Skip to main content

How to Enable IdP Initiated SAML SSO in Azure AD

Damien Wise
  • Updated

You can read this article in Japanese (日本語) | Spanish (español)

Overview

This user guide shows you how to enable IdP Initiated SAML SSO in Azure AD. It demonstrates how to how to setup Azure AD and then send required information to Dubber’s Support team at support@dubber.net

Azure SSO Setup

To begin SSO setup, access your Azure environment and create their Enterprise Application and select the option to use Single Sign On.

mceclip0.png

On the “Home” screen, click the “Azure Active Directory” button.

The “Overview” screen for Azure Active Directory appears.

mceclip1.png

In the menu on the left, click on “Enterprise applications”.

The “Enterprise Applications” screen lists all your existing applications.

mceclip2.png

Click the “New application” button.

The “Browse Azure AD Gallery” screen appears.

mceclip3.png

Create Your Own Application

Click on “Create your own application”.

The “Create your own application” form appears on the right side of the screen.

mceclip4.png

In the “Input name” field, specify a name for your application.

Select the “Integrate any other applications you don’t find in the gallery (Non-gallery)” option and click on the “Create” button.

After your application is created, Azure shows an “Overview” screen.

mceclip5.png

In the “Getting Started” section, go to “Set up single sign on” and click on “Get started”.

The “Single sign-on” screen appears.

mceclip6.png

Under “Select a single sign-on method”, click on “SAML”.

The “SAML-based Sign-on” screen appears.

mceclip7.png

Basic SAML Configuration

In the “Basic SAML Configuration” section, click the “Edit” button.

On the right side of the screen, the “Basic SAML Configuration” form opens.

mceclip8.png

Click on “Add identifier”. In the “Add identifier” field specify the “Identifier (Entity ID)”.

Click on “Add reply URL”. In the “Add reply URL” field specify the “Reply URL (Assertion Consumer Service URL)”.

These values are based on the region of the connection. Use the values exactly as shown here.

Region Identifier (Entity ID) Reply URL (Assertion Consumer Service URL)
AU https://au.dubber.net https://au.dubber.net/saml/auth
CA https://ca.dubber.net https://ca.dubber.net/saml/auth
JP https://jp.dubber.net https://jp.dubber.net/saml/auth
US https://us.dubber.net https://us.dubber.net/saml/auth
UK https://uk.dubber.net https://uk.dubber.net/saml/auth
UK1 https://uk1.dubber.net https://uk1.dubber.net/saml/auth
EU https://eu.dubber.net https://eu.dubber.net/saml/auth
SG https://sg.dubber.net https://sg.dubber.net/saml/auth
Sandbox https://sandbox.dubber.net https://sandbox.dubber.net/saml/auth

Example:

mceclip9.png

Click the “Save” button.

User Attributes & Claims

In the “Attributes and claims” section, click the “Edit” button.

mceclip10.png

The “Attributes and Claims” screen opens.

mceclip11.png

In the “Required Claim” section, click on the claim name.

The “Manage claim” screen appears.

mceclip1.png

Set the “Name identifier format” to Email. Set the “Source attribute” to an email format, for example “user.mail”. Although “Unspecified” is supported, Dubber recommends you use an email address for account level SSO authentication.

Add a transformation rule to convert email to lower case if they are not stored in lowercase. Click on the “Transformation” option to open the “Manage transformation” panel. In the “Transformation” menu select “ToLowercase()”, and in the “Parameter 1” menu select “user.mail”. Click the “Add” button.

If your emails are not stored in lowercase, add a transformation rule to convert them to lower case.

mceclip2.png

It is important to note that Dubber does not support any additional attributes or claims such as given name, principal name, or surname.
Click the “Save” button” to return to the “Attributes and Claims” window.

Close the “Attributes and Claims” panel and return to the “SAML-based Sign-on” screen.

SAML Signing Certificate

Scroll down to the “SAML Signing Certificate” section, and click the “edit” button.

mceclip13.png

Dubber supports three SAML signing options in the “Signing Option” menu to configure how the SAML Response is signed. We recommend you select “Sign SAML response and assertion” because it is most secure option. After you select a Signing Option, you are advised not change it.

mceclip3.png

Click the “save” button and then close this panel to return to the “SAML-based Sign-on” screen.

This completes the Azure AD setup for Dubber.

Dubber SSO Setup

To complete the Dubber setup, send Dubber your Azure AD MetaData url or the MetaData file downloaded from the url. Dubber also needs to know which option you selected for the SAML Response signing option.

Raise a Support Request

In the “SAML Signing Certificate” section, c lick the “C opy” button on the right side of the “App Federation Metadata Url” field.

mceclip14.png

Create an email to support@dubber.net and paste in the URL. This raises a support request, and then a Dubber Support agent will manage the implementation of SSO for your account. After Dubber has received the necessary information, Dubber initiates configuration. When configuration is complete, Dubber advises the customer that the implementation is ready for testing.

Assign Users and Groups

To assign a user or a group to the application, go to the “Manage” menu on the left and click on “Users and Groups”.

mceclip15.png

On the “Users and Groups” screen, click on the “Add user/group” button.

The “Add Assignment” screen appears.

It is important to note that if your plan level allows for groups, you can assign groups or users to the application. If you have a free plan, you can assign users but not groups.

This example shows how to assign users. The process for assigning groups is similar.

mceclip16.png

Click on “None Selected”.

The “Users” panel opens on the right of the screen.

Click on a user in the list, then click the “Select” button.

mceclip17.png

The “Add Assignment” screen updates to say “1 user selected”.

mceclip18.png

Click the “Assign” button.

mceclip19.png

The list on the “Users and Groups” screen updates. Now it includes the user or group you assigned.

Force SSO

When setup is complete, the customer can force the use of SSO for their users. Only account administrators can do this.

Login to the Dubber portal, and select the “Account” menu option.

mceclip5.png

On the “My Account” screen, go to the “People” tab. Select the “Force SSO All Users” option to force every user to use SSO and disable authentication access in the Dubber portal.

mceclip6.png

You can use the mceclip9.png button on the right of each user in the list to force or unforce individual users.

Customer Access URL

Users with forced SSO set are unable to access the Dubber web portal using the region public url. Instead, they need to login to the customer’s IdP. Go to the “Properties” page for the application and click the “Copy” button next to the “User access URL” field. Paste the URL into a web browser to go to the user’s MyApps page at https://myapps.microsoft.com/

mceclip20.png

Related articles

Comments

0 comments

Please sign in to leave a comment.