SAML SSO with Azure AD

Setting up SSO for your Ninox server (Private Cloud or On-Premises) using SAML and Azure Active Directory
SSO is an Enterprise feature available on request that requires a valid license purchased from Ninox or a certified partner.
We do not require that you use Azure AD; we use it here to demonstrate one possible SAML setup with Ninox. Your setup may differ depending on which identity provider you use.

SSO using SAML and Azure AD

Microsoft Azure AD offers multiple options for single sign-on. In the following instructions we use SAML.

Creating a new SAML integration

Step 1: Log in and open Azure Active Directory

  1. Log in with your account at the Azure AD portal.
  2. At the top of the page, under Azure services, click the Azure Active Directory (1) icon. A new page opens.

Step 2: Add Enterprise application

  1. On the Overview page, click the + Add (1) tab and select Enterprise application (2) from the dropdown menu. A new page opens.
  2. On the Browse Azure AD Gallery page, click + Create your own application (3). A pop-up appears on the right half of the page.

Step 3: Create your app

  1. On the right half of the page, under Create your own application, enter a name in the What's the name of your app? (1) field, e.g., Ninox SAML.
  2. Under What are you looking to do with your application?, select Integrate any other application you don't find in the gallery (Non-gallery) (2).
  3. Click the Create (3) button to confirm. A success message appears in the top-right corner of the page. The Overview page opens.

Configuring SAML in Azure AD

Step 1: Select a single sign-on method

  1. On the Overview page, click the Set up single sign on (1) tile. A new page opens.
  2. On the Single sign-on page, under Select a single sign-on method, click the SAML (2) tile.

Step 2: Configure SAML-based sign-on

On the SAML-based sign-on page, under Set up Single Sign-On with SAML, click the Edit (1) icon and fill in the fields listed below.

  (2) Identifier (Entity ID): Replace the default entry customappsso in the URL http://adapplicationregistry.onmicrosoft.com/customappsso/primary with ninoxsaml, resulting in http://adapplicationregistry.onmicrosoft.com/ninoxsaml/primary. This value is an identifier, not an address that is visited, but it must match character for character what you later enter in Ninox as Issuer and Audience.
  (3) Reply URL (Assertion Consumer Service URL): The protocol https://, your Ninox server domain name (in this example anastasiya.ninoxdb.de) and the path /ums/saml/consume, e.g. https://anastasiya.ninoxdb.de/ums/saml/consume. Replace the domain name with the domain name of your Ninox server. Azure AD only sends SAML responses to a registered Reply URL, so it must be exactly the URL your server serves.
  (4) Sign on URL: The protocol https://, your Ninox server domain name and the path /ums/saml/login, e.g. https://anastasiya.ninoxdb.de/ums/saml/login. Again, replace the domain name with the domain name of your Ninox server.
  (5) Relay State: WEB
  (6) Logout Url: Optional, can be left blank.

Step 3: Download certificate

  1. On the SAML Signing Certificate tile, locate Certificate (Base64).
  2. Click the Download button next to it. The download starts.

Assigning users to your SAML app in Azure AD

Step 1: Add users/groups

  1. Return to the Overview page and click the Assign users and groups (1) tile. A new page opens.
  2. On the Users and groups page, click + Add user/group (2). A new page opens.

Step 2: Select users

  1. On the Add Assignment page, under Users, click None Selected (1).
  2. On the right half of the page, under Users, the users you previously created are listed. If you haven't created any users yet, refer to the Microsoft support article Add or delete users using Azure Active Directory.
  3. Click the names of the users (2) you wish to add, then click the Select (3) button to proceed.

Step 3: Assign users

If your Azure AD plan includes group assignment, you can assign groups as well as users to your application.

  1. On the right half of the page, under Users, click n user selected (1).
  2. Click the Assign (2) button to confirm. A success message appears in the top-right corner of the page. The Users and groups page opens.

Retrieving SAML credentials from Azure AD

Copy the following values from Azure Active Directory; you will paste them into your Ninox server setup.

  1. On the SAML-based sign-on page, under Set up Single Sign-On with SAML, go to the section Basic SAML Configuration and copy the Identifier (Entity ID) (1). The URL looks something like http://adapplicationregistry.onmicrosoft.com/ninoxsaml/primary.
  2. On the same page, go to the section Set up Ninox SAML and copy the Login URL (2). The URL looks something like https://login.microsoftonline.com/e27eada0-11f1-4109-b4a5-1e22a03c95b8/saml2; the GUID in the path is your tenant ID.

Finishing SAML setup in your Ninox server setup (Private Cloud or On-Premises)

  1. Log in to your Ninox Private Cloud or Ninox On-Premises.
  2. Click the gear icon in the top-right corner.
  3. Select Server Administration from the dropdown menu. A new page opens.
  4. Click the Configuration tab.
  5. On the Server Configuration page, under Authentication Strategy, click the SAML V2 (1) tab and fill in the fields listed below.
     (2) Single Sign on URL (SSO URL): paste the Login URL; refer to Retrieving SAML credentials from Azure AD.
     (3) Issuer: paste the Identifier (Entity ID); refer to Retrieving SAML credentials from Azure AD.
     (4) IDP Certificate: upload the Certificate (Base64) file you downloaded; refer to Configuring SAML in Azure AD.
     (5) Audience: paste the Identifier (Entity ID); refer to Retrieving SAML credentials from Azure AD.
     (6) Session Duration (in days): 30
     (7) AutoProvision Users: enable. Users who sign in through Azure AD are then created in Ninox automatically, so the user and group assignment in Azure AD is what controls who gets access.
  6. Click the Save and Restart (8) button to confirm.

Testing sign-in with Azure AD

Before testing the authentication, make sure you're logged out of your Ninox Private Cloud or your Ninox On-Premises server.

  1. Return to the Azure AD portal and open the SAML-based Sign-on page.
  2. Go to the section Test single sign-on with Ninox SAML and click the Test (1) button. A pop-up appears on the right half of the page.
  3. In the Test single sign-on with Ninox SAML window, under Testing sign in, leave the default selection Sign in as current user (2), then click the Test sign in (3) button. A new page opens.
  4. The new page opens onto your Ninox Private Cloud or Ninox On-Premises server and you're logged in automatically. If this fails, return to the sections Configuring SAML in Azure AD and Finishing SAML setup in your Ninox server setup and verify that all fields are filled in correctly.
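When the test sign-in fails, the usual causes are a value that does not match exactly: the Audience in Azure AD's assertion differs from the Identifier (Entity ID) entered as Audience in Ninox, the response was posted to a Destination that is not the Reply URL, the assertion has expired, or the certificate that signed it is not the one uploaded as IDP Certificate. The script below is an added example (not Ninox's or Microsoft's code) that checks those values offline. It takes the SAMLResponse form field, which you can copy from the browser's developer tools on the POST to /ums/saml/consume, and compares it with the settings from this page. Assumptions: the server domain, Entity ID and Login URL are the example values from this page; the SAML response and certificate are constructed for the example and are not real; Azure AD identifies itself in assertions as https://sts.windows.net/<tenant-id>/, which the script derives from the tenant ID in the Login URL. The script compares the signing certificate but does not verify the XML signature cryptographically; Ninox does that itself.

```python
# Added example (not Ninox or Microsoft code): offline consistency checks for the
# values entered above and for a SAML Response captured from a failed test sign-in.
# The sample response and certificate below are constructed, not real.
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def ninox_sp_settings(server_domain, entity_id, login_url):
    """Build the Reply URL and Sign on URL for the server domain and derive what the
    Azure AD response must contain. Azure AD signs assertions with the Issuer
    https://sts.windows.net/<tenant-id>/, where the tenant ID is taken from the Login URL."""
    m = re.fullmatch(r"https://login\.microsoftonline\.com/([0-9a-f-]{36})/saml2", login_url)
    if not m:
        raise ValueError("Login URL is not an Azure AD SAML endpoint: " + login_url)
    return {
        "entity_id": entity_id,
        "sso_url": login_url,
        "reply_url": "https://%s/ums/saml/consume" % server_domain,
        "sign_on_url": "https://%s/ums/saml/login" % server_domain,
        "idp_issuer": "https://sts.windows.net/%s/" % m.group(1),
    }


def _pem_body(cert_text):
    """Strip PEM armour and whitespace so the .cer file and the XML form compare equal."""
    return re.sub(r"-----[A-Z ]+-----|\s+", "", cert_text)


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z or with fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_saml_response(response_b64, settings, idp_cert_pem, now):
    """Return a list of mismatches between the response and the settings (empty = consistent).
    The signature bytes themselves are not verified here; only the certificate is compared."""
    problems = []
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["top-level element is not samlp:Response"]
    if root.get("Destination") != settings["reply_url"]:
        problems.append("Destination %r is not the Reply URL" % root.get("Destination"))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain saml:Assertion (encrypted assertions are not handled here)")
        return problems
    if assertion.findtext("saml:Issuer", "", NS) != settings["idp_issuer"]:
        problems.append("Issuer is not the tenant from the Login URL")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS)
    if audience != settings["entity_id"]:
        problems.append("Audience %r is not the Identifier (Entity ID)" % audience)
    cond = assertion.find("saml:Conditions", NS)
    try:
        valid = _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        valid = False
    if not valid:
        problems.append("assertion is outside its NotBefore/NotOnOrAfter window")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is not signed")
    elif _pem_body(sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)) != _pem_body(idp_cert_pem):
        problems.append("signing certificate differs from the uploaded IDP Certificate")
    return problems


# --- constructed sample data: example values from this page, fake certificate and response ---
SETTINGS = ninox_sp_settings(
    "anastasiya.ninoxdb.de",
    "http://adapplicationregistry.onmicrosoft.com/ninoxsaml/primary",
    "https://login.microsoftonline.com/e27eada0-11f1-4109-b4a5-1e22a03c95b8/saml2",
)
CERT_BODY = "MIIBconstructedCertificateBodyForTheExampleOnly"  # not a real certificate
IDP_CERT_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % CERT_BODY
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T10:00:00Z" Destination="https://anastasiya.ninoxdb.de/ums/saml/consume">
  <saml:Issuer>https://sts.windows.net/e27eada0-11f1-4109-b4a5-1e22a03c95b8/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/e27eada0-11f1-4109-b4a5-1e22a03c95b8/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/>
      <ds:SignatureValue>c29tZQ==</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>@CERT@</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>http://adapplicationregistry.onmicrosoft.com/ninoxsaml/primary</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""".replace("@CERT@", CERT_BODY)


def demo():
    """Run the checks on the consistent sample, on a copy whose Audience still carries the
    default customappsso identifier, and on the sample evaluated after it has expired."""
    good = base64.b64encode(RESPONSE_XML.encode()).decode()
    wrong = base64.b64encode(RESPONSE_XML.replace("ninoxsaml", "customappsso").encode()).decode()
    return {
        "good": check_saml_response(good, SETTINGS, IDP_CERT_PEM, NOW),
        "wrong_audience": check_saml_response(wrong, SETTINGS, IDP_CERT_PEM, NOW),
        "expired": check_saml_response(good, SETTINGS, IDP_CERT_PEM, NOW.replace(hour=12)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "OK")
```

For a real capture, replace RESPONSE_XML with the base64 SAMLResponse value passed directly to check_saml_response, use the downloaded Certificate (Base64) file as idp_cert_pem and datetime.now(timezone.utc) as now. The checks mirror the fields you filled in: Destination against the Reply URL, Audience against the Identifier (Entity ID), the certificate against the IDP Certificate, and the Issuer against the tenant in the Login URL.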