Requirements
- Azure AD
- App Federation Metadata URL under the SAML Signing Certificate settings in Azure AD
- Account Admin permissions in Bridge
Process
- Client adds Bridge as an Enterprise Application in Azure and sends metadata URL to the IC
- Client enables SAML 2.0 in the instance
- Copy the appropriate fields to Azure and Test Authentication
- Troubleshooting issues
Client adds Bridge as an Enterprise Application in Azure
1 - Navigate to the Azure Portal
2 - Select Azure Active Directory -> Enterprise applications -> +New application
3 - Search for Bridge and click the application with the Bridge logo (usually the first in the list)
4 - You should be redirected to the Bridge app within Azure (if not, go to Azure Active Directory -> Enterprise applications -> All applications -> Bridge)
5 - Go to Single sign-on
6 - Copy the App Federation Metadata URL and save it for the next section.
Client enables SAML 2.0 in the Bridge instance
1 - In Bridge, navigate to the account authentication settings (https://<domain>.bridgeapp.com/admin/config/auth)
2 - Scroll to the SAML 2.0 section and click Enable
3 - Azure AD does not use Name Qualifiers on Entity IDs by default, so uncheck the Use Name Qualifiers on Entity IDs box
4 - Click Save (this will populate the other fields you'll need to add to Azure)
Copy the appropriate fields to Azure and Test Authentication
1 - Reload the authentication page in Bridge and scroll to the bottom
2 - Send the ACS URL and the Audience URI fields to the client to have them add them to the Basic SAML Configuration in Azure
3 - Once that has been saved, be sure to configure the Unique User Identifier in Azure to match the UID for Bridge (the example below is for email)
4 - Skip the SAML Signing Certificate and Set up Bridge sections; Bridge already has that data from the Azure federation metadata URL added earlier
5 - Add the test user (and any other users) to the Users and Groups tab.
- Go to Users and Groups
- Click Add User
- Click Users and Groups (None Selected)
- Search for the test user (and any other user or group that needs access to Bridge through Azure) then click Select and finally Assign
6 - Test single sign-on and verify the test user is able to log into Bridge.
Troubleshooting Issues
1 - "The user I logged in with doesn't have the same permissions, and/or my username is weird"
- Verify Unique User Identifier in Azure matches the UID in Bridge
- Check to see if JIT provisioning is turned on
- Check to see if there are duplicate users (this would be a symptom that JIT is turned on for the account or sub-account)
2 - Entity ID error: if you see this Microsoft error, check that the Entity ID matches (this can change when modifying SAML 2.0 configuration settings in Bridge):
3 - Bridge settings error (Name Qualifiers)
- If you see this Microsoft error, ensure the Use Name Qualifiers on Entity IDs setting in Bridge is unchecked:
4 - User not assigned to Bridge in Azure AD:
- If you see this Microsoft error, make sure the user has been assigned Bridge in Azure:
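The checks in the troubleshooting list (Entity ID match, the Name Qualifiers setting, and the Unique User Identifier matching the Bridge UID) can be run against the raw SAML data rather than read off screenshots. The script below is an added example, not code from Bridge or Microsoft: it parses a constructed federation-metadata document shaped like the one served at the App Federation Metadata URL, pulls out the values Bridge consumes from it, and then checks a constructed SAML Response from Azure against the Audience URI shown in Bridge. The tenant ID, hostnames, user, and certificate bytes are all placeholders.

```python
"""Added example: sanity-check an Azure AD -> Bridge SAML 2.0 setup offline."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
TENANT = "00000000-0000-0000-0000-000000000000"       # placeholder tenant ID
IDP_ENTITY_ID = f"https://sts.windows.net/{TENANT}/"  # Azure issuer shape, placeholder tenant
SP_AUDIENCE = "https://example.bridgeapp.com/saml"    # placeholder Audience URI from Bridge
PLACEHOLDER_CERT_B64 = base64.b64encode(b"not-a-real-certificate").decode()

# Constructed metadata in the shape Azure AD serves at the App Federation Metadata URL.
METADATA_XML = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="{IDP_ENTITY_ID}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed SAML Response with an email NameID (the Bridge UID used in this guide).
RESPONSE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Variants reproducing troubleshooting symptoms: Name Qualifiers plus a stale
# Audience URI, and an object-ID-style NameID instead of the email UID.
RESPONSE_WITH_QUALIFIERS_XML = RESPONSE_XML.replace(
    "<saml:NameID ", f'<saml:NameID NameQualifier="{IDP_ENTITY_ID}" SPNameQualifier="{SP_AUDIENCE}" '
).replace(f"<saml:Audience>{SP_AUDIENCE}<", f"<saml:Audience>{SP_AUDIENCE}-stale<")
RESPONSE_OBJECT_ID_UID_XML = RESPONSE_XML.replace(
    "jane.doe@example.com", "11111111-1111-1111-1111-111111111111")


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of a base64 DER certificate."""
    digest = hashlib.sha256(base64.b64decode(cert_b64.strip())).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the IdP values Bridge takes from the federation metadata."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    certs = root.findall(
        "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location") if sso is not None else None,
        "sso_binding": sso.get("Binding") if sso is not None else None,
        "signing_cert_sha256": [cert_fingerprint(c.text) for c in certs],
    }


def check_response(response_xml: str, idp_entity_id: str, sp_audience: str,
                   uid_is_email: bool = True) -> list:
    """Return findings for a SAML Response; an empty list means it matches the setup."""
    root = ET.fromstring(response_xml)
    findings = []
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != idp_entity_id:
        findings.append(f"Issuer {issuer!r} != IdP Entity ID from metadata {idp_entity_id!r}")
    audience = (root.findtext(".//saml:Audience", namespaces=NS) or "").strip()
    if audience != sp_audience:
        findings.append(f"Audience {audience!r} != Audience URI shown in Bridge {sp_audience!r}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("Assertion has no NameID, so Bridge cannot map the user")
        return findings
    for attr in ("NameQualifier", "SPNameQualifier"):
        if name_id.get(attr):  # Azure AD does not use Name Qualifiers by default
            findings.append(f"NameID carries {attr}; check the Use Name Qualifiers setting in Bridge")
    uid = (name_id.text or "").strip()
    if uid_is_email and "@" not in uid:
        findings.append(f"NameID {uid!r} is not an email; Unique User Identifier does not match the Bridge UID")
    return findings


if __name__ == "__main__":
    meta = parse_idp_metadata(METADATA_XML)
    print("IdP Entity ID:", meta["entity_id"])
    print("SSO URL:", meta["sso_url"])
    print("Signing cert SHA-256:", meta["signing_cert_sha256"])
    for label, xml_text in [("good", RESPONSE_XML), ("qualifiers+stale audience", RESPONSE_WITH_QUALIFIERS_XML),
                            ("object-id uid", RESPONSE_OBJECT_ID_UID_XML)]:
        print(label, "->", check_response(xml_text, meta["entity_id"], SP_AUDIENCE) or "OK")
```

To use it on a real tenant, fetch the App Federation Metadata URL and pass its body to parse_idp_metadata, and pass a base64-decoded SAMLResponse captured from the browser's SAML tracer to check_response with the Audience URI Bridge displays. A non-empty findings list maps directly onto items 1 to 3 of the troubleshooting list; item 4 (user not assigned) produces an error page in Azure before any Response is issued, so there is nothing to parse for it.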