Axero enables integration with Azure Active Directory (AD) to facilitate Single Sign-On (SSO). Once this integration is complete, users can access your intranet by using their Azure AD credentials. Additionally, it allows the synchronization of user data from Azure AD to Axero.
This section provides detailed information on Azure AD SSO, guides you through the setup process on your intranet, and provides solutions to common issues. If you need further details or require support from the Axero team, please submit a private case.
On visiting your intranet, users will be redirected to the Azure Active Directory login page.
Note: New users who log in with Azure AD SSO are automatically approved. To prevent users from signing in from Azure AD SSO, you must remove them from the app in the Azure portal.
Logging in with Axero Credentials
You can allow users to log in using Axero credentials. Set System Properties > EnableAutoLoginViaSaml to false. When this property is set to false, users will see the Axero login page. Users can either log in with Axero credentials or click "Login via SAML" to sign in using Active Directory credentials.
After entering the site URL in the mobile app, users will be redirected to the Azure Active Directory login page.
Logging in to the App with Axero Credentials
You can allow users to log in to the app using Axero credentials. Set System Properties > EnableAutoLoginViaSaml to false. When this property is set to false, users will see the Axero login page after entering the site URL. Users can either log in with Axero credentials or click Active Directory Login to sign in using Active Directory credentials.
Roles can be imported into Axero using attribute mapping. Azure roles are imported into Axero as top-level Roles. The roles are assigned to or unassigned from users when they log in.
See the Configure Roles Import section in the setup guide below for instructions on importing Azure roles into Axero.
Axero employs the System for Cross-domain Identity Management (SCIM) for automated user provisioning. Once set up, Azure AD is the data source for creating Axero user accounts. New users added to Azure AD are automatically created in Axero without needing to sign in. Similarly, users removed from Azure AD are automatically deactivated in Axero, and any updates in Azure AD are synced accordingly.
When you set up auto-provisioning, users are automatically created in Axero when added to Azure Active Directory.
Any data can be imported from Azure Active Directory if there are corresponding User Profile Fields in Axero. Attribute mappings must be added to Control Panel > System > Single Sign On > Data Mapping > SCIM.
Configure user syncing to import user profile photos into Axero (see the "Configure User Syncing" section below).
You can also use the REST API to import user data into Axero.
User data is updated in Axero every time a user logs in. When auto-provisioning is set up, user data is synced to Axero every 40 minutes.
To upload profile pictures into Axero, you must also set up user synchronization (please refer to the "Configure User Syncing" section below).
Please note that due to limitations with Azure, if a profile field is cleared or made empty in Azure, this change will not be reflected in Axero. The corresponding profile field in Axero will maintain its previous value. If you need to remove or update this information, you can manually edit the user in Control Panel > People > Manage People.
When a user's sign-in is disabled in Azure Active Directory, the user will be banned from Axero.
If users are deleted or removed from the Azure Active Directory app, they will be banned in Axero. After thirty days, this user's account will be permanently deleted. You can configure what happens to the content of deleted users: whether it gets deleted, reassigned to an anonymous system user, or reassigned to a particular user. This can be set up in the Control Panel under System > Single Sign On > SCIM User Provisioning.
Axero creates a user when the user logs in for the first time. However, you can add users to Axero before they log in using the methods below.
Bulk Import Users
Pre-populate users before Azure Active Directory setup or launch with Bulk Import Users. The Axero usernames you create must match the usernames in Active Directory.
Add Users
You can add users in Control Panel > People > Manage People > Add User. The Axero username you create must match the username in Active Directory.
REST API
You can use our REST API to import users: REST API: Add User and REST API: Update User Profile Fields.
Adding Axero Administrator Accounts
If Axero administrator accounts are set up before configuring Active Directory and their usernames are identical to those in Active Directory, these accounts will automatically synchronize with their corresponding Active Directory counterparts. However, if the usernames do not match, you must adjust permissions for the Active Directory administrator accounts and delete the original Axero administrator accounts.
Any data can be imported from Active Directory if there are corresponding User Profile Fields in Axero. Attribute mappings must be added to Control Panel > System > Single Sign On > Mapping > Azure Active Directory.
Enter the attribute name as the property name in Axero. See the table below for common fields to import.
To import manager and user profile photos into Axero, set up user syncing (see the "Configure User Syncing" section below).
You can also use our REST API to import user data into Axero.
User data is updated in Axero every time a user logs in. When user syncing is set up, you can configure syncing settings in Control Panel > System > Single Sign On > User Syncing:
You can also sync all users immediately by clicking Sync Now.
How to Sync a Specific User
Start typing a name and select the user from the menu that appears.
Note: User syncing does not update user roles. Roles are updated on login only.
When a user is disabled in Active Directory, this information is not sent to Axero. You can Delete User and delete their content or re-assign their content to another user or to the system anonymous user. You can also Ban User, preventing them from logging in while keeping their content intact.
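Because a disabled Active Directory user is not reported to Axero in this mode, accounts that should be banned can be found by comparing a directory export with an Axero user export. This is an added example, not Axero's code: the CSV layouts and sample rows are constructed, the Axero column names `username` and `status` are assumptions, and `userPrincipalName` and `accountEnabled` are the Microsoft Graph user properties.

```python
import csv
import io

# Constructed sample exports. The Axero column names are assumptions;
# userPrincipalName and accountEnabled are Microsoft Graph user properties.
AZURE_USERS_CSV = """userPrincipalName,accountEnabled
alice@example.com,true
bob@example.com,false
carol@example.com,true
"""
AXERO_USERS_CSV = """username,status
alice@example.com,active
Bob@Example.com,active
dave@example.com,active
carol@example.com,banned
"""


def load(text, key):
    """Index CSV rows by a trimmed, case-folded key column."""
    rows = csv.DictReader(io.StringIO(text))
    return {row[key].strip().casefold(): row for row in rows}


def stale_accounts(azure_csv, axero_csv):
    """Return (username, reason) for Axero accounts that are still active
    although the matching directory account is disabled or missing."""
    azure = load(azure_csv, "userPrincipalName")
    axero = load(axero_csv, "username")
    findings = []
    for name, user in sorted(axero.items()):
        if user["status"].strip().lower() != "active":
            continue  # already banned or deleted in Axero
        source = azure.get(name)
        if source is None:
            findings.append((name, "not in directory"))
        elif source["accountEnabled"].strip().lower() != "true":
            findings.append((name, "sign-in disabled in directory"))
    return findings


if __name__ == "__main__":
    for name, reason in stale_accounts(AZURE_USERS_CSV, AXERO_USERS_CSV):
        print(f"{name}: {reason}")
```

Accounts that exist only in Axero, such as local administrator accounts, also appear as "not in directory" and need a manual decision before Ban User or Delete User is applied.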
This guide provides instructions for enabling Azure AD single sign-on (SSO) in Axero. Setting up on the client side is estimated to require 1-3 hours, while configuration by the Axero team should take about 1 hour. The total setup time for SSO may vary depending on the duration needed to configure internal systems and supply the necessary information to the Axero team. The entire process may take up to 1-2 business days.
After completing the instructions in this guide, Azure AD SSO will be operational on your intranet. Should you encounter any problems, please submit a case here for support.
To allow Axero users to log in via SSO, you need to have an Azure portal subscription. You can skip this section if you already have an Azure portal subscription.
Note: To import profile photos into Axero, you must also configure user syncing. Refer to the "Configure User Syncing" section below.
Axero Azure Gallery App
Note: If you set up auto-provisioning and want to import profile photos into Axero, you must also configure user syncing. Refer to the "Configure User Syncing" section below.
When user syncing is set up, user data is automatically synced at the specified time and frequency. Mappings for basic properties must be configured exactly as below in Control Panel > System > Single Sign On > Data Mapping > Azure Active Directory.
{
  "resourceAppId": "00000002-0000-0000-c000-000000000000",
  "resourceAccess": [
    { "id": "5778995a-e1bf-45b8-affa-663a9f3f4d04", "type": "Scope" },
    { "id": "5778995a-e1bf-45b8-affa-663a9f3f4d04", "type": "Role" }
  ]
}
How to Sync All Users
How to Sync a Specific User
Search for a user and select the user.
How to Exclude the Manager from Syncing
The manager field builds the Organizational Chart. If you need a different organizational chart in Axero, you can exclude the manager field from sync.
User Syncing After a Name or Email Change
After a user's name or email changes in Active Directory, you may see the exception "Invalid directory size." To fix this exception, have the user log out and log in again via Azure SSO.
Roles can be imported into Axero using attribute mapping. The Azure attributes represent roles. The attribute values should be true or false. When a role attribute is true, the user is assigned the Axero role. When a role attribute is false, the Axero role is removed from the user. User roles are updated upon login only.
Step 1: Configure Azure
To set up roles import, first create user attributes to represent roles. The attribute values should be true or false. If you have Active Directory, you may need to create custom attributes and sync them to Azure.
Step 2: Configure Axero
Error: At https://login.microsoftonline.com/xxxxxx-d38a-4a87-8e6a-dffaab339740/saml2: "The signed in user 'abc@xyz.com' is not assigned to a role for the application 'xxxxxx-d38a-4a87-8e6a-dffaab339740'."
Add the user to your enterprise application in Users and groups.
Reference: Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory
Exception: "UserRepository.AddUserWithSAMLActiveDirectoryProperties Error" when a new user tries to log in. "InvalidPassword" in stack trace.
Go to Control Panel > System > General Settings > Advanced Settings. Set "Maximum length for password" to a value over 25.
Exception: "UserRepository.AddUserWithSAMLActiveDirectoryProperties Error" when a new user tries to log in. "Failed" in stack trace.
Go to Control Panel > System > General Settings > Advanced Settings. Set "Minimum length for username" to a lower value. Set "Maximum length for username" to a higher value.
Exception: "Password field missing" while syncing users
Enter the password for user syncing in Control Panel > System > Single Sign On.
Exception: "Application ID field missing" while syncing users
Enter the application ID for user syncing in Control Panel > System > Single Sign On.
Exception: "The remote server returned an error: (401) Unauthorized." while syncing users
In the Azure portal, generate a password for the app in App registrations. The key value will appear on save.
Exception: "Invalid directory size." while syncing users
Have the user log out and log in again via Azure SSO.
Exception: AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: xxxxxxxx-64c8-43a5-bd20-033dd4ce8441.
Make sure the service provider name in the saml.config file and the identifier (Entity ID) in Azure are the same.
Issue: Data isn't syncing every 20 minutes when auto-provisioning is set up
Error: An item with the same key has already been added.
Cause: Duplicate attribute mapping.
Fix: