This article explains the process of using Microsoft Entra ID to connect to One Model using single sign on (SSO), and how to configure your SSO between Microsoft Entra ID and One Model.
What is Microsoft Entra ID?
Microsoft Entra ID, formerly known as Azure Active Directory, is an identity and access management service that uses SAML 2.0 and other protocols to enable single sign on with One Model. The protocol diagram below illustrates the single sign on process. The cloud service (the service provider, here One Model) uses an HTTP Redirect or HTTP POST binding to pass an AuthnRequest (authentication request) element to Microsoft Entra ID (the identity provider). Microsoft Entra ID then uses an HTTP POST binding to post a Response element, containing the signed assertion, back to the cloud service.
Configure One Model
Read these instructions in conjunction with the following One Model articles:
- Introduction to Single Sign On (SSO)
- Automated Role Assignment via Single Sign On
And this related Microsoft article: Single sign-on SAML protocol
1. Set Up One Model for SSO Integration
Start by navigating to One Model>Admin>Company and find the SAML 2 Integration then select +Add SAML 2 Integration. The following configuration will need to be entered by the customer:
- Metadata URL
- Issuer
All configuration selections are described in detail here. Once those details are entered and saved, the ACS URL and Issuer will appear. If you need the ACS URL and Entity ID to produce your Metadata URL and Issuer, they follow this URL pattern:
○ ACS URL = https://yourOneModelURL/Saml/Acs
○ Issuer = http://yourOneModelURL/Saml/Init
Under Person IDs, the default selection is ‘Don’t populate Person ID’. This is because the Person ID isn’t strictly required for successful SSO, but we recommend setting this up in your initial configuration so the Person ID is ready for Contextual Security.
The relevant customer Person ID attribute will need to be made available from the SAML NameID (or another attribute). It is fine to select ‘SAML Attribute’ rather than ‘NameID’ as long as the attribute is unique to the employee, available from the IdP and part of the employee’s core HRIS system record; for example, it could be a PersonID, EmployeeNumber, Email, EmployeeID, Username, etc.
Role assignment via SSO is optional and not required or recommended for the initial configuration.
You will need to note the following:
- ACS URL: This will be generated by One Model.
- Entity ID: A unique identifier for your application.
Configure these details on the Microsoft Entra ID side as shown below.
2. Configure Microsoft Entra ID (formerly Azure AD)
- Go to your Entra ID account.
- Register One Model as an Enterprise Application: in the Azure Portal, go to Azure Active Directory > Enterprise Applications.
- Select New Application > Create your own application > Integrate any other application you don't find in the gallery (Non-gallery).
- Name the application (e.g., "One Model SSO").
- Set up SAML authentication: in the new application, go to Single Sign-On and select SAML.
- Configure the following:
  ○ Identifier (Entity ID): use the Entity ID provided by One Model.
  ○ Reply URL (ACS): input the ACS URL from One Model.
  ○ Sign-on URL (optional): provide this if users will access One Model directly through Entra ID.
3. Configure Claims and User Attribute
Map the following required attributes in Attributes & Claims:
○ Email: Use the primary user email, e.g. emailaddress
○ First Name and Last Name: E.g. givenname, surname
○ Person ID for Contextual Security: required for Contextual Security. Mapped as NameID or another attribute. Note: if Email is chosen as the unique user identifier via NameID for Contextual Security, the email address is case sensitive, and the SAML attribute value must match the data coming from the HRIS exactly.
4. Enable SSO Testing and Assign Users
- Test the SSO Configuration and troubleshoot any issues.
- Go to Users and Groups within the Entra application and assign users or groups who need access to One Model.
5. Optional: Automate Role Assignment via SSO
If your organization chooses automated role assignment via SSO for its One Model application, additional attributes will be necessary, most likely via ‘groups’. One Model can assign roles based on attributes passed through SAML once the additional configuration is completed in the SAML2 Integration settings under Admin > Company.
Ensure that Person ID and Customer Role names are correctly mapped. Be sure to read this article to understand how the role assignment works.
6. Monitor and Troubleshoot SSO Logs
- Use Sign-in Logs in Entra to monitor login attempts and troubleshoot issues.
- Make sure admin consent is granted for any additional permissions required by One Model. If preferred, you can also follow the instructions at the end of this article to see what is being passed to One Model.
A common issue is that the attribute is sent with the full claim namespace prefixed to its name, i.e. the string below in front of the short name (for example emailaddress or givenname). Remove that namespace string from the claim name so the bare attribute name is sent and One Model can read the email or name.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/
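The following is an added example, not part of the original article or One Model's own code, that parses a constructed SAML assertion fragment to show the two checks above: an attribute name still carrying the claim namespace prefix (which One Model cannot match to emailaddress) and the exact, case sensitive comparison of an email NameID against the HRIS record. It assumes the response signature has already been verified and only inspects the attribute statement.

```python
import xml.etree.ElementTree as ET

# Constructed sample assertion, not a real capture. Signature validation is assumed
# to have happened before this point; this code only inspects what Entra sent.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>Jane.Doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = ("emailaddress", "givenname", "surname")  # short names One Model expects


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: value}) exactly as the IdP sent them."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", namespaces=NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return name_id, attrs


def prefixed_attributes(attrs):
    """Attribute names that still carry the claim namespace (the common misconfiguration)."""
    return [name for name in attrs if name.startswith(CLAIM_PREFIX)]


def strip_claim_prefix(attrs):
    """What the mapping looks like once the namespace string is removed in Entra."""
    return {(n[len(CLAIM_PREFIX):] if n.startswith(CLAIM_PREFIX) else n): v
            for n, v in attrs.items()}


def missing_required(attrs):
    """Required short names that One Model would fail to find in this attribute set."""
    return [name for name in REQUIRED if name not in attrs]


def name_id_matches_hris(name_id, hris_email):
    """Email used as Person ID is case sensitive: it must equal the HRIS value exactly."""
    return name_id == hris_email
```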