SSO setup using Microsoft Entra ID
This how-to-guide describe how to set up SSO with Microsoft Entra ID with Conveyor. The first part covers the basic SSO setup and the second part explains how to add Groups to the SSO setup. Adding SSO groups is optional and this is primarily useful for larger organizations, that have groups in Microsoft Entra ID.
SSO setup
On a high level, the SSO setup consists of the following steps:
- You create a new Enterprise Application in Azure AD In order to connect to Conveyor, you will need to have the following information: the entity id and the reply url. You can ask for the values of these parameters to the Conveyor support team.
- You configure the necessary user attributes. The only required claim is the email address as this is the user identifier in Conveyor. If you want to use SSO groups, you will also need to configure the groups claim, for more information look at mapping SSO groups.
- After configuring these settings, you will be able to download the SAML metadata XML. Send this information to the Conveyor support team, such that they can configure it in a next step.
- (optional) If you already have users working with Conveyor and you have a test-domain to configure SSO, this is a recommended practice. This way the current users are not impacted, and we can still fine-tune the settings.
- When everything is working correctly, we can switch to the production domain such that all users are using SSO.
Integrating SSO Group mapping with Microsoft Entra ID
Prerequisites
This feature requires that SSO login has been set up for your Conveyor installation. If this is not set up, please contact Conveyor support.
Conveyor the Group claim
Once SSO has been set up we will need to configure our Microsoft Entra ID Enterprise Application to send the Groups claim. To do this navigate the Azure UI to go to your Microsoft Entra ID Enterprise Application.
In the Manage menu select Single sign-on
, and press the edit button on Attributes & Claims
(the second block in this UI).
In this menu we want to press the Add a group claim
button.
Configure the Groups mapping as follows:
We chose to:
- (Optionally) Configure
Groups assigned to the application
, meaning only groups assigned to the application will be added to the Groups claim - (Optionally) Use
Cloud-only group display names
, this means the name of the group in Microsoft Entra ID will be added. Making for clearly names Groups in Conveyor - (Required) To
Customize the name of the group claim
into the nameGroups
, this is the expected claim name in Conveyor. Nothing else will be accepted.
After this is configured the Groups claim will now be synced.
Testing the sync
The syncing happens every time a user logs in, so to test it we need to log out and log in.
In the settings/users tab in Conveyor there is a column called SSO GROUPS
, this should now contain the correct Groups for your user.