Overview

This document outlines the steps required to configure Azure Active Directory as a Single Sign-On (SSO) provider for Liongard.

For more information, please review Microsoft's Documentation.

❗️

NameID Attribute for Authentication

Liongard uses the NameID attribute for authentication. This means that Usernames in your SSO platform must match the Usernames in Liongard exactly in order for SSO to function properly.

Liongard also sends the NameID in the format SAML:1.1:nameid-format:unspecified to your Identity Provider to allow it to select the claim format. Please note, if the format is unspecified, Azure Active Directory issues the NameID as a pairwise identifier by default. For more details regarding Microsoft’s documentation on NameID Policy, please see Azure Single Sign On SAML Protocol - Microsoft identity platform documentation under the NameIDPolicy section.

The NameID format can be customized using Azure portal (see reference from Microsoft’s documentation: Customize app SAML token claims - Microsoft identity platform).

Set up Liongard Single Sign-on (SSO) with Azure Active Directory

Before proceeding, confirm the Usernames in Liongard for all the accounts you would like to enable SSO.

1. Log in to portal.azure.com

2. Select Azure Active Directory

3. Select Enterprise Applications from left-hand menu

4. Select New Application on the main toolbar

5. Select Create your own Application

6. Give the application a name ("Liongard SSO" is recommended) and select Integrate any other application you don't find in the gallery (Non-gallery)

7. Return to Enterprise Applications and refresh the browser if the new application does not show up

8. Select the new application

9. Select Single Sign-on in the the left-hand menu

10. Select SAML

11. In the Basic SAML Configuration section, select Edit.

12. Leave your Azure AD window open, and in a separate browser, log in to Liongard.

13. In Liongard, navigate to Account Name > Company Settings > Select SSO Setup on the left-hand side.

14. In the Azure Portal, complete the following fields in the Basic SAML Configuration section using the settings from Liongard's SSO Setup page.

• Identifier (Entity ID) = Liongard Entity ID
  • Check the Default checkbox
• Reply URL (Assertion Consumer Service URL) = Liongard ACS (Consumer) URL
  • Check the Default checkbox
• Sign on URL = Liongard Service Provider Login URL
• Logout Url = Liongard Single Log Out URL

15. In the Azure Portal, copy the App Federation Metadata URL and paste it into the Liongard SSO settings under Metadata URL. Click Get Metadata.

16. In the Azure Portal, select Users and groups in the left-hand menu. Then, select Add user/group in the main toolbar

❗️

NameID Attribute for Authentication

Liongard uses the NameID attribute for authentication. This means that Usernames in your SSO platform must match the Usernames in Liongard exactly in order for SSO to function properly.

Liongard also sends the NameID in the format SAML:1.1:nameid-format:unspecified to your Identity Provider to allow it to select the claim format. Please note that Azure Active Directory issues the NameID as a pairwise identifier by default if the format is unspecified. For more details regarding Microsoft’s documentation on NameID Policy, please see Azure Single Sign On SAML Protocol - Microsoft identity platform documentation under the NameIDPolicy section.

The NameID format can be customized using Azure portal (see reference from Microsoft’s documentation: Customize app SAML token claims - Microsoft identity platform).

17. Add any users or groups that should have Liongard Single Sign-On capabilities. Liongard recommends adding at least one Global Administrator in the Exclude Users list during the setup and testing of SSO.

18. Select Save.