Setting up single sign on (SSO) with Azure (via Azure Gallery)

NOTE: if you are using ADFS, see this article: https://recognize.zendesk.com/hc/en-us/articles/226678267-Setting-up-single-sign-on-using-Active-Directory-with-ADFS-and-SAML

NOTE: If you have not already, please read our SSO Overview which contains some common questions and answers.

Single Sign-on With Recognize and Azure AD

In this tutorial, you learn how to integrate Recognize with Azure Active Directory (Azure AD).

Integrating Recognize with Azure AD provides you with the following benefits:

• You can control in Azure AD who has access to Recognize
• You can enable your users to automatically get signed-on to Recognize (Single Sign-On) with their Azure AD accounts
• You can manage your accounts in one central location - the Azure portal

If you want to know more details about SaaS app integration with Azure AD, see what is application access and single sign-on with Azure Active Directory.

Prerequisites

To configure Azure AD integration with Recognize, you need the following items:

• An Azure AD subscription
• A Recognize single sign-on enabled subscription
• An admin account in both Azure AD and Recognize

To test the steps in this tutorial, you should follow these recommendations:

• Do not use your production environment, unless it is necessary.
• If you don't have an Azure AD trial environment, you can get a one-month trial here: Trial offer.

Scenario description

In this tutorial, you test Azure AD single sign-on in a test environment. The scenario outlined in this tutorial consists of two main building blocks:

1. Adding Recognize from the gallery
2. Configuring and testing Azure AD single sign-on

Adding Recognize from the gallery

To configure the integration of Recognize into Azure AD, you need to add Recognize from the gallery to your list of managed SaaS apps.

To add Recognize from the gallery, perform the following steps:

1. In the Azure portal, on the left navigation panel, click Azure Active Directoryicon.

   

2. Navigate to Enterprise applications. Then go to All applications.

   

3. To add new application, click New application button on the top of dialog.

   

4. In the search box, type Recognize.

   

5. In the results panel, select Recognize, and then click Add button to add the application.

   

Configuring and testing Azure AD single sign-on

In this section, you configure and test Azure AD single sign-on with Recognize based on a test user called "Britta Simon".

For single sign-on to work, Azure AD needs to know what the counterpart user in Recognize is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Recognize needs to be established.

In Recognize, assign the value of the mail in Azure AD as the value of the NameID to establish the link relationship. UserPrincipalName is supported, please contact Recognize Support team if you wish to link based on UPN. 

To configure and test Azure AD single sign-on with Recognize, you need to complete the following building blocks:

1. Configuring Azure AD Single Sign-On - to enable your users to use this feature.
2. Creating an Azure AD test user - to test Azure AD single sign-on with Britta Simon.
3. Creating a Recognize test user - to have a counterpart of Britta Simon in Recognize that is linked to the Azure AD representation of user.
4. Assigning the Azure AD test user - to enable Britta Simon to use Azure AD single sign-on.
5. Testing Single Sign-On - to verify whether the configuration works.

Configuring Azure AD single sign-on

In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Recognize application.

To configure Azure AD single sign-on with Recognize, perform the following steps:

1. In the Azure portal, on the Recognize application integration page, click Single sign-on.

   

2. On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable single sign-on.

   

3. On Step 1 section, click Edit:

   

4. Delete any sample values.
5. In a new tab or browser, visit Recognize's Company Admin portal and visit Settings > User management and scroll to Single Sign On section. It is here that you will retrieve the settings necessary to enter into section 1, Basic SAML Configuration. 
6. Copy the appropriate settings from Recognize into the SAML Configuration. 

7. 

   a. In the Identifier textbox, type a URL using the following pattern: https://recognizeapp.com/<your-domain>/saml/metadata
   b. In the Reply URL textbox, type a URL using the following pattern: https://recognizeapp.com/<your-domain>/saml/acs

   b. In the Sign-on URL textbox, type a URL using the following pattern: https://recognizeapp.com/<your-domain>/saml/sso

8. Click Save button. This completes the configuration Recognize's settings on the Azure side. Now you need to obtain the Azure settings for entry on the Recognize side.

   

9. On the SAML Signing Certificate section, click Certificate (Base64) and then save the certificate file on your computer.

   

10. On the Recognize Configuration section, click Configure Recognize to open Configure sign-on window. Copy the Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL from the Quick Reference section.

    

     

11. Perform the following steps on SSO Settings section.

    

    a. As Enable SSO, select ON.

    b. In the IDP Entity ID textbox, paste the value of SAML Entity ID which you have copied from Azure portal.

    c. In the Sso target url textbox, paste the value of SAML Single Sign-On Service URL which you have copied from Azure portal.

    d. In the Slo target url textbox, paste the value of Sign-Out URL which you have copied from Azure portal.

    e. Open your downloaded Certificate (Base64) file in notepad, copy the content of it into your clipboard, and then paste it to the Certificate textbox.

    f. Click the Save settings button.

Testing

In order to test the configuration, you will need an AzureAD user assigned to the Enterprise Application and you will need a corresponding user provisioned in Recognize. 

 

Assigning the Azure AD test user

In this section, you enable Britta Simon to use Azure single sign-on by granting access to Recognize.

To assign Britta Simon to Recognize, perform the following steps:

1. In the Azure portal, open the applications view, and then navigate to the directory view and go to Enterprise applications then click All applications.

   

2. In the applications list, select Recognize.

   

3. In the menu on the left, click Users and groups.

   

4. Click Add button. Then select Users and groups on Add Assignment dialog.

   

5. On Users and groups dialog, select Britta Simon in the Users list.

6. Click Select button on Users and groups dialog.

7. Click Assign button on Add Assignment dialog.

Testing single sign-on

Now that the configuration is complete and you have a corresponding test user in Recognize that is assigned to this AzureAD application, this section will show you the best practices for testing the configuration. You will need to be able to sign in as the test user.

NOTE: It is recommended to do this in a separate browser or private browser mode, while you retain your original browser session that is logged into AzureAD and Recognize in a secondary tab.

1. To test the initial connection, simply visit https://recognizeapp.com/<yourdomain.com/saml/sso. If you are presented with your Azure AD sign on page, then the initial connection is working properly. 
2. Then proceed to sign in. If the connection is successful, you will be redirected back to Recognize and signed in to Recognize.