Integrated authentication with Azure Active Directory

Learn how to create an application in Active Directory to authenticate via SAML

Written by Pablo Brunetti

The Digibee platform supports integration with several identity providers. Since Azure Active Directory is one of the most popular, we created this article as a support tutorial for creating and configuring the application in Azure Active Directory:

1 - Access Azure Active Directory:

2 - Open “Enterprise Applications”:

3 - Select “New Application”:

4 - Search for the “Azure AD SAML Toolkit” plugin. The application will be created with SAML protocol authentication, which we will configure in the next steps.

5 - Name the application:

6 - Open “Single sign-on” and select the SAML method.

7 - On this screen we will configure the application settings:

The first piece of information you need to send to Digibee is the “Federation Metadata XML” highlighted above. This XML file contains the application's federation details (its identifier, endpoints and signing certificate), which will be configured in your realm to enable integrated authentication. However, the “Download” button is disabled by default, because a little higher up, in “Basic SAML Configuration”, there are mandatory fields to fill in. You will only receive this information (Identifier, Reply URL and Sign on URL) from Digibee after sending the Federation Metadata XML.

This forces us to fill in these 3 fields with placeholder URLs, just to enable the Federation Metadata XML download button further down, since that file is what we need at this point.

This information is enough to meet the mandatory fields and release the “Federation Metadata XML” Download button.

As previously stated, you'll need to provide this XML to Digibee Support so that your realm can be configured. Digibee will then return the following information to you:

  • Identifier (also called Issuer),

  • Reply URL (also called Callback URL),

  • Login URL,

  • Metadata URL

With this, we can return to the mandatory fields and replace the placeholder URLs we entered earlier with the “official” ones received from Digibee Support after sending the Federation Metadata XML.

Regarding the Metadata URL, it will be necessary to upload its content as indicated below:

To do this, fetch the XML content from the Metadata URL provided by Digibee and save it in a file with an .xml extension, so you can upload it.
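Before uploading a metadata file (or sending one to Digibee), it is worth checking that it is well-formed SAML metadata and that every endpoint in it uses HTTPS, which the troubleshooting section below stresses. The following script is an added example, not part of the original article or Digibee's tooling: it parses an EntityDescriptor, reports the entityID, the role it describes (identity provider or service provider), its endpoints and the number of embedded certificates, and flags any endpoint that is not HTTPS. The sample metadata embedded in it is constructed, and its URLs are placeholders rather than real Digibee or Azure endpoints.

```python
"""Inspect a SAML metadata XML document before uploading it.

Added example (not from the original article). It parses a metadata
EntityDescriptor, lists what it describes and flags non-HTTPS endpoints.
The sample metadata below is constructed; its URLs are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def inspect_metadata(xml_text: str) -> dict:
    """Return a summary of the metadata: entityID, roles, endpoints, certs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    info = {
        "entity_id": root.get("entityID"),
        "roles": [],        # IDPSSODescriptor and/or SPSSODescriptor
        "endpoints": [],    # (element name, Location) pairs
        "certificates": 0,  # X509Certificate elements inside KeyDescriptors
        "non_https": [],    # endpoint Locations that are not https://
    }
    for role in ("IDPSSODescriptor", "SPSSODescriptor"):
        for desc in root.iterfind(f"md:{role}", NS):
            info["roles"].append(role)
            # Direct children carrying a Location attribute are the endpoints
            # (SingleSignOnService, AssertionConsumerService, SingleLogoutService, ...)
            for child in desc:
                loc = child.get("Location")
                if loc:
                    local_name = child.tag.split("}", 1)[1]
                    info["endpoints"].append((local_name, loc))
                    if not loc.lower().startswith("https://"):
                        info["non_https"].append(loc)
            info["certificates"] += len(desc.findall(".//ds:X509Certificate", NS))
    return info


def write_metadata_file(xml_text: str, path: str) -> str:
    """Validate the metadata, then save it under an .xml name ready for upload."""
    inspect_metadata(xml_text)  # raises if it is not an EntityDescriptor
    if not path.lower().endswith(".xml"):
        path += ".xml"
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    return path


# Constructed service-provider metadata used only to demonstrate the check.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.invalid/realm-placeholder">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB-placeholder-certificate</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/realm-placeholder/callback" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SP_METADATA
    summary = inspect_metadata(text)
    for key, value in summary.items():
        print(f"{key}: {value}")
    if summary["non_https"]:
        print("WARNING: non-HTTPS endpoints present; Azure requires HTTPS URLs")
```

Run it with the path of the downloaded metadata as the first argument; with no argument it inspects the constructed sample. An empty `non_https` list and at least one certificate are what you should expect from both the Azure Federation Metadata XML and the file built from Digibee's Metadata URL.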

8 - To integrate Digibee Platform groups with groups created in Active Directory, it is necessary to configure the “Attributes & Claims” section:

You need to add the “Group claim”. This means that during authentication, Active Directory will send Digibee the groups the user belongs to, making it possible to associate groups between Azure and Digibee. If you have already done the to/from mapping of groups on the platform, group integration is optional.

The chosen “Group Claim” option may affect the integration of groups with the platform. If “All groups” is chosen, all Group IDs for this user, including those from groups unrelated to this application, are sent to Digibee so that the association can occur. However, if the user belongs to a large number of groups, Active Directory will not send the list of Group IDs itself; it replaces it in the SAML response with a link, which prevents the automatic association of groups. In that case the alternative is to use the “Groups assigned to the application” option:

9 - Finally, remember that the users who will log in must be assigned to the application:

10 - Now it is possible to test the integration.

Troubleshooting:

If you have errors related to entering incorrect information, Active Directory usually returns the error on the screen itself:

In these cases, double-check that the URLs provided by Digibee were entered correctly, remembering that in Azure they must always be entered with HTTPS. Also ensure that the metadata XML file has been uploaded, as explained in step 7.

If authentication was successful but without automatic association of groups, it is possible to check the SAML Response that was sent to Digibee:

The SAML Response is always Base64-encoded and can be decoded with any Base64 tool. Because it contains the user's identity and group membership, decode it locally rather than pasting it into a public internet tool.

The list of Group IDs sent to Digibee is usually within this tag:
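The script below is an added example, not part of the original article or Digibee's tooling, that performs this check locally: it Base64-decodes a captured SAMLResponse value, walks the assertion's attribute statement and reports the Group IDs found in the Azure AD groups claim. It also recognises the situation described in step 8, where a user in many groups gets a link in place of the group list (Azure AD's `groups.link` claim), so the verdict tells you directly whether to switch to “Groups assigned to the application”. The two sample responses embedded in it are constructed and unsigned; the claim names are the real Azure AD claim URIs.

```python
"""Decode a SAML Response locally and read the Azure AD groups claim.

Added example, not from the original article: decodes the SAMLResponse
on your own machine and inspects the attribute statement for the groups
claim, or for the groups.link "overage" claim that replaces it when the
user is in too many groups. The sample responses are constructed.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Real Azure AD claim URIs: the group list, and the link sent instead of it on overage
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"


def decode_saml_response(form_value: str) -> ET.Element:
    """Turn the SAMLResponse form field into a parsed XML tree.

    The value is Base64; if it was copied from a raw HTTP POST body it is
    also URL-encoded, which unquote() undoes (and is harmless otherwise).
    """
    raw = base64.b64decode(urllib.parse.unquote(form_value))
    return ET.fromstring(raw)


def extract_groups(root: ET.Element):
    """Return (group_ids, overage_link) from the assertion's attributes."""
    group_ids, overage_link = [], None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        if attr.get("Name") == GROUPS_CLAIM:
            group_ids.extend(values)
        elif attr.get("Name") == GROUPS_LINK_CLAIM and values:
            overage_link = values[0]
    return group_ids, overage_link


def diagnose(form_value: str) -> dict:
    """Summarise what Digibee would have received for group association."""
    group_ids, link = extract_groups(decode_saml_response(form_value))
    if link:
        verdict = "overage: group list replaced by a link; use 'Groups assigned to the application'"
    elif group_ids:
        verdict = "ok: group IDs present in the groups claim"
    else:
        verdict = "missing: no groups claim; check the 'Attributes & Claims' configuration"
    return {"groups": group_ids, "overage_link": link, "verdict": verdict}


def _b64(xml_text: str) -> str:
    return base64.b64encode(xml_text.encode()).decode()


# Constructed, unsigned response skeleton used only for the demonstration.
_ENVELOPE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-placeholder" Version="2.0">
  <saml:Assertion ID="_assert-placeholder" Version="2.0">
    <saml:AttributeStatement>{attrs}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

SAMPLE_WITH_GROUPS = _b64(_ENVELOPE.format(attrs=f"""
      <saml:Attribute Name="{GROUPS_CLAIM}">
        <saml:AttributeValue>00000000-0000-4000-8000-000000000001</saml:AttributeValue>
        <saml:AttributeValue>00000000-0000-4000-8000-000000000002</saml:AttributeValue>
      </saml:Attribute>"""))

SAMPLE_OVERAGE = _b64(_ENVELOPE.format(attrs=f"""
      <saml:Attribute Name="{GROUPS_LINK_CLAIM}">
        <saml:AttributeValue>https://graph.example.invalid/users/placeholder/getMemberObjects</saml:AttributeValue>
      </saml:Attribute>"""))

SAMPLE_NO_GROUPS = _b64(_ENVELOPE.format(attrs=""))


if __name__ == "__main__":
    import sys
    # Paste the captured SAMLResponse value on stdin; without input, run the samples.
    data = sys.stdin.read().strip() if not sys.stdin.isatty() else ""
    for value in ([data] if data else [SAMPLE_WITH_GROUPS, SAMPLE_OVERAGE, SAMPLE_NO_GROUPS]):
        print(diagnose(value))
```

Feed it the SAMLResponse value captured from the browser (for example, a SAML tracer extension or the POST body in developer tools) on standard input; the `groups` list is exactly what should match the Group IDs configured on the Digibee side, and a non-empty `overage_link` confirms the large-group case from step 8.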
