Skip to main content
Sign in
Dansk Deutsch Nederlands

Implementation SSO - Microsoft

  • Updated

Please note: this article is part of SSO Implementation - Workspace & SSO Implementation - Mobile app.

An application must be created within the IdP. Within Microsoft Azure, it is an Enterprise application. You create a new Enterprise application with e.g. the name: ‘Springcast PRO - Workspace’. Then enable single sign-on via SAML2. Then the following fields can be filled in:

  1. Under ‘Basic SAML Configuration’:
    1. Identifier (Entity ID): the value under SSO settings if ‘SP Entity ID’ is specified. For example: https://work.springcast.app/saml2/<id>/metadata. See also PRO Workspaces & Mobile app
    2. Reply URL (Assertion Consumer Service URL): the value at SSO settings if ‘SP Reply URL (ACS)’. For example: https://work.springcast.app/saml2/callback
  2. Under ‘Attributes & Claims’:
    1. Required claim:
      1. Unique User Identifier (Name ID):
        1. Source: Attribute
        2. Source attribute: user.userprincipalname
    2. Additional claims:
      1. Add new claim:
        1. Name: email
        2. Source: Attribute
        3. Source attribute: user.userprincipalname
        4. Namespace: empty
      2. Add new claim:
        1. Name: first_name
        2. Source: Attribute
        3. Source attribute: user.givenname
        4. Namespace: empty
      3. Add new claim:
        1. Name: last_name
        2. Source: Attribute
        3. Source attribute: user.surname
        4. Namespace: empty
      4. Add new claim:
        1. Name: name
        2. Source: Attribute
        3. Source attribute: user.displayname
        4. Namespace: empty
      5. Add a group claim:
        1. Which groups associated with the user should be returned in the claim: Security groups
        2. Source attribute: Group ID
        3. Customize the name of the group claim
          1. Name (required): groups
        4. Optional: you can filter on groups.

This then looks like this:

SSO - Microsoft Azure Enterprise application with SAML2

You can do additional settings within the new application, such as setting assignment required. We leave this to you.

Setting up SSO

Within PRO Workspaces, you can enable SSO under ‘People & access’. After this, you can manage the SSO settings. This also contains the ‘SP Entity ID’ and ‘SP Reply URL (ACS)’ that you need to create the Enterprise application.

Settings

The following fields must be filled in:

  1. Metadata: the value in the Enterprise application under ‘Microsoft Entra Identifier’.
  2. ACS: the value that appears in the Enterprise application at ‘Login URL’.
  3. Entity ID: the value in the Enterprise application under ‘Microsoft Entra Identifier ’.
  4. Certificate: download the base64 certificate and open it with a text editor.

Role mapping

Using the role mapping, you can automatically link users to the roles in the workspace. Enter the Group IDs of the role in the IdP - do not use names, since Microsoft does not provide us with this information - they only sent the Group ID(s). See also Groups.

Related articles