To allow users in your organization's Azure AD to sign up (and sign in) to Gluu with ease, you need to do the following:
Tip! If you're creating a new account, you can sign up with Microsoft (the button with the Microsoft logo). This adds your organization's Azure 'tenant ID' automatically. Note that this is only possible if your company's security policy allows you to add new applications (typically you need to be an AD Admin user).
Step 1: Approve Gluu as an app in your Azure AD
Log in to your Azure portal (as administrator).
Approve Gluu as an app in your Azure Active Directory admin center (see the example below).
Log in to Gluu (as Account Owner) and go to 'Account and users'. Click the 'Authentication' widget inside Gluu (see the image below).
NOTE! It's important that the Gluu Account Owner and the AD administrator are the same user (same email).
Add your Azure AD Tenant ID.
Want to limit access to members of specific AD groups?
This is useful if you're part of a large organisation but only a smaller group of users will use Gluu, or if you want to run multiple Gluu accounts and give different groups access to each.
By default, Gluu allows any member of the tenant ID to sign up and sign in. If you add a group, users trying to sign up are only allowed access if they 1) use an email that is in your organization's Azure AD and 2) are a member of one of the allowed groups.
To add groups you just need to:
1. Add the text "Gluu.LoginRole" inside "limit access to members of..."
2. Go to the Azure Portal and find "Enterprise Applications".
3. Find the Gluu App with the Application Id "eed8bb18-66fe-49e9-bca5-2d90d9a92c75". It only shows after you have logged on to Gluu with a Microsoft Login prior to this.
4. Go to the tab "Users and groups" on the Gluu App under Enterprise Applications.
5. Click "Add User/group".
6. Pick the user or group that should be allowed to log in to Gluu. Under "Role", make sure "Restricted Login" is either greyed out (the only option) or selected, if more options are shown.
To validate, you should now have an entry like this:
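The same assignment (steps 2 to 6 above, plus the validation listing) can be scripted instead of clicked through. This is an added example, not Gluu's own code; it assumes the Microsoft.Graph PowerShell module, an AD admin session, that the app role is named "Restricted Login" as in step 6, and a placeholder group name you replace with your own.

```powershell
# Added example (not Gluu's code): assign an AD group to the Gluu enterprise app
# in the "Restricted Login" role, then list the resulting assignments.
Connect-MgGraph -Scopes "Application.ReadWrite.All","Group.Read.All","AppRoleAssignment.ReadWrite.All"

$gluuAppId = "eed8bb18-66fe-49e9-bca5-2d90d9a92c75"   # Application Id from step 3
$groupName = "Gluu Users"                             # placeholder: your allowed AD group

# The enterprise app (service principal) only exists once someone has signed in
# to Gluu with a Microsoft login, so stop with that hint if it is missing.
$sp = Get-MgServicePrincipal -Filter "appId eq '$gluuAppId'"
if (-not $sp) { throw "Gluu enterprise app not found; sign in to Gluu with Microsoft once, then retry." }

# The "Restricted Login" app role defined on the Gluu app (name as in step 6)
$role = $sp.AppRoles | Where-Object { $_.DisplayName -eq "Restricted Login" }
if (-not $role) { throw "Role 'Restricted Login' not defined on the Gluu app." }

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found." }

# Steps 5 and 6: assign the group to the Gluu app in the Restricted Login role
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $role.Id | Out-Null

# Optional hardening (not in the article): make Azure AD itself refuse sign-in
# for unassigned users, instead of relying only on Gluu's group/role check.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Validation (the "entry like this" above): who is assigned, and in which role
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, @{n='Role'; e={
        ($sp.AppRoles | Where-Object { $_.Id -eq $_.AppRoleId }).DisplayName }}
```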
Now users that are in your Azure AD can easily sign up and sign in to your organisation's Gluu account.
Step 2: Your users can sign in to Gluu
When you're ready to deploy, send the users you want to invite an email with a link to https://secure.gluu.biz/#/login and ask them to click the button with the Microsoft logo:
Each user is then authenticated against your Azure AD (and any specific groups that you added). If the user's email matches and the user is in an allowed group, they enter Gluu and the user is created automatically in your Gluu account.
From then on, they can enter Gluu by clicking the Microsoft button. Users don't have to create any separate passwords.
Adding roles and rights
Roles and rights have to be added to the user after he or she has accessed and been set up. See this article on managing rights.
How to revoke access
Access remains granted until the user is removed from your Azure AD domain and/or from the groups you have allowed. So, if you want to stop a user from accessing Gluu, remove them from your Azure AD (or from the allowed groups).
Authenticating users that are already in Gluu
If a user was added before the AD integration was set up, that user can also sign in by clicking the Microsoft sign-in button.
We match the Microsoft sign-in with the e-mail the user is registered with in Gluu. If the user's Microsoft sign-in e-mail differs from the one registered in Gluu, you can change the user's e-mail in Gluu.
Tip! If you want to add roles and rights to users before they sign in, then add them to Gluu manually first - without inviting them. You can then send out a common email with the link and instructions to sign in by clicking the Microsoft sign-in button. Gluu can help you import larger sets of users. Just send the list to our helpdesk.
Tags: Integrations, IT Support, Technical