Create an Active Directory Enterprise Non-gallery application
· In the Azure portal, select Azure Active Directory on the left navigation pane.
· Select Enterprise applications in Azure Active Directory.
· Select New Application.
· Click Create your own application (Non-gallery application.)
· Click "Integrate any other application you don't find in the gallery (Non-gallery) and give your app a name, for example CCQ and click create:
(Note: If this is a multi-tenant and there is already a CCQ Non-gallery application in place with this name, you must give this new one a unique name, f.ex. CCQYourCompanyName)
Congratulations! Your Azure Enterprise Non-Gallery Application for CCQ has been created. This provides a secure access to the CCQ application for users in your Active directory. Please follow next steps to configure the application and establish a connection between Azure and CCQ.
Configure your Active Directory Enterprise application for SAML SSO
Steps:
Assign users and groups
Add groups according to your needs for CCQ, here below you can see examples. For each module in CCQ there are various access groups, and there must be a corresponding group in Azure. These groups must be Security groups. You can use existing groups or create groups specially for CCQ, like CCQ_Users, CCQ_Admins, etc.
Note: You will need Object ID information for each group when configuring Azure SSO in CCQ organization document.
All users that are allowed to authenticate with CCQ should be in a group for that purpose. CCQ uses that group to decide if user is allowed to log into the system, without any additional access rights. Example name: CCQ_Users.
2. Set up single sign on
Click single sign on and choose SAML:
This page will open with the following 5 steps (see picture with steps below):
Set up Single Sign-On with SAML
Basic SAML Configuration
Identifier (Entity ID): - Add the following URL: https://quality.ccq.cloud/
Note: Entity ID has to be unique. If this is a multi-tenant and there is already a CCQ connection with this identifier in place, you must give this new one a unique name, f.ex. https://quality.ccq.cloud/yourcompanyname
Reply URL (Assertion Consumer Service URL): - Add the following URL https://quality.ccq.cloud/_saml/validate/adfs/ + your CCQ organization ID. You can find that ID in the URL string, when opening the organization page in CCQ.
2. Attributes and Claims
Add all the attributes you see in the picture. (Add content by clicking on the three dots in the right corner of the box and choose Edit).
Check settings for user.groups:
3. SAML Certificates
Download the Federation Metadata XML file to your computer. We will use it in the organization document in CCQ. You can also copy the „App Federation Metadata URL“ and paste in a brower window to access the certificate. For more information, see here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-protocol-reference
Note! When renewing your certificate in Azure AD, please remember to update the certificate in CCQ accordingly, or your users will be locked out of CCQ.
4. Set up CCQ
Copy the Login URL, we will use this URL in the organization document in CCQ
5. Test single sign-on with CCQ.
After we have set everything up both in Azure and in CCQ you can use this button to test single sign-on with CCQ. Information on the steps in CCQ can be found here: https://intercom.help/ccq-help/en/articles/6990760-ccq-stillingar-vegna-azure-sso
Summary:
· Create your own Enterprise application (Non-gallery)
· Assign users and groups
· Set up Single Sign-On with SAML
· Now you have all the information necessary to complete the SSO configuration in CCQ, see CCQ Azure AD SSO Setup document (in Icelandic).
· When you have finished the SSO configuration in CCQ, you can test single sign-on with CCQ. In Azure you can for example find a button for that purpose (see step 5). Note that the Azure tester (and all CCQ users) must belong to at least the CCQ_user group to be able to log into CCQ.