Set up Liongard Single Sign-on (SSO) with Azure Active Directory

Overview

This document outlines the steps required to configure Azure Active Directory as a Single Sign-On (SSO) provider for Liongard.

For more information, please review Microsoft's Documentation.

❗️

NameID Attribute for Authentication

Liongard uses the NameID attribute for authentication. This means that Usernames in your SSO platform must match the Usernames in Liongard exactly in order for SSO to function properly.

Liongard also sends the NameID in the format SAML:1.1:nameid-format:unspecified to your Identity Provider to allow it to select the claim format. Please note, if the format is unspecified, Azure Active Directory issues the NameID as a pairwise identifier by default. For more details regarding Microsoft’s documentation on NameID Policy, please see Azure Single Sign On SAML Protocol - Microsoft identity platform documentation under the NameIDPolicy section.

The NameID format can be customized using the Azure portal (see reference from Microsoft’s documentation: Customize app SAML token claims - Microsoft identity platform).

Set up Liongard Single Sign-on (SSO) with Azure Active Directory

Before proceeding, confirm the Usernames in Liongard for all the accounts for which you would like to enable SSO.

  1. Log in to portal.azure.com

  2. Select Azure Active Directory

  3. Select Enterprise Applications from the left-hand menu

  4. Select New Application on the main toolbar

  5. Select Create your own Application

  6. Give the application a name ("Liongard SSO" is recommended) and select Integrate any other application you don't find in the gallery (Non-gallery)

  7. Return to Enterprise Applications and refresh the browser if the new application does not show up

  8. Select the new application

  9. Select Single Sign-on in the left-hand menu

  10. Select SAML

  11. In the Basic SAML Configuration section, select Edit.

  12. Leave your Azure AD window open, and in a separate browser, log in to Liongard.

  13. In Liongard, navigate to Account Name > Company Settings > Select SSO Setup on the left-hand side.

  14. In the Azure Portal, complete the following fields in the Basic SAML Configuration section using the settings from Liongard's SSO Setup page.
      • Identifier (Entity ID) = Liongard Entity ID
        • Check the Default checkbox
      • Reply URL (Assertion Consumer Service URL) = Liongard ACS (Consumer) URL
        • Check the Default checkbox
      • Sign on URL = Liongard Service Provider Login URL
      • Logout Url = Liongard Single Log Out URL

  15. In the Azure Portal, copy the App Federation Metadata URL and paste it into the Liongard SSO settings under Metadata URL. Click Get Metadata.

  16. In the Azure Portal, select Users and groups in the left-hand menu. Then, select Add user/group in the main toolbar.

  17. Add any users or groups that should have Liongard Single Sign-On capabilities. Liongard recommends adding at least one Global Administrator in the Exclude Users list during the setup and testing of SSO.

  18. Select Save.
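To check the NameID requirement described above once the setup is saved, the following Python script inspects the base64 `SAMLResponse` form field captured from one of your own test logins and reports why its NameID would not match a Liongard Username. It is an added example, not Liongard or Microsoft code. The usernames and sample responses are constructed, and it assumes Azure AD's pairwise identifier arrives with the SAML 2.0 `persistent` format.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: Azure AD's pairwise identifier arrives with the SAML 2.0 "persistent" format.
PAIRWISE = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def check_nameid(saml_response_b64, liongard_usernames):
    """Diagnose the NameID in a base64 SAMLResponse; returns (name_id, format, problems).

    Diagnostic only: it does not verify the signature, so use it on responses
    captured from your own test logins, never to make an authentication decision.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None:
        return None, None, ["no NameID found (assertion may be encrypted)"]
    name_id, fmt = (node.text or "").strip(), node.get("Format", "")
    problems = []
    if fmt == PAIRWISE:
        problems.append("IdP issued a pairwise identifier, not a username")
    if name_id not in liongard_usernames:
        folded = {u.casefold() for u in liongard_usernames}
        if name_id.casefold() in folded:
            problems.append("NameID matches a Liongard username only when case is ignored")
        else:
            problems.append("NameID matches no Liongard username")
    return name_id, fmt, problems

def sample_response(name_id, fmt):
    """Build a minimal, unsigned SAMLResponse (constructed test input)."""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           f'<saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
           '</saml:Subject></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    users = {"alice@example.com"}  # constructed Liongard usernames
    email = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    for nid, fmt in [("k3Jx0constructedPairwiseValue=", PAIRWISE),
                     ("Alice@Example.com", email), ("alice@example.com", email)]:
        print(check_nameid(sample_response(nid, fmt), users))
```

An empty problem list means the NameID is a candidate for an exact Username match; a pairwise result means the NameID claim still needs to be customized in the Azure portal as described in the NameID note.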