SSO Azure Setup
The following instructions set up an identity provider in Azure Active Directory (Azure AD).
Azure AD is Microsoft’s multi-tenant, cloud-based directory and identity management service that combines core directory services, application access management and identity protection into a single solution. Azure AD can function as a Single Sign-On (SSO) Provider supporting SAML 2.0, Secure Web Authentication and OpenID Connect. Tehama can be integrated with Azure AD through SAML 2.0 and can presented as a managed Enterprise Application alongside other Azure integrated applications.
Once enabled, authentication to Tehama must be made through Azure AD - local authentication through https://app.tehama.io is no longer possible except by using the Tehama Admin account. Azure AD/Tehama Integration is limited to authentication only.
User accounts are required for both Azure and Tehama. Both accounts must be configured with the same email address for SSO to work, and the user must accept the Tehama Welcome email before they will be able to launch a connection via Azure AD SSO.
Integration with Azure AD SSO is a four step process as follows.
- Obtain initial configuration settings from Tehama
- Create an application in Azure AD
- Obtain the required Federation Metadata XML from Azure
- And enter it back into Tehama
Prerequisites for Azure AD Integration
- A Tehama Account with Admin privileges (i.e.: the Tehama account for the user with the Admin role for the account's organization - AKA the organization owner)
- An Azure account with Global Administrator privileges
Setup Time - 10 minutes
Create a connected application
Login to Tehama using the Admin Account and click the SETTINGS tab in the navigation bar.
Select the AUTHENTICATION tab.
Check "Enable SAML Single-Sign on".
Make a note of the Entity ID and Callback URL (Assertion Consumer Service URL) values.
Open a second browser tab and sign in to your Azure Admin Account.
Select Azure Active Directory from the top level menu and Enterprise Applications from the second level menu.
Select + New Application and then select Non-gallery Application.
Enter the application name and click Add.
Select Properties and add an appropriate application logo. You may download and save a copy of this image to use as the logo:
Select Single sign-on from the second level menu.
The SAML settings will be displayed.
Copy the Entity ID from the AUTHENTICATION METHOD section of the Tehama Web UI's Authentication page and paste it into the Identifier field.
Copy the Callback URL from the AUTHENTICATION METHOD section of the Tehama Web UI's Authentication page and paste it into the Reply URL field.
Leave all other fields at their default values.
To complete the Tehama SSO setup obtain the Federation Metadata XML by clicking on MetaData XML to download a copy the XML file.
Open the XML in a text editor and copy the contents to the clipboard.
Return to the Tehama Web UI and enable SSO by clicking on the checkbox to Enable SAML Single-Sign On (if not already enabled), then paste the IDP metadata into the Federation Metadata XML box.
and click SAVE.
Now that you have completed this step, each existing team member in your organization will receive an email inviting them to configure their SSO login by clicking on the provided link, CONFIGURE SSO LOGIN, and to follow the instructions.
Each subsequently added team member will receive the same email and must also configure their SSO login by clicking on the provided link.
Tehama SSO Configuration is now complete.
You will still need to return to the Azure Console to assign User and Groups and/or configure Self-Service settings as appropriate for your organization before it will be possible to access Tehama using Azure AD integration.