EM SAML SSO Integration
Introduction

Entity Management (EM) supports Security Assertion Markup Language (SAML) single sign-on (SSO). The following information provides the steps required to configure SAML SSO. EM supports integration with Azure AD for SAML SSO out of the box. This document covers the most common configuration components; refer to the information provided by Azure AD for additional considerations and configurations.

How does SAML SSO work?

SAML SSO works by transferring the user's identity from the identity provider (IdP) to the service provider (SP) through an exchange of digitally signed XML documents (i.e., requests and responses). The authentication sequence for SAML SSO integration with EM is:

1. The end user initiates log in to the Kingland application.
2. The request is received by the service provider (Kingland).
3. The service provider creates a SAML request to the identity provider (Azure AD).
4. The identity provider identifies the user, creates a SAML response and sends it to the service provider.
5. The service provider verifies the SAML response and logs the user in.

What information does Kingland provide?

Kingland provides the following data elements to assist in configuring the SAML SSO integration with EM.

Sign-on URL
  Example: <url>/saml/login success
  Description: The location where the end user connects to the service provider and begins the log-in process.

Reply URL
  Example: <url>/saml/sso
  Description: The location where the authorization server sends the user once the app has been successfully authorized and granted an authorization code or access token.

Log-out URL
  Example: <url>/saml/singlelogout
  Description: The location where a user is directed once they have signed out of the application.

How do I register an SSO application?
The values provided by Kingland are used in the registration of the application.

1. Sign in to your Azure account through the Azure portal.
2. Select Azure Active Directory.
3. Select App registrations.
4. Select New registration.
5. Enter the name of the application.
6. Select a supported account type, which determines who can use the application.
7. Select Web for the type of application you want to create.
8. Enter the reply URI provided by Kingland.

What information do I need to provide?

The client provides the following data elements to ensure successful setup of the SAML SSO integration with EM.

Directory (tenant) ID
  This is the tenant ID assigned to the application in Azure AD.

Application (client) ID
  This is the client ID assigned to the application in Azure AD.

Certificate file
  Upload the certificate file to be used to authenticate the application into Azure AD.

Client secret
  This is the client secret configured for the application in Azure AD, if used.

Where do I get the tenant ID and client ID values?

The information necessary to configure SAML SSO integration with EM is generated when the application is registered in the client's Azure account.

1. Sign in to your Azure account through the Azure portal.
2. Select the Azure Active Directory option.
3. From App registrations in Azure AD, select the desired application.
4. Copy the Application (client) ID and the Directory (tenant) ID values and keep them for setup purposes.

How do I configure authentication?
There are two options available for authentication: 1) certificate-based authentication and 2) password-based authentication (application secret). The recommended method is using a certificate, but an application secret may also be created. The certificate may be an existing certificate to be used for the application, or a new certificate may be generated in Azure AD.

Upload an existing certificate

1. Select Azure Active Directory.
2. From App registrations in Azure AD, select the desired application.
3. Select Certificates & secrets.
4. Select Certificates > Upload certificate and select the applicable certificate.
5. Select Add.
6. After registering the certificate with the application in the application registration portal, enable the client application code to use the certificate.

Create an application (client) secret

1. Select Azure Active Directory.
2. From App registrations in Azure AD, select your application.
3. Select Certificates & secrets.
4. Select Client secrets > New client secret.
5. Enter the description of the new client secret and set a duration.
6. Click Add to save the client secret. The value of the client secret is displayed after it is created. Be sure to copy the value of the client secret (key) because it cannot be retrieved later. Store the key value where your application can retrieve it.

Where do I obtain the generated certificate information?

As part of registering an application for SAML-based single sign-on, Azure AD generates a certificate that is valid for three years unless an existing certificate is uploaded.

1. Select the Single sign-on option in the left menu. The Single Sign-On with SAML preview page is presented.
2. Click the applicable download link provided in the SAML Signing Certificate section, based on the certificate type desired. The following types are available:

Base64
  Formatted as a base64-encoded text file.

Raw
  Formatted as a binary file.

Federation Metadata XML
  This option may be available based on the application and is formatted as an XML file.
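Step 5 of the sequence in the introduction is where the service provider uses the IdP signing certificate obtained above. As an added example that is not Kingland's or Azure AD's code, the following Python performs the structural checks an SP should make on a SAML response (Destination equals the reply URL, InResponseTo matches the request it issued, Success status, a single assertion from the expected issuer, validity window, audience) before verifying the XML signature with that certificate; the host names, the entity ID and the issuer value are assumptions, and the response is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumed SP settings: a hypothetical host stands in for <url> from the table above
REPLY_URL = "https://em.example.com/saml/sso"      # must match the Response Destination
AUDIENCE = "https://em.example.com"                # the SP entity ID the IdP was told about
IDP_ISSUER = "https://idp.example.com/"            # placeholder for the Azure AD issuer value

def _ts(s):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_response(xml_text, expected_request_id, now):
    """Return failed checks; [] means go on to verify the XML signature with the IdP cert."""
    fails, root = [], ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    if root.get("Destination") != REPLY_URL:
        fails.append("Destination is not our reply URL")
    if root.get("InResponseTo") != expected_request_id:  # ID stored when the SP sent step 3
        fails.append("InResponseTo does not match the request we issued")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        fails.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return fails + ["expected exactly one Assertion"]
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ISSUER:
        fails.append("Issuer is not the configured IdP")
    if a.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        fails.append("no XML signature present")  # presence only; the value is verified later
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        fails.append("assertion is outside its validity window")
    auds = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if AUDIENCE not in auds:
        fails.append("our entity ID is not in the AudienceRestriction")
    return fails

# Constructed sample response; the empty ds:Signature stands in for the real IdP signature
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{REPLY_URL}" InResponseTo="_req1">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{IDP_ISSUER}</saml:Issuer><ds:Signature/>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)  # constructed "current time"
```

Verifying the signature itself (XML-DSig over the assertion, using the downloaded Base64 or Raw certificate) needs an XML security library and is deliberately outside this block; none of the checks above substitute for it.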