Skip to main content

Setting Up SAML Single Sign-On with Microsoft Entra ID

Jomar
  • Updated

Looking for SCIM User Provisioning for Microsoft Entra? Click Here

This guide provides step-by-step instructions to configure SAML Single Sign-On (SSO) between Microsoft Entra ID (formerly Azure Active Directory) and AskNicely. Choose the user provisioning option that best fits your organization's needs:

  1. Without user provisioning
  2. Users provisioned automatically, but roles set manually within AskNicely
  3. Users provisioned automatically, including location-based data access

Prerequisites

  • AskNicely Administrator Account: Ensure you have admin access to your AskNicely account.
  • Microsoft Entra ID Administrator Account: You need permissions to configure enterprise applications.

Option 1: Configure SAML SSO Without User Provisioning

In this setup, users are added to AskNicely manually. SSO enables them to authenticate via Microsoft Entra ID.

Step 1: Add AskNicely as an Enterprise Application

  1. Sign in to the Microsoft Entra admin center with your admin credentials.
  2. Navigate to Azure Active Directory > Enterprise applications.
  3. Click on New application.
  4. Select Create your own application.
  5. Enter the name AskNicely, choose Integrate any other application you don't find in the gallery (Non-gallery), and click Create.

Step 2: Configure SAML-Based Single Sign-On

  1. In the AskNicely application overview, select Single sign-on from the left menu.
  2. Choose the SAML option.

Step 3: Set Up Basic SAML Configuration

  1. Under Manage, Single sign-on, click on the Edit icon in the Basic SAML Configuration section.
  2. Enter the following details:
    • Identifier (Entity ID): https://[subdomain].asknice.ly/saml/metadata
    • Reply URL (Assertion Consumer Service URL): https://[subdomain].asknice.ly/saml/sso
    • Logout URL: https://[subdomain].asknice.ly/saml/slo
  3. Click Save.

Step 4: Copy SAML Metadata

  1. In the SAML Certificate section, copy the App Federation Metadata Url.

Step 5: Configure AskNicely with SAML Details

  1. Log in to your AskNicely admin account.
  2. Go to Settings > Users > SAML 2.0.
  3. Turn on Enable SAML integration.
  4. Set Display Name to something meaningful, e.g., “Sign in with SSO”.
  5. Turn on Omit AuthContext in the AuthNRequest, and Sign SAML Request (AuthNRequest and metadata).
  6. Paste the SAML Issuer URL file, and click “Import Metadata”
  7. Save your changes.

Step 6: Assign Users in Microsoft Entra ID

  1. In the Microsoft Entra admin center, go to Enterprise applications > AskNicely > Users and groups.
  2. Click Add user/group.
  3. Select the users or groups you want to grant access.
  4. Click Assign.

Step 7: Test SSO Configuration

  1. Open a new browser window in incognito/private mode.
  2. Navigate to the AskNicely login page: https://[subdomain].asknice.ly/login.
  3. Click on Sign in with SSO.
  4. Enter your email address and proceed. You should be redirected to Microsoft Entra ID for authentication.
    1. Your email address must match that of a user in AskNicely
  5. Upon successful sign-in, you will be directed to your AskNicely dashboard.

Option 2: SSO with Automatic User Provisioning (Roles Set Manually)

This option allows automatic creation of user accounts in AskNicely upon first SSO login. Roles must be assigned manually afterward.

Step 1: Complete Steps 1-5 from Option 1

Follow the initial setup steps to configure SAML SSO between Microsoft Entra ID and AskNicely.

For Step 5, also enable Automatically Create New Users, and set the role for newly registered users.

Option 3: SSO with Automatic User Provisioning Including Location-Based Access

This setup automatically provisions users and assigns roles and location-based data access based on attributes from Microsoft Entra ID.

Step 1: Complete Steps 1-5 from Option 2

Set up SAML SSO between Microsoft Entra ID and AskNicely.

Step 2: Configure User Attributes in Microsoft Entra ID

  1. In the Single sign-on settings of the AskNicely app in Microsoft Entra ID, go to User Attributes & Claims.
  2. Click Edit.
  3. Add new claims to pass user attributes:
    • Click Add new claim.
    • Name: e.g., Location
    • Namespace: Leave blank unless specified.
    • Source Attribute: Select the appropriate attribute (e.g., user.location).

Step 3: Map Attributes in AskNicely

  1. In AskNicely, go to Settings > Users > User Roles.
  2. Add Filter to the default role.
  3. Enable Set this at the user level
  4. Click Update

Additional Tips

  • Consistent Attribute Names: Ensure that attribute names in Microsoft Entra ID match exactly with those in AskNicely.
  • Role Values: The roles assigned via attributes must correspond to valid roles within AskNicely.
  • Testing: After each configuration, test with a single user before rolling out to all users.
  • User De-Provisioning: Remember that disabling or removing a user in Microsoft Entra ID does not automatically deactivate them in AskNicely. This must be done manually unless SCIM provisioning is configured.

Need Assistance?

If you have any questions or need further help, please contact our support team at support@asknicely.com. We're here to help!

Related articles