Setting up SSO for Azure AD

Updated on 12 Sep 2022
3 Minutes to read

Print
Share
Dark
Light

Article Summary

Share feedback

Thanks for sharing your feedback!

Setting up Single Sign-On involves very detailed settings, and every provider and customer environment is different. If a user is inexperienced with SSO, it may take several attempts to get all the identifying data and settings correct to allow for secure and reliable authentication. It is recommended to make sure someone in the organization with experience in SSO and IT infrastructure is available to streamline the process. Decisions support team is available to help but may not be able to answer questions or solve problems that are unique to a company.

Decisions allows users to use Single Sign-On for Azure Active Directory using Azure and the SAML Module.

Prerequisite:

Azure iDP configured within Portal
Azure application (non-gallery app)
Metadata document from the application in Azure
SAML module installed (to learn more on installing modules, see Installing Modules)

Accounts created before the following module is installed will need to be updated before using single sign-on. Please contact support on how to update the account. Learn how to modify accounts after setting up SSO in the SSO Basics article.

Configuration

In Azure, ensure that the correct endpoint URL is added to the Reply URL (Assertion Consumer Service URL) field.
In Decisions Studio, navigate to System > Settings, right-click SAML Settings, and select Edit.
From the Edit SAML Settings window, check the Enabled box. Then under Identity Providers, click ADD.
From Add Identity Providers, provide a Display Name. Under Metadata Document Preference, select Fetch Metadata From URL. Then, map the applicable metadata via the chosen method.
The Metadata URL is generated by the AD server and is a required input. Providing it will automatically fill in all module fields except for the SP Issuer ID, which is the Portal Base URL.
The screenshot below is an example of the Azure portal to demonstrate where to find the metadata URL for a created app.
Under the PROCESS IF USER NOT FOUND category, select Run Flow In Background. Under Run Flow, click PICK OR CREATE FLOW and pick SAMLDefaultCreateAccount.
If manually configuring the module, click ADD under X.509 Certificates, and add a valid x509 Certificate. Click OK. If the metadata URL were used, the X.509 certificate would automatically be pulled.
For more information on x.509 Certificates, see What an x509 Certificate is.
In the Edit SAMLSettings window, select the newly added Identity Provider from the Primary Identity Provider list. Select the Log SAML Requests & Responsesoption and click SAVE.
These requests and responses are kept in a set of logs called SAML found at C:\\Program Files\Decisions\Decisions Server\Logs.

Enabling SSO

Before enabling SAML SSO, configure at least one Admin user to work with SAML SSO, or else there will be no admin users who can log into the system after enabling it. When SSO is enabled, no local users can log in. If this is accidentally done, disable SSO and then log in with local users.

Navigate to C:\Program Files\Decisions\Decisions Server and open Settings.xml in a Text Editor.
Locate <EnableSingleSignOn> and change the false value to true.
Save the file, then close the file.
Open DecisionsServerInstaller.exe, then select RESTART SERVICE.
Continue testing on an Incognito Session; use the first open session to uncheck the Enabled button in the SAML module should something not work.
This saves users from having to set EnableSSO to false and restarting Service Host Manager again.

Troubleshooting

Converting a local account to a SAML/SSO account? Updating the User Identifier still errors out? Here are some options:

Modify the UserID of the account
Use SQL to modify the entity_account table and change the type of account
Create a new account after SAML has been turned on and add it to the admin group

If Redirect is working only on refresh on initial login: