Azure AD Single Sign-On SAML protocol

This page covers the SAML 2.0 authentication request and response sequence that Azure Active Directory (Azure AD) supports for Single Sign-On (SSO) on the Brand Toolbox application.


The protocol diagram below describes the Single Sign-On sequence:

The Brand Toolbox Application (the Service Provider) uses an HTTP Redirect binding to pass an AuthnRequest (authentication request) element to Azure AD (the Identity Provider).

Azure AD then uses an HTTP POST binding to post a Response element to the Brand Toolbox Application.

SSO SAML Protocol Diagram Azure AD
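As an added illustration of the two bindings in the sequence above (this is example code, not Brand Toolbox or Azure AD code), the following Python encodes a minimal AuthnRequest for the HTTP Redirect binding, decodes it the way the Identity Provider would, and shows the base64-only HTTP POST binding that carries the Response back, with a Service Provider side check that the Response answers the request that was sent. The Entity ID, Reply URL and tenant id are placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: the real Identifier (Entity ID) and Reply URL come from the
# Enterprise Application registration; the tenant id from your Azure AD tenant.
SP_ENTITY_ID = "https://brandtoolbox.example.com/"   # hypothetical Identifier (Entity ID)
ACS_URL = SP_ENTITY_ID                                # Reply URL, usually the same value
IDP_SSO_URL = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"

def build_authn_request(request_id, issue_instant):
    """Step 1: the Service Provider's AuthnRequest, asking for the Response by HTTP POST."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{issue_instant}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            f'AssertionConsumerServiceURL="{ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_binding_url(authn_request_xml, relay_state=None):
    """HTTP Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)    # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{IDP_SSO_URL}?{urlencode(params)}"

def decode_redirect_binding(url):
    """What Azure AD does on arrival: reverse the Redirect-binding encoding."""
    query = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")

def post_binding_form(response_xml):
    """Step 2: Azure AD auto-submits the Response base64-encoded (not deflated) in a form field."""
    return {"SAMLResponse": base64.b64encode(response_xml.encode("utf-8")).decode("ascii")}

def decode_post_binding(form_fields):
    """Service Provider side of the POST binding."""
    return base64.b64decode(form_fields["SAMLResponse"]).decode("utf-8")

def response_matches_request(response_xml, request_id):
    """SP check: the Response must cite the ID of the AuthnRequest it answers."""
    root = ET.fromstring(response_xml)
    return root.tag == f"{{{NS_P}}}Response" and root.get("InResponseTo") == request_id
```

Signature validation of the Response is done by the SAML library and is not shown here.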

Azure Enterprise SAML-based Application claims

Following are the claims that should be mapped (in an Azure Enterprise SAML-based Application) to the Brand Toolbox application’s property names:

Required claim

Note that the ‘Unique User Identifier’ element maps to both the username and email.

Brand Toolbox property name: Login and Email
Claim name: Unique User Identifier (Name ID)
Value: user.userprincipalname [nameid-format:emailAddress]

Additional claims

Full name (node name)
  Claim name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Value: user.displayname

First name
  Claim name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  Value: user.givenname

Last name
  Claim name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  Value: user.surname

Email
  Claim name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  Value: user.mail

Member Group
  Claim name: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
  Custom claim. In “Attributes & Claims”, add by clicking “Add a group claim” and configure with the following Group Claims:
    • Which groups associated with the user should be returned in the claim? Groups assigned to the application
    • Source attribute: Group ID
    • Under Advanced options, check the boxes: “Customize the name of the group claim” and “Emit groups as role claims”. Leave all other fields blank.
  Value: user.groups [All] or user.groups [ApplicationGroup]

Company name
  Claim name: companyname (custom claim: in “Attributes & Claims”, add by clicking “Add new claim”)
  Value: user.companyname

Department
  Claim name: department (custom claim: in “Attributes & Claims”, add by clicking “Add new claim”)
  Value: user.department

Job title
  Claim name: jobtitle (custom claim: in “Attributes & Claims”, add by clicking “Add new claim”)
  Value: user.jobtitle

Contact phone number
  Claim name: telephonenumber (custom claim: in “Attributes & Claims”, add by clicking “Add new claim”)
  Value: user.telephonenumber

Brand Toolbox ‘Member/User Groups’ mapped to Azure AD group/identity names

Following is an example of the configured Member Groups and User Groups in the Brand Toolbox application:

Frontend ‘Member Groups’

Each Brand Toolbox ‘Member’ Group is mapped to a [clientName] AD integration group name:

[clientName] Employees
  AD integration group: Brandtoolbox-read-only^^
  Description: All [clientName] Employees^^
  Automatic access via Azure AD (SSO) SAML integration.

[clientName] Brand Team Admin
  AD integration group: Brandtoolbox-admin^^
  Description: [clientName] Brand Team (Admin)^^
  Automatic access via Azure AD (SSO) SAML integration.

^^ Examples only

Backoffice ‘User Groups’

Each Brand Toolbox ‘User’ Group is mapped to a [clientName] AD integration group name:

[clientName] Brand Team Admin
  AD integration group: Brandtoolbox-admin^^
  Description: [clientName] Brand Team (Admin)^^

All new backoffice Administrators and Editors must first be invited to become a backoffice ‘User’. Once successfully logged into the backoffice, the User can link their Active Directory account and thereafter automatically gain access via Azure AD (SSO) SAML integration.

View further information on Creating a new backoffice User with SSO workflow.

^^ Examples only

Mapping Brand Toolbox groups to Azure AD group/identity names

To map Member Group names to Azure AD group/identity names:

  1. Go to the Content section and open Settings > Member Groups

    SSO mapping Brand Toolbox Member Groups to Azure AD identity names - Choose group

  2. Choose the individual Member Group^
  3. In the “Integration” tab, enter the Azure AD group/identity name into the “SSO User Group” property.

    SSO mapping Brand Toolbox Member Groups to Azure AD identity names - Enter Azure identity name

  4. Remember to Save and publish.

^ Note that you must map each Member Group to its relevant Azure AD group/identity name.
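The following Python, added here as an example and not part of Brand Toolbox, shows how the claims table and the Member Group mapping above fit together on the Service Provider side: it reads a constructed assertion (unsigned; signature verification by the SAML library is assumed to have already passed), takes Login and Email from the Name ID, fills the remaining properties from the listed claim names, and resolves each role-claim value through the ‘SSO User Group’ mapping using the page’s ^^ example group names. The Entity ID and user values are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
XMLSOAP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Additional claims table: claim name -> Brand Toolbox property name.
CLAIM_TO_PROPERTY = {
    XMLSOAP + "name": "Full name", XMLSOAP + "givenname": "First name",
    XMLSOAP + "surname": "Last name", XMLSOAP + "emailaddress": "Email",
    "companyname": "Company name", "department": "Department",
    "jobtitle": "Job title", "telephonenumber": "Contact phone number",
}
# "SSO User Group" property value -> Member Group (the page's ^^ example names).
SSO_USER_GROUP = {
    "Brandtoolbox-read-only": "[clientName] Employees",
    "Brandtoolbox-admin": "[clientName] Brand Team Admin",
}

def map_assertion(assertion_xml, expected_audience):
    """Return (properties, member_groups) from one already-verified assertion;
    reject assertions that Azure AD issued for a different Entity ID."""
    a = ET.fromstring(assertion_xml)
    audiences = {e.text for e in a.iterfind(".//saml:Audience", NS)}
    if expected_audience not in audiences:
        raise ValueError("assertion not issued for this Entity ID")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("required Name ID claim missing or not in emailAddress format")
    props = {"Login": name_id.text, "Email": name_id.text}   # Name ID maps to both
    groups = []
    for attr in a.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        if attr.get("Name") == ROLE_CLAIM:                     # one value per emitted group
            groups = [SSO_USER_GROUP[v] for v in values if v in SSO_USER_GROUP]
        elif attr.get("Name") in CLAIM_TO_PROPERTY and values:
            props[CLAIM_TO_PROPERTY[attr.get("Name")]] = values[0]
    return props, groups

# Constructed sample assertion (unsigned, trimmed) carrying the page's example group names.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0">
<saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jane.doe@client.example</saml:NameID></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://brandtoolbox.example.com/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="{XMLSOAP}name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="department"><saml:AttributeValue>Marketing</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="{ROLE_CLAIM}"><saml:AttributeValue>Brandtoolbox-read-only</saml:AttributeValue>
<saml:AttributeValue>Brandtoolbox-admin</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
```

A role value with no matching ‘SSO User Group’ entry is simply ignored, which is why every Member Group must be mapped as the note above says.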

Authenticate apps and services

Create a service principal using the Azure portal

The link below contains instructions on how to create an app ID in Azure AD:

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

Once the Azure AD application has been created, please supply the Brand Toolbox team with the following three values:

Note
If required, the “redirectUrl” (the Reply URL, i.e. the Assertion Consumer Service URL) is usually the same as the “wtrealm” Identifier (Entity ID).

If authenticating with MSAL/Microsoft Graph, an “appSecret” value must also be provided.

Developer notes only

SSO/Active Directory (AD) claims

To view the SSO/AD claims that are captured by Brand Toolbox each time a member attempts to access the application, go to Developer > Trace Logs, and select the last log file (a new one is created every day).

Then filter by the following:

Level: DEBUG
Logger: SessionTokenStore

Note that "debug" must be set to "true" in the web.config for these claims to be viewable in the trace logs. Therefore change the following to view the claims, and set it back to "false" once you are done, since a production site should not run with debug compilation enabled:

<compilation defaultLanguage="c#" debug="false"

to

<compilation defaultLanguage="c#" debug="true"
