Loading ...

Azure AD SSO | Communifire Documentation

Home » communifire documentation » Wiki » Documentation » Login » Single Sign On (SSO) » Azure AD SSO
Communifire Documentation  Wiki
Public Space
Activity Stream Content
Version 79

Azure AD SSO

 /5
0 (0votes)

Communifire supports Azure Active Directory (AD) integration for for single-sign on (SSO). After integration, users can log into your intranet using their Azure AD credentials. User data can also be synced from Azure AD to Communifire.

This page covers information about Azure AD SSO, walks you through how to configure Azure AD SSO on your intranet, and provides solutions to common issues. For more information or assistance from the Axero team, submit a private case.

About Azure AD SSO

Login Experience

On visiting your intranet, users will be re-directed to the Azure Active Directory log in page.

Note: New users that login with Azure AD SSO are automatically approved. To prevent users from signing in from Azure AD SSO, you must remove them from the app in the Azure portal.

Logging in with Communifire credentials

You can allow users to log in using Communifire credentials. Set System Properties > EnableAutoLoginViaSaml to false. When this property is set to false, users will see the Communifire login page. Users can either log in with Communifire credentials or click Login via SAML to sign in using Active Directory credentials.

Return to top

Mobile App Login Experience

In the mobile app, users will be re-directed to the Azure Active Directory log in page after entering the site URL.

Logging in to app with Communifire credentials

You can allow users to log in to the app using Communifire credentials. Set System Properties > EnableAutoLoginViaSaml to false. When this property is set to false, users will see the Communifire login page after entering the site URL. Users can either log in with Communifire credentials or click Active Directory Login to sign in using Active Directory credentials.

 

Return to top

Importing Roles

Roles can be imported into Communifire using attribute mapping. Azure roles are imported into Communifire as top level Roles . The roles are assigned to or unassigned from users when they login.

See the Configure Roles Import section in the setup guide below for how to import Azure roles into Communifire.

Communifire uses System for Cross-domain Identity Management (SCIM) for auto-provisioning. When auto-provisioning is configured, Azure AD acts as the data source for Communifire users. New users are automatically created in Communifire without requiring a login, users are automatically deactivated in Communifire when removed in Azure, and changes are synced to Communifire. Azure AD SSO can be configured with or without auto-provisioning. Below is information about Azure AD SSO with and without auto-provisioning.

About Azure AD SSO with Auto-Provisioning

Adding Users

When you set up auto-provisioning, users are automatically created in Communifire when they are added in Azure Active Directory.

Return to top

Importing Data

Any data can be imported from Azure Active Directory, as long as there are corresponding User Profile Fields in Communifire. Attribute mappings must be added to Control Panel > System > Single Sign On > Data Mapping > SCIM.

To import user profile photos into Communifire, also set up user syncing (see the Configure User Syncing section below).

You can also use the REST API to import user data into Communifire.

Return to top

Syncing Data

User data is updated in Communifire every time a user logs in. When auto-provisioning is set up, user data is synced to Communifire every 40 minutes.

Notes:

  • To import profile photos into Communifire, also set up user syncing (see section below).
  • Due to Azure limitations, if a field is made empty in Azure, this will not be communicated to Communifire. The profile field in Communifire will retain the last value. You can manually remove the value by editing the user in Control Panel > People > Manage People.

Return to top

Disabled Users

When a user's sign in is disabled in Azure Active Directory, the user will be banned in Communifire.

When a user is deleted or removed from the Azure Active Directory app, the user will be banned in Communifire. Thirty days later, the user will be deleted. You can set whether deleted users' content will be deleted, reassigned to the system anonymous user, or reassigned to a specific user in Control Panel > System > Single Sign On > SCIM User Provisioning.

Return to top

About Azure AD SSO without Auto-Provisioning

Adding Users

A user is created in Communifire when the user logs in for the first time. You can add users to Communifire before they log in using the methods below.

Bulk import users

Pre-populate users before Azure Active Directory setup or launch with Bulk Import Users . The Communifire usernames you create must match the usernames in Active Directory.

Add users

Add users in Control Panel > People > Manage People > Add User . The Communifire username you create must match the username in Active Directory.

REST API

You can use our REST API to import users - REST API: Add User , REST API: Update User Profile Fields .

Adding Communifire administrator accounts

If Communifire administrator accounts are created before Active Directory is set up and the Communifire usernames match Active Directory usernames, the administrator accounts will sync with the corresponding Active Directory accounts. If not, you will need to re-configure permissions for the admin Active Directory accounts and remove the previous Communifire administrator accounts.

Return to top

Importing Data

Any data can be imported from Active Directory, as long as there are corresponding User Profile Fields in Communifire. Attribute mappings must be added to Control Panel > System > Single Sign On > Mapping > Azure Active Directory. Enter the attribute name as the property name in Communifire. See the table below for common fields to import.

Name Value
givenName user.givenname
surname user.surname
mail user.mail
jobTitle user.jobtitle
telephoneNumber user.telephonenumber
department user.department

To import manager and user profile photos into Communifire, set up user syncing (see section below).

You can also use our REST API to import user data into Communifire.

Return to top

Syncing Data

User data is updated in Communifire every time a user logs in. When user syncing is set up, you can configure syncing settings in Control Panel > System > Single Sign On > User Syncing:

  • Syncing Day Interval sets how frequently to sync data, in days.
  • UTC Syncing Start Time sets when to start user syncing, in UTC time (hours:minutes).

You can also sync all users immediately at anytime by clicking Sync Now.

How to sync a specific user

Start typing a name and select the user from the menu that appears.

Note: User syncing does not update user roles. Roles are updated on login only.

Return to top

Disabled Users

When a user is disabled in Active Directory, this information is not sent to Communifire. You can Delete User and delete their content or re-assign their content to another user or to the system anonymous user. You can also Ban User , which will prevent the user from logging in, but will retain their content.

Return to top

Setup Guide

This guide walks you through how to enable Azure AD single sign-on in Communifire. Client-side setup is estimated to take 1-3 hours and Axero team setup is estimated to take 1 hour. The time to set up SSO can vary based on how long it takes to set up internal systems and to provide the Axero team with required information. The total time for setting up SSO may take up to 1-2 business days.

Once you complete the guide, Azure AD SSO will be active on your intranet. If you run into any issues, submit a case here for assistance.

Microsoft Azure Sign Up

To allow Communifire users to login via SSO, you need to have an Azure portal subscription. If you already have an Azure portal subscription, you can skip this section.

  1. Go to the Azure sign up page and click Sign up for a free account. You must be logged into an administrator account.
  2. Complete the signup process.

    After signing up, you will see the Microsoft Azure Dashboard.
  3. Click Azure Active Directory from the menu on the left.

Return to top

Configure Azure Active Directory with Auto-Provisioning

Note: To import profile photos into Communifire, you must also configure user syncing. Refer to the Configure User Syncing section below.

  1. In the Azure portal, go to Azure Active Directory > Enterprise applications.
  2. Click New application to add an application for your Communifire application.
  3. Select Non-gallery application.
  4. Enter a name for the application.
  5. Click Add.
  6. Click Single sign-on.
  7. Select SAML.
  8. Edit the Basic SAML Configuration settings.
  9. Enter your intranet's URL in the Identifier field.
  10. In Reply URL, enter your intranet's URL + /SAML/AssertionConsumerService.aspx. (e.g. https://your-community.com/SAML/AssertionConsumerService.aspx or https://yourcommunity.communifire.com/SAML/AssertionConsumerService.aspx)
  11. In Sign on URL, enter your intranet's URL + /login. (e.g. https://your-community.com/login or https://yourcommunity.communifire.com/login)
  12. Click Save.
  13. Close the blade.
  14. Edit User Attributes & Claims.
    Note: If you don't need to import any attributes beyond the properties available in auto-provisioning, you can skip adding user attributes and proceed to step 19.
  15. Delete the additional attributes.

  16. Click Add new claim.
  17. Enter the following values. Leave the namespace field blank.

    Name Value
    givenName user.givenname
    surname user.surname
    mail user.mail
    jobTitle user.jobtitle
    telephoneNumber user.telephonenumber
    department user.department

    Additional optional attributes:

    Name Value
    companyName user.companyname
    streetAddress user.streetaddress
    city user.city
    state user.state
    postalCode user.postalcode
    country user.country
    employeeId user.employeeid

    Example: 

  18. Close the blade.
  19. Edit the SAML Signing Certificate.
  20. Next to Signing Option, select Sign SAML response and assertion.
  21. Click Save.
  22. Close the blade.
  23. Download the Metadata XML file to get the SAML signing certificate.
  24. Click Provisioning.
  25. Click Get started.
  26. Set the provisioning mode to Automatic.
  27. In Tenant URL, enter your intranet's URL + /api/scim/v2. (e.g. https://myintranet.com/api/scim/v2 or
    https://myintranet.communifire.com/api/scim/v2)
  28. In Communifire, go to Control Panel > System > Single Sign On.
  29. Expand the SCIM User Provisioning section.
  30. Copy the Bearer token.
  31. In Azure Active Directory, paste the bearer token in Secret Token.
  32. Click Test Connection to test the connection.
  33. Once the connection is confirmed, click Save.
  34. Refresh the page.
  35. Click Edit attribute mappings.
  36. Expand the Mappings section.
  37. Click Provision Azure Active Directory Groups.
  38. Set to No.
  39. Click Save.
  40. Click Yes.
  41. Close the blade.
  42. Click Provision Azure Active Directory Users.
  43. Click the mailNickname to externalId mapping to edit it.
  44. Set the Source attribute to objectId.
  45. Click OK.

    Note: Below is a list of the default SCIM attributes. Attributes marked with an asterisk are mapped to corresponding Communifire profile fields by default and don't need to be configured. You can add custom attributes to import additional user data.
    • givenName *
    • familyName *
    • middleName
    • honorificPrefix
    • honorificSuffix
    • nickName
    • title *
    • organization *
    • department *
    • division
    • photos *
    • manager *
    • phoneNumbers *
    • streetAddress *
    • locality * 
    • region *
    • country *
    • postalCode *
    • employeeNumber
    • costCenter
    • userType
  46. (Optional) Add mappings for custom attributes:
    1. Check Show advanced options.
    2. Click Edit attribute list for customappsso.
    3. At the bottom of the attribute list, enter new attributes. Example:
    4. Click Save.
    5. Click Add New Mapping and configure the mapping:
      • Mapping type: Select Direct.
      • Source attribute: Select the Azure AD attribute.
      • Target attribute: Select the outgoing attribute.
      • Match objects using this attribute: Select No.
      • Apply this mapping: Select Always.
        Example:
    6. Click OK to save the mapping.
    7. Once all mappings have been added, click Save.
  47. Click Users and groups.
  48. Click Add user.
  49. Search for a user or group.
  50. Click the user or group.
  51. Click Select.
  52. Click Assign.
  53. Click Provisioning.
  54. Click Start provisioning.

Return to top

Configure Single Sign-On in Communifire
  1. In Communifire, go to Control Panel > System > Single Sign On.
  2. Select Azure Active Directory.
  3. Click Save.
  4. Upload the metadata XML file downloaded from Azure.
  5. Select a login type: 
    • SSO Login + Communifire Login will allow users to login with either Azure AD credentials or Communifire credentials. 
    • SSO Login Only will only allow Azure AD credentials and the login page will redirect to the Azure AD login page.
  6. If you set up auto-provisioning, expand the SCIM User Provisioning section.
  7. Select what to do with content of a deleted user. You can delete the content, reassign the content to the system anonymous user, or reassign the content to a specific user.
  8. Click the Data Mapping tab.
  9. For Type, select Azure Active Directory.
  10. Ensure the property names are the same as the attributes you entered in Azure. Example:
  11. Click SystemAdvanced System Utilities.
  12. Click Restart Site.

Note: If you set up auto-provisioning and want to import profile photos into Communifire, you must also configure user syncing. Refer to the Configure User Syncing section below.

Return to top

Configure User Syncing (Optional)

When user syncing is set up, user data is automatically synced at a time and frequency you specify. Mappings for basic properties must be configured exactly as below in Control Panel > System > Single Sign On > Data Mapping > Azure Active Directory.

Name Value
givenName user.givenname
surname user.surname
mail user.mail
jobTitle user.jobtitle
telephoneNumber user.telephonenumber
department user.department
  1. In the Azure portal, go to Azure Active Directory > App registrations.
  2. Click All applications and search for the app you created for Single Sign On.
  3. Click the app.
  4. Copy the Application ID and save it for later.
  5. Click Certificates & secrets.
  6. Click New client secret.
  7. Enter a description.
  8. Select Never expires.
  9. Click Add.
  10. Copy the key value and save it for later.
    Note: This is the only time the key will be shown. If you lose the key, you can generate a new one.
  11. Click Manifest and locate the line with "requiredResourceAccess": [], 
  12. Paste the following code into the square brackets
    {
			"resourceAppId": "00000002-0000-0000-c000-000000000000",
			"resourceAccess": [
				{
					"id": "5778995a-e1bf-45b8-affa-663a9f3f4d04",
					"type": "Scope"
				},
				{
					"id": "5778995a-e1bf-45b8-affa-663a9f3f4d04",
					"type": "Role"
				}
			]
		}
  13. When finished, the block should look like this: 
  14. Click API Permissions. Ensure that Directory.ReadAll is assigned for Delegated and Application type. 
  15. Click Grant admin consent.
  16. In Communifire, go to Control Panel > SystemSingle Sign On.
  17. Check Enable user syncing.
    Note: If you set up auto-provisioning and don't need attributes beyond the properties available in auto-provisioning, leave Enable user syncing unchecked, as profile fields are synced by the auto-provisioning process.
  18. Check Sync profile pictures if you want to pull profile photos from Azure Active Directory. Note that any profile photo changes made in Communifire will be overwritten when this option is checked.
  19. Enter the Application ID and key from the Azure portal in Application ID and Password.
  20. Set the Syncing Day Interval, which sets how frequently to sync data, in days.
  21. Set the UTC Syncing Start Time, which sets when to start user syncing, in UTC time (hours:minutes).
  22. Click Update.

How to sync all users

How to sync a specific user

Search for a user and select the user.

How to exclude the manager from syncing

The manager field builds the Organizational Chart . You can exclude the manager field from sync if you need a different org chart in Communifire.

  1. In Control Panel > System > Single Sign On, click the Data Mapping tab.
  2. Uncheck Sync supervisors.
  3. Click Update.

User syncing after a name or email change

After a user has a name or email change in Active Directory, you may see the exception "Invalid directory size." To fix this exception, have the user log out and log in again via Azure SSO. You can submit a request here to force log out all users.

Return to top

Configure Roles Import (Optional)

Roles can be imported into Communifire using attribute mapping. The Azure attributes represent roles. The attribute values should be true or false. When a role attribute is true, the user is assigned the Communifire role. When a role attribute is false, the Communifire role is removed from the user. User roles are updated on login only.

Step 1: Configure Azure

To set up roles import, first create user attributes to represent roles. The attribute values should be true or false. If you have Active Directory, you may need to create custom attributes and sync them to Azure.

  1. After the attributes and true/false values have been added, go to Azure AD > Enterprise applications > select the app > Single sign-on > User Attributes & Claims > Edit.
  2. Click Add new claim.
    • Name: Enter a descriptive name, without spaces.
    • Value: Select the attribute that represents the role.
      Example:
  3. Click Save.
  4. Repeat steps 2-3 to add claims for all the roles.
  5. Click Save.

Step 2: Configure Communifire

  1. If you haven't already created the roles in Communifire, go to Control Panel > People > Roles to create the roles.
    1. Click Add User Role.
    2. Enter a Name and Description for the role.
    3. Click Save.
  2. Go to Control Panel > System > Data Mapping > Azure Active Directory.
  3. Click Add.
    • Property name: Enter the claim name you entered in Azure.
    • Field: Select Set User Role.
    • Role: Select the role that the attribute is for.
      Example:
  4. Repeat step 3 to add mappings for all the role attributes.
  5. Click Update.
Troubleshooting

Error: At https://login.microsoftonline.com/xxxxxx-d38a-4a87-8e6a-dffaab339740/saml2: "The signed in user 'abc@xyz.com' is not assigned to a role for the application 'xxxxxx-d38a-4a87-8e6a-dffaab339740'."

Add the user to your enterprise application in Users and groups.

References: ComponentSpace Azure AD Integration Guide.pdf

Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory

Exception: "UserRepository.AddUserWithSAMLActiveDirectoryProperties Error" when a new user tries to login. "InvalidPassword" in stack trace.

Go to Control Panel > System > General Settings > Advanced Settings. Set "Maximum length for password" to a value over 25.

Exception: "UserRepository.AddUserWithSAMLActiveDirectoryProperties Error" when a new user tries to login. "Failed" in stack trace.

Go to Control Panel > System > General Settings > Advanced Settings. Set "Minimum length for username" to a lower value. Set "Maximum length for username" to a higher value.

Exception: "Password field missing" while syncing users

Enter the password for user syncing in Control Panel > System > Single Sign On.

Exception: "Application ID field missing" while syncing users

Enter the application ID  for user syncing in Control Panel > System > Single Sign On.

Exception: "The remote server returned an error: (401) Unauthorized." while syncing users

In the Azure portal, generate a password for the app in App registrations. The key value will appear on save.

Enter the password for user syncing in Control Panel > System > Single Sign On.

Exception: "Invalid directory size." while syncing users

Have the user log out and log in again via Azure SSO. You can submit a request here to force log out all users.

Exception: AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: xxxxxxxx-64c8-43a5-bd20-033dd4ce8441.

Make sure the service provider name in the saml.config file and the identifier (Entity ID) in Azure are the same.

Issue: Data isn't syncing every 20 minutes when auto-provisioning is set up

Go to Azure Active Directory > Enterprise Apps and open the app. Click the Provisioning tab. Click Stop provisioning.

Click Ok.

Click Start provisioning.

Error: An item with the same key has already been added.

"An item with the same key has already been added." exception

Cause: Duplicate attribute mapping.

Duplicate attribute mapping example

Fix:

  1. Go to Control Panel > System > Single Sign On > Data Mapping
  2. Select the SSO type
  3. Delete the duplicate mapping
    Delete the mapping
  4. Click Update

Return to top

Attachments

Wiki Index

Pages

Intranet Software