Skip to main content

Configuring Single Sign-On with SAML2 with SCIM Provisioning with Entra Id

Sam Lewis

Microsoft Entra ID

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal-setup-sso

 

Prerequisites

When you use SAML as the SSO mode with provisioning, you need to contact our support team to enable the SSO feature.

 

SAML Supported features

  • IdP-initiated SSO
  • SP-initiated SSO (https://YOURINSTANCE.smartersends.com/login)
  • Just-In-Time provisioning

 

SCIM Supported features

  • Create users
  • Update user attributes
  • Deactivate users
  • Import users
  • Profile sourcing
  • Group push

 

Read this before you enable SAML

Enabling SAML affects all users who use this app. Users won't be able to sign in through their regular sign-in page. They are able to access the app through the connected SSO service.

 

Backup URL

SmarterSends doesn't provide a backup sign-in URL where non-admin users can sign in using their regular username and password. If necessary, an administrator can log-in using a backup url, please reach out to support@smartersends.com for instructions on utilizing this feature.

 

SAML2 Configuration steps

  1. Log into your Azure portal at https://portal.azure.com
  2. Click on Enterprise Applications
  3. Click New application
  4. Click “Create your own application”
  5. Name your application: “SmarterSends”
  6. Select “Integrate any other application you don't find in the gallery (Non-gallery)
  7. Click Create. This will add the application to your Entra ID directory
  8. Click on the Single sign-on under the Manage section in the left sidebar.
  9. Select the SAML method.
  10. Under the “Basic SAML Configuration” click Edit.
  11. Add an Identifier with the following value, replacing “xyz” with your instances sub-domain:
    https://xyz.smartersends.com/auth/saml2
  12. Add a Reply URL value, replacing “xyz” with your instances sub-domain:
    https://xyz.smartersends.com/auth/saml2/callback
  13. Add the Sign on URL, replacing “xyz” with your instances sub-domain
    https://xyz.smartersends.com/auth/saml2/callback
  14. Leave the Relay State and Logout Url blank
  15. Click Save.
  16. Under the Attributes & Claims section click Edit.
  17. Click the “Unique User Identifier” under Required Claim.
  18. Change the “Name identifier format” to Unspecified and the Source attribute to user.objectid. Click save.
  19. Modify the Additional Claims to match the following supported attributes:
Name Value
http://schemas.xmlsoap.org/claims/CommonName user.displayname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress user.mail
phone user.telephonenumber
address user.streetaddress
city user.city
state user.state
zipcode user.postalcode
country user.countryCode
department user.department
SSGroups Groups starting with "SSG-"
SSRole user.assignedroles

 

  1. Click the Add a group claim link.
  2. Select the Groups assigned to the application
  3. Change the Source attribute to “Cloud-only group display names”
  4. Under the Advanced options you can define the filter groups to match the following:
  5. You can now close the Attributes and Claims section.
  6. You must create App Roles that match the roles setup within SmarterSends. The default roles within SmarterSends include spaces in their names and must be updated as Entra ID does not support spaces in the Role values.
  7. Sign in to SmarterSends with an Admin account.
  8. Navigate to Integrations -> SSO.
  9. Specify the following:
    1. Single Sign-On Provider: SAML2 with SCIM
    2. Default Role: Select a role that will be assigned to any user that does not pass a specific role.
    3. Default Group: Select a group that will be assigned to any user that does not pass a specific group.
    4. Metadata URL: Under the “SAML Certificates” section copy the App Federation Metadata Url and paste into your SmarterSends SSO integration under Metadata URL.
    5. Entity ID: Under the “Set up SmarterSends section copy the Microsoft Entra Identifier and paste into your SmarterSends SSO integration under Entity ID.
  10. Click "Save".
  11. The SAML setting is complete in SmarterSends. You can now assign groups and users to the application in Entra and test the SSO process.
  12. In Entra ID, open the application you created and click the App roles under Manage.
  13. Add App Roles to match the roles you have configured within SmarterSends. The role assigned to a user in Entra will be applied to the role within SmarterSends.

SCIM Integration Steps

  1. Back in the application you created in Azure, click the Provisioning link.
  2. Click Get started
  3. Choose Manual or Automatic Provisioning mode.
  4. Under the Admin Credentials
    1. Tenant URL: copy and paste the SCIM Base URL found in your SSO settings in SmarterSends.
    2. Secret Token: copy and paste the SCIM Bearer Token found in your SSO settings in SmarterSends.
    3. Click the Test Connection button.
  5. Click the Save button then the X button.
  6. Under the Manage section on the left, click Provisioning.
  7. Now you can update the Mappings.
  8. Click the “Provision Microsoft Entra ID Groups”
  9. Click the Delete button next to the attribute “externalId”
  10. Click Save at the top of the page then the X button.
  11. Click the Provision Microsoft Entra ID Users
    1. Change the Source attribute for the userName attribute to mail or the attribute you use for a user’s email address.
    2. Click the “Show advanced Options” checkbox.
    3. Click the Edit attribute list for customappsso
    4. Add CommonName as a string attribute like so:
    5. Click Save to save the custom attribute list.
    6. Change the Target attribute for the displayName to CommonName
  12. Click Save to save the Attribute Mapping.
  13. You should be ready to set the Provisioning Status to On and start testing the SCIM integration by assigning users and groups to the application.

 

Comments

0 comments

Article is closed for comments.

Powered by Zendesk