Microsoft Entra ID SAML Integration
The steps below will guide you through the configuration for Single Sign-on when using Microsoft Entra ID, formerly called Azure, as your SAML Identity Provider. In a standard Agiloft integration, Entra plays the role of an identity provider (IdP), which can be integrated with any number of Agiloft knowledgebases.
The steps on this page involve a third-party application and are subject to change. If the process below does not match what you see, use the generic SAML 2.0 SSO documentation and the documentation from Entra.
Prerequisites
These steps require administrator-level login credentials for the Entra administrator interface and your Agiloft knowledgebase.
Using SSO
The Entra ID SAML integration follows a standard Agiloft SSO service provider setup, so users access Agiloft with a URL similar to https://<SERVER_ADDRESS>/gui2/samlssologin.jsp?project=<KB_NAME>. For the server address, use the domain name, such as example.agiloft.com, rather than the server name, such as ps108.agiloft.com.
- Go to the access URL for your organization, such as https://example.agiloft.com/gui2/samlssologin.jsp?project=My_KB.
- This page directs you to Agiloft, or to the Microsoft Online login page if you aren't already authenticated in Microsoft. Note that Entra uses Microsoft Active Directory services for user authentication. If your Microsoft Online account doesn't yet have a matching user in the Agiloft knowledgebase, the KB can be configured to automatically create a user account for you and log you in to the KB seamlessly.
Once a user has been added to the Agiloft application with Entra, you can update their information by Synchronizing User Attributes.
Setting Up Entra
To connect Agiloft and Entra, complete the Entra setup documented in Tutorial: Microsoft Entra integration with Agiloft Contract Management Suite. This details the steps to add, configure, and test Agiloft with Entra.
The full setup requires you to switch between Agiloft and Entra, so open each one in its own browser window so you can easily switch between them.
Then, in Agiloft:
- Go to Setup > Access, click Configure SAML 2.0 Single Sign-On, and go to the Service Provider Details tab.
- In the Agiloft (SP) Entity ID field:
  - Place your cursor at the beginning of the URL and add https:// to the beginning.
  - If there are any spaces in the URL, replace each one with an underscore (_).
  - Leave the rest of the URL unchanged.
  - Record the finished URL in a separate document for reference.
- In that document, also paste the SAML V2 Assertion Consume Service (ACS) Endpoint and the Single Sign-On URL.
- For all three URLs, replace any spaces with an underscore (_).
- Click Finish.
Return to Entra:
- Now, log in to Entra and navigate to your single sign-on configuration.
- In Basic SAML Configuration, edit the details and click "Add identifier" under the Identifier (Entity ID) section.
- Paste the Agiloft (SP) Entity ID value in the text box.
- In the Reply URL (Assertion Consumer Service URL) section, click "Add reply URL".
- Paste the SAML V2 Assertion Consume Service (ACS) Endpoint value.
- Save your changes.
- Navigate to the Set up Single Sign-On with SAML page and locate the SAML Signing Certificate section.
- Click Download, and then open the certificate in a text editor and copy its contents into the document you created above.
- In the Set up Agiloft Contract Management Suite section, copy all three values into your document.
Now, return to Agiloft:
- Go to Setup > Access and click Configure SAML 2.0 Single Sign-On.
- Use your reference document and the SAML 2.0 SSO documentation to complete the rest of the fields. For the User Field(s) Mapping tab, refer to Synchronizing User Attributes below.
Synchronizing User Attributes
The following attributes related to a user are sent in the SAML SSO authentication response to Agiloft. Agiloft can be set up to read these attributes and populate user records with the values if the administrator selects the option to automatically create and update user records.
For more information about sending attribute values, see the Microsoft documentation Customizing Attribute Mappings and Automated User Provisioning.
| Attributes sent by Entra | Field Mapping in Agiloft People table |
|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | First Name |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Last Name |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Email Address |
In the User Field(s) Mapping tab of the SAML Configuration wizard, enter the Entra attributes in the relevant field names.
Further synchronization customizing should be done with Entra. As long as Entra allows custom attributes to be added to the SAML response, they can be mapped to Agiloft through the SAML Configuration wizard.
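As an added example (not Agiloft's or Microsoft's code), the following Python reads the three claims from the table above out of a SAML response and maps them onto the Agiloft People fields, refusing a response that lacks any mapped claim so auto-provisioning never creates a half-populated user record. The sample response, its element IDs and its values are constructed, and the signature on the assertion is assumed to have been validated before this step.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Mapping from the table above: Entra claim URI -> Agiloft People field.
FIELD_MAPPING = {
    CLAIMS + "givenname": "First Name",
    CLAIMS + "surname": "Last Name",
    CLAIMS + "emailaddress": "Email Address",
}

# Constructed sample response (signature omitted for brevity; values are made up).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""


def map_user_attributes(response_xml: str) -> dict:
    """Return {Agiloft People field: value} for the mapped claims.

    Reads only saml:Assertion/saml:AttributeStatement, requires exactly one
    assertion, and rejects a response that lacks any mapped claim so that
    auto-provisioning never creates a half-populated user record.
    """
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", SAML)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, got %d" % len(assertions))
    record = {}
    for attr in assertions[0].findall("saml:AttributeStatement/saml:Attribute", SAML):
        field = FIELD_MAPPING.get(attr.get("Name"))
        value = attr.findtext("saml:AttributeValue", default="", namespaces=SAML).strip()
        if field and value:
            record[field] = value
    missing = sorted(set(FIELD_MAPPING.values()) - set(record))
    if missing:
        raise ValueError("assertion lacks mapped claims for: " + ", ".join(missing))
    return record
```

Custom attributes added to the SAML response in Entra can be mapped the same way by extending FIELD_MAPPING with their claim URIs and the matching Agiloft field names.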
Force SSO Login
To force users to log in with SSO, you can prevent them from accessing Agiloft with their username and password. Follow the steps below to make the Password field optional in the Employees table and then remove passwords for employees who should log in with SSO. Afterwards, users whose passwords were removed can only log in with SSO. If you also allow some external users to log in with SSO, repeat the process for the External Users table.