Configuring SSO with Azure Active Directory (AD)
IMPORTANT: If you are planning on enabling SSO for your Nucleus account, let your Nucleus account rep know so they can send you the relevant information required for setup on the Azure AD side.
The steps below configure single sign-on with a paid Azure Active Directory subscription. This is the recommended way of setting up Azure AD for SSO with Nucleus.
This lets your users sign in to Nucleus automatically with their Nucleus accounts, and lets you control from your Active Directory who has access to Nucleus.
Nucleus has two options for setting up your Azure AD: based on groups or based on roles. Choose the option below that pertains to your organization:
Optional: Nucleus allows you to assign Nucleus roles based on a user's role or group in Azure AD, so you can manage user access from Azure. See the individual sections below for the setup instructions for these advanced features.
Note: If you wish to set up Azure AD SSO with Nucleus but manage Nucleus permissions within Nucleus itself, follow the Setting up Azure AD with Groups section of this article and skip step 16.
You'll need an Azure AD subscription to follow the steps below. Note that these screenshots pertain to the newest Azure Portal.
Option 1: Setting up Azure AD with Groups
Log into your Office Admin console and complete the following steps:
1. Click Azure Active Directory in the left-hand navigation menu of the console.
2. Click Enterprise Applications in the left-hand navbar OR click Find an enterprise app on the dashboard.
3. Click + New Application.
4. On the "Add an application" page, click Non-gallery application.
5. On the following page, enter in the following information, then click Add:
- Name: a name that distinguishes the application in your Azure tenant.
6. On the following page, click Single sign-on in the left-hand navigation menu.
7. Click on SAML.
8. On the following page, enter in the following information, then click Save:
- Identifier (Entity ID): the name Azure AD uses to route Nucleus login requests to the correct application.
- Reply URL: the URL given to you by your Nucleus support representative; it is specific to your Nucleus instance.
9. Once you have saved the Basic SAML Configuration, scroll down the page to Section 3, SAML SIGNING CERTIFICATE.
10. Do the following in this section (Section 3):
- Copy the Thumbprint: you will need to send this to your Nucleus support representative.
- Download the Certificate (Base64): you will need to send this to your Nucleus representative.
11. Once you have copied and downloaded the information from the previous step, scroll further down to the Set up <Application Name> section and copy the following:
- Copy the Login URL: You will need to send this to your Nucleus representative
- Copy the Azure AD Identifier: You will need to send this to your Nucleus support representative
12. Once you have all of the above, navigate to Users and Groups in the left-hand navbar.
13. Click + Add user.
14. Add as many users or groups to the application as you would like. Note that all of these users will be able to log into Nucleus.
15. Once you have added your users to the application, collect all of the information you need to send to your Nucleus representative so they can complete the SSO setup for you. You will need the following, all of which can be found in the Single sign-on tab in the left-hand navbar:
- Identifier (Entity ID): Needs to be copied
- Thumbprint: Needs to be copied
- Certificate (Base64): Needs to be downloaded
- Login URL: Needs to be copied
- Azure AD Identifier: Needs to be copied
16. (Optional for Azure Groups) If you would like to use Azure AD groups to assign and manage Nucleus roles, use the following instructions:
- Navigate to All Services, then App registrations.
- Select the application you just created, then click the Manifest button.
- In the resulting Edit manifest page, modify the "groupMembershipClaims" field to read: "All". Then click Save.
17. Once you send this information to your Nucleus representative, you are all done! Your SSO setup should be completed within 24 hours by a Nucleus support rep, who will confirm by email that SSO is complete and you are all set.
Option 2: Setting up Azure AD for Roles
Log into your Office Admin console and complete the following steps:
1. Click Azure Active Directory in the left-hand navigation menu of the console.
2. Click Enterprise Applications in the left-hand navbar OR click Find an enterprise app on the dashboard.
3. Click + New Application.
4. On the "Add an application" page, click Non-gallery application.
5. On the following page, enter in the following information, then click Add:
- Name: a name that distinguishes the application in your Azure tenant.
6. On the following page, click Single sign-on in the left-hand navigation menu.
7. Click on SAML.
8. On the following page, enter in the following information, then click Save:
- Identifier (Entity ID): the name Azure AD uses to route Nucleus login requests to the correct application.
- Reply URL: the URL given to you by your Nucleus support representative; it is specific to your Nucleus instance.
9. If you would like to use Azure AD roles to assign Nucleus roles, use the following instructions:
- Navigate to All Services, then App registrations.
- Select the application you just created, then click the Manifest button.
- In the resulting Edit manifest page, modify the "groupMembershipClaims" field to read: "All". Then click Save.
- Create your roles in the manifest for the enterprise app you just created, using the following resource (section 6h): https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management
- Once you have completed section h, click Save on the manifest.
- Close the Microsoft Help Center article.
Note: an example manifest is shown here (Admin is the role which we created):
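The following is an added example (not Nucleus's or Microsoft's code) that reproduces the two manifest edits described above in both options: setting "groupMembershipClaims" to "All" (Option 1 step 16, Option 2 step 9) and adding an app role named Admin, as in the example manifest referenced here. The input manifest is a constructed, trimmed stand-in for the JSON the portal's Manifest editor shows; the field names follow the Azure AD app manifest schema, and the appId is a placeholder.

```python
"""Edit an Azure AD app manifest for the Nucleus SSO setup (added example)."""
import json
import uuid

# Constructed sample: a minimal manifest as the Manifest editor might show it.
# The appId is a placeholder, not a real application id.
SAMPLE_MANIFEST = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000000",
    "displayName": "Nucleus SSO",
    "appRoles": [],
    "groupMembershipClaims": None,
})


def add_app_role(manifest: dict, display_name: str, value: str, description: str) -> dict:
    """Append an appRole entry unless a role with the same value already exists.

    Each appRole "id" must be a unique GUID, so uuid4() supplies one.
    The "value" is the string Azure AD places in the role claim of the
    SAML response once a user is assigned that role.
    """
    roles = manifest.setdefault("appRoles", [])
    for role in roles:
        if role.get("value") == value:
            return manifest  # idempotent: never create a duplicate role
    roles.append({
        "allowedMemberTypes": ["User"],
        "description": description,
        "displayName": display_name,
        "id": str(uuid.uuid4()),
        "isEnabled": True,
        "value": value,
    })
    return manifest


def validate_manifest(manifest: dict) -> None:
    """Reject what the portal would reject on Save: duplicate ids or values,
    or an id that is not a GUID."""
    roles = manifest.get("appRoles", [])
    ids = [r["id"] for r in roles]
    values = [r["value"] for r in roles]
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate appRole id")
    if len(set(values)) != len(values):
        raise ValueError("duplicate appRole value")
    for r in roles:
        uuid.UUID(r["id"])  # raises ValueError if the id is not a GUID


def configure_manifest(manifest_json: str,
                       roles=(("Admin", "Admin", "Nucleus administrator"),)) -> str:
    """Return the manifest JSON with group claims enabled and the roles added."""
    manifest = json.loads(manifest_json)
    manifest["groupMembershipClaims"] = "All"  # emit group claims in the token
    for display_name, value, description in roles:
        add_app_role(manifest, display_name, value, description)
    validate_manifest(manifest)
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    print(configure_manifest(SAMPLE_MANIFEST))
```

Running the script prints the edited manifest; the appRoles entry it produces is the shape to paste into the Edit manifest page, and the validation mirrors the uniqueness rules the portal enforces when you click Save.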
10. Once you have successfully created the roles for the enterprise application, navigate to Enterprise Applications > the Nucleus application you just created > Single sign-on, then scroll down the page to Section 2, User Attributes & Claims.
11. Click on the edit (pencil) icon in Section 2, User Attributes & Claims.
12. Click Add new claim, then enter the following information, and click Save:
- Name: role
- Source attribute: user.assignedroles
13. Once you have saved the claim, scroll down the page to Section 3, SAML SIGNING CERTIFICATE.
14. Do the following in this section:
- Copy the Thumbprint: you will need to send this to your Nucleus support representative.
- Download the Certificate (Base64): you will need to send this to your Nucleus representative.
15. Once you have copied and downloaded the information from the previous step, scroll further down to the Set up <Application Name> section and copy the following:
- Copy the Login URL: You will need to send this to your Nucleus representative
- Copy the Azure AD Identifier: You will need to send this to your Nucleus support representative
16. Once you have all of the above, navigate to Users and Groups in the left-hand navbar.
17. Click + Add user.
18. Add as many users or groups to the application as you would like. Note that all of these users will be able to log into Nucleus.
- Note: select the roles you created in step 9 for each user. You can assign each group or user a role in the application from this screen. For the example in step 9, you could assign a user the "Admin" role, which will then be passed in the SAML response to Nucleus.
19. Once you have added your users to the application, collect all of the information you need to send to your Nucleus representative so they can complete the SSO setup for you. You will need the following, all of which can be found in the Single sign-on tab in the left-hand navbar:
- Identifier (Entity ID): Needs to be copied
- Thumbprint: Needs to be copied
- Certificate (Base64): Needs to be downloaded
- Login URL: Needs to be copied
- Azure AD Identifier: Needs to be copied
20. Once you send this information to your Nucleus representative, you are all done! Your SSO setup should be completed within 24 hours by a Nucleus support rep, who will confirm by email that SSO is complete and you are all set.
If you used AD groups or roles in your SSO setup, refer to the SSO Mapping page for instructions on mapping your AD user groups and roles to Nucleus.
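Both options ask you to copy the Thumbprint and download the Certificate (Base64) and send the pair to Nucleus support. The following is an added example (not Nucleus's code) of a check you can run locally before sending them, to confirm that the downloaded certificate really is the one the copied thumbprint refers to. It relies on the fact that Azure AD displays the thumbprint as the SHA-1 hash of the certificate's DER bytes in uppercase hex, and that the Base64 download is that DER encoding in PEM armour. The certificate below is a constructed stand-in (arbitrary bytes in PEM armour), since only the hashing of the body matters for the check; point `pem_to_der` at the real downloaded file instead.

```python
"""Verify a copied SAML signing thumbprint against the downloaded
Certificate (Base64) file (added example)."""
import base64
import hashlib
import re

# Constructed sample: NOT a real certificate, just bytes wrapped in PEM armour
# so the example runs offline. Replace with the contents of the downloaded file.
SAMPLE_DER = b"constructed stand-in for the DER bytes of a signing certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block and decode its Base64 body."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found in input")
    body = re.sub(r"\s+", "", match.group(1))  # strip line breaks
    return base64.b64decode(body, validate=True)


def thumbprint(pem: str) -> str:
    """SHA-1 of the DER bytes, uppercase hex, as shown in the Azure portal."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def normalize_thumbprint(text: str) -> str:
    """Accept the thumbprint as copied (any case, optional spaces or colons)
    and reduce it to 40 hex digits; reject anything else."""
    cleaned = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("thumbprint must be 40 hex digits (SHA-1)")
    return cleaned


def thumbprint_matches(pem: str, copied_thumbprint: str) -> bool:
    """True when the downloaded certificate hashes to the copied thumbprint."""
    return thumbprint(pem) == normalize_thumbprint(copied_thumbprint)


if __name__ == "__main__":
    expected = thumbprint(SAMPLE_PEM)
    print("thumbprint of sample certificate:", expected)
    print("matches copied value:", thumbprint_matches(SAMPLE_PEM, expected))
```

Run this again whenever the signing certificate is rotated in Azure: a new certificate has a new thumbprint, and Nucleus support needs the updated pair for sign-in to keep working.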