Single Sign-On with SAML

About Single Sign-On

Single Sign-On (SSO) is an alternative to two-factor authentication, allowing users to access multiple web applications with a single set of credentials using SAML (Security Assertion Markup Language). With SSO, you can verify your account through Microsoft once per day, streamlining authentication and improving convenience.

This guide explains how to set up SSO with Azure AD for your PIM+ installation.


Prerequisites to Azure Setup

  1. Ensure PIM+ is installed and configured in IIS.
  2. Log in to portal.azure.com and confirm your Azure AD is set up in Active Directory.

Azure Setup

  1. In the Azure portal, go to Microsoft Entra ID.
  2. Select Enterprise Applications.
  3. Click New Application to open the Azure AD gallery.
  4. Search for "SAML tool" and select Azure AD SAML Toolkit.
  5. After creation, go to Users and Groups to assign SAML access.
  6. Click Add User/Group and select users to grant access.

    Note: "Global Administrators" are included by default.

  7. Click Assign to apply changes.
  8. Under Manage > Properties, set Assignment required to Yes to restrict access to assigned users.
  9. Go to Single Sign-On and choose SAML.
  10. Edit Basic SAML Configuration:
    • Identifier (Entity ID): Enter your PIM+ installation URL.
    • Reply URL: Add your PIM+ URL with /saml.asp appended.
    • Sign-on URL: Enter your PIM+ installation URL.
    • Click Save.
  11. In Attributes and Claims, click Add a Group Claim:
    • Choose All groups and set Source attribute to Group ID.
    • Click Save.
  12. Download the SAML certificate (Base64) from SAML Certificates.
  13. Note the Login URL and Azure AD Identifier for later use.

Setup Within PIM+

  1. Log in to PIM+ and go to Settings > Login and Security Settings.
  2. In the SAML section, check Allow SAML.
  3. Enter your PIM+ installation URL in Installation URL.
  4. Paste the Login URL and Azure AD Identifier (Issuer) from Azure.
  5. Upload the downloaded certificate.
  6. Click Upload Now and then Save Changes.
  7. Check "Allow accounts to be created if they have no membership to the SAML groups above" to allow new SSO users to sign in.
  8. After setup, users can sign in with SSO, and accounts are automatically created and mapped to SAML accounts. Assign users to security groups or roles as needed.
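As an added example (not PIM+ code and not Microsoft's), the Python below shows the checks a SAML service provider such as the /saml.asp endpoint has to apply to an Azure AD response once its XML signature has been verified with the certificate from step 12: that Destination and Recipient match the Reply URL, that the Audience matches the Identifier (Entity ID), that the Issuer matches the Azure AD Identifier entered in PIM+, that the assertion is inside its validity window, and how the group claim added in step 11 maps to the SAML groups and the "allow accounts to be created if they have no membership" option. The hostname, tenant ID, group IDs and timestamps in the sample response are constructed placeholders; the signature verification itself is left to the SP's SAML library and is not shown.

```python
"""Policy checks applied to an Azure AD SAML response after signature
verification.  Constructed example; not PIM+ code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Claim name under which Azure AD emits group object IDs (step 11 above).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
CLOCK_SKEW = timedelta(minutes=3)  # tolerance for IdP/SP clock drift

# Placeholder values; a real Azure AD Identifier has this shape with your tenant ID.
IDP_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
PIM_GROUP = "11111111-1111-1111-1111-111111111111"  # constructed group object ID
EXAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def sp_settings(installation_url):
    """Values entered in Basic SAML Configuration, derived from the PIM+ URL."""
    base = installation_url.rstrip("/")
    return {"entity_id": base, "reply_url": base + "/saml.asp", "sign_on_url": base}


def parse_saml_time(value):
    """SAML timestamps are UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_response(xml_text, settings, idp_issuer, allowed_groups,
                      allow_unmapped, now):
    """Return a dict with ok/reason/name_id/groups/mapped_groups.
    allowed_groups are the SAML group IDs granted access in PIM+;
    allow_unmapped mirrors the 'allow accounts to be created' option."""
    result = {"ok": False, "reason": None, "name_id": None,
              "groups": [], "mapped_groups": []}

    def fail(reason):
        result["reason"] = reason
        return result

    root = ET.fromstring(xml_text)
    if root.get("Destination") != settings["reply_url"]:
        return fail("destination does not match Reply URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return fail("no assertion in response")
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp_issuer:
        return fail("issuer does not match Azure AD Identifier")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != settings["entity_id"]:
        return fail("audience does not match Identifier (Entity ID)")
    conf = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != settings["reply_url"]:
        return fail("recipient does not match Reply URL")
    cond = assertion.find("saml:Conditions", NS)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now + CLOCK_SKEW < not_before or now - CLOCK_SKEW >= not_on_or_after:
        return fail("assertion outside its validity window")
    result["name_id"] = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUPS_CLAIM:
            groups += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    result["groups"] = groups
    result["mapped_groups"] = sorted(set(groups) & set(allowed_groups))
    if not result["mapped_groups"] and not allow_unmapped:
        return fail("user is in none of the SAML groups and account creation is disabled")
    result["ok"] = True
    return result


# Constructed, unsigned sample of the shape Azure AD posts to the Reply URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="https://pim.example.com/saml.asp">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://pim.example.com/saml.asp"
            NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://pim.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{GROUPS_CLAIM}">
        <saml:AttributeValue>{PIM_GROUP}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    settings = sp_settings("https://pim.example.com/")
    print(validate_response(SAMPLE_RESPONSE, settings, IDP_ISSUER, [PIM_GROUP], False, EXAMPLE_NOW))
```

The Entity ID and Reply URL are compared exactly, so a trailing slash or an http/https mismatch between what you typed in Azure and what PIM+ considers its Installation URL is enough to make every login fail at the audience or recipient check; keeping both derived from one base URL, as sp_settings does, avoids that.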

Tips and Considerations

  • To enforce SSO, enable the option to only accept SAML logins in PIM+ settings.
  • To restrict automatic account creation, leave the related option unchecked.

For more details, refer to PIM+ documentation on security roles, users, and groups.