Configure Azure AD SSO using SAML 2.0

Document created by Brock Halladay (Employee) on Jan 28, 2019. Last modified by Brock Halladay (Employee) on Feb 26, 2019. Version 3.


Requirements

  • Azure AD
  • App Federation Metadata URL under the SAML Signing Certificate settings in Azure AD
  • Account Admin permissions in Bridge


Process

  1. Client adds Bridge as an Enterprise Application in Azure and sends the App Federation Metadata URL to the IC (implementation consultant)
  2. IC or Client enables SAML 2.0 in the Bridge instance
  3. Copy the appropriate fields from Bridge to Azure and test authentication
  4. Troubleshoot any issues


Client adds Bridge as an Enterprise Application in Azure

  1. Navigate to the Azure Portal
  2. Select Azure Active Directory -> Enterprise applications -> +New application

  3. Search for Bridge and click the application with the Bridge logo (usually the first in the list)
  4. You should be redirected to the Bridge app within Azure (if not go to Azure Active Directory -> Enterprise applications -> All applications -> Bridge)
  5. Go to Single sign-on

  6. Copy the App Federation Metadata Url (listed under SAML Signing Certificate) and send it to your implementation consultant.

IC or Client enables SAML 2.0 in the Bridge instance

  1. In Bridge, navigate to the account authentication settings (https://<domain>.bridgeapp.com/admin/config/auth)
  2. Scroll to the SAML 2.0 section and click Enable

  3. Azure AD does not use Name Qualifiers on Entity IDs by default, so you will most likely want to uncheck the Use Name Qualifiers on Entity IDs box
  4. Click Save (this populates the remaining fields you will need to add to Azure)

Copy the appropriate fields to Azure and Test Authentication

  1. Reload the authentication page in Bridge and scroll to the bottom
  2. Send the ACS URL and Audience URI values to the client so they can enter them in the Basic SAML Configuration section in Azure


  3. Once that has been saved, configure the Unique User Identifier in Azure so that it matches the UID Bridge uses for the account (the example below is for email)
  4. Skip the SAML Signing Certificate and Set up Bridge sections; that data was already populated when the Azure federation metadata was added to Bridge
  5. Add the test user (and any other users) to the Users and Groups tab.
    • Go to Users and Groups
    • Click Add User
    • Select Users and Groups None Selected
    • Search for the test user (and any other user or group that needs access to Bridge through Azure) then click Select and finally Assign

  6. Test Single Sign On and verify they were able to log into Bridge.

Troubleshooting Issues

  1. "The user I logged in with doesn't have the same permissions and/or my username is weird"
    • Verify Unique User Identifier in Azure matches the UID in Bridge
    • Check to see if JIT provisioning is turned on
    • Check to see if there are duplicate users (this would be a symptom that JIT is turned on for the account or sub-account)
  2. Entity ID error: if you see this Microsoft error, check that the Entity ID in Azure matches the Audience URI shown in Bridge (this value can change when the SAML 2.0 configuration settings in Bridge are modified):
  3. Bridge settings error (Name Qualifiers)
    • If you see this Microsoft error, ensure the Use Name Qualifiers on Entity IDs setting in Bridge is unchecked:
  4. User not assigned to Bridge in Azure AD:
    • If you see this Microsoft error, make sure the user has been assigned Bridge in Azure:
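The three settings this article keeps coming back to (ACS URL and Audience URI copied from Bridge, the Unique User Identifier in Azure, and the Name Qualifiers checkbox) can all be checked against an actual SAML response captured from a failing login. The script below is an added example for this article, not Bridge or Microsoft code; the hostname, paths, tenant ID and user address in the sample response are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample shaped like an Azure AD response (signature omitted; all
# URLs, the tenant ID and the user address are placeholders, not real Bridge values).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="https://example.bridgeapp.com/saml/consume">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://example.bridgeapp.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, acs_url, audience_uri, use_name_qualifiers=False):
    """Return findings keyed to the troubleshooting items above (empty list = consistent).

    acs_url / audience_uri are the values Bridge shows after enabling SAML 2.0;
    use_name_qualifiers mirrors the 'Use Name Qualifiers on Entity IDs' checkbox.
    """
    root = ET.fromstring(xml_text)
    findings = []
    # Azure AD sets Destination to the Reply URL it was given, i.e. the Bridge ACS URL.
    if root.get("Destination") != acs_url:
        findings.append("destination != ACS URL")
    # Entity ID error: the Audience must equal the Audience URI copied from Bridge.
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if audience_uri not in audiences:
        findings.append("audience != Audience URI")
    # 'Weird username' symptom: the Unique User Identifier must be the email UID.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.get("Format", "").endswith(":emailAddress"):
        findings.append("NameID is not an email address")
    # Name Qualifiers: Bridge expects them only if that box is checked; Azure sends none.
    elif use_name_qualifiers and not (name_id.get("NameQualifier") or name_id.get("SPNameQualifier")):
        findings.append("Name Qualifiers enabled but none sent")
    return findings
```

Run it against a response decoded from the browser's SAML trace rather than the constructed sample; a non-empty list points at which of the three settings to correct.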
