Skip to main content

Azure AD SAML

Appcircle supports Azure AD as a SAML provider.

info

Only Enterprise accounts support SSO.

Enable SSO

SSO can only be enabled by the organization's administrator. To start, go to My Organization screen and click the Enable Login button under the APPCIRCLE LOGIN section.

Configure Appcircle and Azure AD

  • Select Setup SAML SSO Provider
  • Pick an alias and display name for your organization. Please pick a short and rememberable alias.

  • This screen will auto-generate an URL for the next step

  • Log in to Azure AD as an admin and navigate to Azure Services and then click Azure Active Directory.
  • Click Enterprise applications
  • Click New application.
  • Click Create your own application.
  • Give a name for your application and select Integrate another application you don't find in the gallery (Non-gallery) and click Create

Adding Users

You need to select users/groups in Azure AD to enable SSO. All members of your Appcircle organization must be added to Azure AD.

  • Select Users and groups and click Add user/group
  • Click Add Assignment, find the users from the list, and click Select
  • Finally, click the Assign button to confirm the assignment.

Configuring SSO

  • Click Single sign-on and select SAML
  • Click Edit button on Basic SAML Configuration section.
  • Add the Appcircle Redirect URL to Reply URL (Assertion Consumer Service URL) write https://auth.appcircle.io/auth/realms/appcircle for the Identifier (Entity ID) and select EmailAddress for the Name ID format.
  • Edit the attributes according to the below screenshot.
  • Instead of writing all the settings of SAML, you can download the settings file from Azure AD and upload it. Click the Download button next to the Federation Metadata XML link to download the XML file.
  • Go back to Appcircle, upload this XML file by clicking the button under Import SAML Configuration
  • Check all the settings on this page and confirm that Redirect and SSO URLs are imported correctly. You can check if the X509 Certificate is imported correctly as well. If you want to enter multiple certificates you can separate them by using a comma between them. Please be aware that you need to remove any new lines or file headers from this edit box. This edit box only accepts a long base64 encoded string.

  • The Group Attribute Name and Role Attribute Name fields are optional. Please refer to the SSO Mapping Documentation.

Testing SSO

  • When you connect your Identity Provider, please open a new incognito window and test the SSO integration.
  • Click the Continue with SSO button.
  • Enter the alias you picked.
  • You should first see the below confirmation screen.
  • After you confirmed account linking, you will get an email.
  • You can now access your account with SSO integration when you confirm the email.
  • After you enable the SSO, you can only log in to your account with the SSO link. Your old credentials won't work anymore.
caution

When you connect your Identity Provider, please open a new incognito window and test the SSO integration. Please only log off when you can log in with SSO credentials. If the connection doesn't work, you need to review your settings.

SSO Mapping

This step is optional and can be skipped if you do not plan to use SSO Mapping.

  • Log in to Azure as an admin and navigate to Azure Services and then click Microsoft Entra ID.
  • Navigate to Manage > Groups, and click on New Group.
  • Assign a proper name and description to the new group. Designate an owner and members to the group.
  • Navigate to Manage > App registrations. Select All applications to view a list of all your applications and locate your application.
  • Navigate to Manage > App Roles. Click on Create app role. Create a new app role as shown in the image below.
  • Navigate to Manage > API permissions and click on Add Permissions. Select My APIs and click on your application name.
  • Select permissions and click on Add permissions.
  • Navigate to Azure Services and then click Microsoft Entra ID. Click on Manage > Enterprise applications.
  • Click on your application.
  • Click on Assign users and groups.
  • Click on Add user/group.
  • Select users, groups and role. This process can be repeated as needed.
  • Navigate to Manage > Single sign-on. Click on Edit in Attributes & Claims section.
  • Click on Add a Group Claim. Select Groups assigned to the application and select Groups assigned to the application as source attribute. Then click on Save
  • Click on Add new claim. Enter name as roles and select user.assignedroles as source attribute. Then click on Save.
  • Go back to Appcircle, enter Group Attribute Name as http://schemas.microsoft.com/ws/2008/06/identity/claims/groups and Role Attribute Name as roles.