Single sign-on with Azure Active Directory

This is a guide to the integration between Synerise and Microsoft Azure Active Directory (Azure AD), which enables your users to authorize with their Azure AD accounts. The integration with Microsoft Azure AD is offered through the SAML 2.0 protocol.

Benefits

  • Centralized user management - With Azure AD, you get to administer users from one central place in your organization.

  • Increased security - The benefit of a single user account in many applications helps to maintain a single identity and credentials, so users don’t have to remember too many credentials. Authentication takes place only with Azure AD, with a single set of security-related policies regardless of the application.

  • Improved user experience - Your users only need to sign in once to use multiple applications. This approach ensures faster authentication, saves time and relieves users from remembering multiple credentials.

Prerequisites

To get started, you need the following items:

  • An Azure AD subscription with permission to create Azure AD applications
  • At least one verified domain
  • User permissions to access Settings and perform Identity provider configuration in Synerise

Configuring SAML application in Microsoft Azure

The first step is to add the Synerise application to your Microsoft Azure AD account.

  1. Log in to Microsoft Azure Portal.
  2. Go to Azure Active Directory > Enterprise Applications.
  3. Select All applications and then click New application.
  4. In the Add from the gallery section, in the search box type Synerise AI Growth Operating System.
  5. From the results, select Synerise AI Growth Operating System and add the application.
    Result: Your application is added.
  6. On the Synerise AI Growth Operating System application integration page, go to Manage > Single sign-on.
    SAML-based SSO
    Configuration in the Microsoft Azure portal
  7. In the Basic SAML Configuration section, on the right side, click the Edit button.
  8. Obtain the value of the Service Provider Redirect URI field (you can find it in Synerise, go to Settings icon Settings > Access Control > Identity Providers), and enter this value in the following fields in Azure MD:
    • Reply URL (Assertion Consumer Service URL)
    • Sign on URL
  9. In SAML Signing Certificate, download Certificate (Base64).
  10. From Set up Synerise Growth Cloud, note down Login URL.
  11. Go to the Overview section in the Azure MD application and note down Application ID (it’s required in the further part of the integration process).

Configuring user assignment to the application

You can assign users to the Synerise application in several ways within Microsoft Azure depending on your needs. The configuration settings allow you to let all your users use Synerise or only the selected user groups/individuals.

  1. Log in to Microsoft Azure Portal.
  2. Go to Azure Active Directory > Enterprise Applications.
  3. Select the Synerise application.
  4. Go to the Properties section.
    • If you want to require assigning users to the app (unassigned users won’t be able to use the application, regardless of any further configuration), set User assignment required to Yes.
      Further procedure when you select Yes

      1. Go to Users and groups and click Add user.
      2. Select individual users or groups who will be granted access to the Synerise application.
      3. Confirm the selection by clicking Assign.

    • If you don’t want to assign users to the app, set the User assignment required to No.
      Results when you set No

      • All users and groups have access to the application.
      • If you want to grant access to specific user groups, you can map those user groups in Dynamic group assignment in Synerise.
      • If there was no role assignment mapping, whenever a user accesses the Synerise app, this user receives information about the lack of access and a request to contact Organization admin.

Configuring application access based on Azure AD security groups

Important: Perform this procedure only if you set the User assignment required to No in the Configuring user application assignment procedure.
Otherwise, omit it.

  1. Log in to Microsoft Azure Portal.

  2. Go to Azure Active Directory > Groups.

  3. Select the security groups you want to enable access for.

  4. Note down the Object Ids of the security groups for which you want to enable access to Synerise.
    In this example, access will be granted for three security groups:

    SAML-based SSO
    Example groups
    • SYN_ADMIN with Object Id: 9338ee1f-f662-48df-b286-7b93c9816e38) where we want to assign the PROFILE_ADMIN role in Synerise
    • SYN_MANAGER with Object Id: 1826c186-ec0d-4ac0-a939-53d964b0e157 where we want to assign the PROFILE_MANAGER role in Synerise
    • SYN_USER with Object Id: 731e7b07-604a-4ce5-b26e-e1a73c4e440f where we want to assign the PROFILE_USER role in Synerise
      WARNING: These are just example Object Ids. While performing the procedure, replace them with the actual IDs for your security groups.

  5. After noting down the IDs, go to Synerise (Settings icon Settings > Access Control > Identity Providers ) to the Just-in-Time provisioning section.

    1. Switch the Dynamic role assignment option on.
    2. Follow the instructions described here.

Configuring application access based on Synerise SAML app assignment

Important: Perform this procedure only if you set the User assignment required to Yes in the Configuring user application assignment procedure.
Otherwise, omit it.
  1. Log in to Microsoft Azure Portal.
  2. Go to Azure Active Directory > Enterprise Applications.
  3. Select the Synerise application (which was created in the Configuring SAML application in Microsoft Azure section).
  4. In the Overview section (which you’re currently in), select 1. Assign users and groups.
  5. Select Add user > Users and groups and select the groups you want to assign to the Synerise application.
  6. After assigning all users or groups, to confirm selection, click the Assign button.
  7. Continue the set up within Synerise as described in this step in Configuring Azure AD as an Identity Provider in Synerise.

Configuring group claims

In order to pass role or group claims within Microsoft Azure, you must:

  1. Log in to Microsoft Azure Portal.
  2. Go to Azure Active Directory > App registrations.
  3. Select the Synerise application (which was created in the Configuring SAML application in Microsoft Azure section).
  4. Go to Token configuration section.
  5. Click Add groups claim.
    • If you want to enable access to the application based on Active Directory security group assignment for users, click Security groups.
    • If you want to enable access to the application based only on groups assigned to the Synerise application, click Groups assigned to the application.
  6. Optionally, go to the SAML section and select Emit groups as role claims.
    • If you select it, the claim will use the following attribute name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role
    • If you leave this checkbox unselected, the SAML integration will use the following attribute name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups or http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
  7. Continue the configuration depending on your selection in step 5:
    • If you selected Security groups, continue to this procedure.
    • If you selected Groups assigned to the application, continue to this procedure.

Configuring Azure AD as an Identity Provider in Synerise

  1. Log in to Synerise.

  2. Select the workspace you want to configure single sign-on for.

  3. Go to Settings icon Settings > Access Control > Single Sign-On.

  4. In the General settings section:

    1. From the Authentication methods dropdown list, select the authentication method to the value of your choice. Read more information about it here.
      Tip: At the beginning, we suggest to set it to Allow signing in with both methods unless you have a separate account that’s in different domain than you will be setting up SSO for.
    2. In the Sign-in button label field, type the name that is displayed on the sign-in button, for example Sign in with Azure AD.

  5. In the Authentication settings section:

    1. From the Managed domains, select the domains you want to use for your SSO.
    2. Enable Use attribute containing email address instead of subject.
      Result: The Identity Provider email attribute text field appears.
    3. In the Identity Provider email attribute, enter the email attribute name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress (use it only for Azure AD integration).
    SAML-based SSO
    The result

  6. In the Just-in-Time provisioning section, follow the procedure described here.

    • If you kept the default role assignment:

      SAML-based SSO
      Filled in dynamic assignment settings

      Result: In this model, every authenticated person has a role (or roles) assigned according to the settings defined here regardless of any configuration on Identity Provider side and depending on setup in the Update user roles while signing in field.

    • If you selected dynamic role assignment:

      SAML-based SSO
      Filled in dynamic assignment settings

      Result: Every authenticated person has a role (or roles) assigned based on group/role mapping between Azure AD and Synerise depending on setup in the Update user roles while signing in field.

  7. In the SAML protocol settings section:

    1. In the Identity Provider Entity ID and SSO endpoint (https) fields, enter the Login URL obtained from the Microsoft Azure Portal (you copied the URL while performing step 11 in the Configuring SAML application in Microsoft Azure procedure).
    2. In the Identity Provider application ID field, paste the Application ID obtained from Microsotf Azure Portal (you copied the URL while performing step 12 in the Configuring SAML application in Microsoft Azure procedure).
    3. The Service Provider redirect URI is filled in by default (you used it in step 9 in the Configuring SAML application in Microsoft Azure procedure).
    4. Select Request signature and upload certificate downloaded from Microsoft Azure Portal (you downloaded it in step 10 in the Configuring SAML application in Microsoft Azure procedure).
    5. Optionally, set the Max Skew Clock to 10 seconds.
      Result:
      SAML-based SSO
      The result of configuring SAML settings in Synerise

  8. Next to the Identity Providers headline, click Apply.

Test SSO

After completing the Azure AD setup, test the integration.

  1. If you are logged in to Synerise, log out.
  2. Go here.
  3. Enter your email address.
  4. Click Continue.
  5. Click the Sign in with Azure AD (the text on the button depends on the value you entered in this step).
    Result: You will be redirected to Microsoft where you will be authenticated immediately if there is an active session or you will be asked to authenticate and as a result you’ll be redirected back to Synerise.
In case you can't authenticate

  • In the Synerise application, review the SAML setup for any typos or errors in the Just-In-Time provisioning configuration.

  • In Azure AD portal:

    1. Click Test this application.
      Result: You are automatically signed in to the Atlassian Cloud for which you can configure SSO.
      SAML-based SSO
      The result of configuring SAML settings in Synerise

  • Alternatively, Synerise is available in https://myapplications.microsoft.com/ if you didn’t set the Visible to users? option to No in the Enterprise application setup.

Congratulation! You signed in through Azure AD.

Note: When the process works as expected, you can switch the Authentication Mode setting, so only the SSO authentication method is allowed, excluding the option of authorizing through email and password.
😕

We are sorry to hear that

Thank you for helping improve out documentation. If you need help or have any questions, please consider contacting support.

😉

Awesome!

Thank you for helping improve out documentation. If you need help or have any questions, please consider contacting support.

Close modal icon Placeholder alt for modal to satisfy link checker