
Microsoft Entra ID SAML Integration

The steps below will guide you through the configuration for Single Sign-on when using Microsoft Entra ID, formerly called Azure, as your SAML Identity Provider. In a standard Agiloft integration, Entra plays the role of an identity provider (IdP), which can be integrated with any number of Agiloft knowledgebases.

The steps on this page involve a third-party application and are subject to change. If the process below does not match what you see, use the generic SAML 2.0 SSO documentation and the documentation from Entra.

Prerequisites

These steps require administrator-level login credentials for the Entra administrator interface and your Agiloft knowledgebase.

Using SSO

The Entra ID SAML integration follows a standard Agiloft SSO service provider setup, so users access Agiloft with a URL similar to https://<SERVER_ADDRESS>/gui2/samlssologin.jsp?project=<KB_NAME>. For the server address, use the domain name, such as example.agiloft.com, rather than the server name, such as ps108.agiloft.com.

  1. Go to the access URL for your organization, such as https://example.agiloft.com/gui2/samlssologin.jsp?project=My_KB.
  2. This page directs you to Agiloft, or to the Microsoft Online login page if you aren't already authenticated with Microsoft. Note that Entra uses Microsoft Active Directory services for user authentication. If your Microsoft Online account isn't yet linked to a user record in the Agiloft knowledgebase, the KB can be configured to create a user account for you automatically and log you in to the KB seamlessly.

Once a user has been added to the Agiloft application with Entra, you can update their information by Synchronizing User Attributes.

Setting Up Entra

To connect Agiloft and Entra, complete the Entra setup documented in Tutorial: Microsoft Entra integration with Agiloft Contract Management Suite. This details the steps to add, configure, and test Agiloft with Entra.

The full setup requires you to switch between Agiloft and Entra, so open each one in its own browser window so you can easily switch between them.

Then, in Agiloft:

  1. Go to Setup > Access, click Configure SAML 2.0 Single Sign-On, and go to the Service Provider Details tab.
  2. In the Agiloft (SP) Entity ID field:
    1. Place your cursor at the beginning of the URL and add https:// to the beginning.
    2. If there are any spaces in the URL, replace each one with an underscore (_).
    3. Leave the rest of the URL unchanged.
  3. Record the finished URL in a separate document for reference.
  4. In that document, also paste the SAML V2 Assertion Consume Service (ACS) Endpoint, and the Single Sign-On URL.
  5. For all three URLs, replace any spaces with an underscore (_).
  6. Click Finish.

Return to Entra:

  1. Now, log in to Entra and navigate to your single sign-on configuration.
  2. In Basic SAML Configuration, edit the details and click "Add identifier" under the Identifier (Entity ID) section.
  3. Paste the Agiloft (SP) Entity ID value in the text box.
  4. In the Reply URL (Assertion Consumer Service URL) section, click "Add reply URL".
  5. Paste the SAML V2 Assertion Consume Service (ACS) Endpoint value.
  6. Save your changes.
  7. Navigate to the Set up Single Sign-On with SAML page and locate the SAML Signing Certificate section.
  8. Click Download, and then open the certificate in a text editor and copy its contents into the document you created above.
  9. In the Set up Agiloft Contract Management Suite section, copy all three values into your document.

Now, return to Agiloft:

  1. Go to Setup > Access and click Configure SAML 2.0 Single Sign-On.
  2. Use your reference document and SAML 2.0 SSO to complete the rest of the fields. For the User Field(s) Mapping tab, refer to Synchronize User Attributes below.

Synchronizing User Attributes

The following user attributes are sent in the SAML SSO authentication response to Agiloft. Agiloft can be set up to read these attributes and populate user records with their values if the administrator selects the option to automatically create and update user records.

For more information about sending attribute values, see the Microsoft documentation Customizing Attribute Mappings and Automated User Provisioning.

Attributes sent by Entra                                           | Field Mapping in Agiloft People table
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname    | First Name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname      | Last Name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Email Address

In the User Field(s) Mapping tab of the SAML Configuration wizard, enter the Entra attributes in the relevant field names.

User Field Mapping

Further synchronization customizing should be done with Entra. As long as Entra allows custom attributes to be added to the SAML response, they can be mapped to Agiloft through the SAML Configuration wizard.
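As an added illustration, not Agiloft's or Microsoft's own code, the Python below shows how the claims in the table above are read out of an assertion's AttributeStatement and mapped onto People fields: it applies the mapping to a constructed sample assertion, ignores claims that have no mapping (the custom attributes mentioned above would simply be added to the mapping), and rejects an assertion that lacks a required attribute. The mapping dictionary, the helper function name and the sample assertion are assumptions.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Entra claim URIs from the table above, mapped to Agiloft People fields (assumed mapping).
CLAIM_TO_FIELD = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "First Name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Last Name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "Email Address",
}

# Constructed sample assertion, not a real Entra response: Signature, Subject and
# Conditions are omitted. The trailing "name" claim has no mapping and is ignored.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_user_fields(assertion_xml, mapping=CLAIM_TO_FIELD, required=("Email Address",)):
    # Returns {Agiloft field: value}. Call this only on an assertion whose signature
    # was already verified against the Entra signing certificate downloaded above;
    # the mapping itself trusts whatever the assertion says.
    root = ET.fromstring(assertion_xml)
    fields = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        field = mapping.get(attr.get("Name"))
        if field is None:
            continue  # claims with no entry in the User Field(s) Mapping are ignored
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        if len(values) != 1:
            raise ValueError(f"{field}: expected exactly one value, got {len(values)}")
        fields[field] = values[0]
    missing = [f for f in required if f not in fields]
    if missing:
        raise ValueError(f"assertion lacks required attribute(s): {missing}")
    return fields
```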

Force SSO Login

Finally, to make sure users log in with SSO after the transition, manually set new passwords for users who should use SSO instead. To do so:

  1. Go to the People table and select every user who should use SSO from this point on.

    Don't select every single user in your system. It's best to leave at least one administrator unchanged, if not the whole admin team, in case you encounter SSO issues in the future that prevent users from logging in with SSO.

  2. Click Mass Edit, or Edit Fields, in the action bar.
  3. Select the Password field, then click Next to proceed to the Update tab.
  4. Select the Standard text option and leave the value blank.
  5. Click Next, then Finish.
  6. Now, go to Setup Employees and go to the Layout tab. If you will use SSO for every user in the system, including external users, go to Setup People instead.
  7. Remove the Password field from the layout. This prevents users from manually setting a new password and potentially using it to log in instead of SSO.

Next, go to Setup > System > Manage Global Variables and check the Customized Variables tab for the Hotlink Type variable. If it has been customized, edit it and reset it to the default value of STANDARD.

You might also notice a setting in the People table called SSO Authentication Method. This field is set automatically by the system when you enable SSO, and should not be modified.