Skip to main content

Setting up SSO with Microsoft Azure AD

Paul
  • Updated

Topics included in this article:

Pre-Requisite: Azure Active Directory Subscription. To view the Microsoft documentation, click the links for Provision users and groups using SCIM  or  Configuring SCIM provisioning for Azure AD

 

Common Questions

Will users be provisioned when they are added to an AD group if the group is defined?
Users will automatically get provisioned in Rhombus if:
1. SCIM has been configured between the IDP (Azure AD, Okta ...) and Rhombus
2. JIT (Just In Time) SAML has been enabled on Rhombus
In either scenario, it is expected that the Users are assigned to Groups on the IDP side (Auzre AD, Okta ..) with matching Role names on the Rhombus side.
 
Do users need to be created in both AD and Rhombus for it to work?
This is not required as long as Users have matching IDP Group to Role name association and JIT (Just In time) SAML has been enabled in Rhombus.
 
What do I need to do on the Rhombus side before the integration?
You will need to create the user Roles in Rhombus. The group or role on the IDP side (Azure AD, Okta ..) and the Role name in Rhombus need to match. As an example, Users assigned to matching groups in AD will automatically get assigned to the matching Role with the similar name.
If the Role in Rhombus does not match the AD group name, there will be a mismatch error and Rhombus will not add the user, unless the role mismatch option is enabled in Rhombus.
 

Recovery Users

  • A Recovery User is a user account in your organization which bypasses SAML once enabled. 
  • It is recommended the leave 2 Super User Accounts as Recovery Users when enabling SSO to ensure you have a method of logging and disabling SSO in the event SAML encounters errors.
• Enabling a user account as a Recovery User is done during the SSO configuration process.

• Any user with a Blue Checkmark will be a Recovery User

• When finished, select OK.

 ssoRecoveryUser.jpg
 

Warning

Rhombus currently has an enterprise application denoted by our logo available on the Azure enterprise application market. This app does not contain SCIM provisioning at this time, but we are working with Azure support to get this updated. The below steps document how to create our enterprise application from scratch containing SCIM functionality. However, if you just need SSO and not SCIM you can use out enterprise application with the below modifications:

mceclip0.png

  • Sign on URL, Relay State, and Logout URL should all be blank (same as above screen shot)

This modification allows you to access your Rhombus console from your My Apps dashboard.

 

Step by Step Instructions

Below are the steps necessary to setup single sign-on with Office 365/Microsoft Azure AD.

1) Access the Azure Active Directory Portal (https://aad.portal.azure.com/) and create a new application named "Rhombus Systems".

Screen_Shot_2021-02-17_at_11.15.51_AM.png

Screen_Shot_2021-02-17_at_11.18.04_AM.png

 

2) Assign users and groups to the application.

From the Azure home page, navigate to Azure Active Directory->App Registrations (tab on left side)->All applications->Select Rhombus Systems app->App roles (tab on the left side)

Once there, click the Create app role on the top (red box)

mceclip0.png

Next, make sure the Display name and Value fields match the role name defined in the Rhombus console (the role name within Rhombus CAN contain spaces. Rhombus will first check for a match using space, and then underscore):

mceclip1.png

Azure Create app role

mceclip3.png

Role in Rhombus Console

Once you have confirmed the name matches on both Azure and Rhombus console, hit blue Apply button at the bottom of the Create app role pop out.

NOTE: Please note that the role name within Azure cannot contain spaces, but the Rhombus role name can. The below screen shot demonstrates how you would enter the Super Admin Group role name within Azure.

mceclip0.png

 

3) Add the newly created app role to the correct users within the Rhombus Systems Enterprise Application.

Navigate to Enterprise Applications->Rhombus Systems app->Users and groups and check the select box for the user(s) that need the new role and click the Edit button at the top:

mceclip5.png

In the Edit Assignment popup, click None Selected under Select a role, then on the right side select the corresponding role for that user and hit the blue Select button. Once selected click the blue Assign button

mceclip6.png

 

 

You can confirm the assignment worked by viewing it in the Role assigned column (red box)

mceclip7.png

 

4) Edit the "Basic SAML Configuration" by copying and pasting the information from the SSO page on the Rhombus web console

mceclip1.png

Screen_Shot_2021-02-17_at_11.43.16_AM.png

 

5) Edit the "User Attributes & Claims" so that the "Unique User Identifier" is set to "user.mail". Note: depending on the configuration of the user or group, this may need to be set to "user.userprinciplename". 

Screen_Shot_2021-02-17_at_11.46.46_AM.png

Next, click the "Add new claim" at the top of the "User Attributes & Claims" edit page and add the following Role claim:

mceclip4.png

Namespace should be set to http://schemas.microsoft.com/ws/2008/06/identity/claims/role

Your "User Attributes & Claims" should look something like this:

mceclip0.png

 

6) Download the MetaData XML and paste it in the "IDP MetaData XML" field in the Rhombus Single Sign-On Settings page.

Screen_Shot_2021-02-17_at_11.51.04_AM.png

mceclip8.png

 

7) Edit The Metadata XML by adding the NameIDFormat Attribute as show below:

Add the following line in the XML within the IDPSSODescriptor as shown below

 <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>

If you are using a SAML 2.0, you may need to add the appropriate "md" prefixes to the XML tags to match the format.

<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>

Screen_Shot_2021-02-17_at_1.31.11_PM.png

 

8) Click "Save" on the Rhombus web console SSO page. 

Office_365_SSO_8.png

 

9) Now when users try to login to Rhombus, they will be redirected to login through AD. If JIT is not enabled, each user will need to be created in Rhombus before logging in. 

 

SCIM setup with Azure

If you also want to setup SCIM provisioning with Azure, we have you covered. Checkout our step by step for setting this up on our other article: How to configure SCIM 2.0 with Azure

 

My Apps setup with Azure

1) Download the SP Metadata file on the SSO settings page inside the Rhombus Console. 

SPmeta.png

2) Log in to your Azure portal, click the Single sign-on tab and upload your SP Metadata file 

SP2.png

3) Click explore button on the far right to open the Library folder, locate the file, and once selected hit add

SP3.png

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk