Configuring Azure Active Directory Single Sign On (SSO)

Observe supports single sign-on with Azure Active Directory (AD) using Security Assertion Markup Language (SAML). Use the following steps to configure SSO for Azure AD.

Configuring Basic SAML for AzureAD

  1. From the Azure Active Directory portal, navigate to the Enterprise applications page and click New Application.

  2. Click Create your own application.

  3. Select Integrate any other application you don’t find in the gallery, and enter Observe as the Input Name.

  4. Click Set up single sign-on, and then click SAML.

  5. Click Edit on the Basic SAML Configuration tile, and add the URL https://{CUSTOMER_ID}.observeinc.com/auth/saml2/callback to the following fields:

  • Identifier (Entity ID)

  • Reply URL (Assertion Consumer Service URL)

  • Sign on URL (Optional)

Figure 1 - Basic SAML Configuration

6. If your users have email addresses assigned in AzureAD, you can use the default User Attributes & Claims. If the users don’t have email addresses in AzureAD, the SAML login fails. You need to add the email addresses or update the emailaddress claim to use user.userprincipalname (UPN) instead of the default user.mail.

7. To check if you have assigned email addresses, click Users in the AzureAD portal and select a name. The email fields appear under the Contact Info section and either contain values or are empty.

If users have email fields in the directory, use the default set of claims.

If users do not have email fields in the directory, use the following steps:

  1. If the UPN login names do not match the user's email address, add the email address to the directory. Please contact Observe support for further assistance.
  2. If the UPN login names do match the user's email address, update the attribute value for the emailaddress claim by clicking Edit. Then click emailaddress and enter the email address.
  3. Change the Source field to user.userprincipalname.
  4. Click Save and then exit from the configuration.

8. You can add the Observe SSO logo on the Properties page using the https://s3-us-west-2.amazonaws.com/observeinc.com/assets/saml-icon.png URL.

9. AzureAD does not provide a way to directly copy the SAML Signing Certificate. Download the Base64 version and copy the entire contents into a text editor.

10. Copy the Login URL. It has the format https://login.microsoftonline.com/1abcdef-2g3h-45ii-6789j-klmnopqrstuv0w/saml2.

11. Navigate to https://${CUSTOMER_ID}.observeinc.com/settings/customer.

12. Scroll down to Add SAML.

13. Paste the Login URL into the ENTRY POINT field.

14. Paste the Base64 certificate into the CERT field.

15. Click Add SAML Provider.
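
If a login fails after setup, the condition described in step 6 can be confirmed by inspecting the assertion AzureAD actually sent. The following is an added example (not Observe's or Microsoft's code) that decodes a SAMLResponse and reports whether the emailaddress claim is present. It assumes you copied the base64 SAMLResponse form field that the browser posts to the Reply URL; the sample responses and the helper names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Name Azure AD gives the default emailaddress claim in the assertion.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def email_claim(saml_response_b64):
    """Return (email or None, names of all claims) from a base64 SAMLResponse.

    Diagnostic only: the signature is not verified, so the result must never
    be used to make an authentication decision.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    email, names = None, []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        names.append(attr.get("Name"))
        if attr.get("Name") == EMAIL_CLAIM:
            text = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
            email = text.strip() or None
    return email, names


def _constructed_response(attributes_xml):
    """Build a minimal, unsigned SAMLResponse for the demo (constructed data)."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        "<saml:AttributeStatement>" + attributes_xml + "</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


NAME_ATTR = (
    '<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">'
    "<saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>"
)
MAIL_ATTR = (
    '<saml:Attribute Name="' + EMAIL_CLAIM + '">'
    "<saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>"
)
WITH_MAIL = _constructed_response(NAME_ATTR + MAIL_ATTR)
WITHOUT_MAIL = _constructed_response(NAME_ATTR)  # user.mail empty in the directory

if __name__ == "__main__":
    for label, resp in (("with mail", WITH_MAIL), ("without mail", WITHOUT_MAIL)):
        email, names = email_claim(resp)
        print(label, "->", email or "MISSING emailaddress claim", names)
```

If the claim is reported missing, add the email address to the directory or change the claim source to user.userprincipalname as described in step 7.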