Roles

These are the roles that are needed:

  • Admin

Azure Active Directory

Azure AD is a directory service provided as part of Microsoft Azure cloud.

Azure Configuration

You need to start by setting up an Enterprise Application in Azure AD. To do this, log into https://portal.azure.com and select Active Directory Services -> Enterprise Applications.

Enterprise App List

Add a Non-gallery application and enter a suitable name for it.

Add Enterprise App

Assign the users you want to grant access to iconik. This lets you control which users in your directory have access to iconik.

Assign Users

After this, go back to the overview page and select 2. Set up single sign on.

Set up single sign on

Select SAML as the sign-on method.

Select SAML

This brings you to a screen labeled Set up Single Sign-On with SAML. In section 3, download the Federation Metadata XML which will be used to create the configuration on the iconik side.

Download Federation Metadata XML

iconik configuration

Now, switch to another tab in your browser and log into iconik.

Go to Admin -> Settings -> Identity Providers and select NEW IDENTITY PROVIDER.

Identity Provider List

This will open a popup where you can upload the XML downloaded in the previous step. This will automatically configure iconik with the correct settings for Azure AD. You can change the name of the Identity Provider but leave the other settings as they are.

Add Identity Provider Popup

Finalize the creation and then open the settings for the newly created Identity Provider. On the left-hand side of the screen you will see a list of URLs. These will be used to configure the Azure AD side of the integration.

Autoconfigured Identity Provider Settings

Azure SAML Configuration

Now switch back to the Azure tab and go back to the Set up Single Sign-On with SAML page if you have navigated away from it.

Azure SAML settings

Open section 1 Basic SAML Configuration. You will have to copy the settings from iconik into Azure. On the iconik Identity Provider Settings page, you can copy each value by clicking the small icon next to the URL text.

  • Copy the Entity ID URL from iconik into the field labeled Identifier (Entity ID) in Azure.
  • Copy the Assertion Consumer Service URL from iconik into the field labeled Reply URL (Assertion Consumer Service URL) in Azure.
  • Copy the Logon URL from iconik into the field labeled Sign on URL in Azure.
  • Copy the Single Logout Service URL from iconik into the field labeled Logout Url in Azure.

Finally, save the settings.

Azure SAML settings

Next, open section 2 User Attributes & Claims. In this section you need to change the attribute Azure sends as the Unique User Identifier. By default, this is a generated identifier but iconik expects an email address as the identifier. Change the value for Unique User Identifier (Name ID) to user.mail. The other settings can remain set to their defaults.

Azure Attributes and Claims

If groups are included in the listed claims, iconik will add the user to any of the provided groups that already exist in iconik. If a user was added to a group from Azure of which they are no longer a member, they will also be removed from that group in iconik when they next log in. If groups are synced to Azure AD from an on-premise Active Directory, you can set the group Source Attribute to sAMAccountName. This makes Azure send the group name rather than the group identifier, which is what Azure AD sends by default. If the group is a Cloud group in Azure, the option to send sAMAccountName does not exist and groups cannot be sent via SAML.

Azure Group Claims
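The following is an added example, not code from iconik or Microsoft, showing what a service provider does with the claims configured above: it parses the NameID (which must be an email address after the user.mail change) and the group claim from an assertion, then applies the add/remove rule described in the previous paragraph. The assertion is constructed for illustration, the group claim name is the standard Azure AD one, and the reconciliation is a paraphrase of the page's description, not iconik's actual implementation.

```python
# Added example (not iconik's or Microsoft's code): parse the NameID and group
# claims from a SAML assertion as Azure AD sends them after the setup above,
# then reconcile group membership the way the page describes.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Standard Azure AD group claim name (assumed; matches the default claim Azure emits).
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion. The XML signature is omitted here; a real
# service provider verifies the signature against the IdP certificate from the
# Federation Metadata XML before trusting any of these values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>Editors</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_claims(assertion_xml):
    """Return (name_id, name_id_format, [group names]) from an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{GROUP_CLAIM}']/saml:AttributeValue"
    groups = [v.text for v in root.findall(path, NS)]
    return name_id.text, name_id.get("Format"), groups


def name_id_is_email(name_id, name_id_format):
    """The page's requirement: the identifier must be the user's email, not a generated ID."""
    return name_id_format == EMAIL_NAMEID and "@" in name_id


def reconcile_groups(claimed, azure_sourced_current, existing_in_iconik):
    """Add the user to claimed groups that already exist in iconik; remove them
    from Azure-sourced groups that the assertion no longer lists."""
    claimed, existing = set(claimed), set(existing_in_iconik)
    to_add = sorted((claimed & existing) - azure_sourced_current)
    to_remove = sorted(azure_sourced_current - claimed)
    return to_add, to_remove
```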

You should now be able to test the Azure Login at the bottom of the Set up Single Sign-On with SAML page.

Test Azure Login

You should now be logged into iconik.

iconik login