achieved by navigating to: https://your_domain.eloomi.com/sso/log-in

Please make sure Activation Method from platform admin > settings > company details are set to "Instant", so users are not sent an activation email.

To implement IDP-initiated logouts from eloomi, you will need to add this endpoint: https://your_domain.eloomi.com/sso/logout to your IDP.

For technical support on SSO configuration or errors, please raise a ticket at helpdesk.eloomi.com, including the error message and screenshot and steps taken before the challenge arose.