Azure AD SSO
Azure Active Directory (Azure AD) Single Sign-On (SSO) provides a seamless and secure way for users to access multiple applications using their Azure AD credentials. This integration streamlines the authentication process, enhances the user experience, and strengthens security within your organization. With Azure AD SSO, users no longer need to remember separate sets of credentials for each application.
Configure Settings in Azure AD Server
To configure Azure AD settings, follow these steps:
1. Log in to the Microsoft Azure portal and select Enterprise Applications.
2. Click the New Application icon at the top.
3. On the Browse Microsoft Entra Gallery page, click Create your own application, and in the Create your own application prompt select Integrate any other application you don't find in the gallery (Non-gallery).
4. Enter the application name (for example, SureMDM) and click Create.
5. The admin is taken to the application's Overview screen. Select Set up single sign-on.
6. On the Single sign-on page, click the SAML option. This opens the SAML-based Sign-on page. Enter the following details:
   - Entity ID: urn:42gears:suremdm:SAML2ServiceProvider
   - Reply URL: https://<SureMDM Server Path>/console/ssoconsumer/<Account ID>
   - Sign on URL: https://<SureMDM Server Path>/console/ssoconsumer/<Account ID>
   Replace <SureMDM Server Path> and <Account ID> in the URLs above with your own SureMDM server path and account ID.
   Important: once SSO has been configured in the SureMDM console, replace the Account ID in the Reply URL and the Sign on URL in the Azure portal with the Encrypted Account ID. To get the encrypted account ID:
   a. Navigate to SureMDM Console > Account Settings > Enterprise Integrations > SAML Single Sign-On.
   b. On the SAML Single Sign-On screen, locate the Assertion URL; it contains the Encrypted Account ID.
7. Click Save, then download the Certificate (Base64) and the Federation Metadata XML.
Configure Settings in SureMDM Web Console
To configure SAML in SureMDM:
Navigate to SureMDM Web Console > Settings (the icon at the top right of the screen) > Account Settings > Enterprise Integrations > SAML Single Sign-On.
This screen has two sections:
- a. SSO configuration
- b. Dynamic Permission Assignment
Under the SSO Configuration section, configure the following settings:
| Setting | Value |
|---|---|
| Service Identifier | Enter the Service Identifier. This value is the entityID attribute of the EntityDescriptor element in the Federation Metadata XML file downloaded in step 7 of Configure Settings in Azure AD Server. |
| Sign on Service Url | Enter the Sign on Service URL. This value is the Location attribute of the md:SingleSignOnService element with the HTTP-Redirect binding in the Federation Metadata XML downloaded in step 7 of Configure Settings in Azure AD Server. |
| Logout Service Url | Enter the URL for logout. This is generally the same as the Sign on Service URL. |
| SSO Service Provider Name | Select an SSO provider name from the drop-down list. |
Under the Dynamic Permission Assignment section, click Add to configure the following settings:
| Setting | Value |
|---|---|
| Attribute | Under Role Configuration, set the Attribute name to Group. This refers to the user's group attribute as sent by the IdP (for example, Attribute: Engineering, Value: QA). For the steps to add attributes on the IdP side, refer to the attribute configuration documentation. |
| Condition | Select the condition from the drop-down: Contains, Equals or In. Note: the condition field defines how SureMDM matches the attribute value received from the SSO provider against the value specified in the rule. |
| Value | Provide the value that the group name must match (e.g., "Admin", "Manager", or any other relevant group identifier). SureMDM looks for this value within the user's group attribute to decide whether the role should be assigned. |
| Roles | Specify the roles that should be dynamically assigned to the user when the Group attribute matches the specified value. For example, if the group contains "Admin", assign the Administrator role; if the group contains "Manager", assign the Manager role. To know more, see Configure Permissions for Role-Based Admin. |
| Device Group Set | Choose an option for Device Group Set from the drop-down menu. To know more, see Configure Permissions for Device Group Set Based Admin. |
| Jobs/Profiles Folder Set | Choose an option for Jobs/Profiles Folder Set from the drop-down menu. To know more, see Configure Permissions for Job Folder Set Based Admin. |
If the Attribute or Value does not match the information provided by the IdP:
- SureMDM assigns default permissions to the sub-user.
- The user does not receive the intended custom role.
Recommendation: ensure that attributes and values are configured consistently between the IdP and SureMDM.
Deny Access: this option can be configured only in the Default Permission. It determines whether a user should be denied access when the attribute and value conditions from the Identity Provider (IdP) do not match any of the configured roles.
If Deny Access is enabled in the default permission and the attribute and value from the IdP do not match any defined condition (Contains, Equals, In), SureMDM assigns no role to the SSO user, and the user is denied access to the console.
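The matching and fallback behaviour described above, as an added Python example that models the rule evaluation (it is not SureMDM's own code). It assumes Contains means a substring match against any value of the attribute, Equals means one value is exactly the configured string, and In means one value appears in a comma-separated list; the embedded assertion fragment is a constructed sample.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample of the AttributeStatement an IdP sends; a real assertion is
# signed, and its signature must be verified before any attribute is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
      <saml:AttributeValue>Manager</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

@dataclass
class Rule:
    attribute: str  # attribute name configured in SureMDM, e.g. "Group"
    condition: str  # "Contains", "Equals" or "In"
    value: str      # value the attribute must match
    role: str       # role assigned when the rule matches

def extract_attributes(assertion_xml):
    """Map each SAML attribute name to its list of values (attributes can be multi-valued)."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", SAML)]
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML)}

def matches(condition, values, expected):
    """Assumed semantics: Contains = substring of any value, Equals = one value is
    exactly the expected string, In = one value is in a comma-separated list."""
    if condition == "Contains":
        return any(expected in v for v in values)
    if condition == "Equals":
        return expected in values
    if condition == "In":
        return any(v in [x.strip() for x in expected.split(",")] for v in values)
    raise ValueError("unknown condition: " + condition)

def assign_role(rules, attributes, default_role, deny_access=False):
    """First matching rule wins; no match gives the default permission, or None (denied) with Deny Access."""
    for rule in rules:
        if matches(rule.condition, attributes.get(rule.attribute, []), rule.value):
            return rule.role
    return None if deny_access else default_role

# Rules mirroring the table's example: groups containing "Admin" get Administrator, "Manager" gets Manager.
RULES = [Rule("Group", "Contains", "Admin", "Administrator"),
         Rule("Group", "Equals", "Manager", "Manager")]
```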
- Upload the Certificate:
  - Click Upload Certificate and upload the certificate downloaded in step 7 of Configure Settings in Azure AD Server.
  - Click OK.
  Note: The password field can be left empty.
- Click Save.
To log in to the SureMDM server through SSO, go to the SureMDM Login page, click Sign In using SSO, then click the Azure AD icon and enter your Microsoft Entra (formerly Azure AD) credentials. Alternatively, use a URL of the following form to log in through SSO:
https://<SureMDM Server URL>/console/ssologin/<Encrypted Account ID>
Replace <SureMDM Server URL> and <Encrypted Account ID> with your server URL and encrypted account ID.