Setting up automatic sign-in for Azure AD
You can integrate eformity.net with Microsoft Azure Active Directory (Azure AD) to automatically sign in users. Additionally, roles in Azure AD can be managed, and data such as name, position, and phone number can be utilized from Azure AD.
Step 1: Add 'Enterprise Application'
To establish the connection, you need to create an Enterprise application in Azure AD. Within the Azure Active Directory environment, create a new 'Enterprise application' and select 'Non-gallery application':

Step 2: Configure users
After the application is created, select 'Users and groups' on the left. Specify the users and groups that should have access.
Step 3: Enable Single Sign-On
Once users are assigned, click 'Single sign-on' on the left and then choose 'SAML'. This screen is divided into different sections:
Basic SAML Configuration
In both the 'Identifier' and 'Reply URL' fields, enter the same URL in the format: https://[subscription-code].eformity.net/saml/signin. For example, if your subscription code is blueorange, you would enter: https://blueorange.eformity.net/saml/signin.

User Attributes & Claims
You now need to add a new claim in 'User Attributes & Claims'. Some claims are already listed by default. To add a new claim, click on 'Add new claim'.

When adding a new claim, fill in the following details:
| Name | Namespace | Attribute |
|---|---|---|
| CommonName | http://schemas.xmlsoap.org/claims | user.displayname |
After creating a new claim, you can also add a new group. Use 'Add a group claim' to add a new group. The image below shows the values to use when creating the new group:

You have now completed the basic configuration for automatic sign-in via Azure AD. When you have successfully created a new group, you will see the following appear:

Step 4: Complete configuration with eformity
Before the integration can be activated, we need some additional information from your Azure AD environment. Please provide the following to your contact person at eformity:
TenantId: The tenantId of the Azure AD environment
SAML Signing Certificate: Download the certificate as Base64
Step 4.1: Log into your eformity.net
Go to https://[subscription-code].eformity.net and log in with your personal credentials. Once logged in, click the hamburger menu icon.

A side panel will open on the left side of the screen. Click on System Management.

Step 4.2: Navigate to the SAML option
After clicking the System Management tile, a new page will load. Once the page has loaded, click on Identity Providers in the menu and choose SAML.

A side panel will now open on the right-hand side of the page. To configure the SSO connection, click the blue Edit button.
Step 4.3: Configure the SAML integration
After clicking Edit, you can fill in the required configuration fields. Refer to the image below and use the table for explanation:

| Field name | Description |
|---|---|
| Active | Indicates whether SSO is enabled. |
| Domain | The SAML sign-in URL of your eformity environment. Example: https://blueorange.eformity.net/saml/signin/ |
| URL | The Login URL from the Azure AD SAML configuration |
| Thumbprint | The certificate thumbprint (SHA-1 hash) from Azure AD. When using a certificate, this is not necessary. |
| Certificate | The full Base64-encoded certificate content. You have to remove the following lines: -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- |
| Update profile | When enabled, eformity will synchronize user profile information from Azure AD. |
| Update record permissions | Enables updating of user permissions in eformity based on Azure AD groups or roles. |
| Report to | Leave empty |
| Issuer | Leave empty |
| Logout URL | Leave empty |
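The following added example (not eformity or Microsoft code) prepares the values for the Certificate and Thumbprint fields from the Base64 download: it strips the BEGIN/END lines, joins the body into one string, and computes the SHA-1 thumbprint so you can compare it with the thumbprint Azure AD shows for the signing certificate. The function name and the sample data are assumptions; the sample is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certificate_field_values(pem_text):
    """Return (certificate_body, sha1_thumbprint) for a Base64 (PEM) download."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    # Drop line breaks and stray whitespace so the body is one Base64 string.
    body = "".join(blocks[0].split())
    der = base64.b64decode(body, validate=True)  # raises on non-Base64 characters
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data is not a DER SEQUENCE; wrong file?")
    # The thumbprint is the SHA-1 digest of the DER bytes, not of the PEM text.
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    return body, thumbprint


# Constructed stand-in: a DER-style header plus filler bytes, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x00\x3c" + bytes(range(60))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    body, thumbprint = certificate_field_values(SAMPLE_PEM)
    print("Certificate field:", body)
    print("Thumbprint field: ", thumbprint)
```

A thumbprint that differs from the one shown in Azure AD means the file is not the certificate currently used to sign the SAML responses.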
Step 4.4: Setting up mappings
To synchronize profile data from Azure AD to eformity, attribute mappings must be set up. Below are some examples of common mappings:
| Name | Value |
|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | |
| DisplayName | http://schemas.xmlsoap.org/claims/CommonName |
| FirstName | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
| LastName | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
| FullName | http://schemas.microsoft.com/identity/claims/displayname |
| JobTitle | http://schemas.xmlsoap.org/claims/Jobtitle |
| MobileNumber | http://schemas.xmlsoap.org/claims/Telephone |
If you want to sync additional fields like department, job title, or phone number, make sure these attributes are also available as claims in Azure AD.
Sometimes you want to control how and when values are mapped. eformity supports mapping identifiers that can be used as prefixes to the claim values. The table below shows the different identifiers:
| Identifier | Description |
|---|---|
| + | Map this field only when a new record is being created in eformity. |
| ? | Map only if the field is currently empty in eformity. |
| ! | Always map, even if the incoming value is empty. |
These identifiers can be prefixed to the field values in the mapping table to control behavior.
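As an added example (not eformity code), the script below checks a mapping table against the attributes of a SAML assertion and reports the eformity fields whose claim is not being sent, stripping the `+`, `?` and `!` identifiers before comparing. The function names, the choice of prefixes in `MAPPINGS` and the sample assertion are assumptions made for illustration; the assertion is constructed, not captured from a tenant.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PREFIXES = {"+": "on create only", "?": "only if empty", "!": "always, even if empty"}


def parse_mapping_value(value):
    """Split a mapping value into (identifier or None, claim URI)."""
    value = value.strip()
    if value[:1] in PREFIXES:
        return value[0], value[1:].strip()
    return None, value


def missing_claims(mappings, assertion_xml):
    """Return eformity field names whose claim is absent from the assertion."""
    root = ET.fromstring(assertion_xml)
    present = {a.get("Name") for a in root.iterfind(".//saml:Attribute", SAML_NS)}
    return [field for field, value in mappings.items()
            if parse_mapping_value(value)[1] not in present]


# Claim URIs taken from the mapping table; the prefixes are chosen for illustration.
MAPPINGS = {
    "DisplayName": "+http://schemas.xmlsoap.org/claims/CommonName",
    "FirstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "JobTitle": "?http://schemas.xmlsoap.org/claims/Jobtitle",
    "MobileNumber": "!http://schemas.xmlsoap.org/claims/Telephone",
}

# Constructed AttributeStatement (not captured from a real tenant).
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
      <saml:AttributeValue>Sam Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Sam</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

if __name__ == "__main__":
    for field in missing_claims(MAPPINGS, SAMPLE_ASSERTION):
        print("No claim in assertion for:", field)
```

Use it only on an assertion you captured yourself from a test sign-in, since the standard-library XML parser is not meant for untrusted input.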