Requirements for this guide:
- You have access to the Azure portal at https://portal.azure.com
- You are entitled to access the overview of and to edit registered apps at https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
- For SAML only: You are entitled to access the overview of and to add enterprise apps at https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview
- You are entitled to access the overview of and to add new users at https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers
To let Flip users log in via Single-Sign-On to your Flip app, you need to configure your app in Azure and enable it.
If you haven’t already registered an app for Flip, please go through the steps provided in this guide: Flip Syncer and Single-Sign-On (SSO): How to set up Azure AD
If you haven’t already set up groups for Flip, please go through the steps provided in this guide: Setting up dedicated Entra ID groups for Flip
1. Create a user to let Flip test SSO with your tenant
Please provide a test user to let Flip test the SSO process and configuration. Do ensure that testing is possible without any multifactor authentication obligations.
If you already set up Entra ID groups, ensure that this test user is a member of the group intended to act as the user base. See Setting up dedicated Entra ID groups for Flip for guidance.
Switch to the user administration by searching (1) and clicking on “User” (2). Then click on “+ New user / Create new user” to open a form.
Please note: select the correct user navigation entry (blue icon).
Give the user a username that indicates their intended use (1).
Please note the user principal name and the password (2) to let Flip test the SSO configuration with your tenant.
Also ensure that the user is activated (3) and click on “Review + create” (4).
Important: Add the user to the group intended to act as the user base.
Please provide the noted information to your contact person at Flip.
2. Set up OIDC or SAML
Depending on your policy, we can set up Single-Sign-On with OIDC or SAML. We recommend OIDC.
2.1 Single-Sign-On with OIDC
Before proceeding, ensure that you’ve selected the corresponding Flip app (1) in Azure.
Click on “Authentication” (2) in the navigation panel and click on “Add a platform” (3) to open up a panel on the right side.
Select “Web” (4) as the type of the app platform.
Insert the URI (1) of your Flip tenant's endpoint. Your contact at Flip will provide this information to you. If you already know the domain and the tenant ID of your Flip tenant, you can build the URI yourself: https://DOMAIN/auth/realms/TENANT/broker/oidc-azuread/endpoint
Select the ID token option (2) and save (3) your configuration.
It will now be listed under “Platform configurations”.
Click on “Overview” in the navigation panel and switch to “Endpoints” to get important information for the Flip Syncer configuration.
Save the following information:
- OAuth 2.0 token endpoint (v1!) (1)
- OpenID Connect metadata document (2)
You can close the panel again.
Please send all information to your contact person at Flip. They will set up Single-Sign-On for you.
2.2 Single-Sign-On with SAML
Jump to your Enterprise application created for Flip (1) and select “Users and groups” in the navigation panel (2).
By clicking “+ Add user/group” you can add the groups created while going through this guide: Setting up dedicated Entra ID groups for Flip
Switch to “Single sign-on” (1) in the navigation panel to set up “SAML” (2) by clicking on the option.
You will see the screen shown below, where you configure the essential URLs of your Flip tenant.
Simply click on “Edit” (1) to open up a pane where you can add the following information. Your contact at Flip will provide this information to you. If you already know the domain and the tenant ID of your Flip tenant, you can build the URLs yourself:
Identifier (Entity ID): https://DOMAIN/auth/realms/TENANT
Reply URL (Assertion Consumer Service URL): https://DOMAIN/auth/realms/TENANT/broker/saml-azuread/endpoint
Sign on URL: https://DOMAIN/auth/realms/TENANT/broker/saml-azuread/endpoint
On the same page, please scroll down and have a look at the third and fourth box. Note the following values:
- App Federation Metadata URL (1)
- Login URL (2)
- Microsoft Entra Identifier (2)
- Logout URL (2)
Please send all information (1 + 2) to your contact person at Flip. They will set up Single-Sign-On for you.
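The three values entered in the "Basic SAML Configuration" box must match what Azure later puts into every SAML response, otherwise the Flip login fails. The following Python script is an added example (not code from Flip or Microsoft): it builds the Identifier, Reply URL and Sign on URL from a placeholder DOMAIN and TENANT exactly as the formulas above do, and then checks a constructed, unsigned sample SAML response against them (Destination and Recipient against the Reply URL, Audience against the Entity ID, Issuer against the Microsoft Entra Identifier). The placeholder tenant values and the sample response are constructed for this example; signature verification is out of scope here.

```python
"""Added example: check that a SAML response carries the URLs configured in Azure.
DOMAIN, TENANT and AZURE_TENANT_ID are constructed placeholders; the response
below is a constructed, unsigned sample (signature checks are not covered)."""
import xml.etree.ElementTree as ET  # for real, untrusted responses prefer defusedxml

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

DOMAIN = "flip.example.com"                               # placeholder Flip domain
TENANT = "example-tenant"                                 # placeholder Flip tenant ID
AZURE_TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder directory ID
# Shape of the "Microsoft Entra Identifier" shown in box 4 (constructed value)
ENTRA_IDENTIFIER = f"https://sts.windows.net/{AZURE_TENANT_ID}/"


def flip_saml_urls(domain: str, tenant: str) -> dict:
    """Build the three values entered under "Basic SAML Configuration"."""
    base = f"https://{domain}/auth/realms/{tenant}"
    acs = f"{base}/broker/saml-azuread/endpoint"
    return {"entity_id": base, "reply_url": acs, "sign_on_url": acs}


def check_saml_response(xml_text: str, expected: dict, entra_identifier: str) -> list:
    """Return a list of problems found in a SAML response.

    Destination and Recipient must equal the Reply URL, Audience must equal the
    Identifier (Entity ID) and Issuer must be our Entra tenant. A mismatch here is
    exactly what a mistyped URL in the Azure configuration produces."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected["reply_url"]:
        problems.append("Destination differs from Reply URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    if assertion.findtext("saml:Issuer", namespaces=NS) != entra_identifier:
        problems.append("Issuer is not the expected Microsoft Entra Identifier")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected["entity_id"]:
        problems.append("Audience differs from Identifier (Entity ID)")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["reply_url"]:
        problems.append("Recipient differs from Reply URL")
    return problems


URLS = flip_saml_urls(DOMAIN, TENANT)

# Constructed sample response (only the elements the checks above look at).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{URLS['reply_url']}">
  <saml:Assertion>
    <saml:Issuer>{ENTRA_IDENTIFIER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>flip-sso-test@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{URLS['reply_url']}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{URLS['entity_id']}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Same response with a trailing slash on the Audience, as a typo in Azure would cause.
SAMPLE_WRONG_AUDIENCE = SAMPLE_RESPONSE.replace(
    f"<saml:Audience>{URLS['entity_id']}<", f"<saml:Audience>{URLS['entity_id']}/<")

if __name__ == "__main__":
    for name, url in URLS.items():
        print(f"{name}: {url}")
    print("sample response problems:", check_saml_response(SAMPLE_RESPONSE, URLS, ENTRA_IDENTIFIER))
    print("typo response problems:", check_saml_response(SAMPLE_WRONG_AUDIENCE, URLS, ENTRA_IDENTIFIER))
```

All comparisons are exact string equality on purpose: a trailing slash or an http:// scheme in one of the three boxes is enough for the response to be rejected, so the script flags exactly that.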
3. OIDC only: set up the User Principal Name (UPN)
If you’re planning to use information besides the Unique User Identifier / User Principal Name (UPN) as the username in Flip, please get in touch with your contact person at Flip. We have to configure a mapping for the specific user information and the username in Flip. Otherwise, Flip can’t identify the user correctly.
Switch to your App registration (1) and select “Token configuration” (2) in the navigation panel.
Check if “upn” is already listed. If not, click “Add optional claim” (3), select “ID” as the type of token and also “upn” (5) in the list below.
Then save this configuration by clicking on “Add” (6).
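To verify the OIDC settings from section 2.1 and the upn claim from section 3 before handing the values to Flip, the following Python script is an added example (not code from Flip or Microsoft). It builds the redirect URI from a placeholder DOMAIN and TENANT as the formula in section 2.1 does and compares it exactly, the way Azure does, so a trailing slash or an http:// scheme is caught; it checks that a token endpoint is the v1 one the guide asks for (the v2 endpoint carries /oauth2/v2.0/ in its path); and it checks a decoded ID token payload for the issuer from the metadata document, the audience of your app registration and the presence of the upn claim. The Azure tenant ID, client ID, metadata document and token claims are constructed sample values; signature verification of the token is assumed to happen elsewhere.

```python
"""Added example: sanity checks for the OIDC settings above.
DOMAIN, TENANT, AZURE_TENANT_ID and CLIENT_ID are constructed placeholders; the
metadata document and ID token claims are constructed samples."""
import json
from urllib.parse import urlsplit

DOMAIN = "flip.example.com"                               # placeholder Flip domain
TENANT = "example-tenant"                                 # placeholder Flip tenant ID
AZURE_TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"        # placeholder application (client) ID

# Constructed sample of the v1 "OpenID Connect metadata document" (only the fields used here).
SAMPLE_METADATA = json.loads(f"""{{
  "issuer": "https://sts.windows.net/{AZURE_TENANT_ID}/",
  "token_endpoint": "https://login.microsoftonline.com/{AZURE_TENANT_ID}/oauth2/token",
  "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys"
}}""")


def flip_oidc_redirect_uri(domain: str, tenant: str) -> str:
    """Build the redirect URI that must be registered for the Web platform."""
    return f"https://{domain}/auth/realms/{tenant}/broker/oidc-azuread/endpoint"


def redirect_uri_matches(registered: str, expected: str) -> bool:
    """Azure compares redirect URIs exactly (scheme, host, path, trailing slash).
    A near miss such as http:// or an extra '/' is rejected at sign-in time."""
    return registered == expected


def is_v1_token_endpoint(url: str) -> bool:
    """The guide asks for the v1 token endpoint; v2 carries '/oauth2/v2.0/' in its path."""
    parts = urlsplit(url)
    return (parts.scheme == "https"
            and parts.netloc == "login.microsoftonline.com"
            and parts.path.endswith("/oauth2/token")
            and "/v2.0/" not in parts.path)


def check_id_token_claims(claims: dict, metadata: dict, client_id: str) -> list:
    """Return problems with a decoded ID token payload (signature verified elsewhere).

    The issuer must match the metadata document, the audience must be this app
    registration, and 'upn' must be present because Flip derives the username from it."""
    problems = []
    if claims.get("iss") != metadata.get("issuer"):
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("audience is not this app registration")
    if not claims.get("upn"):
        problems.append("'upn' claim missing: add it under Token configuration")
    return problems


# Constructed sample payloads: one complete, one without the optional upn claim.
SAMPLE_CLAIMS_OK = {"iss": SAMPLE_METADATA["issuer"], "aud": CLIENT_ID,
                    "upn": "flip-sso-test@example.com"}
SAMPLE_CLAIMS_NO_UPN = {"iss": SAMPLE_METADATA["issuer"], "aud": CLIENT_ID}

if __name__ == "__main__":
    expected = flip_oidc_redirect_uri(DOMAIN, TENANT)
    print("redirect URI to register:", expected)
    print("trailing slash accepted:", redirect_uri_matches(expected + "/", expected))
    print("v1 token endpoint:", is_v1_token_endpoint(SAMPLE_METADATA["token_endpoint"]))
    print("problems without upn:",
          check_id_token_claims(SAMPLE_CLAIMS_NO_UPN, SAMPLE_METADATA, CLIENT_ID))
```

In practice you would paste the issuer and token endpoint from the metadata document you saved in section 2.1 and the payload of a test ID token obtained with the test user from section 1; the check with the missing upn claim shows what Flip sees when the optional claim has not been added.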