This guide demonstrates the step-by-step process for creating a new application in Microsoft Entra ID, capable of communicating via SAML 2.0 with Axur Platform services. In this guide, we will cover all the necessary configurations to ensure that Single Sign-On (SSO) works correctly and as expected.
Before you start
Ensure you have an Administrator account in Microsoft Entra ID and that you can access it without issues.
When performing the configurations, make sure that the data you copy or enter into the specified fields is correct. Incorrect data entry can cause problems later when we test our application.
It is important to note that this solution is not based on using an on-premises Active Directory (AD) service, i.e., hosted by your own company in your infrastructure. The focus is on using the AD service provided by Azure, in the cloud.
Note: Azure Active Directory (Azure AD) is now Microsoft Entra ID. This guide will refer to Microsoft Entra ID, but you may still see “Azure AD” in some portal interfaces.
Groups, users, and assignments
In all Axur Platform SSO application creation tutorials, there is the concept of users and groups. After all, the provider is where all your user information will be stored, in addition to the groups to which they belong (creating groups via the provider is optional). In this sense, this section is dedicated to teaching how to create groups and users in Microsoft Entra ID, as well as assigning users to groups.
Creating a group (Optional)
This section is optional. Groups can be managed within the Axur Platform if you wish. Therefore, if you desire, you can skip the sections on Creating a group, Assigning a group to a user, and Mapping user groups.
Note: On-Prem AD Groups in Entra ID Claims
Groups synced from an on-premises Active Directory to Microsoft Entra ID cannot be used in group Claims (SAML/OIDC tokens) because they are not considered “cloud-native.” To work around this limitation, groups must be created directly in Microsoft Entra ID as “cloud-only groups.”
Note: It is essential that group names follow the required pattern. More specifically, the name of a new group must end with one of the values from the table below as a suffix:
Group |
one-viewer |
one-practitioner |
one-expert |
one-manager |
one-basic |
In this sense, group values like Axur-one-manager and ClientX-one-expert are valid, but Axur-manager and ClientX-analyst are not, because they do not include the expected suffixes.
Here’s a little bit more information on the groups:
Group Name | Group Description |
one-viewer | Users in this group will have access to the Axur Platform, with the ability to view all ticket, result, and invoice information, but cannot perform any actions. |
one-practitioner | Users in this group will have access to the Axur Platform and, in addition to viewing all information, can perform non-billable actions (all except Takedown requests). |
one-expert | Users in this group will have access to the Axur Platform and, in addition to performing non-billable actions, can also request Takedowns. |
one-manager | Users in this group will have access to the Axur Platform and can perform all actions (non-billable and billable) and also view activities performed by their users in the Axur Platform. |
one-basic | Users in this group have a personalized set of capabilities. When they are created, the manager can decide what their capabilities will be. |
To create a new group in Microsoft Entra ID, follow the step-by-step instructions in the images, and don’t forget to follow the indicated guidelines:
After adding a couple of groups, you might see something like the image below:
Creating a user
To create a new user in Microsoft Entra ID, follow the step-by-step instructions in the images:
It is essential that the users you create have the First Name, Last Name, and Email fields filled in. It is not necessary to add groups to the user now, as we will do this later.
Assigning a group to a user (Optional)
This section is optional. Groups can be managed within the Axur Platform if you wish. Therefore, if you desire, you can skip the sections on Creating a group, Assigning a group to a user, and Mapping user groups.
Follow the step-by-step instructions in the images to assign a group you created to a user:
Creating a new application
Access your Azure account, and log in as an Administrator. Then, follow the step-by-step instructions in the images below to create the new SAML application providing data for the Axur Platform:
Sending Axur Platform data to Microsoft Entra ID
Microsoft Entra ID needs to know who it will be communicating with for the SSO process to work smoothly. Follow the images to insert the following Axur Platform data into the Microsoft Entra ID settings:
To add the data, you will need to upload a file. Download this file by accessing the following URL:
https://api.axur.com/gateway/1.0/saml-proxy/saml/metadata
Verify that the data obtained through the file matches the images before continuing!
Mapping user attributes
By using Microsoft Entra ID as our provider, we are leveraging the credentials that are already stored and managed by Microsoft, and these credentials are stored in the format defined by the provider. However, to communicate with the Axur Platform using SAML, it’s necessary that user data is sent in a standardized way. Think of it this way: We need to ensure that the Axur Platform always receives the user’s email attribute in the same format, regardless of whether this data comes from Microsoft or any other provider. Different providers store their data in different ways, and mappings solve this problem!
Unlike some providers, Microsoft Entra ID already includes some user mappings defined when a SAML application is created. To complete this configuration, simply delete one mapping, named userprincipalname. Follow the images to perform the process:
Mapping user groups (Optional)
This section is optional. Groups can be managed within the Axur Platform if you wish. Therefore, if you desire, you can skip the sections on Creating a group, Assigning a group to a user, and Mapping user groups.
Just like user attributes, we also have groups, which bring users together according to some specific criteria. These groups are created by the administrator in Microsoft Entra ID, and as explained in the previous section, it is necessary to create a mapping so that this data is transmitted to the Axur Platform in a standardized way, regardless of the provider.
In this section, the focus is on taking each of the groups you created in the group creation section, and telling Microsoft Entra ID how these group names should be mapped at the time of sending to the Axur Platform.
Follow the images to create the groups and their mappings in the Microsoft Entra ID settings. Use the data provided in the images to perform the configuration on your platform:
Field | Value |
Name (required) | Group |
Namespace (instead of Entity ID as in the original table) |
Obtaining Microsoft Entra ID provider data
Since we are using Microsoft Entra ID as our identity provider, it is necessary to obtain some information that can tell the Axur Platform who it will be communicating with and whether its information is secure and reliable.
In the case of Microsoft Entra ID, you can either download the .xml file with the information or copy a link that leads to the same data. You can do whichever you prefer, as both options are supported by the Axur Platform.
Save this information, as we will use it when configuring SSO on the Axur Platform.
Assigning groups/users to the application
Now all that remains is to assign users or groups to the new application you created. Follow the step-by-step instructions in the images to do this:
To assign groups:
To assign users:
In this section, you can assign both groups and users directly. Just select from the menu after searching. Therefore, for both cases (creating groups via the provider and managing groups through the Axur Platform itself), we can configure the application with ease.
Some common errors
The Service Provider (SP) information (Axur Platform in this case). Verify the data from the corresponding section and ensure they are the same.
The Identity Provider (IdP) information (Microsoft Entra ID in this case). Verify that the file you downloaded or the link you copied is valid and was not modified.
The application access information. Verify the assignments of groups or direct users.
This concludes the necessary configurations in the Microsoft Entra ID provider. Return to the configuration guide on the platform to finalize the creation of your application.
Specific errors
Error | Description | How to Resolve |
Non Authorized IdP or expired IdP login | Unauthorized IdP or expired session | Check the Federation Metadata and the IdP. |
Missing value for string parameter [email claim] | Missing or empty email claim | Make sure the email attribute is correctly configured in the IdP. |
Redirection error | Incorrect endpoint URL in the IdP | Check whether the endpoints are correctly configured. |
Local entity is not the intended audience of the assertion in at least one AudienceRestriction | The assertion was not intended for the SP | Check if the entityId configured in the app is set to com:axur:sso. |
Authentication statement is too old to be used with value {date} | The authentication statement has expired | The IdP session duration exceeds 7 days. Contact support to adjust it. |
Validation of protocol message signature failed | The signature of the SAML message is invalid | Verify that the Federation Metadata was correctly provided. |
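The checks in the error table above and the group-suffix rule from the Creating a group section can be exercised offline. The following script is an added example, not Axur's or Microsoft's code: it parses a constructed SAML assertion and reports the audience, email-claim, group-suffix and authentication-age problems that the table describes. The attribute names `email` and `Group` and the sample assertion are assumptions for illustration.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "com:axur:sso"  # entityId named in the error table
# Group-name suffixes from the Creating a group section
VALID_SUFFIXES = ("one-viewer", "one-practitioner", "one-expert", "one-manager", "one-basic")
MAX_AUTHN_AGE = dt.timedelta(days=7)  # session limit named in the error table

def check_assertion(xml_text, now):
    """Return a list of problems; an empty list means the assertion passes these checks."""
    root = ET.fromstring(xml_text)
    problems = []
    # AudienceRestriction must name the SP entityId
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"audience {audiences} does not include {SP_ENTITY_ID}")
    # Collect attribute values by attribute name (names assumed: "email", "Group")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    if not any(v.strip() for v in attrs.get("email", [])):
        problems.append("email claim missing or empty")
    for g in attrs.get("Group", []):
        if not g.endswith(VALID_SUFFIXES):
            problems.append(f"group {g!r} lacks a valid suffix")
    # AuthnInstant must not be older than the allowed session age
    stmt = root.find(".//saml:AuthnStatement", NS)
    if stmt is None:
        problems.append("no AuthnStatement")
    else:
        issued = dt.datetime.fromisoformat(stmt.get("AuthnInstant").replace("Z", "+00:00"))
        if now - issued > MAX_AUTHN_AGE:
            problems.append(f"authentication statement too old: {stmt.get('AuthnInstant')}")
    return problems

# Constructed sample assertion (not a real token); one group name breaks the suffix rule
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>com:axur:sso</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-10T12:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>ClientX-one-expert</saml:AttributeValue>
      <saml:AttributeValue>ClientX-analyst</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for p in check_assertion(SAMPLE_ASSERTION, dt.datetime(2024, 1, 12, tzinfo=dt.timezone.utc)):
        print("problem:", p)
```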
If you have any questions, feel free to reach out at [email protected] 😊