Azure AD via SAML

SAML is an XML-based standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. Azure AD can act as a SAML Identity Provider, allowing users to authenticate and access applications like Mindful through a single sign-on (SSO) process.

This section covers the Azure AD SSO integration with SAML. Topics covered:

  • Setting up SAML in Azure AD
  • Adding group claims
  • Adding application roles to SAML
  • Assigning users to SAML
  • Adding an application roles claim
  • Configuring your Mindful Organization
  • Adding Role Mappings

Set up SAML in Azure AD

  1. Navigate to Azure Active Directory > Enterprise Applications, then click New Application.
  2. Select Create your own application.
  3. Name the application and make sure Integrate any other application you don't find in the gallery is selected.
  4. Once created, you will be taken to the application Overview page.

    image of the saml app overview page
  5. Click Set up Single Sign-On and choose SAML.

  6. The first box will have two required entries. Select the Edit button for this first box.

    image of the basic saml configuration page
  7. The Identifier (Entity ID) will be the Cognito user pool URN. Contact the Mindful Support team to obtain the correct value.

  8. The Reply URL will be the callback URL to Mindful. Contact the Mindful Support team to obtain this value, as well.

Add Group Claims

  1. In the second box in the Set up Single Sign-On with SAML section, click the Edit button.
  2. Click Add a group claim.
  3. Select which groups are to be included in the claim. This will depend on the client's requirements, but All Groups is a good selection for testing. The Source attribute should be Group ID.

Add Application Roles to SAML

Important: If you do not plan to use Application Roles, skip this section.

  1. From your Azure Active Directory, select App registrations.
  2. Navigate to your application.

  3. Click App roles, then click Create app role. Make sure Allowed member types is Users/Groups or Both.

screenshot of the app registrations sidebar menu

screenshot of the edit app role window

Assign Users to SAML

  1. Navigate to Enterprise Applications > Your application.
  2. Click Assign users and groups, then click Add user/group.
  3. Select the user or users to whom you wish to assign the role.
  4. Select the application role you wish to assign to the user or users (this can be the default user role if you are using groups).
  5. Click Assign.

  6. This will add another row to the Users and groups list. You should see the new row with your assigned role.

screenshot of the role selector

Add the Application Roles Claim

  1. In the second box in the Set up Single Sign-On with SAML section, click Edit.
  2. Click Add new claim.
  3. Name the new claim roles.
  4. The Source should be Attribute.
  5. The Source attribute field should be user.assignedroles.

Configure your Mindful Organization for SAML using Azure AD

Now it's time to link the Mindful Organization to your Azure AD SAML account. This step can only be performed by Mindful staff.

Add Role Mappings - Azure AD Group to Mindful

Now we need to map our Azure AD Group to Mindful roles.

  1. Click Add Role Map.
  2. If you are using Azure AD Groups: for Name, enter the Group ID of the group you created in Azure AD. To find it, go to Azure > Groups, select the group, and look for the Object ID field; this UUID is the Group ID. If you are using Azure Application Roles, enter the name of the role you created and assigned to your users.
  3. For Roles, enter the Mindful role or roles that the user will be assigned when they log in with a matching group or application role.
  4. If more roles are necessary to map, add those as well. Make sure to click Save to keep your changes.
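As an added illustration (not Mindful's or Azure's own code) of how the role mappings above resolve at login: given a SAML assertion carrying Azure AD's group claim and the roles claim configured earlier, the script collects the group Object IDs and application role names and looks each up in a role map shaped like the Add Role Map table. The group claim name is Azure AD's default; the sample assertion and role map are constructed, and the assertion is assumed to have already been signature-verified by the service provider.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Azure AD's default attribute name for the group claim; with Source attribute
# "Group ID" its values are group Object IDs. "roles" is the claim name chosen
# in the Add the Application Roles Claim steps.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
ROLES_CLAIM = "roles"

# Constructed sample assertion. Only trust these attributes after the service
# provider (here Cognito) has validated the assertion signature and audience.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>Supervisor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed role map in the shape of the Add Role Map step: Name is a group
# Object ID or an application role name, Roles are the Mindful roles granted.
ROLE_MAP = {
    "11111111-2222-3333-4444-555555555555": {"agent"},
    "Supervisor": {"supervisor", "reporting"},
}


def claim_values(assertion_xml, claim_name):
    """Return every AttributeValue string carried by the named claim."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == claim_name:
            values.extend(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
    return values


def mindful_roles(assertion_xml, role_map):
    """Resolve Mindful roles: union of all mapped groups and app roles.
    A group or role with no mapping grants nothing, so an unmapped second
    group (as in the sample) is simply ignored."""
    roles = set()
    for name in claim_values(assertion_xml, GROUPS_CLAIM) + claim_values(assertion_xml, ROLES_CLAIM):
        roles |= role_map.get(name, set())
    return roles
```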