
Microsoft Entra ID SAML Integration

The steps below will guide you through the configuration for Single Sign-on when using Microsoft Entra ID, formerly called Azure Active Directory (Azure AD), as your SAML Identity Provider. In a standard Agiloft integration, Entra plays the role of an identity provider (IdP), which can be integrated with any number of Agiloft knowledgebases.

The steps on this page involve a third-party application and are subject to change. If the process below does not match what you see, use the generic SAML 2.0 SSO documentation and the documentation from Entra.

Prerequisites

These steps require administrator-level login credentials for the Entra administrator interface and your Agiloft knowledgebase.

Using SSO

The Entra ID SAML integration follows a standard Agiloft SSO service provider setup, so users access Agiloft with a URL similar to https://<SERVER_ADDRESS>/gui2/samlssologin.jsp?project=<KB_NAME>. For the server address, use your organization's domain name, such as example.agiloft.com, rather than the underlying server name, such as ps108.agiloft.com.

  1. Go to the access URL for your organization, such as https://example.agiloft.com/gui2/samlssologin.jsp?project=My_KB.
  2. If you aren't already authenticated with Microsoft, this page redirects you to the Microsoft Online login page and then on to Agiloft; Entra ID authenticates you against your organization's Microsoft directory. If your Microsoft account doesn't yet exist as a user in the Agiloft knowledgebase, the KB can be configured to create a user account for you automatically and log you in. Because that option creates a KB account for anyone who can authenticate to the application in Entra, restrict which users and groups are assigned to the Agiloft enterprise application in Entra if not every directory user should have access.

Once a user has been added to the Agiloft application with Entra, you can update their information by Synchronizing User Attributes.

Setting Up Entra

To connect Agiloft and Entra, complete the Entra setup documented in Tutorial: Microsoft Entra integration with Agiloft Contract Management Suite. This details the steps to add, configure, and test Agiloft with Entra.

The full setup requires you to switch between Agiloft and Entra, so open each one in its own browser window so you can easily switch between them.

Then, in Agiloft:

  1. Go to Setup > Access, click Configure SAML 2.0 Single Sign-On, and go to the Service Provider Details tab.
  2. In the Agiloft (SP) Entity ID field:
    1. Place your cursor at the beginning of the URL and add https:// to the beginning.
    2. If there are any spaces in the URL, replace each one with an underscore (_).
    3. Leave the rest of the URL unchanged.
  3. Record the finished URL in a separate document for reference.
  4. In that document, also paste the SAML V2 Assertion Consume Service (ACS) Endpoint, and the Single Sign-On URL.
  5. For all three URLs, replace any spaces with an underscore (_).
  6. Click Finish.

Return to Entra:

  1. Now, log in to Entra and navigate to your single sign-on configuration.
  2. In Basic SAML Configuration, edit the details and click "Add identifier" under the Identifier (Entity ID) section.
  3. Paste the Agiloft (SP) Entity ID value in the text box.
  4. In the Reply URL (Assertion Consumer Service URL) section, click "Add reply URL".
  5. Paste the SAML V2 Assertion Consume Service (ACS) Endpoint value.
  6. Save your changes.
  7. Navigate to the Set up Single Sign-On with SAML page and locate the SAML Signing Certificate section.
  8. Click Download next to Certificate (Base64), open the downloaded certificate in a text editor, and copy its contents into the document you created above. This is the certificate Agiloft uses to verify the signature on Entra's SAML responses, so copy it exactly, including the BEGIN CERTIFICATE and END CERTIFICATE lines.
  9. In the Set up Agiloft Contract Management Suite section, copy all three values (Login URL, Microsoft Entra Identifier, and Logout URL) into your document.

Now, return to Agiloft:

  1. Go to Setup > Access and click Configure SAML 2.0 Single Sign-On.
  2. Use your reference document and the generic SAML 2.0 SSO documentation to complete the rest of the fields. For the User Field(s) Mapping tab, refer to Synchronizing User Attributes below.

Synchronizing User Attributes

The following user attributes are sent in the SAML SSO authentication response to Agiloft. Agiloft can be set up to read these attributes and populate user records with their values if the administrator selects the option to automatically create and update user records.

For more information about sending attribute values, see the Microsoft documentation Customizing Attribute Mappings and Automated User Provisioning.

  Attribute sent by Entra                                                Field mapping in Agiloft People table
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname        First Name
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname          Last Name
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress     Email Address

In the User Field(s) Mapping tab of the SAML Configuration wizard, enter the Entra attributes in the relevant field names.

User Field Mapping

Further customization of which attributes are synchronized is done in Entra. As long as Entra allows a custom attribute to be added to the SAML response, it can be mapped to an Agiloft field through the SAML Configuration wizard, using the attribute's full claim name exactly as Entra sends it.
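The following script is an added example, not part of this page or of Agiloft's own code. It shows what Agiloft does with the attribute table above and with the certificate you downloaded in the Entra steps: it parses a SAML Response in the shape Entra sends, maps the three claim names onto the People-table fields, ignores unmapped claims such as tenantid, and checks that the X509Certificate embedded in the response's signature is the same certificate you pasted into the SAML Configuration wizard. The SAML Response and the certificate bytes are constructed placeholders; the script compares certificate fingerprints only and does not verify the XML signature itself, which Agiloft does once the certificate is configured.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

CLAIM_BASE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Entra claim URI -> Agiloft People-table field, as listed in the table above.
ATTRIBUTE_MAP = {
    CLAIM_BASE + "givenname": "First Name",
    CLAIM_BASE + "surname": "Last Name",
    CLAIM_BASE + "emailaddress": "Email Address",
}

# Constructed stand-in for the Base64 signing certificate downloaded from Entra.
# These bytes are NOT a real X.509 certificate; only their fingerprint matters here.
_FAKE_CERT_DER = b"constructed stand-in for the Entra SAML signing certificate"
_FAKE_CERT_B64 = base64.b64encode(_FAKE_CERT_DER).decode()
DOWNLOADED_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n" + _FAKE_CERT_B64 + "\n-----END CERTIFICATE-----\n"
)

# Constructed SAML Response in the shape Entra sends: the Signature and the
# AttributeStatement sit inside the Assertion. TENANT_ID and values are placeholders.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_response1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT_ID/</saml:Issuer>
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/TENANT_ID/</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{CLAIM_BASE}givenname">
        <saml:AttributeValue>Ada</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{CLAIM_BASE}surname">
        <saml:AttributeValue>Lovelace</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{CLAIM_BASE}emailaddress">
        <saml:AttributeValue>ada@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and whitespace, then Base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the certificate bytes; convenient to compare by eye."""
    return hashlib.sha256(der).hexdigest()


def extract_user_fields(response_xml: str) -> dict:
    """Map the Entra claims in the first Assertion onto Agiloft People fields.

    Claims not in ATTRIBUTE_MAP (for example tenantid) are ignored. A mapped claim
    that is absent or empty is an error: Agiloft could not populate that field.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("SAML Response contains no Assertion")
    fields = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        field = ATTRIBUTE_MAP.get(attr.get("Name", ""))
        if field is None:
            continue
        value = attr.find("saml:AttributeValue", NS)
        fields[field] = (value.text or "").strip() if value is not None else ""
    missing = [f for f in ATTRIBUTE_MAP.values() if not fields.get(f)]
    if missing:
        raise ValueError("claims missing from Entra response for: " + ", ".join(missing))
    return fields


def embedded_cert_matches(response_xml: str, downloaded_pem: str) -> bool:
    """True if the X509Certificate inside the response's Signature is the downloaded one.

    Fingerprint comparison only; the XML signature itself is not verified here.
    """
    root = ET.fromstring(response_xml)
    node = root.find(".//ds:X509Certificate", NS)
    if node is None or not node.text:
        return False
    embedded = base64.b64decode("".join(node.text.split()))
    return sha256_fingerprint(embedded) == sha256_fingerprint(pem_to_der(downloaded_pem))


if __name__ == "__main__":
    print(extract_user_fields(SAMPLE_RESPONSE))
    print("signing cert matches download:",
          embedded_cert_matches(SAMPLE_RESPONSE, DOWNLOADED_CERT_PEM))
```

To use this against a real response, capture the Base64 SAMLResponse from the browser's POST to the ACS endpoint, decode it, and pass the XML to both functions; a fingerprint mismatch usually means Entra's signing certificate was rotated after you pasted the old one into the wizard, and a missing-claim error means the claim was removed or renamed in the Entra attribute configuration.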

Force SSO Login

To force users to log in with SSO, you can prevent them from accessing Agiloft with their username and password. Follow the steps below to make the Password field optional in the Employees table and then remove passwords for employees who should log in with SSO.

  1. First, make the Password field optional in the Employees table:
    1. Go to Setup > Employees and go to the Fields tab.
    2. Edit the Password field and go to the Options tab.
    3. Find the Make this a required field setting and change the value from Yes to No.
    4. Click Finish to save the change.
  2. Next, for employees who should always use SSO to log in, reset their passwords to a null value:
    1. Go to the Employees table and select each user who should use SSO from this point on.
      Don't select every user in your system. Leave at least one administrator unchanged, if not the whole admin team, so that someone can still log in with a password if an SSO problem (an expired Entra signing certificate, for example) prevents users from logging in with SSO.
    2. Click Edit Fields in the action bar.
    3. Select Password, then click Next.
    4. On the Update tab, select A formula.
    5. In the Password field, enter the variable $global.null and click Next.
    6. On the Confirm tab, clear the Run rules and Update defaults checkboxes, then click Finish.

Now, users whose passwords were reset can only log in with SSO.

If you also allow some external users to log in with SSO, repeat the process for the External Users table.