Single Sign-on with Azure AD

Single Sign-on allows you to configure eSPACE to be accessed and users to be authenticated via your network provider.  For more information general on how SAML SSO works with eSPACE, please check out this KB article.

NOTE:  Only eSPACE Admins can get to the SSO Integration Setup page in eSPACE

The following instructions will help you configure eSPACE to allow Single Sign-on through your Azure AD account

1. Login to portal.azure.com
2. Click Azure Active Directory
3. On left side, click Enterprise Applications
4. Click "+ New Application"
5. Search for "Azure AD SAML" and click "Azure AD SAML Toolkit", the click "Create"
   • You can also choose to "Create your own application" (select the "Non-Gallery" option).
6. Click "Set up single sign on" option under Getting Started
7. Click SAML option
8. Edit the Basic SAML Configuration panel
   1. For Identifier, set to https://app.espace.cool
   2. For the Reply URL (ACS URL) enter the value from eSPACE SSO Setup page
   3. For Sign-on URL enter https://app.espace.cool/Account/SSOAuth  
   4. Click "Save" for the panel
9. Edit the "Attributes & Claims" panel
   • In the Additional Claims:
     1. Click the row with Value "user.mail" and update the following (and "Save" when done):
        • Name is emailaddress
        • Namespace is blank
     2. Click the row with Value "user.givenname" and update the following (and "Save" when done):
        • Name is firstname
        • Namespace is blank
     3. Click the row with Value "user.surname" and update the following (and "Save" when done):
        • Name is lastname
        • Namespace is blank
10. In the SAML Signing Certificate
    • Download the  Federation Metadata XML, and upload to the eSPACE SSO Setup page.
    • The previous step should populate the Certificate and and Single Sign On Service URL.
11. In the Required Attributes section of eSPACE, confirm the attribute names match what was entered in the Attribute and Claims section above (email, firstname, lastname).  These fields are case sensitive and you must enter them exactly as seen in step 9. 
12. On the Properties page (of Azure) modify the name, logo, and assignment setting and visibility of the app.  Use the Users and Groups page to manage who can access the app.
    • If a "Create new login..." option is selected, be sure to select the appropriate login account to be cloned for any new users provisioned via SSO.  eSPACE will copy all settings and configurations about the user (including roles, module access, location access).  The following WILL NOT be cloned:
      • Billing Contact role

      • Name, Email address, Employee IDNOTE:  Below is an eSPACE logo you can use:

13. On the eSPACE SSO Setup page, adjust the User Provisioning setting as desired. Be sure to set the appropriate Integration Admin

NOTE:  Under User Provisioning, if you choose "Create a new login account and allow them immediate access" there is a chance a duplicate user account could be created if a single user has been using an alias or had a name change resulting in a new email address.