Set up single sign-on (SSO) with Microsoft Azure Active Directory
Single sign-on is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.
This article presents how to configure single sign-on for AlisQI.
AlisQI encourages the use of single sign-on for security and convenience. If you wish to enable this feature, please contact firstname.lastname@example.org.
AlisQI supports single sign-on based on SAML 2.
In SAML terms, your user directory (e.g., Azure Active Directory) will fulfill the role of Identity Provider (IdP), while AlisQI is the Service Provider (SP).
Changes to user management
Without SSO, AlisQI users are identified by a username and a password. Email addresses are optional.
With SSO enabled, users are identified by their email addresses. Since the username and password fields are obsolete, they will be deactivated when going live with SSO.
Before SSO can be enabled, all users must have a valid email address. Note that these must exactly match those in your user directory!
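Because SSO identifies users purely by email, a mismatch between AlisQI and the directory locks that user out. The following pre-flight check is an added example, not AlisQI tooling: it compares a constructed AlisQI user export against constructed directory `user.mail` values and reports users with no email, emails absent from the directory, emails that differ only in case or whitespace (which fail the exact-match requirement), and two accounts sharing one email.

```python
from collections import Counter

# Constructed sample: AlisQI users (email is optional before SSO).
ALISQI_USERS = [
    {"username": "jdoe", "email": "j.doe@example.com"},
    {"username": "asmith", "email": "A.Smith@example.com"},
    {"username": "bwong", "email": ""},
    {"username": "cjones", "email": "c.jones@example.com "},
    {"username": "dlee", "email": "d.lee@example.com"},
    {"username": "dlee2", "email": "d.lee@example.com"},
    {"username": "fnew", "email": "f.new@example.com"},
]

# Constructed sample: user.mail values exported from the directory.
DIRECTORY_EMAILS = [
    "j.doe@example.com", "a.smith@example.com",
    "c.jones@example.com", "d.lee@example.com", "e.kim@example.com",
]


def check_sso_readiness(alisqi_users, directory_emails):
    """Classify each AlisQI user by whether an SSO login would resolve it.

    Returns a dict of lists. SSO is safe to enable only when 'missing',
    'not_in_directory', 'case_or_whitespace' and 'duplicate' are all empty.
    """
    exact = set(directory_emails)
    normalised = {e.strip().lower(): e for e in directory_emails}
    report = {"ok": [], "missing": [], "not_in_directory": [],
              "case_or_whitespace": [], "duplicate": []}
    # Count normalised emails so two accounts mapping to one identity are caught.
    counts = Counter(u["email"].strip().lower()
                     for u in alisqi_users if u["email"].strip())
    for user in alisqi_users:
        name, email = user["username"], user["email"]
        key = email.strip().lower()
        if not key:
            report["missing"].append(name)
            continue
        if counts[key] > 1:
            report["duplicate"].append(name)
        if email in exact:
            report["ok"].append(name)
        elif key in normalised:
            # Matches only after normalisation; the exact-match rule rejects it.
            report["case_or_whitespace"].append((name, email, normalised[key]))
        else:
            report["not_in_directory"].append(name)
    return report
```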
This article walks through all the steps for setting up Microsoft Azure Active Directory, since most of our customers use it. Other directories should work just fine, as long as they support SAML 2.
Download AlisQI metadata
Before you start configuring SSO in Azure, you need to download the metadata of the AlisQI SP. You can find this by going to
https://[your].alisqi.com/sso (e.g., https://demo.alisqi.com/sso). Note that AlisQI uses the open-source package SimpleSAMLphp as its middleware for SAML.
Open the Federation tab and click Show metadata (as shown in the screenshot below). Next, open the link to the metadata and save the file to disk. You will probably have to rename the file to add the .xml extension. Alternatively, you can also copy-paste the XML shown on the page into a new file.
Create a new application in Azure Active Directory
- Open your Azure AD portal
- Choose Manage / Enterprise applications from the menu
- Add a new application
- Click "Create your own application"
Configure single sign-on
- In the application overview, open single sign-on settings and then select SAML
- Upload the AlisQI metadata you downloaded earlier
- A popup "Basic SAML Configuration" will open. You don't need to make any changes, so just hit Save and close the popup.
- A second popup will ask whether you wish to test single sign-on. This won't work yet, so just close it.
- Edit the User Attributes & Claims, and set Unique User Identifier to user.mail like in the image below
- Copy the App Federation Metadata Url and send it to AlisQI support.
Users and groups
You must specifically allow users to access AlisQI by adding them to the Users and groups menu in the application overview.
Optionally, you can add the AlisQI logo in the properties screen to make the application more recognizable to your users.
Test and go live
AlisQI support will be able to test the SSO integration in the middleware before enabling it in the application. Once the integration is verified, we can decide together when to activate it within AlisQI.
Watch the following videos by Microsoft for details: