SSO Entra ID (SAML) Reference
Who is this guide for?
This guide provides essential information for configuring SSO integration with Entra ID.
Important
The following instructions assume you have the necessary permissions to make changes in the Azure portal.
Overview
SAML (Security Assertion Markup Language) is an XML-based standard used for single sign-on (SSO): users log in once and can then access multiple applications without reauthenticating. A SAML authentication involves two main entities:
- Service Provider: The application the user is attempting to access. In our case, this is RAC/M Identity.
- Identity Provider: Responsible for authenticating the user and transmitting their identity to the service provider. Here, we use Microsoft Entra ID as the identity provider.
SAML Flow
- The unauthenticated user attempts to access an application (the service provider).
- The service provider identifies the identity provider (IdP) to use, builds a SAML authentication request and redirects the user's browser to the IdP login page with that request.
- The user enters their credentials on the identity provider's authentication portal.
- The identity provider validates the user's credentials and generates a SAML response containing an authentication assertion, signed with the IdP's signing certificate.
- The browser posts the SAML response to the service provider's reply URL. The service provider validates it before authorizing the user: the signature must verify against the IdP certificate, the response must be addressed to the service provider (destination and audience), it must answer a request the service provider actually issued, and it must be within its validity window.
- The user is now authenticated and can access the application.
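The checks listed in the last validation step, as an added example that is not part of RAC/M Identity or its code base. It decodes a constructed SAMLResponse (the base64 form field the browser posts to the reply URL) and rejects it if the Destination, Recipient, Audience, InResponseTo, Issuer or validity window is wrong. The hosts, the request ID `_req42`, the user `jdoe@mycompany.com` and the issuer `https://sts.windows.net/<tenant-id>/` are assumptions taken from the sample values in this guide; the ds:Signature body is a placeholder, so the example only checks that a signature is present and must run after an XML-DSig library has verified it against the certificate from the federation metadata.

```python
import base64
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values from this guide's sample deployment (hypothetical hosts).
REPLY_URL = "https://racm.mycompany.com/gui/loginSamlCallback.action"
SP_ENTITY_ID = "https://my-company-host"
# Assumed IdP issuer: Entra ID issues as https://sts.windows.net/<tenant-id>/ (guide's sample tenant).
IDP_ISSUER = "https://sts.windows.net/8568938f-a8b6-9981-f67e-84848f092389/"

# Constructed sample of what the IdP posts back; the ds:Signature body is a placeholder.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
  Destination="{REPLY_URL}" InResponseTo="_req42">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>jdoe@mycompany.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{REPLY_URL}"
          NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def encode(xml_text):
    """Base64-encode as the browser would send it in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()


def _ts(value):
    # SAML timestamps are UTC; Entra ID may add fractional seconds, which are dropped here.
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(saml_response_b64, outstanding_request_ids, now,
                      sp_entity_id=SP_ENTITY_ID, reply_url=REPLY_URL, idp_issuer=IDP_ISSUER):
    """Return the list of failed checks; an empty list means the assertion may be used for login.

    Run this after the XML signature has been verified against the certificate from the
    federation metadata: presence of ds:Signature is checked here, its validity is not."""
    failures = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    if root.get("Destination") != reply_url:
        failures.append("Destination does not match replyURL")
    if root.get("InResponseTo") not in outstanding_request_ids:   # unsolicited or replayed response
        failures.append("InResponseTo does not match a request we issued")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        failures.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return failures + [f"expected exactly one assertion, got {len(assertions)}"]
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != idp_issuer:
        failures.append("assertion Issuer is not the configured IdP")
    if a.find("ds:Signature", NS) is None:
        failures.append("assertion is not signed")
    cond = a.find("saml:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    noa = cond.get("NotOnOrAfter") if cond is not None else None
    if nb is None or noa is None or not (_ts(nb) <= now < _ts(noa)):
        failures.append("assertion is outside its validity window")
    audiences = [] if cond is None else [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:   # assertion minted for some other service provider
        failures.append("Audience does not include our Entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != reply_url:
        failures.append("SubjectConfirmationData Recipient does not match replyURL")
    if scd is None or scd.get("NotOnOrAfter") is None or now >= _ts(scd.get("NotOnOrAfter")):
        failures.append("bearer confirmation has expired")
    return failures


def subject_name_id(saml_response_b64):
    """Identifier to look up in the configured APPLICATION_ACCOUNT column; call only after validation passes."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
```

The request ID set passed as `outstanding_request_ids` is what makes replay detection work: a service provider that does not remember the IDs of the requests it issued cannot tell a fresh response from a captured one that is still inside its validity window.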
Setup in the Azure portal
- Access the Azure portal at https://portal.azure.com/.
- In the service search bar, type Enterprise Applications.
- Click on New Application.
- Select Create your own application, then enter a name for the application. Click Create to confirm.
- In the service search bar, type App registrations.
- Select the newly created application from the list.
- Click on Authentication, then Add a platform, and finally select Web.
- In Redirect URIs, enter the RAC/M Identity domain name followed by /gui/loginSamlCallback.action (e.g., https://racm.mycompany.com/gui/loginSamlCallback.action). Note this value for future use.
- Then, click Configure.
- Click on the Expose an API tab, then select Set Application ID URI.
- Enter an ID for the application and note this value: it becomes the Identifier (Entity ID) of the SAML configuration and the auth.saml.relyingPartyIdentifier value in RAC/M Identity. Then click Save.
- Go to the Overview tab, then click the Managed application in local directory link to access the enterprise application settings.
- Click Single sign-on, then select SAML as the authentication method.
- In the Basic SAML Configuration section, click Edit to modify the settings.
- In the Identifier (Entity ID) field, enter the Application ID URI you previously set and check the Default box. In the Reply URL field, enter the Redirect URI value (the RAC/M Identity domain name followed by /gui/loginSamlCallback.action), check its Default box as well, and click Save. Entra ID will only post SAML responses to a Reply URL registered here, so the scheme and host must match the URL users actually reach RAC/M Identity at.
- Confirm that the save was successful on the details page.
- Copy and save the App Federation Metadata Url from the SAML Signing Certificate section for future use.
- Go to the Users and groups tab, then click Add user/group. Here, you specify the users and/or groups allowed to authenticate via SAML. This list is only enforced when Assignment required? is set to Yes under the enterprise application's Properties tab; with it set to No, any user in the tenant can obtain an assertion for the application.
Setup in RAC/M Identity
- Open the [Server]/conf/config.properties file.
- Set the following SAML properties. Each value must match the Azure side exactly (same scheme, host and path), since Entra ID rejects responses for an unknown Reply URL and RAC/M Identity rejects assertions whose audience or destination differ from these values:
    auth.saml.enabled=true
    auth.saml.relyingPartyIdentifier=${Application ID URI entered as Identifier (Entity ID)}
    auth.saml.metadataUrl=${App Federation Metadata Url}
    auth.saml.replyURL=${Reply URL}
    auth.saml.app.id=${ID of the RAC/M Identity asset containing the Entra ID accounts}
    auth.saml.username.racm.column.name=${Column of the APPLICATION_ACCOUNT table holding the Entra ID account name, e.g. ACCOUNT_NAME}
- The user identifier sent by Entra ID is looked up in that column of the chosen asset, so the account name stored in RAC/M Identity must be identical to the value Entra ID sends for the user; otherwise the user cannot be mapped to an account.
- Here is an example with sample values:
    auth.saml.enabled=true
    auth.saml.relyingPartyIdentifier=https://my-company-host
    auth.saml.metadataUrl=https://login.microsoftonline.com/8568938f-a8b6-9981-f67e-84848f092389/federationmetadata/2007-06/federationmetadata.xml?appid=5643aae85-111a-4ee5-3321-5abedef445d0a
    auth.saml.replyURL=https://racm.mycompany.com/gui/loginSamlCallback.action
    auth.saml.app.id=9
    auth.saml.username.racm.column.name=ACCOUNT_NAME
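A pre-flight check for the two sides of this setup, added here as an example and not part of RAC/M Identity. It reads a config.properties excerpt built from the sample values above, parses a constructed, trimmed stand-in for the document served at the App Federation Metadata Url, and reports every mismatch a practitioner would otherwise discover only as a failed login: a relyingPartyIdentifier or replyURL that differs from what was entered in Azure, a non-https URL, a missing signing certificate or HTTP-POST endpoint in the metadata. The IdP entityID `https://sts.windows.net/<tenant-id>/`, the `/saml2` endpoint, the certificate placeholder and the assumption that auth.saml.app.id is numeric (as in the sample) are assumptions, not values from the guide; the function names are hypothetical.

```python
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
CALLBACK_PATH = "/gui/loginSamlCallback.action"

# Constructed config.properties excerpt using the sample values from this guide.
SAMPLE_CONFIG = """\
# other RAC/M Identity settings omitted
auth.saml.enabled=true
auth.saml.relyingPartyIdentifier=https://my-company-host
auth.saml.metadataUrl=https://login.microsoftonline.com/8568938f-a8b6-9981-f67e-84848f092389/federationmetadata/2007-06/federationmetadata.xml?appid=5643aae85-111a-4ee5-3321-5abedef445d0a
auth.saml.replyURL=https://racm.mycompany.com/gui/loginSamlCallback.action
auth.saml.app.id=9
auth.saml.username.racm.column.name=ACCOUNT_NAME
"""

# Constructed, trimmed stand-in for the document served at the App Federation Metadata Url
# (real Entra ID metadata is itself signed and also carries WS-Federation descriptors).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/8568938f-a8b6-9981-f67e-84848f092389/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://login.microsoftonline.com/8568938f-a8b6-9981-f67e-84848f092389/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_properties(text):
    """Minimal key=value reader for config.properties (comment lines start with # or !)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_idp_metadata(xml_text):
    """Extract entityID, signing certificates and SSO endpoints from SAML IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD)
    certs, sso = [], {}
    if idp is not None:
        for kd in idp.findall("md:KeyDescriptor", MD):
            if kd.get("use") in (None, "signing"):   # no 'use' attribute means signing and encryption
                certs += [c.text.strip() for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD)]
        sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", MD)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}


def preflight(props, metadata_xml, azure_entity_id, azure_reply_url):
    """Return a list of problems; empty means the RAC/M side agrees with what was entered in Azure."""
    problems = []
    if props.get("auth.saml.enabled") != "true":
        problems.append("auth.saml.enabled is not true")
    if props.get("auth.saml.relyingPartyIdentifier") != azure_entity_id:
        problems.append("relyingPartyIdentifier differs from the Identifier (Entity ID) set in Azure")
    for key in ("auth.saml.metadataUrl", "auth.saml.replyURL"):
        if urlparse(props.get(key, "")).scheme != "https":
            problems.append(f"{key} must be an https URL")
    reply = props.get("auth.saml.replyURL", "")
    if reply != azure_reply_url:
        problems.append("replyURL differs from the Reply URL set in Azure")
    if not reply.endswith(CALLBACK_PATH):
        problems.append(f"replyURL should end with {CALLBACK_PATH}")
    if not props.get("auth.saml.app.id", "").isdigit():   # assumed numeric, as in the guide's sample
        problems.append("auth.saml.app.id must be the numeric asset ID")
    if not props.get("auth.saml.username.racm.column.name"):
        problems.append("auth.saml.username.racm.column.name is empty")
    md = parse_idp_metadata(metadata_xml)
    if not md["entity_id"]:
        problems.append("IdP metadata has no entityID")
    if not md["signing_certs"]:
        problems.append("IdP metadata has no signing certificate, so responses could not be verified")
    if not str(md["sso"].get(HTTP_POST, "")).startswith("https://"):
        problems.append("IdP metadata has no https HTTP-POST SingleSignOnService endpoint")
    return problems
```

In a real deployment the metadata would be fetched from auth.saml.metadataUrl over TLS rather than embedded; keeping that URL on https is what protects the signing certificate RAC/M Identity trusts from being swapped in transit.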