This guide explains how to configure Microsoft Entra ID (formerly Azure Active Directory or Azure AD) for Single Sign-On (SSO) without automatic user provisioning. Users will log in with their Entra ID credentials, but their accounts will be managed in Axero.
To enable automatic user provisioning, see the Auto-Provisioning Setup Guide.
The following process will take 1-2 hours to complete. Before you start, ensure you have administrative access to your Entra portal and Axero site.
Log into Microsoft Entra as an administrator.
Navigate to Enterprise applications.
Click New application.
Click Create your own application.
Provide a name (for example, "Axero SSO"). Be sure the non-gallery option is selected.
Click Create to add the application.
Click Single sign-on and select SAML.
In the Basic SAML Configuration section, click Edit and enter the following details:
Identifier: Click Add identifier and enter your intranet's URL (for example, https://mycompany.communifire.com).
Reply URL: Click Add reply URL and enter your intranet's URL followed by /SAML/AssertionConsumerService.aspx (for example, https://mycompany.communifire.com/SAML/AssertionConsumerService.aspx).
Sign-on URL: Enter your intranet's URL followed by /login (for example, https://mycompany.communifire.com/login).
Click Save and close the side page.
Click Properties in the application menu.
Set Assignment required? to No to allow Entra ID users to log in without being assigned to the application. Click Save.
(Optional) Set Assignment required? to Yes to manually assign users and groups to your intranet. Click Save.
To manually assign users or groups:
Click Single sign-on in the application menu.
In the SAML Certificates section, click Edit.
Select Sign SAML response and assertion for the Signing Option. Select SHA-256 for the Signing Algorithm.
Find Federation Metadata XML and click Download. This file contains the SAML signing certificate and is required to configure Axero in the next step.
Log in to your Axero site as a site administrator.
Navigate to Control Panel > System > Single Sign-On.
On the Settings tab, select Azure Active Directory as your authentication method.
Click Save.
Click Choose File to upload the Metadata XML file you downloaded in step 1.4.5.
SSO Login + Communifire Login allows users to log in with Entra ID or Axero credentials. See the instructions for adding a "Login via SAML" button to your login page before testing.
SSO Login Only allows Entra ID credentials only, and the login page will redirect users to the Entra ID login page. Note: Only choose this option after you have confirmed that SSO works.
Follow the instructions for adding a "Login via SAML" button to your login page.
Log out of your Axero site, or open an Incognito or InPrivate window in your browser.
Go to your site's login page.
Log in via SSO. Note: Ensure the user has been assigned to the application in Entra ID (see Step 1.3 Assign Users and Groups).
Three attributes are required and configured by default:
You may configure additional attributes and map them to profile fields in Axero to be updated every time a user logs in.
Navigate to Enterprise applications and select your SSO application.
Click Single sign-on in the application menu.
In the Attributes & Claims section, click Edit.
Click Add new claim and add Name and Source attribute information for a new attribute.
Suggested attributes:
Note: To synchronize managers and profile pictures, see Optional: Configure User Syncing.
Leave the Namespace field blank and click Save after entering the information for each attribute.
In Axero, navigate to Control Panel > System > Single Sign-On.
Click the Data Mapping tab.
For Type, select Azure Active Directory.
Click Add to add a new mapping. Ensure the property name is identical to the required name you entered in step 4.1.4. Select your site's corresponding profile field on the right. Note: Data mappings are case-sensitive.
Log in via SSO to test mappings. Note: Ensure the user has been assigned to the application in Entra ID (see Step 1.3 Assign Users and Groups).
Setting up user syncing enables you to automatically update user data at predefined times, without requiring users to log in. While this step is optional, it is required to synchronize managers and profile pictures and simplifies the management of user information without auto-provisioning.
Log into Microsoft Entra and navigate to App registrations.
Click All applications and select the application used for SSO.
Copy the Application (client) ID and save it for later.
Click API Permissions in the application menu.
Click Add a permission and select Microsoft Graph.
Under Microsoft Graph, choose Delegated permissions, then search for and select both Directory.Read.All and User.Read.All.
Under Microsoft Graph, switch to Application permissions and select both Directory.Read.All and User.Read.All.
Click Add permissions.
Click Grant admin consent. Click Yes to confirm.
Return to Enterprise applications and select the application used for SSO.
Click Permissions and Grant admin consent to apply permissions with an administrator account.
Navigate to App registrations.
Click Certificates & secrets.
Click New client secret.
Enter a description and an expiration date, and then click Add. Note: Set a reminder to update the client secret in Entra and Axero before it expires.
Copy the client secret Value (not the Secret ID) and save it for the next step. This is the only time the password will be shown. If you lose it, you can generate a new client secret.
Log in to your Axero platform as a site administrator.
Select Enable user syncing and Sync profile pictures.
Enter the Application ID from step 5.1.3 and the client secret Password from step 5.2.6 into the respective fields.
Set the Syncing Day Interval and UTC Syncing Start Time to define the frequency and start time of syncing.
Click Update to apply the changes.
Go to System > System Properties.
Type "msgraph" in the filter.
Locate the UseMSGraphAPI system property and click the Edit button.
Click the Value button to enable.
Click Save to apply.
Log in via SSO to test.
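The client secret created for user syncing has an expiration date, and syncing depends on it being replaced in both Entra and Axero in time. The following added example (not part of the original guide or of Axero's tooling) flags expired and soon-to-expire secrets from an application object as returned by Microsoft Graph; the sample JSON is constructed, the 30-day warning window is an assumption, and the function names are hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a Microsoft Graph application object;
# the IDs, names and dates are placeholders.
SAMPLE_APP_JSON = """{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "Axero SSO",
  "passwordCredentials": [
    {"displayName": "axero-user-sync", "endDateTime": "2025-03-01T00:00:00Z"},
    {"displayName": "previous-secret", "endDateTime": "2024-06-30T12:00:00.1234567Z"},
    {"displayName": "rotated-early", "endDateTime": "2026-01-15T00:00:00Z"}
  ]
}"""


def parse_graph_time(value):
    """Parse a UTC timestamp such as 2025-03-01T00:00:00Z.

    Fractional seconds (possibly 7 digits) are dropped so that
    strptime accepts the value on any Python 3 version.
    """
    head = value.rstrip("Z").split(".")[0]
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def classify_secrets(app, now, warn_days=30):
    """Return (name, status) for each client secret of the app registration."""
    results = []
    for cred in app.get("passwordCredentials", []):
        name = cred.get("displayName") or cred.get("keyId") or "<unnamed>"
        if not cred.get("endDateTime"):
            results.append((name, "no-expiry-recorded"))
            continue
        end = parse_graph_time(cred["endDateTime"])
        if end <= now:
            status = "expired"
        elif end - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        results.append((name, status))
    return results


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, status in classify_secrets(json.loads(SAMPLE_APP_JSON), now):
        print(f"{name}: {status}")
```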
Roles can be imported into Axero using attribute mapping. The Entra ID attributes represent roles, and the attribute values should be true or false. When a role attribute is true, the user is assigned the Axero role. When a role attribute is false, the Axero role is removed from the user. User roles are updated upon login only.
In Entra ID, create user attributes to represent distinct roles, assigning "true" or "false" as their values. This might involve generating and syncing new custom attributes for Active Directory users.
Navigate to Entra ID > Enterprise applications, select your app, then Single sign-on > Attributes & Claims and click Edit.
Choose Add new claim. For each role, enter a concise, space-free Name and select the corresponding attribute under Source attribute.
Click Save after each new claim and repeat for each role required.
Create new roles within Axero by going to Control Panel > People > Roles and selecting Add User Role. Define each role with a Name and Description, then Save.
Go to Control Panel > System > Data Mapping > Azure Active Directory.
Click Add and enter the following information:
Repeat this process for all roles created in Entra.
Click Update.
Due to Entra ID limitations, Axero cannot detect if a user is disabled in Entra. In these cases, you can deactivate users in Axero.