Single sign-on with Azure AD and SAML

Visit portal.office.com and click on the Admin icon

Azure portal apps

From the menu on the left click Admin centers, then choose Azure Active Directory.

Admin centers: Security & Compliance option selected

In the new window that opens, click the Azure Active Directory option in the main menu on the right of the page.

All Services options, Azure Active Directory option selected

The page will refresh and new options will appear. On the right-hand side of the page, under the Create menu, click Enterprise application.

Create options: User, Guest user, Group, Enterprise application, and App registration

Select the Non-gallery application option, give the new Azure AD SAML application a name, and click Add at the bottom of the page.

Add an application with Non-gallery tile selected

Once the application for your community has been added, you'll be taken to the Quick start menu. There are some required steps you'll need to complete:

Azure quick start menu option

Assigning a test user

This must be a user you control who can test the SSO setup once it is complete. To add this user, select the Assign a user for testing (required) option, then click Add user. This opens an Add assignment menu on the right, from which you can select Users and groups.

Users and groups with an Add user option

This opens the Users and groups menu, populated with the users in your Azure Active Directory. Click the user you wish to assign as the test user, click Select, then click Assign at the bottom of the screen.

To go back to the Quick start menu, click Enterprise applications in the main menu, select your community, then click Quick start in the menu on the right.

Create your test user

Click this option to open the Provisioning window and ensure that the Provisioning Mode is set to Manual.

Provisioning Mode set to Manual, other option is Automatic

Configure single sign on

From the Quick start menu, select the Configure single sign-on option and choose SAML-based Sign-on from the drop-down menu. Set the Identifier (Entity ID) and Reply URL fields to the values in your community's SP metadata. Both must match the metadata exactly: Azure AD compares the Entity ID against the issuer of the community's sign-in request and will only post assertions to a Reply URL it has been given. The metadata can be downloaded from https://<yourcommunityurl>/saml/module.php/saml/sp/metadata.php/crowdsaml2 or retrieved within the community from Community Settings > Authentication > Get our metadata.

Single Sign-on Mode set to SAML-based Sign-on

Finally, in the User Attributes section, click View and edit all other attributes. This is prepopulated with default attributes, which need to be deleted: select the menu dots next to each value and click Delete.

SAML token Attributes with more menu open on an attribute, and options include Delete

Next, click Add attribute and enter the Name and Value for each attribute as configured in the screenshot below:

List of metadata values

Note that Mail must be mapped to the user field that contains the user's valid email address (for example user.mail rather than user.userprincipalname, if the UPN is not set to the user's email address). Additional Name/Value mappings are permitted if you use custom fields or dynamic groups within the community.

Once this is complete, download the Metadata XML file from the Download column and save it in the community under Community Settings > Authentication > Submit your metadata. This file carries the Azure AD signing certificate the community uses to verify assertions, so whenever that certificate is rotated in Azure AD the new metadata must be submitted again or sign-ins will fail.

SAML Signing Certificate showing a certificate with three download options: base64, Raw, Metadata XML
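The two metadata documents exchanged in the steps above can be checked before anything is pasted into the Azure portal. The following is an added example, not code from the original guide or from the community product: it reads the community's SP metadata to obtain the Identifier (Entity ID) and Reply URL, reads the downloaded Azure AD Metadata XML to obtain the issuer, login URL and signing-certificate thumbprint, and flags common mistakes. The hostname community.example.com, the all-zero tenant ID and the certificate bytes are constructed placeholders, and the host-match rule is an assumption about how the community publishes its endpoints, not a SAML requirement.

```python
# Added example (not part of the original guide): parse the SP and Azure AD SAML
# metadata exchanged during setup and cross-check them. All hosts, IDs and
# certificate bytes below are constructed placeholders.
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata in the shape SimpleSAMLphp serves at
# /saml/module.php/saml/sp/metadata.php/crowdsaml2 (community.example.com is a placeholder).
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://community.example.com/saml/module.php/saml/sp/metadata.php/crowdsaml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://community.example.com/saml/module.php/saml/sp/saml2-acs.php/crowdsaml2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Azure AD federation metadata (the "Metadata XML" download). The tenant ID is
# all zeros and the X509Certificate body is base64 of the bytes b"abc", standing in for DER.
IDP_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>YWJj</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def sp_values(xml_text):
    """Return the Identifier (Entity ID) and Reply URL that Azure AD asks for, from SP metadata."""
    root = ET.fromstring(xml_text)
    identifier = root.get("entityID")
    acs = [e for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
           if e.get("Binding") == POST_BINDING]
    if identifier is None or not acs:
        raise ValueError("SP metadata lacks an entityID or an HTTP-POST AssertionConsumerService")
    return {"identifier": identifier, "reply_url": acs[0].get("Location")}


def idp_values(xml_text):
    """Return issuer, login URL and signing-certificate thumbprints from Azure AD metadata."""
    root = ET.fromstring(xml_text)
    issuer = root.get("entityID")
    sso = [e for e in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
           if e.get("Binding") == REDIRECT_BINDING]
    thumbprints = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means the key signs too
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            # SHA-1 of the DER bytes, upper-case hex: the form the Azure portal shows as Thumbprint
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    if issuer is None or not sso or not thumbprints:
        raise ValueError("IdP metadata lacks an entityID, a redirect SSO endpoint or a signing cert")
    return {"issuer": issuer, "sso_url": sso[0].get("Location"), "signing_thumbprints": thumbprints}


def check_pair(sp, idp):
    """Return a list of problems to fix before enabling SSO; an empty list means the pair looks sane."""
    problems = []
    for label, url in (("Identifier", sp["identifier"]), ("Reply URL", sp["reply_url"]),
                       ("SSO URL", idp["sso_url"])):
        if urlparse(url).scheme != "https":
            problems.append("%s is not https: %s" % (label, url))
    # Assumption: the community publishes its entity ID and ACS on the same host.
    if urlparse(sp["identifier"]).hostname != urlparse(sp["reply_url"]).hostname:
        problems.append("Identifier and Reply URL point at different hosts")
    if not idp["issuer"].startswith("https://sts.windows.net/"):
        problems.append("issuer does not look like an Azure AD tenant: %s" % idp["issuer"])
    tenant = idp["issuer"].rstrip("/").rsplit("/", 1)[-1]
    if tenant not in urlparse(idp["sso_url"]).path:
        problems.append("issuer tenant %s does not appear in the SSO URL" % tenant)
    return problems


if __name__ == "__main__":
    sp, idp = sp_values(SP_METADATA), idp_values(IDP_METADATA)
    print("Identifier (Entity ID):", sp["identifier"])
    print("Reply URL:", sp["reply_url"])
    print("Azure AD issuer:", idp["issuer"])
    print("Login URL:", idp["sso_url"])
    print("Signing cert thumbprint(s):", ", ".join(idp["signing_thumbprints"]))
    for problem in check_pair(sp, idp):
        print("PROBLEM:", problem)
```

Run it against the real files by replacing the two constructed strings with the contents of your community's metadata download and the Azure AD Metadata XML; the printed thumbprint should match the Thumbprint shown on the SAML Signing Certificate card in the portal, which confirms the file you are about to submit is the one Azure AD is actually using.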

Finally, once SSO has been configured, add the remaining users and groups that should have access, following the same steps as for assigning a test user, above. Check on the application's Properties page that User assignment required? is set to Yes; otherwise these assignments do not restrict who can sign in, and any user in the tenant could authenticate to the community.

Mobile set up

To complete the setup for mobile devices, a second SAML configuration must be created as a separate enterprise application. Follow the steps on this page up to "Configure single sign on".

At this point, enter the following details for Identifier and Reply URL:

Identifier: https://mobile.crowdicity.com/entityDescriptor.xml

Reply URL: https://mobile.crowdicity.com/proxy/saml

Then continue following the guide.

When you have the Metadata XML for this second SAML configuration, upload it to the community under Community Settings > Authentication > Submit your metadata.

Important: This metadata should be submitted under the Mobile metadata section.