
Setting Up Single Sign-On (SSO) in Azure

Preconditions

The portal needs to be:

  • Registered in the TMS and active.
  • Configured with a valid domain alias on the designated environment.

1. Single sign-on

These steps need to be done by the client manually. This section specifically describes how to do the SSO linking through Azure. The concept of SAML2 remains the same, so technically it should work for any provider as long as they support SAML2. However, we advise using Azure since we know it works 100% of the time.

A. Creating an Enterprise Application & App Registrations in Azure

  1. Go to Azure Portal.
  2. Once signed in, search for Azure Active Directory (now Microsoft Entra ID) in the search bar at the top.
  3. On the overview page, click on Enterprise Applications.
  4. Create a new Enterprise application by clicking on + New application in the top bar.
  5. Choose the option + Create your own application.
  6. Fill in a logical name in the What's the name of your app? input field and select Integrate any other application you don't find in the gallery (Non-gallery).
  7. Click Create at the bottom of the page.
  8. Wait a few seconds while Azure sets up the required parts. Once completed, you will be redirected to the overview page of your newly created application.
  9. Go back to Azure Active Directory and select Enterprise Applications.
  10. Locate your newly created application under All applications (you can sort based on creation date if needed) and click on its name to access it.
  11. In the left-hand menu, under Manage, click Single sign-on.
  12. Choose SAML as the single sign-on method.
  13. After a few seconds, you will see an overview to set up SSO with SAML. Modify the Basic SAML Configuration section by clicking on the Edit pencil icon and filling in the following parts:
Note: Set these properties as placeholders initially. After communicating the options in step 13, you will receive the final settings from TMA, and you must then update these values.

  • Identifier (Entity ID):
    https://<sub-domain>.<main-domain>/Saml2
    Example: https://test.tma-assessment.nl/Saml2
  • Reply URL (Assertion Consumer Service URL):
    https://<idp-sub-domain>.<idp-main-domain>/Saml2/Acs
    Example: https://idp-test.tma-assessment.nl/Saml2/Acs
  14. Save the settings and, when prompted to test, select No, I'll test later.
  15. Send the following settings to TMA:
    • Azure AD Identifier (now called Microsoft Entra Identifier).
    • App Federation Metadata URL.

That’s it! Everything is set up in Azure, and now TMA can start configuring settings in the TMS.


2. Enable Provisioning in the TMS and Azure

It’s recommended to use provisioning with SSO so the client doesn’t need to manually register users in the application continuously. This section consists of two parts: first, setting up the required data in the TMS, followed by setting up provisioning in Azure.

A. Provisioning Settings in Azure

1. Creating the App Roles

Note: This step is only required if you don’t have any roles except for "User" and wish to use additional or different roles for configuring the TMS roles. If you don’t need this, you can skip this part.

  1. Go to Azure Portal.
  2. Search for Azure Active Directory.
  3. Go to App registrations and find the app registration you want to use for provisioning. If you followed the SSO guide above, use that one.
  4. Go to App roles and create the required roles.
  5. Communicate these roles to TMA and specify how each role should be mapped to TMA-specific roles.

2. Setting Up the Provisioning

  1. Go to Azure Portal.
  2. Search for Azure Active Directory.
  3. Navigate to Enterprise applications and find your Enterprise application for provisioning.
  4. If this is your first time setting it up, you’ll see an information page with a Get started button. Click Get started.
  5. Under Provisioning Mode, select Automatic.
  6. In Admin Credentials, fill in the Tenant URL, which is the TMS API base URL with the SCIM path appended.
    • Example: https://api-test.tma-assessment.nl/scim/v2
  7. Use the Secret Token received from TMA. If you haven’t received it, contact TMA.
  8. Click Test Connection. If it connects successfully, you’ll see a green success message. If there’s an error, verify the Secret Token and Tenant URL.
  9. Save the form and go to the provisioning overview page.

3. Configuring Attribute Mappings

  1. Under Manage provisioning, click Edit attribute mappings.
  2. Open the Mappings dropdown and click Provision Azure Active Directory Users.
  3. Scroll down and check Show advanced options.
  4. Click Edit attribute list for customappsso.
  5. Add a user or group and Provision on demand. The user should now be automatically created in the TMS.
  6. Fill in the following fields and save:
    • Name: roles
    • Type: String
    • Multi-Value?: Checked
  7. Go back to step 11 and scroll down. Above Show advanced options, click Add New Mapping.
  8. Set Mapping Type to Expression and enter the following in the Expression field:
    AppRoleAssignmentsComplex([appRoleAssignments])
  9. Choose Target Attribute as the newly created attribute for customappsso, roles.
  10. Click OK and then Save in the Attribute Mapping view.
  11. Confirm Yes when asked: "Saving your changes will result in all assigned users and groups being resynchronized. This may take a long time depending on the size of your directory."
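The mapping above makes Azure send each user's app role assignments as a multi-valued roles attribute in the SCIM user resource. What the receiving side does with that attribute decides who gets which TMS role, so it should map only roles it explicitly knows and fail closed on anything else. The following is an added example, not the TMS's own provisioning code: it parses a constructed SCIM 2.0 user as Azure's provisioning agent would POST it, accepts roles either as plain strings or as complex values with a value field (the shape assumed here for the AppRoleAssignmentsComplex output), and maps them through a hypothetical allowlist agreed with TMA. The app role names, TMS role names and user data are all constructed placeholders.

```python
"""Map the multi-valued SCIM "roles" attribute sent by Azure provisioning onto an
explicit, least-privilege allowlist of application roles.

Added example, not the TMS's own code. Assumptions: the role-entry shape
({"value": ..., "primary": ..., "type": ...} or a plain string) and every
role name below are constructed placeholders, not TMA's real mapping.
"""

import json

# Hypothetical mapping agreed with TMA (see "Creating the App Roles").
# An Azure app role that is not listed here is rejected, never silently granted.
ROLE_MAP = {
    "TMS.Admin": "Administrator",
    "TMS.Consultant": "Consultant",
    "User": "Participant",
}
DEFAULT_ROLE = "Participant"  # least privilege when Azure sends no role at all

# Constructed SCIM 2.0 user resource as the Azure provisioning agent would POST it.
SAMPLE_SCIM_USER = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "externalId": "00000000-0000-0000-0000-000000000001",
    "userName": "jane.doe@example.com",
    "active": True,
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"primary": True, "type": "work", "value": "jane.doe@example.com"}],
    "roles": [
        {"primary": True, "type": "WindowsAzureActiveDirectoryRole", "value": "TMS.Consultant"},
        {"primary": False, "type": "WindowsAzureActiveDirectoryRole", "value": "User"},
    ],
})


class ProvisioningError(ValueError):
    """Raised for a SCIM resource the TMS must refuse (would become an HTTP 400)."""


def normalise_roles(raw) -> list:
    """Accept roles as strings or as SCIM complex values; return the role names."""
    if raw is None:
        return []
    if not isinstance(raw, list):
        raise ProvisioningError("roles must be a list")
    names = []
    for item in raw:
        if isinstance(item, str):
            names.append(item)
        elif isinstance(item, dict) and isinstance(item.get("value"), str):
            names.append(item["value"])
        else:
            raise ProvisioningError(f"unrecognised role entry: {item!r}")
    return names


def map_scim_user(payload: str) -> dict:
    """Validate a SCIM user resource and translate its roles into TMS roles."""
    user = json.loads(payload)
    if "urn:ietf:params:scim:schemas:core:2.0:User" not in user.get("schemas", []):
        raise ProvisioningError("not a SCIM core User resource")
    for field in ("userName", "externalId"):
        if not user.get(field):
            raise ProvisioningError(f"missing required attribute: {field}")

    tms_roles = []
    for name in normalise_roles(user.get("roles")):
        if name not in ROLE_MAP:
            # Fail closed: an unknown app role is a configuration error, not a grant.
            raise ProvisioningError(f"app role {name!r} has no TMS mapping")
        if ROLE_MAP[name] not in tms_roles:
            tms_roles.append(ROLE_MAP[name])
    if not tms_roles:
        tms_roles = [DEFAULT_ROLE]

    return {
        "external_id": user["externalId"],
        "login": user["userName"],
        "active": bool(user.get("active", True)),
        "tms_roles": tms_roles,
    }


def is_rejected(payload: str) -> bool:
    """True when the resource would be refused; handy for checking unknown roles."""
    try:
        map_scim_user(payload)
    except ProvisioningError:
        return True
    return False


if __name__ == "__main__":
    print(map_scim_user(SAMPLE_SCIM_USER))
```

Keying the mapping on externalId (the Azure object id) rather than on userName is deliberate: a user's sign-in name can be changed in the directory, but the object id stays with the account, so updates and deactivations ("active": false) land on the right TMS user.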

That’s it! Everything should now be set up.