Validaide supports Single Sign-On (SSO) with Microsoft Azure Active Directory (Azure AD). Setting up SSO with Azure AD in Validaide is 'self-service', meaning that an Administrator can configure SSO using Azure AD themselves in the 'Administration' section of Validaide.
Please note the following:
- In order to set up SSO using Azure AD, you will need to add Validaide as an application to your Azure AD. If you do not have access to Azure yourself, you will need to reach out to your IT department and ask them for support. You can provide the URL of this article to them for assistance, as it contains the Domain and Redirect URI that they will require.
- Once you enable SSO, all users of your company can no longer log in using their original Validaide credentials. If somehow the SSO setup is incorrect, your users will not be able to log in to Validaide and you yourself might lose access as well. If this happens, you can reach out to support@validaide.com so we can help troubleshoot the problem or disable SSO for you.
Technical Implementation
Validaide uses a 3rd party service called Auth0 for authenticating users in Validaide and the SSO implementation of Validaide is built around Auth0's concept of 'Enterprise Connections'. More information about Auth0 Azure AD Enterprise Connections can be found here.
Process
The process to configure SSO using Azure AD consists of the following steps:
- Azure AD: Create an Enterprise Application for Validaide
- Azure AD: Create a Client Secret
- Azure AD: Configure the Redirect URI
- Azure AD: Add permissions
- Azure AD: Assign Users and/or Groups
- Validaide: Enable SSO with Azure AD
- Validaide: Test SSO
In order for the SSO integration to be established, at the end of these steps the following information is required:
- Domain (the domain of your company, e.g. 'acme.com')
- Client (or Application) ID (the unique identifier of Validaide in Azure AD, e.g. '4acf2315-8a94-4c43-816e-cb8892e2656e')
- Client Secret (a secure string, e.g. '3zA8Q~3aqlKh55lPQqFDdijnFWRNk')
- (optional) Identity Provider Domains (a comma-separated list of domains, e.g. 'acme2.com,new-acme.com')
As input, you will need to use the following information from the Validaide application:
- Domain: validaide.eu.auth0.com
- Redirect URI: https://validaide.eu.auth0.com/login/callback
Step 1: Azure AD: Create an Enterprise Application for Validaide
- Log in to Azure, typically this is achieved by navigating to https://aad.portal.azure.com
- Navigate to the menu 'Enterprise Applications', you should see the overview of all applications
- Press the button 'New application', you are redirected to the 'Browse Azure AD Gallery'
- Press the button 'Create your own application', a popup appears to the right
- In the 'Create your own application' popup, input the name 'Validaide' and select the option 'Integrate any other application you don't find in the gallery'
- Press 'Create', you will be redirected to the Application Overview page
- On this page, make a note of the Application ID (a.k.a. Client ID) as this is used as part of the SSO configuration in Validaide
Step 2: Azure AD: Create a Client Secret
- Click on the 'Azure Active Directory' menu to the left
- Click on the menu 'App registrations', select the tab 'All applications'
- Click on the 'Validaide' application, you are redirected to the App Registration Overview page
- Click on the menu 'Certificates & secrets'
- Press the button 'New client secret', a popup appears to the right called 'Add a client secret'
- Fill in the description 'Validaide Secret' and define the expiration value
- Press the 'add' button, the secret will be added to the original overview
- On this page, make a note of the Secret Value, as this will be visible only once!
Step 3: Azure AD: Configure the Redirect URI
- Click on the 'Authentication' menu to the left
- Press the 'Add a platform' button, a popup appears to the right called 'Configure platforms'
- Click on 'Web', then provide the Redirect URI of Validaide: https://validaide.eu.auth0.com/login/callback
- Press 'Configure', the Web platform will be visible accordingly
Step 4: Azure AD: Add Permissions
- Click on the menu 'API permissions'
- Press the 'Add a permission' button, a popup appears to the right called 'Request API permissions'
- Click 'Microsoft Graph' > 'Delegated permissions' and enable the following:
  - OpenId:email
  - OpenId:openid
  - OpenId:profile
- Press the 'Add permissions' button, the popup will close and permissions will be listed
Step 5: Azure AD: Assign Users and/or Groups
- Click on the menu 'Enterprise Applications'
- Click on the menu 'Users and groups'
- Add the Users and/or Groups for the Validaide application
Please make sure that the Email field is not empty.
You can do this under Users (or by clicking on a user name) -> Edit Properties.
Step 6: Enable SSO with Azure AD in Validaide
- Log in to Validaide on https://app.validaide.com/login
- Navigate to the Administration menu using the cog wheel icon in the top menu
- Click on the 'Single Sign-on (SSO)' menu under 'Tenant Configuration'
NOTE: SSO is an enterprise feature. If the menu is not visible, the SSO module is not enabled for your company; please contact support@validaide.com for pricing information.
- Press the 'Microsoft Azure AD' button, a dialog will open called 'Configure Microsoft Azure AD'
- Fill in the fields as follows:
  - Domain: The primary domain of the Azure AD of your organization, e.g. 'acme.com'
  - Client ID: The Client (or Application) ID you noted before
  - Secret: The Secret Value that you noted before
  - Additional Domains (optional): Here you can fill in any additional domains of your organization
- Press the 'Save' button, the SSO setup will be configured
NOTE: It is best to not log out of Validaide until you have confirmed SSO is working!
Step 7: Test SSO
A good way to test SSO is to do this using a different browser or a private browser tab. The user enabling SSO should remain logged in so they can disable the SSO if for some reason it is not working. Alternatively, you can go through the process together with a colleague or someone from your IT department.
- Once SSO is enabled, open a different browser, or if you do not have a different browser, open a 'private browsing' tab, so you do not interrupt your current session and you remain logged in.
- Navigate to the login page of Validaide at https://app.validaide.com/login
- Type in your E-mail address: if SSO is configured correctly, Validaide will detect your company's domain and the login screen will change dynamically by removing the password field and telling you 'Single Sign-on is Enabled'.
- Press the 'Log In' button: you should now be redirected to the login of your company, and once you have identified yourself, gain access to Validaide.
NOTE: Users added to Azure AD are not automatically created in Validaide. The SSO connection will only become active once the user logs in to Validaide for the first time.
Troubleshooting
It may happen that SSO is not working after you have configured it. If this is the case, the first step is to work with your IT department to determine if the setup was performed correctly and there are no errors in the Azure AD audit trail. For example, not setting the Redirect URI or not providing the right permissions will result in the SSO not working correctly.
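The checks above can be run against a JSON export of the app registration before SSO is enabled. This is an added example, not Validaide's or Auth0's code: it assumes the export is the Microsoft Graph `application` object (for instance the output of `az ad app show`), and the function name `preflight` and the sample data are constructed for illustration.

```python
import json
from datetime import datetime, timezone

REDIRECT_URI = "https://validaide.eu.auth0.com/login/callback"  # from this article
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
# Well-known Microsoft Graph ids of the three delegated OpenId permissions (Step 4)
REQUIRED_SCOPES = {
    "openid": "37f7f235-527c-4136-accd-4a02d197296e",
    "email": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0",
    "profile": "14dad69e-099b-42c9-810b-d002981feec1",
}

def preflight(app, now):
    """Return the problems found in a Graph 'application' object (hypothetical helper)."""
    problems = []
    uris = app.get("web", {}).get("redirectUris", [])
    if REDIRECT_URI not in uris:  # exact match: a trailing slash is a different URI
        problems.append("redirect URI missing: " + REDIRECT_URI)
    granted = {
        access["id"]
        for resource in app.get("requiredResourceAccess", [])
        if resource.get("resourceAppId") == GRAPH_APP_ID
        for access in resource.get("resourceAccess", [])
        if access.get("type") == "Scope"  # "Scope" marks a delegated permission
    }
    for name, scope_id in REQUIRED_SCOPES.items():
        if scope_id not in granted:
            problems.append("delegated permission missing: " + name)
    expiries = [
        datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        for cred in app.get("passwordCredentials", [])
    ]
    if not any(end > now for end in expiries):
        problems.append("no unexpired client secret")
    return problems

# Constructed sample: trailing slash on the redirect URI, 'profile' not added,
# and the only client secret already expired.
SAMPLE = json.loads("""
{"appId": "00000000-0000-0000-0000-000000000000",
 "web": {"redirectUris": ["https://validaide.eu.auth0.com/login/callback/"]},
 "requiredResourceAccess": [{"resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [{"id": "37f7f235-527c-4136-accd-4a02d197296e", "type": "Scope"},
                      {"id": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0", "type": "Scope"}]}],
 "passwordCredentials": [{"displayName": "Validaide Secret", "endDateTime": "2023-01-01T00:00:00Z"}]}
""")

if __name__ == "__main__":
    for problem in preflight(SAMPLE, datetime.now(timezone.utc)):
        print(problem)
```

An empty result means the redirect URI, the three delegated permissions and a valid client secret are all in place; it does not check user assignment or the users' Email field from Step 5.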
If you cannot get the SSO to work after debugging, contact support@validaide.com and we will provide assistance.
You can also have a look at the Single Sign On (SSO) FAQ