
Set up Azure Active Directory Security Groups

Written by Xandy Strydom

The single sign-on (SSO) capability in Device Magic allows you to leverage an identity provider like Azure Active Directory to handle user authentication, user provisioning, and device provisioning for Device Magic.


Set up in Azure Active Directory

Open Azure Active Directory and add two Active Directory Groups.

The group type should be Security.

The first group is for Device Magic users that may access the Device Magic web application.
The second group is for the devices that will be joined to your organization through the mobile app.

These two newly created groups will be referred to as the Users and Devices security groups throughout this article.

Note: When a device signs in using SSO, it will automatically be joined to your organization without an administrator first approving each device. Any SSO devices will be billed at your current subscription rate.

Assign any users who will access the website to the Users security group.

Assign users using the iOS or Android mobile apps to the Devices security group.

Also, note the Object ID of the two newly created Users and Devices security groups as you will need it to complete the setup in Device Magic later.


Create application in Azure Active Directory

Set up the application in Azure Active Directory

Please visit https://portal.azure.com and log in.

When logged in, select Azure Active Directory.

Select Enterprise applications and then + New Application.

Select Non-gallery application and type a name for the application, ideally something like Device Magic Single Sign On. Then, click Add at the bottom.

Again, click Azure Active Directory in the left menu bar, then choose App Registrations and change the selection drop-down from Owned applications to All applications.


Roles (required)

Click the application you created, then click Manifest. In the application manifest, add a role for any Device Magic user roles that you want to assign to your users.

Later, when we assign users or groups to access the application, we will assign one of these roles to them. When the user signs into Device Magic they will be assigned the matching role and permissions in Device Magic.

Note: The value of the roles you create should match the exact name of an existing user role in your Device Magic organization. See the Forms-Read-Only role example in the images below.

"id": This "id" will need to be a manually generated random UUID; each role needs its own unique value. Use an online tool to generate this UUID.


Also, in the manifest, find the key groupMembershipClaims and set it to SecurityGroup. This is what makes Azure include the Object IDs of the user's security groups in the SAML response, which Device Magic uses to match the Users and Devices groups.

Click Save. Open the left menu bar and click Azure Active Directory.

Next, select Enterprise Applications, then All Applications, then the application you created, then Users and groups. Now click + Add User. Any users or groups who are allowed to access Device Magic using single sign-on will be added here. We will also assign a Device Magic user role to the users or groups.

In the example below, we will select all users or groups that will belong to the Device Magic Forms-Read-Only role we created earlier.

First select any users or groups. Then click the Select button.

Now select the Device Magic user role which will be assigned to the users or groups. Click Select and then click the Assign button.

Now you will configure the Single Sign On settings. Below Users and groups, click Single sign-on. Then, click Edit in the Basic SAML Configuration section.

Set the following values:

Identifier (Entity ID):

Reply URL (Assertion Consumer Service URL)

Sign on URL

Relay State

Logout URL

Now click the Save button.

Next, click Edit in the User Attributes & Claims section. In the section that opens, click on Add new claim.

In the Manage claim section that opens, type the following values (do not paste) and click Save.


Roles attribute (Required)

Name: roles

Value: user.assignedroles

Make sure the new attribute shows up and click Save.


Telephone attribute (Optional)

To set the Device Magic user telephone number, another claim can be added. Add a new claim and use the following values, making sure to save once set.

Name: phone

Value: user.telephonenumber

Once done, close the section. Make a note of your certificate thumbprint value (or download the Base64 certificate and use that instead) as well as the 3 configuration URLs.


Setting up SSO in your Device Magic organization

Click Organization Settings when logged in and then SAML Settings.

Enter the 3 configuration URLs and either the X.509 signing certificate or the fingerprint of the certificate that you made a note of in the earlier steps.
The Group Object IDs we noted earlier must be configured in the User Group identifier and Device Group identifier fields.

To test that your setup was successful, save and then log out. Visit https://app.devicemagic.com/users/login and select Log in with SSO.

Note: The user does not have to exist in the Device Magic Management console prior to setting up SSO. Logging in with SSO will automatically create them.

Enter the email address of an existing AD user that belongs to the Device Magic AD User Group that you configured earlier.

If everything is configured correctly, you will get the Microsoft Sign in page where you can enter your AD user's password to complete the sign in process.


Troubleshooting

If you run into a "Device Magic Internal Error" when trying to save your SAML settings or when logging in, please see below:

  • This error can occur when there is no role associated with the account. Check that the user roles set up in both Device Magic and Azure Active Directory have exactly the same name (the match is exact, including letter case).
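The following script is an added example, not part of the original article or of Device Magic's own tooling: it checks an application manifest fragment (a constructed sample in the shape the Roles step describes) for the mistakes behind the error above, namely a role value that does not exactly match a Device Magic role, a missing or reused UUID, and groupMembershipClaims not set to SecurityGroup. The role list and the UUID are placeholders you would replace with your organization's values.

```python
import json
import uuid

# Constructed sample of the manifest fragment described in the Roles step
# (the UUID is a placeholder; generate a fresh random one for a real manifest).
SAMPLE_MANIFEST = """
{
  "appRoles": [
    {
      "allowedMemberTypes": ["User"],
      "description": "Read-only access to forms in Device Magic",
      "displayName": "Forms-Read-Only",
      "id": "11111111-2222-4333-8444-555555555555",
      "isEnabled": true,
      "value": "Forms-Read-Only"
    }
  ],
  "groupMembershipClaims": "SecurityGroup"
}
"""

# Role names exactly as they exist in the Device Magic organization (constructed).
DEVICE_MAGIC_ROLES = {"Administrator", "Forms-Read-Only"}


def check_manifest(manifest_text, org_roles):
    """Return a list of problems found; an empty list means the manifest is consistent."""
    manifest = json.loads(manifest_text)
    problems = []
    if manifest.get("groupMembershipClaims") != "SecurityGroup":
        problems.append("groupMembershipClaims must be 'SecurityGroup' so group Object IDs are sent")
    seen_ids = set()
    for role in manifest.get("appRoles", []):
        value = role.get("value", "")
        # Exact, case-sensitive comparison: a mismatch leaves the SSO user with no role.
        if value not in org_roles:
            problems.append(f"role value {value!r} has no exact match in Device Magic")
        try:
            rid = uuid.UUID(str(role.get("id", "")))
        except ValueError:
            problems.append(f"role {value!r} has an invalid id; generate a random UUID")
            continue
        if rid in seen_ids:
            problems.append(f"role {value!r} reuses id {rid}; each role needs a unique id")
        seen_ids.add(rid)
        if not role.get("isEnabled", False):
            problems.append(f"role {value!r} is disabled and will not be assigned")
    return problems


if __name__ == "__main__":
    for line in check_manifest(SAMPLE_MANIFEST, DEVICE_MAGIC_ROLES) or ["manifest OK"]:
        print(line)
```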


If you have any questions or comments feel free to send us a message at support@devicemagic.com.
