In this article you will be guided through the setup necessary to achieve SAML 2.0 logins between eloomi and your Microsoft Azure Active Directory environment.
All the steps needed to set up SSO with Microsoft Azure Active Directory are described below.
Important note:
Please be aware that eloomi does not support user provisioning through SSO. You will be able to use our open API (contract add-on) to create users & update user information. Please be aware that we do not support SCIM.
We do not support multiple SSO connections to the same platform.
Setting up SSO using Microsoft Azure Active Directory
Go to Azure Active Directory, either in the Microsoft Entra admin center or in the Microsoft Azure Portal.
To set up SSO with eloomi we need to add a Custom Enterprise app.
In Azure Portal: in the Sidebar under the Manage tab > Enterprise Applications
In Microsoft Entra: in the Sidebar > Azure Active Directory > Applications > Enterprise applications
Now click on New Application
In the Browse Azure AD Gallery tab, click Create your own application.
Input the name of the app in the field What's the name of your app?; in this example we will use eloomi.
After naming the app, we need to choose what type of app we would like to create.
In this case we need to select: Integrate any other application you don't find in the gallery (Non-gallery)
Click Create
Adding Details
With the new application created, you can fill in the necessary details.
In the Sidebar > Single sign-on
On the Single sign-on tab, click SAML.
On the Set up Single Sign-On with SAML tab, click Edit.
In the Basic SAML Configuration tab, we need to configure three things:
Identifier (Entity ID)
Reply URL (Assertion Consumer Service URL)
Sign on URL
Click Add identifier and input your eloomi URL followed by /saml2/metadata, like this: https://your_domain.eloomi.com/saml2/metadata
Click Add reply URL and input your eloomi URL followed by /saml2/acs, like this: https://your_domain.eloomi.com/saml2/acs
In the Sign on URL box, input your eloomi URL followed by /sso/log-in, like this: https://your_domain.eloomi.com/sso/log-in
Click Save.
Now that we are back on the Set up Single Sign-On with SAML tab, we need to download the Certificate (Base64) file from section 3 SAML Signing Certificate.
After downloading the certificate file, we need to copy the 3 URLs shown in section 4 Set up:
Login URL: https://login.microsoftonline.com/XXXX
Azure AD Identifier: https://sts.windows.net/XXXX
Logout URL: https://login.microsoftonline.com/XXXX
Open the downloaded certificate with Notepad and copy its entire content, including the BEGIN and END lines:
-----BEGIN CERTIFICATE-----
<THE COPY PASTED CERTIFICATE>
-----END CERTIFICATE-----
Settings in eloomi
Now back in eloomi, go to Admin > Settings > SSO Details.
SSO HOST > "Login URL" found in 4 Set up in Azure AD
SSO Entity ID > "Azure AD Identifier" (the IdP entity ID) found in 4 Set up in Azure AD
SSO LOGIN SERVICE >
SSO LOGOUT SERVICE > "Logout URL" found in 4 Set up in Azure AD
SSO LOGIN TYPE > Email
SSO LOGIN ATTRIBUTE > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
SSO NAMEID FORMAT > urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
SSO AUTHNCONTEXT > False
SSO REDIRECT UNAUTHORIZED REQUESTS > Yes
Certificate > paste the copied Base64 certificate from 3 SAML Signing Certificate
The SSO Redirect Unauthorized Requests setting defines whether an initial load of https://your_domain.eloomi.com should directly redirect to the SSO identity provider.
If this is set to NO, you will have to navigate to https://your_domain.eloomi.com/sso/log-in to initiate the SSO login.
If this is set to YES, you may circumvent the SSO login by navigating to https://your_domain.eloomi.com/login
When done filling in the details, save the settings by pressing Update SSO.
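As an added example (not eloomi's or Microsoft's own code), here is a small Python checker for the values entered in the two forms above: it derives the three SP-side URLs for the Azure Basic SAML Configuration from your eloomi domain, and it validates the eloomi SSO Details values against the patterns and constants this article specifies, including a sanity check that the pasted Base64 certificate is complete (a truncated paste is a common cause of a failing signature check). The form field names used as dictionary keys are assumed to match the labels in the eloomi settings page.

```python
import base64
import binascii

# Expected value prefixes / exact values from this article's SSO Details table.
PREFIXES = {
    "SSO HOST": "https://login.microsoftonline.com/",           # Azure "Login URL"
    "SSO Entity ID": "https://sts.windows.net/",                # "Azure AD Identifier"
    "SSO LOGOUT SERVICE": "https://login.microsoftonline.com/", # Azure "Logout URL"
}
EXACT = {
    "SSO LOGIN ATTRIBUTE": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "SSO NAMEID FORMAT": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

def expected_azure_sp_urls(domain):
    """The three SP-side URLs entered in Azure's Basic SAML Configuration."""
    base = f"https://{domain}.eloomi.com"
    return {"identifier": f"{base}/saml2/metadata", "reply_url": f"{base}/saml2/acs",
            "sign_on_url": f"{base}/sso/log-in"}

def pem_problems(pem):
    """Check PEM framing, Base64 validity, and that the DER length matches the bytes present."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        return ["certificate is missing the BEGIN/END CERTIFICATE lines"]
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error:
        return ["certificate body is not valid Base64"]
    if len(der) < 2 or der[0] != 0x30:
        return ["decoded certificate is not a DER SEQUENCE"]
    # DER length: short form (< 0x80) or long form (0x80 | number of length bytes)
    if der[1] < 0x80:
        hdr, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if len(der) != hdr + length:
        return [f"certificate is truncated or has trailing data ({len(der)} bytes, DER declares {hdr + length})"]
    return []

def check_eloomi_sso_settings(s):
    """Return a list of problems found in the eloomi 'SSO Details' form values (empty = OK)."""
    problems = [f"{k} should start with {p}" for k, p in PREFIXES.items()
                if not s.get(k, "").startswith(p)]
    problems += [f"{k} must be exactly {v}" for k, v in EXACT.items() if s.get(k) != v]
    return problems + pem_problems(s.get("Certificate", ""))
```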
Testing
Testing the SSO login can be achieved by navigating to: https://your_domain.eloomi.com/sso/log-in
Important Note:
Please make sure the Activation Method under platform admin > Settings > Company details is set to "Instant", so that users are not sent an activation email.
To implement IDP-initiated logouts from eloomi, you will need to add this endpoint: https://your_domain.eloomi.com/sso/logout to your IDP.
For technical support on SSO configuration or errors, please raise a ticket at helpdesk.eloomi.com, including the error message, a screenshot, and the steps taken before the problem arose.