Azure Active Directory
Azure AD is a directory service provided as part of the Microsoft Azure cloud.
You need to start by setting up an Enterprise Application in Azure AD. To do this, log into https://portal.azure.com and select Active Directory Services -> Enterprise Applications. Add a Non-gallery application and enter a suitable name for it.
Assign the users you want to grant access to iconik. This lets you control which users in your directory have access to iconik.
After this, go back to the overview page and select 2. Set up single sign on. Select SAML as the sign-on method. This brings you to a screen labeled Set up Single Sign-On with SAML. In section 3, download the Federation Metadata XML, which will be used to create the configuration on the iconik side.
Now, switch to another tab in your browser and log into iconik. Go to Admin -> Settings -> Identity Providers and select NEW IDENTITY PROVIDER.
This will open a popup where you can upload the XML downloaded in the previous step. This will automatically configure iconik with the correct settings for Azure AD. You can change the name of the Identity Provider but leave the other settings as they are.
Finalize the creation and then open the settings for the newly created Identity Provider. On the left-hand side of the screen you will see a list of URLs. These will be used to configure the Azure AD side of the integration.
Now switch back to the Azure tab and return to the Set up Single Sign-On with SAML page if you have navigated away. Open section 1, Basic SAML Configuration. You will have to copy the settings from iconik into Azure. On the iconik Identity Provider Settings page, you can copy each value by clicking the little icon next to the text:
- Entity ID URL from iconik into the field labeled Identifier (Entity ID) in Azure.
- Assertion Consumer Service URL from iconik into the field labeled Reply URL (Assertion Consumer Service URL) in Azure.
- Logon URL from iconik into the field labeled Sign on URL in Azure.
- Single Logout Service from iconik into the field labeled Logout Url in Azure.
Finally, save the settings.
Next, open section 2, User Attributes & Claims. In this section you need to change the attribute Azure sends as the Unique User Identifier. By default, this is a generated identifier, but iconik expects an email address as the identifier. Change the value for Unique User Identifier (Name ID) to user.mail. The other settings can remain at their defaults.
If groups are included in the listed claims, iconik will add the user to any of the provided groups that already exist in iconik. If a user was added to a group from Azure of which they are no longer a member, they will also be removed from that group in iconik when they log in. If groups are synced to Azure AD from an on-premise Active Directory, you can set the group Source Attribute to sAMAccountName. This makes sure Azure sends the group name rather than the group identifier, which Azure AD sends by default. If the group is a Cloud group in Azure, the option sAMAccountName does not exist and groups cannot be sent via SAML.
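The following script is an added example, not iconik's code, of the claim handling the two sections above describe: it pulls the NameID and the group claim out of a constructed Azure AD SAML assertion, flags the two misconfigurations the text warns about (a NameID that is not an email address, and a group claim that carries object ids because the Source Attribute was left at its default), and computes which iconik group memberships to add or remove under the rules stated above. The claim name used for groups is the one Azure AD emits in SAML tokens; the assertion, user and group names are constructed. Signature and audience validation of the SAML response are assumed to have happened already; nothing here may be trusted before that.

```python
# Added example (not iconik's code): NameID check and group-membership sync
# for an Azure AD SAML assertion, following the rules in the text above.
# The assertion below is constructed; signature validation is assumed done.
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim name Azure AD uses for group membership in SAML tokens.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Azure object ids are GUIDs; seeing only these in the group claim means the
# group Source Attribute is still the default identifier, not sAMAccountName.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed assertion: NameID set to user.mail and two group names.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>Editors</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_claims(assertion_xml: str) -> dict:
    """Pull the NameID and the group claim values out of an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no NameID")
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUPS_CLAIM:
            groups.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return {
        "name_id": name_id.text.strip(),
        "name_id_format": name_id.get("Format"),
        "groups": groups,
    }


def check_claims(claims: dict) -> list:
    """Return the misconfigurations the text warns about, as messages (empty if none)."""
    problems = []
    if not EMAIL_RE.match(claims["name_id"]):
        problems.append("NameID is not an email address: set Unique User Identifier to user.mail")
    if claims["groups"] and all(GUID_RE.match(g) for g in claims["groups"]):
        problems.append("group claim carries object ids, not names: set the group Source Attribute to sAMAccountName")
    return problems


def plan_group_sync(iconik_groups, azure_managed, claimed):
    """Apply the membership rules from the text.

    iconik_groups: names of groups that exist in iconik.
    azure_managed: groups this user was put in by an earlier Azure login.
    claimed: group names in the current assertion.
    Returns (to_add, to_remove, ignored): claimed groups that exist in iconik
    and are not yet Azure-managed memberships, Azure-managed memberships no
    longer claimed, and claimed groups that do not exist in iconik (skipped,
    never created).
    """
    iconik_groups, azure_managed, claimed = set(iconik_groups), set(azure_managed), set(claimed)
    to_add = sorted((claimed & iconik_groups) - azure_managed)
    to_remove = sorted(azure_managed - claimed)
    ignored = sorted(claimed - iconik_groups)
    return to_add, to_remove, ignored


if __name__ == "__main__":
    claims = extract_claims(SAMPLE_ASSERTION)
    print(claims, check_claims(claims))
    print(plan_group_sync({"Editors", "Finance", "Legal"}, {"Legal"}, claims["groups"]))
```

Memberships that were assigned manually in iconik are not in azure_managed, so the plan never removes them; only memberships that came from Azure follow the assertion, which matches the removal rule stated above.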
You should now be able to test the Azure login at the bottom of the Set up Single Sign-On with SAML page. If the test succeeds, you are logged into iconik.