Setting up SSO with Microsoft Azure AD – Rhombus Systems

Topics included in this article:

Common Questions
Step-by-step instructions
SCIM setup with Azure

Pre-Requisite: Azure Active Directory Subscription. To view the Microsoft documentation, click the links for Provision users and groups using SCIM or Configuring SCIM provisioning for Azure AD.

Common Questions

Will users be provisioned when they are added to an AD group if the group is defined?

Users will automatically get provisioned in Rhombus if:
1. SCIM has been configured between the IDP (Azure AD, Okta ...) and Rhombus
2. JIT (Just In Time) SAML has been enabled on Rhombus

In either scenario, it is expected that the Users are assigned to Groups on the IDP side (Auzre AD, Okta ..) with matching Role names on the Rhombus side.

Do users need to be created in both AD and Rhombus for it to work?

This is not required as long as Users have matching IDP Group to Role name association and JIT (Just In time) SAML has been enabled in Rhombus.

What do I need to do on the Rhombus side before the integration?

You will need to create the user Roles in Rhombus. The group or role on the IDP side (Azure AD, Okta ..) and the Role name in Rhombus need to match. As an example, Users assigned to matching groups in AD will automatically get assigned to the matching Role with the similar name.
If the Role in Rhombus does not match the AD group name, there will be a mismatch error and Rhombus will not add the user, unless the role mismatch option is enabled in Rhombus.

Step by Step Instructions

Below are the steps necessary to setup single sign-on with Office 365/Microsoft Azure AD.

1) Access the Azure Active Directory Portal (https://aad.portal.azure.com/) and create a new application named "Rhombus Systems".

Screen_Shot_2021-02-17_at_11.18.04_AM.png

2) Assign users and groups to the application.

Screen_Shot_2021-02-17_at_11.21.09_AM.png

3) Ensure that corresponding roles have been created in the Rhombus web console that match the role names in AD in spelling, case and white space.

4) Edit the "Basic SAML Configuration" by copying and pasting the information from the SSO page on the Rhombus web console.

Screen_Shot_2021-02-17_at_11.38.04_AM.png

Screen_Shot_2021-02-17_at_11.43.16_AM.png

5) Edit the "User Attributes & Claims" so that the "Unique User Identifier" is set to "user.mail". Note: depending on the configuration of the user or group, this may need to be set to "user.userprinciplename".

Next, click the "Add new claim" at the top of the "User Attributes & Claims" edit page and add the following Role claim:

Namespace should be set to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/roles/Roles

Your "User Attributes & Claims" should look something like this:

6) Download the MetaData XML and paste it in the "IDP MetaData XML" field in the Rhombus Single Sign-On Settings page.

Screen_Shot_2021-02-17_at_11.51.04_AM.png

7) Edit The Metadata XML by adding the NameIDFormat Attribute as show below:

Add the following line in the XML within the IDPSSODescriptor as shown below

 <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>

If you are using a SAML 2.0, you may need to add the appropriate "md" prefixes to the XML tags to match the format.

<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>

Screen_Shot_2021-02-17_at_1.31.11_PM.png

8) Click "Save" on the Rhombus web console SSO page.

9) Now when users try to login to Rhombus, they will be redirected to login through AD. If JIT is not enabled, each user will need to be created in Rhombus before logging in.

SCIM setup with Azure

If you also want to setup SCIM provisioning with Azure, we have you covered. Checkout our step by step for setting this up on our other article: How to configure SCIM 2.0 with Azure

Common Questions

Step by Step Instructions

SCIM setup with Azure

Related articles