Azure AD Single Sign-On SAML protocol

This page describes the SAML 2.0 authentication request and response sequence that Azure Active Directory (Azure AD) uses for Single Sign-On (SSO) to the Brand Toolbox application.

The protocol diagram below describes the Single Sign-On sequence:

  1. The Brand Toolbox application (the Service Provider, SP) uses the HTTP Redirect binding to pass an AuthnRequest (authentication request) element to Azure AD (the Identity Provider, IdP).
  2. After authenticating the user, Azure AD uses the HTTP POST binding to post a Response element, carrying the SAML assertion and its claims, to the Brand Toolbox application.

The assertion (or the whole Response, depending on the enterprise application’s signing option) is signed with the Azure AD signing certificate for the application; the Service Provider must validate that signature before trusting any claim in the assertion.

[Diagram: SSO SAML protocol sequence between Brand Toolbox and Azure AD]
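The redirect-binding step above, written out as an added example (not Brand Toolbox or Microsoft code): build the AuthnRequest, DEFLATE/base64/URL-encode it into the SAMLRequest query parameter the way the HTTP-Redirect binding requires, and decode it back as the Identity Provider would. The SP entity ID, ACS URL and tenant ID are constructed placeholders.

```python
"""AuthnRequest over the SAML 2.0 HTTP-Redirect binding (added example).
Entity ID, ACS URL and tenant ID below are constructed placeholders."""
import base64
import datetime
import secrets
import zlib
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumed Service Provider / Identity Provider endpoints (not from the page).
SP_ENTITY_ID = "https://brandtoolbox.example.com/saml/metadata"
SP_ACS_URL = "https://brandtoolbox.example.com/saml/acs"
IDP_SSO_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"


def build_authn_request(request_id=None, issue_instant=None):
    """Return (request_id, xml). The SP asks for the Response to come back
    over HTTP-POST to its ACS URL, with an emailAddress-format NameID."""
    request_id = request_id or "_" + secrets.token_hex(16)  # xsd:ID must not start with a digit
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL, "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": SP_ACS_URL})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": NAMEID_EMAIL, "AllowCreate": "true"})
    return request_id, ET.tostring(root, encoding="unicode")


def encode_redirect(xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE -> base64 -> URL-encoded query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect(url):
    """Reverse of encode_redirect (what the IdP does on receipt)."""
    params = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    return {"xml": xml.decode("utf-8"),
            "RelayState": params.get("RelayState", [None])[0]}


def parse_authn_request(xml):
    """Pull out the fields the IdP acts on."""
    root = ET.fromstring(xml)
    return {"id": root.get("ID"),
            "acs": root.get("AssertionConsumerServiceURL"),
            "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "nameid_format": root.find(f"{{{SAMLP}}}NameIDPolicy").get("Format")}


if __name__ == "__main__":
    rid, xml = build_authn_request()
    url = encode_redirect(xml, "/")  # RelayState is opaque; validate it on return
    print(url)
    print(parse_authn_request(decode_redirect(url)["xml"]))
```

The SP has to remember the generated request ID so it can check the InResponseTo attribute of the Response that comes back, and RelayState should only ever be used as an opaque token or an allow-listed path, never as a free-form redirect target.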
 

Azure Enterprise SAML-based Application claims

The following claims should be mapped (in the Azure Enterprise SAML-based Application) to the Brand Toolbox application’s property names.

Required claim

Note that the ‘Unique User Identifier’ (Name ID) element maps to both the username (Login) and the Email property.

Brand Toolbox property name | Claim name | Value
Login and Email | Unique User Identifier (Name ID) | user.userprincipalname [nameid-format:emailAddress]


Additional claims

Brand Toolbox property name | Claim name | Value
Full name (node name) | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | user.displayname
First name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.givenname
Last name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.surname
Email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.mail
Member Group | http://schemas.microsoft.com/ws/2008/06/identity/claims/role | user.groups [All]
Company name | companyname | user.companyname
Department | department | user.department
Job title | jobtitle | user.jobtitle
Contact phone number | telephonenumber | user.telephonenumber

Note that the claims without a URI (companyname, department, jobtitle, telephonenumber) are custom claim names with no namespace. The Member Group claim can carry several values, one per group, and each value is compared with the Azure AD group name entered against a Brand Toolbox Member Group (see below); the group claim must therefore be configured to emit group names, because an Azure AD group claim emits group object IDs (GUIDs) by default.
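The claim table above, applied to a SAML Response as an added example (not Brand Toolbox or Microsoft code). The block checks the things a Service Provider must check before using the assertion (status, InResponseTo, validity window, audience, NameID format) and then fills the Brand Toolbox properties: Login and Email from the Name ID, the rest from the attribute statement. The property keys, the SP entity ID and the sample Response are constructed; XML signature verification is left out on purpose and must precede all of this in a real Service Provider.

```python
"""Map an Azure AD SAML Response onto the Brand Toolbox claim table
(added example, not Brand Toolbox or Microsoft code). Property keys, SP
entity ID and the sample Response are constructed. XML signature checking is
omitted on purpose: a real SP must verify the assertion signature first."""
import datetime
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SP_ENTITY_ID = "https://brandtoolbox.example.com/saml/metadata"  # assumed
XMLSOAP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Claim name -> Brand Toolbox property (assumed keys for the table's rows).
CLAIM_MAP = {
    XMLSOAP + "name": "full_name",
    XMLSOAP + "givenname": "first_name",
    XMLSOAP + "surname": "last_name",
    XMLSOAP + "emailaddress": "email",  # assumption: overrides the NameID-derived email when sent
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "member_groups",
    "companyname": "company_name",
    "department": "department",
    "jobtitle": "job_title",
    "telephonenumber": "contact_phone",
}
MULTI_VALUED = {"member_groups"}  # user.groups [All] yields one value per group


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00(.123)Z."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(
        tzinfo=datetime.timezone.utc)


def map_response(xml, expected_request_id, now=None):
    """Validate the Response and return Brand Toolbox properties.
    `now` is an ISO-8601 UTC string (defaults to the current time)."""
    now = _ts(now) if now else datetime.datetime.now(datetime.timezone.utc)
    root = ET.fromstring(xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != SUCCESS:
        raise ValueError(f"Azure AD returned status {status}")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("Response does not answer an outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was not issued for this Service Provider")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id.get("Format") != NAMEID_EMAIL:
        raise ValueError("NameID is not in emailAddress format")
    props = {"login": name_id.text, "email": name_id.text}  # required claim feeds both
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        prop = CLAIM_MAP.get(attr.get("Name"))
        if prop is None:
            continue  # claims not in the table are ignored
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        props[prop] = values if prop in MULTI_VALUED else values[0]
    return props


# Constructed sample Response (not a real Azure AD capture); signature omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-05-01T10:00:00Z" InResponseTo="_req1">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@clientname.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T11:00:00Z">
   <saml:AudienceRestriction><saml:Audience>https://brandtoolbox.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane.doe@clientname.example</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
    <saml:AttributeValue>Brandtoolbox-read-only</saml:AttributeValue><saml:AttributeValue>Brandtoolbox-admin</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute Name="companyname"><saml:AttributeValue>Client Name Ltd</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="department"><saml:AttributeValue>Marketing</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="jobtitle"><saml:AttributeValue>Brand Manager</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="telephonenumber"><saml:AttributeValue>+61 2 0000 0000</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(map_response(SAMPLE_RESPONSE, "_req1", "2024-05-01T10:00:00Z"))
```

The page does not say which value wins when both the Name ID and the separate emailaddress claim are present; the example lets the additional claim override, which is flagged as an assumption in the code.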

Brand Toolbox ‘Member/User Groups’ mapped to [clientName] Azure AD group/identity names

Following is an example of the configured Member Groups and User Groups in the Brand Toolbox application. The “AD integration group” is the Azure AD group name that Brand Toolbox expects to receive in the Member Group (role) claim for that group:

Frontend ‘Member Groups’

Brand Toolbox ‘Member’ Group: [clientName] Employees
  Mapped to [clientName] AD integration group name: Brandtoolbox-read-only^^
  Description: All [clientName] Employees^^
  Access: automatic, via the Azure AD (SSO) SAML integration.

Brand Toolbox ‘Member’ Group: [clientName] Brand Team Admin
  Mapped to [clientName] AD integration group name: Brandtoolbox-admin^^
  Description: [clientName] Brand Team (Admin)^^
  Access: automatic, via the Azure AD (SSO) SAML integration.

^^ Examples only


Backoffice ‘User Groups’

Brand Toolbox ‘User’ Group: [clientName] Brand Team Admin
  Mapped to [clientName] AD integration group name: Brandtoolbox-admin^^
  Description: [clientName] Brand Team (Admin)^^

All new backoffice Administrators and Editors must first be invited to become a backoffice ‘User’. Once they have successfully logged in to the backoffice, the User can link their Active Directory account and thereafter gain access automatically via the Azure AD (SSO) SAML integration.

See the “Creating a new backoffice User with SSO” workflow for further information.

^^ Examples only


Mapping Brand Toolbox groups to Azure AD group/identity names

To map Member Group names to Azure AD group/identity names:

  1. Go to the Content section and open Settings > Member Groups.

    [Screenshot: SSO mapping of Brand Toolbox Member Groups to Azure AD identity names, choosing a group]

  2. Choose the individual Member Group^.
  3. In the “Integration” tab, enter the Azure AD group/identity name into the “SSO User Group” property. This must be the group name that Azure AD sends in the Member Group (role) claim.

    [Screenshot: SSO mapping of Brand Toolbox Member Groups to Azure AD identity names, entering the Azure identity name]

  4. Remember to Save and publish.

^ Note that you must map each Member Group to its relevant Azure AD group/identity name.
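The lookup that steps 1 to 4 configure, written out as an added example (not Brand Toolbox code): the ‘SSO User Group’ values become a map from Azure AD group name to Member Group, the values of the role claim are matched against it, and the usual failure (the claim carrying group object IDs rather than names) is reported rather than silently granting nothing. The map mirrors the example group names on this page; exact, case-sensitive matching is an assumption, since the page does not state how Brand Toolbox compares the values.

```python
"""Resolve Brand Toolbox Member Groups from the Azure AD role claim
(added example, not Brand Toolbox code). The map mirrors the example group
names on this page; exact, case-sensitive matching is an assumption."""
import re

# Member Group -> value entered in its "SSO User Group" property (Integration tab).
MEMBER_GROUP_SSO_MAP = {
    "[clientName] Employees": "Brandtoolbox-read-only",
    "[clientName] Brand Team Admin": "Brandtoolbox-admin",
}
_OBJECT_ID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def resolve_member_groups(role_values, sso_map=MEMBER_GROUP_SSO_MAP):
    """Return (granted Member Groups in claim order, list of diagnostics)."""
    by_sso_name = {sso: group for group, sso in sso_map.items()}
    granted, unmatched = [], []
    for value in role_values:
        group = by_sso_name.get(value)
        if group is None:
            unmatched.append(value)
        elif group not in granted:
            granted.append(group)
    diagnostics = []
    if unmatched and all(_OBJECT_ID.match(v) for v in unmatched):
        # Typical misconfiguration: the group claim is still emitting object IDs.
        diagnostics.append("role claim carries group object IDs, not group names")
    elif unmatched:
        diagnostics.append("unmapped role values: " + ", ".join(unmatched))
    if not granted:
        diagnostics.append("no Member Group matched; nothing to grant")
    return granted, diagnostics


if __name__ == "__main__":
    print(resolve_member_groups(["Brandtoolbox-read-only", "Brandtoolbox-admin"]))
    print(resolve_member_groups(["3f2504e0-4f89-11d3-9a0c-0305e82c3301"]))
```

When a user who is in the right Azure AD group still gets nothing, compare the raw role values in the Response with the ‘SSO User Group’ property: a GUID there means the group claim in the enterprise application is emitting object IDs, not names.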
