O365/Azure AD as an identity provider
After enabling Devo as a service provider, you can set up O365/Azure AD as an identity provider for SAML SSO. To do it, follow these steps:
- Go to Azure Active Directory and select Enterprise applications under the Manage menu.
- Click New application at the top of the screen.
- Choose Non-gallery application.
- Enter a name for the application and click Add.
- In the application, select Manage → Users and groups or click 1. Assign users and groups to configure the users/groups allowed to access the application.
- Then, choose Manage → Single sign-on or click 2. Set up single sign on.
- Choose SAML as the single sign-on method.
- Then, click Edit on Basic SAML Configuration. Using the Entity ID and ACS URL from the Devo SAML2 configuration page (Preferences → Domain preferences → Authentication → SAML2), set the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) in the Azure Basic SAML Configuration page.
- Save the changes.
- (Optional) If you will be using IDP Role Mapping to map Devo Roles to Azure Groups, click Edit on User Attributes & Claims, then:
  - Click Add a group claim.
  - Choose which groups to provide in the claim.
  - Select Source attribute (default is Group ID).
  - Under Advanced options, check Customize the name of the group claim.
  - Enter groups in the Name field and save changes.
- Download the Certificate (Base64) under SAML Signing Certificate.
- Configure Devo Identity Provider Settings (Preferences → Domain preferences → Authentication → SAML2):
  - In the EntityID field in Devo, enter the Azure AD Identifier from Set up –
  - In the Single Sign-On URL field in Devo, enter the Login URL from Set up –
  - In the Add certificate field in Devo, paste the contents of the certificate downloaded in the previous step.
- (Optional) Check the User provisioning and Role mapping options in the Devo SAML2 area.
- Click Update in Devo to save the SAML2 changes.
- (Optional) In Azure SAML setup, click Test in Test single sign-on to ensure the configuration is correct.
- In the application, click Manage → Properties and copy the User access URL. This is the URL that users need in order to log in to Devo with SSO from Azure.
- (Optional) Configure IDP Role Mapping. If the Source attribute was set to Group ID, you must use the Object ID from Azure AD as the External group/role. Go to Role mapping to learn more.
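The following is an added example, not Devo's code or Azure's, that shows what the two optional steps above (the custom `groups` claim and the Object ID based role mapping) produce on the wire and why the External group/role must be the Object ID. It parses a constructed, unsigned SAML response shaped like the one Azure AD issues after the group claim is renamed to `groups`, checks that the assertion's Issuer matches the Azure AD Identifier configured as the Devo EntityID and that its Audience is the Devo Entity ID, and then resolves Devo roles from the group Object IDs. The tenant GUID, Devo Entity ID, group GUIDs and role names are placeholders; the parsing logic uses only the Python standard library.

```python
"""Added example: parse an Azure AD style SAML assertion and resolve Devo roles
from the custom "groups" claim. Not Devo's or Azure's code; all identifiers
below are constructed placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values an admin copies from the Azure "Set up" section into the Devo SAML2 page.
# Placeholders: Azure AD issues its Identifier as https://sts.windows.net/<tenant-id>/
# and the Devo Entity ID is whatever the Devo SAML2 configuration page shows.
AZURE_AD_IDENTIFIER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
DEVO_ENTITY_ID = "https://devo-sp.example.invalid/saml2/metadata"

# Role mapping table. With Source attribute = Group ID, Azure sends each group's
# Object ID (a GUID), so the keys must be Object IDs, not display names.
# Constructed GUIDs and role names.
ROLE_MAP = {
    "11111111-1111-1111-1111-111111111111": "Administrator",
    "22222222-2222-2222-2222-222222222222": "Analyst",
}

# Constructed, unsigned response. A real one carries an XML signature that must
# be verified against the Base64 certificate downloaded from Azure before any
# claim in it is trusted; that step is outside this example.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://devo-sp.example.invalid/saml2/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://devo-sp.example.invalid/saml2/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
        <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
        <saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(response_xml):
    """Return issuer, audience, NameID and attributes of the first Assertion."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)
        ]
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "attributes": attributes,
    }


def resolve_roles(parsed, expected_issuer, expected_audience, role_map, claim_name="groups"):
    """Reject assertions from another IdP or meant for another SP, then map the
    group Object IDs to Devo roles. Returns (roles, unmapped_group_ids)."""
    if parsed["issuer"] != expected_issuer:
        raise ValueError(f"issuer {parsed['issuer']!r} does not match the EntityID configured in Devo")
    if parsed["audience"] != expected_audience:
        raise ValueError(f"audience {parsed['audience']!r} is not this service provider")
    groups = parsed["attributes"].get(claim_name, [])
    roles = sorted({role_map[g] for g in groups if g in role_map})
    unmapped = sorted(g for g in groups if g not in role_map)
    return roles, unmapped


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_RESPONSE)
    roles, unmapped = resolve_roles(parsed, AZURE_AD_IDENTIFIER, DEVO_ENTITY_ID, ROLE_MAP)
    print(parsed["name_id"], "->", roles, "| unmapped groups:", unmapped)
```

The third group in the sample has no entry in the mapping table and is reported rather than silently granted, which is the behaviour to expect when a mapping was entered with a group display name instead of its Object ID. Unmapped groups in a real deployment are a quick way to spot that mistake.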