Security Assertion Markup Language (SAML) is an XML standard that allows secure web domains to exchange user authentication and authorization data. Using SAML, an online service provider can contact a separate online identity provider to authenticate users who are trying to access secure content. SAML enables cross-domain single sign-on, allowing users to access other sites without the need for re-authentication.
On visiting your intranet, users will be redirected to the Azure Active Directory login page.
Logging in with Communifire credentials
You can allow users to log in using Communifire credentials. Set System Properties > EnableAutoLoginViaSaml to false. When this property is set to false, users will see the Communifire login page. Users can either log in with Communifire credentials or click Login via SAML to sign in using Active Directory credentials.
On the mobile app, users will be redirected to the Azure Active Directory login page after entering the site URL.
Logging in to app with Communifire credentials
You can allow users to log in to the app using Communifire credentials. Set System Properties > EnableAutoLoginViaSaml to false. When this property is set to false, users will see the Communifire login page after entering the site URL. Users can either log in with Communifire credentials or click Active Directory Login to sign in using Active Directory credentials.
A user is created in Communifire when the user logs in for the first time. You can add users to Communifire before they log in using the methods below.
Bulk import users
Pre-populate users before Azure Active Directory setup or launch with Bulk Import Users. The Communifire usernames you create must match the usernames in Active Directory.
Add users in Control Panel > People > Manage People > Add User. The Communifire username you create must match the username in Active Directory.
You can use our REST API to import users.
Adding Communifire administrator accounts
If Communifire administrator accounts are created before Active Directory is set up and the Communifire usernames match Active Directory usernames, the administrator accounts will sync with the corresponding Active Directory accounts. If not, you will need to re-configure permissions for the admin Active Directory accounts and remove the previous Communifire administrator accounts.
Any data can be imported from Active Directory, as long as there are corresponding User Profile Fields in Communifire. Attribute mappings must be added to Control Panel > System > Single Sign On > Mapping. Enter the attribute name as the property name in Communifire. See the table below for common fields to import.
To import manager and user profile pictures into Communifire, set up User Syncing (see section below).
You can also use our REST API to import user data into Communifire.
User data is updated in Communifire every time a user logs in. When user syncing is set up, you can configure syncing settings in Control Panel > System > Single Sign On > User Syncing. Syncing Day Interval sets how frequently to sync data, in days. UTC Syncing Start Time sets when to start user syncing, in UTC time (hours:minutes). You can also sync all users immediately at any time by clicking Sync Now.
Sync specific user
Start typing a name and select the user from the menu that appears.
When a user is disabled in Active Directory, this information is not sent to Communifire. You can Delete User and delete their content or re-assign their content to another user or to the system anonymous user. You can also Ban User, which will prevent the user from logging in, but will retain their content.
To allow Communifire users to log in via SSO, you need to have an Azure portal subscription. If you already have an Azure portal subscription, you can skip this section.
Communifire Azure AD App
Note: To enable user syncing, property names in Control Panel > System > Single Sign On > Data Mapping must be configured exactly as below.
When user syncing is enabled, the profile photo and manager are automatically synced. You can disable profile photo sync by setting ADSyncProfilePicture to false in Control Panel > System > System Properties.
Sync all users
Search for a user and select the user.
User syncing after a name or email change
After a user has a name or email change in Active Directory, you may see the exception "Invalid directory size." To fix this exception, have the user log out and log in again via Azure SSO. You can submit a request here to force log out all users.
You can exclude the manager field from user syncing if you need a different org chart structure in Communifire. Submit a private case here to request the AzureSyncManager system property to be added to your site.
Search for AzureSyncManager.
To disable manager syncing, set the value to false.
At https://login.microsoftonline.com/xxxxxx-d38a-4a87-8e6a-dffaab339740/saml2: "The signed in user 'firstname.lastname@example.org' is not assigned to a role for the application 'xxxxxx-d38a-4a87-8e6a-dffaab339740'."
Add the user to your enterprise application in Users and groups.
References: ComponentSpace Azure AD Integration Guide.pdf
Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory
Exception: "Password field missing" while syncing users
Enter the password for user syncing in Control Panel > System > Single Sign On.
Exception: "Application ID field missing" while syncing users
Enter the application ID for user syncing in Control Panel > System > Single Sign On.
Exception: "The remote server returned an error: (401) Unauthorized." while syncing users
In the Azure portal, generate a password for the app in App registrations. The key value will appear on save.
Exception: "Invalid directory size." while syncing users
Have the user log out and log in again via Azure SSO. You can submit a request here to force log out all users.
Exception: AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: xxxxxxxx-64c8-43a5-bd20-033dd4ce8441.
Make sure the service provider name in the saml.config file and the identifier (Entity ID) in Azure are the same.
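The two checks that the attribute-mapping section and this AADSTS650056 entry rely on can be seen in a small script. The following is an added example, not Communifire product code or anything from the ComponentSpace guide: it takes a SAML response that the service provider library has already signature-validated, confirms that the Audience in the assertion is exactly the service provider's Entity ID (SAML compares entity IDs as plain strings, so a trailing slash or case difference is a mismatch), reads the NameID that must match the Communifire username, and applies a claim-to-profile-field mapping like the one entered under Single Sign On > Mapping. The sample response, tenant ID, names and e-mail addresses are constructed; the Communifire property names (FirstName, LastName, Email, DisplayName) are assumptions, and the claim URIs are Azure AD's default SAML claim names.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Azure AD default claim name -> Communifire profile property.
# The property names on the right are assumed for this example.
ATTRIBUTE_MAPPING = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "FirstName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "LastName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "Email",
    "http://schemas.microsoft.com/identity/claims/displayname": "DisplayName",
}

# Constructed sample response. The tenant ID, hostnames and e-mail address are
# placeholders. Signature elements are omitted: this code assumes the SP library
# has already verified the XML signature before anything below runs.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@example.org</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://intranet.example.org/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Doe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane.doe@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def assertion_of(xml_text):
    """Return the Assertion element of a (already signature-checked) Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion element")
    return assertion


def audiences(xml_text):
    """All Audience values under the assertion's AudienceRestriction."""
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in assertion_of(xml_text).findall(path, NS) if a.text]


def audience_matches(xml_text, sp_entity_id):
    """True only if the SP's Entity ID (saml.config service provider name)
    is byte-for-byte one of the assertion's audiences."""
    return sp_entity_id in audiences(xml_text)


def name_id(xml_text):
    """The NameID, i.e. the username Communifire will match against."""
    node = assertion_of(xml_text).find("saml:Subject/saml:NameID", NS)
    return node.text.strip() if node is not None and node.text else None


def map_attributes(xml_text, mapping):
    """Apply a claim-name -> profile-field mapping.

    Returns (profile, missing): the populated profile fields, and the mapped
    fields for which the IdP sent no claim (these stay empty in Communifire
    until the claim is added to the enterprise application's SAML token)."""
    claims = {}
    for attr in assertion_of(xml_text).findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if attr.get("Name") and values:
            claims[attr.get("Name")] = values[0]
    profile = {field: claims[claim] for claim, field in mapping.items() if claim in claims}
    missing = sorted(field for claim, field in mapping.items() if claim not in claims)
    return profile, missing


if __name__ == "__main__":
    for candidate in ("https://intranet.example.org/", "https://intranet.example.org"):
        print(candidate, "->", "audience OK" if audience_matches(SAMPLE_RESPONSE, candidate) else "MISMATCH")
    print("username:", name_id(SAMPLE_RESPONSE))
    print(map_attributes(SAMPLE_RESPONSE, ATTRIBUTE_MAPPING))
```

Running it shows the Entity ID with the trailing slash accepted and the one without it rejected, which is the kind of mismatch that produces the AADSTS650056 message above; the `missing` list (`DisplayName` here) points at claims that still need to be added to the enterprise application's SAML token before the corresponding Communifire field will populate.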