Configuring Microsoft Entra ID for the SAML Integration

This section provides the steps to set up Microsoft Entra ID, formerly known as Microsoft Azure AD, to provide single sign-on (SSO) access to OpenAir using the OpenAir SAML SSO feature.

Important:

The following configuration steps are given for illustration purposes only. OpenAir does not support specific identity provider products or product versions. The following steps do not reflect the latest identity provider product version and still refer to the product name at the time these steps were written and tested. Refer to Microsoft product documentation for detailed and updated instructions about Microsoft Entra ID. For additional questions about setting up Microsoft Entra ID, please contact Microsoft Support.

Microsoft Azure AD Premium is required. The Free and Basic versions of Microsoft Azure AD only support preconfigured attributes in the SAML assertion and do not let you define the custom attribute user_nickname required by the OpenAir service provider.

To configure Microsoft Azure AD for the SAML integration

  1. Sign in to the Azure Portal using your Azure Active Directory administrator account.

  2. Browse to Azure Active Directory > Enterprise Applications > New application > Non-gallery application. The Add your own application pane displays.

  3. Enter a Name for the application (“OpenAir Sandbox” or “OpenAir Production”, for example) and click Add. The Application Overview page displays.

    Adding an application in Microsoft Azure Active Directory.
  4. Click Single sign-on in the left-hand pane, and select SAML. The SAML-based sign-on configuration page displays.

  5. Enter Basic SAML Configuration settings:

    • Identifier (Entity ID) — Enter the Entity ID generated by OpenAir on the identity provider profile you created for Microsoft Azure on your OpenAir account.

      • https://auth.sandbox.openair.com/sso/metadata/<unique_ref_generated_by_OpenAir> (Sandbox account)

      • https://auth.openair.com/sso/metadata/<unique_ref_generated_by_OpenAir> (Production account)

    • Reply URL (Assertion Consumer Service URL) — Enter the Assertion Consumer Service URL generated by OpenAir on the identity provider profile you created for Microsoft Azure on your OpenAir account.

      • https://auth.sandbox.openair.com/sso/acs/<unique_ref_generated_by_OpenAir> (Sandbox account)

      • https://auth.openair.com/sso/acs/<unique_ref_generated_by_OpenAir> (Production account)

      Note:

      Examples in this help topic use a sample Entity ID and Assertion Consumer Service URL generated for a sandbox account. To set up Microsoft Azure with your production or sandbox account, replace the URLs with the unique Entity ID and Assertion Consumer Service URL generated by OpenAir on the identity provider profile you created for Microsoft Azure on your OpenAir account. See OpenAir SAML Metadata.

    • Leave the optional fields Sign on URL and Relay State blank.

    Basic SAML Configuration form in Microsoft Azure Active Directory.
  6. Add the User Attributes & Claims user_nickname:

    1. Click Add new claim.

    2. Enter the Name user_nickname.

    3. From the Source attribute dropdown, select the source attribute containing the OpenAir User ID.

    4. Click Save. The attribute user_nickname is now listed in the table.

    5. Delete all other attributes & claims that can be deleted.

    User Attributes and Claims in Microsoft Azure Active Directory.
  7. Review the SAML Signing Certificate and download the Metadata XML file. OpenAir Customer Support or OpenAir Professional Services will need the Metadata XML file to enable the SAML feature or change the SAML settings on your account.

  8. Click Users and groups in the left-hand pane and assign users and groups to this SAML application. Azure AD will not issue a token allowing a user to sign in to the application unless Azure AD has granted access to that user. Users may be granted access directly, or through a group membership. To assign a user or group to your application, click the Assign Users button. Select the user or group you want to assign, and click the Assign button.
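The following script is an added example and is not OpenAir's or Microsoft's code. It shows how to sanity-check the outcome of steps 5 to 7 before handing the Metadata XML to OpenAir Customer Support: it parses the Federation Metadata XML exported from Azure AD (entityID, signing certificate, SSO endpoint) and then checks a SAML assertion captured from a test sign-in against the values entered in the Basic SAML Configuration form and the User Attributes & Claims table (Audience must equal the OpenAir Entity ID, Recipient must equal the Assertion Consumer Service URL, the user_nickname claim must be present and non-empty, and no other claims should remain). The metadata and assertion embedded below are constructed samples; TENANT-ID-PLACEHOLDER and UNIQUE_REF_PLACEHOLDER stand in for your tenant id and the unique reference OpenAir generates. Only the Python standard library is used, and XML signatures are deliberately not verified here because the OpenAir service provider does that on the real assertion.

```python
"""Sanity-check for the Azure AD side of an OpenAir SAML setup (added example).

Parses the IdP Federation Metadata XML from step 7 and an assertion captured
from a test sign-in, and checks both against the Entity ID, Reply URL (ACS)
and user_nickname claim entered in steps 5 and 6. Signatures are NOT verified
here; the OpenAir service provider does that.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values from the identity provider profile in OpenAir (sandbox form from the topic).
# UNIQUE_REF_PLACEHOLDER stands in for the reference OpenAir generates for your account.
SP_ENTITY_ID = "https://auth.sandbox.openair.com/sso/metadata/UNIQUE_REF_PLACEHOLDER"
SP_ACS_URL = "https://auth.sandbox.openair.com/sso/acs/UNIQUE_REF_PLACEHOLDER"
REQUIRED_CLAIM = "user_nickname"

# Constructed IdP entity ID; a real tenant id sits in place of the placeholder.
IDP_ENTITY_ID = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"

# Constructed stand-in for the Federation Metadata XML downloaded in step 7.
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{IDP_ENTITY_ID}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MIIC-CERT-PLACEHOLDER-LINE1
          MIIC-CERT-PLACEHOLDER-LINE2
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed, unsigned assertion shaped the way steps 5 and 6 make Azure AD issue it.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="user_nickname"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_idp_metadata(xml_text):
    """Return entityID, base64 signing certificate(s) and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; this is not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            certs.append("".join(cert.text.split()))  # strip the line wrapping
    if not certs:
        raise ValueError("no signing certificate in metadata; SAML Signing Certificate (step 7) is missing")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso_endpoints": sso}


def check_assertion(xml_text, idp_entity_id):
    """Return a list of mismatches between the assertion and the OpenAir profile (empty = OK)."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element found"]
    problems = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} does not match the metadata entityID {idp_entity_id!r}")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not include the OpenAir Entity ID (step 5, Identifier)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != SP_ACS_URL:
        problems.append(f"Recipient {recipient!r} is not the OpenAir ACS URL (step 5, Reply URL)")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if not attrs.get(REQUIRED_CLAIM) or not attrs[REQUIRED_CLAIM][0]:
        problems.append(f"required claim {REQUIRED_CLAIM} is missing or empty (step 6)")
    extra = sorted(set(attrs) - {REQUIRED_CLAIM})
    if extra:
        problems.append(f"extra claims still present, step 6 says to delete them: {extra}")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP entityID:", meta["entity_id"], "| signing certs:", len(meta["signing_certs"]))
    for line in check_assertion(SAMPLE_ASSERTION, meta["entity_id"]) or ["assertion matches the OpenAir profile"]:
        print("-", line)
```

To use it against your own tenant, replace the two constructed samples with the contents of the downloaded Metadata XML and an assertion decoded from a test sign-in, and set SP_ENTITY_ID and SP_ACS_URL to the values OpenAir generated on your identity provider profile. A non-empty result list points at the exact form field in steps 5 or 6 that still disagrees with OpenAir's expectations.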
