Configure SAML with Azure AD
If you use Azure AD as your SAML identity provider (IdP), you can use the information in this document to set up SAML authentication for your LMS.
These steps assume that you have permissions for modifying your organization’s Azure AD portal.
Note: These steps reflect a third-party application and are subject to change without our knowledge. However, even if the steps described here do not fully match the screens you see in your IdP account, using these steps along with the IdP’s documentation should still enable you to configure the integration.
Step One: Begin Adding The Integration In The LMS
- While signed in to the LMS as an administrator, go to System > Integration > Single Sign-On (SSO) > SAML Sign-In
- Click the + Add An Integration button.
- Select Azure AD from the list of SAML Identity provider.
- Keep this screen/tab open for now as we will refer to it later.
Figure 1: Add A New Integration Screen in The LMS
Step Two: Adding The LMS To Your OneLogin Applications
- In a new tab/window, access Azure AD.
- Go to Enterprise Applications > New Application.
- Search for Azure AD SAML Toolkitr.
- Select the Azure AD SAML Toolkit app.
Figure 2: Azure AD > Find Applications
- Edit the Name, entering My LMS.
- Click Create.
- You'll be automatically forwarded to the manage application screen for your new application. Keep this screen/tab open for now as we will refer to it later.
Step Three: Add Identity Provider Details To The LMS
In this step, you'll provide the LMS with the SAML Identity provider values it needs to communicate with Azure AD.
- In the Azure AD manage app UI, select the Single Sign-On tab.
- Click the option for SAML.
- On the SAML Setup screen, scroll down to the fourth section, titled Setup App Name.
- Copy values from Azure AD and paste them into the Identity Provider Details section of the LMS, as shown below.
| Copy Azure AD Field Value | to | LMS Field Value |
|---|---|---|
| Azure AD Identifier | > | Entity ID / Issuer URL |
| Login URL | > | SAML 2.0 Endpoint / SSO URL |
| Logout URL | > | SLO Endpoint / Logout URL |
| SAML Signing Certificate > Certificate (Base64) > Download (& open in text editor) | > | X.509 Certificate |
After copying values from the SSO tab into the Identity Provider Details section of the LMS, it should look something like this:
Figure 3: LMS Identity Provider Details
Step Four: Add Service Provider Details To Azure AD
In this step, we’ll define the service provider values that Azure AD will need to identify your app.
- On the Add A New Integration screen in the LMS, go to the Service Provider Details section.
- In the Azure AD SAML setup UI, scroll up to the Basic SAML Configuration section and click Edit.
- Copy values from the LMS into the Azure AD fields as shown below.
| Copy LMS Field Value | to | Azure AD Field |
|---|---|---|
| Entity ID | > | Identifier (Entity ID) |
| Assertion Consumer Service / SSO Service | > | Reply URL (Assertion Consumer Service URL) |
| Assertion Consumer Service / SSO Service | > | Sign On URL (* remove '/acs' from the end of this URL) |
| Single Logout Service | > | Logout URL |
- Click Save.
Step Five: Defining User Attributes
In this step, we’ll define the information about the user (id, email address, first name, last name) that need to be passed to the LMS.
- In the Azure AD SAML setup UI, scroll up to the User Attributes & Claims section and click Edit.
- Click the Add a New Claim link in the upper left corner of the parameter listing.
- Under Name enter "uuid" (without quotations).
- Under Source Attribute, select user.userprincipalname and then click Save.
- Repeat this sequence three more times, using the fields/values below.
| Field | > | Value |
|---|---|---|
| emailAddress | > | user.mail |
| firstName | > | user.givenname |
| lastName | > | user.surname |
Note: Even though Azure AD may provide additional user data that can be passed as parameters, only the paramters listed above are compatible with the LMS; all other values will be ignored.
Step Six: Finshing Up & Testing
At this point you've completed all the necessary steps to configure the LMS application in Azure AD.
In the LMS, on the Add A New Integration screen, finish configuring the User Login settings and then click Save
to save the integration in the LMS.
To test your new integration, you'll need to give users access to your new application in Azure AD before using the newly generated LMS login
link for this integration. For more information on granting users access to your application via Azure AD, please refer to the IdP's documentation.