This guide is for users looking to configure their Azure Active Directory identity provider with HandsHQ to enable SAML Single sign-on.
This is a brief overview of how to configure the setup. Please refer to the Azure Active Directory Support Documentation for more information on how to use this service.
Configure Azure AD with HandsHQ
Add the HandsHQ app to Azure
Add HandsHQ to your Azure portal.
Open Azure
Select Enterprise applications
Land on the All applications section
Click New application ⇒ Create your own application
Add the name of the application HandsHQ
Choose Integrate any other application you don’t find in the gallery (non-gallery) ⇒ Create
Set up SAML SSO in HandsHQ
Next you'll need to set up SAML SSO in Settings ⇒ Single Sign-on.
Enable SSO on HandsHQ
Open HandsHQ
Select Settings at the top of the screen.
In the Single Sign-on section, click Enable SAML SSO.
Scroll down and change "Identity provider" to Azure Active Directory
If you cannot locate this, please contact your customer success manager to enable the feature.
Set up HandsHQ in Azure
Copy Service provider metadata URL
Return to Azure and select Single sign-on in the panel
Select SAML from options
Under Basic SAML Configuration, click Edit to make changes
Paste the copied URL into the Identifier (Entity ID) field
Go back to HandsHQ and copy the Service provider single sign-on URL
Return to Azure and paste it into Reply URL (Assertion consumer service URL)
Click Save at the top of the screen
Field to copy from HandsHQ | Paste into equivalent field in Azure |
Service provider metadata URL | Identifier (Entity ID) |
Service provider single sign-on URL | Reply URL (Assertion consumer service URL) |
Set up attributes & claims in Azure
To ensure that HandsHQ can verify user information, you must set up the Attributes and Claims section in Azure. This also helps enable Just-in-time provisioning.
In Azure, find the Attributes & Claims section
Click Edit to set up both the Required and Additional claims exactly as per the screenshot below:
Attributes and claims must be configured. Make sure the claim name and values are set up exactly as per the screenshot above (even if just-in-time provisioning won't be used).
Tip: leave the "Namespace" section blank for each claim. You can do so by editing the claim and deleting the URL from here - make sure you save the changes.
Set up Azure in HandsHQ
In Azure, find the SAML certificates section and copy the App Federation Metadata Url
Paste it into a new tab in your browser ⇒ Find X509 Certificate ⇒ Copy it
Go back to HandsHQ and paste it into the Identity provider certificate field
Note: make sure to delete the <X509Certificate> and </X509Certificate> tags from the start and end of the certificate
Return to Azure ⇒ Find the Set up HandsHQ section ⇒ Copy Login Url field
Go back to HandsHQ and paste it into the Identity provider single sign-on URL field ⇒ Save changes
Field to copy from Azure | Paste into equivalent field in HandsHQ |
X509 Certificate (see above how to find it) | Identity provider certificate |
Login URL | Identity provider single sign-on URL |
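Copying the certificate by hand from a browser tab makes it easy to pick up a tag fragment or to take the wrong key. The following Python sketch is an added example, not HandsHQ or Microsoft code: it pulls the signing certificate out of a saved copy of the federation metadata, strips tags and whitespace, and computes the SHA-1 thumbprint so it can be compared with the Thumbprint shown next to the certificate in Azure before pasting. The function names and the embedded sample metadata (placeholder bytes instead of a real certificate) are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
        {SAMPLE_B64[:24]}
        {SAMPLE_B64[24:]}
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def signing_certificates(metadata_xml):
    """Return the base64 body of each IdP signing certificate, tags and whitespace removed."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("SAML metadata should not contain a DTD")
    root = ET.fromstring(metadata_xml)
    certs = []
    for key in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if key.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for node in key.findall(".//ds:X509Certificate", NS):
            body = "".join((node.text or "").split())
            base64.b64decode(body, validate=True)  # raises on stray characters
            if body not in certs:
                certs.append(body)
    return certs


def thumbprint(cert_b64):
    """SHA-1 over the DER bytes, upper-case hex, for comparison with Azure's Thumbprint."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()


if __name__ == "__main__":
    for cert in signing_certificates(SAMPLE_METADATA):
        print(thumbprint(cert), cert)
```

If more than one certificate is returned, the tenant has more than one signing certificate published; paste the one whose thumbprint matches the active certificate in Azure.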
Add users to Azure
Now return to Azure, go to Enterprise applications, and select Assign users and groups
Click Add user/group ⇒ None selected ⇒ Select users you want to add to HandsHQ ⇒ Select ⇒ Assign
You’re all set, users can now log into HandsHQ using Single Sign-on.
💡 Please note, you will also need to give users permission to access divisions in HandsHQ. You can do so either through HandsHQ Settings ⇒ Users or via the email you’ll receive.