Configuring Azure Active Directory
Note: These instructions pertain to Step 2 of the overall identity provider process.
To configure Azure Active Directory as your identity provider for Prysm, you need to complete the two sets of interrelated steps below.
Configuring Azure Active Directory to work with Prysm
Follow these steps:
- Sign in to the Azure Active Directory portal (https://portal.azure.com).
Ensure that the account you use to sign in has global administrator rights and is part of an Azure Active Directory Premium Plan.
- On the Microsoft Azure Dashboard page, in the left panel, click Azure Active Directory.
- In the left panel, click Enterprise Applications.
- On the Enterprise Applications page, click Add.
- Click Non-gallery application.
- In the Name field, enter the application name, such as prysmsso.
- In the left panel, click Single sign-on.
- In the Mode field, select SAML-based Sign-on.
Tip: You can leave the Relay State field blank, because it isn't needed for integration with Prysm.
- In the Identifier field, enter the same value you entered in the Realm field in Step 8 of your Prysm configuration.
Tip: You create your own identifier/realm, using this format: PrysmSSOYourCompanyName (replace YourCompanyName with the customer's company).
- In the Reply URL field, enter the string from the Callback URL field in Prysm Admin Portal. (See Step 6 of your Prysm configuration.)
- Check the check box for Show advanced settings.
- In the Sign on URL field, again enter the string from the Callback URL field in Prysm Admin Portal. (See Step 6 of your Prysm configuration.)
- In the User Identifier field, enter user.userprincipalname.
- Check the check box for View and edit all other user attributes.
- In the SAML Token Attributes section, map the following items in the Name field to the following Values:
givenname to user.givenname
surname to user.surname
emailaddress to user.userprincipalname
name to user.userprincipalname
email to user.mail
Tip: The SAML Token Attributes are often specific to your organization's SAML configuration. Contact your IT administrator if you are not sure which attributes to map.
You can also find the specific values to map for your organization by navigating to Azure AD's Users and Groups page, selecting a user or group, and clicking Edit.
- In the Notification Email field, enter the administrator's email address.
- Click Save.
- In the left panel, click Azure Active Directory.
- In the left panel, click App Registrations.
- Find the app (with the name you gave it above in Step 6), and click it.
- In the Settings section, click Required Permissions.
- In the Required Permissions section, click Add.
- In the Add API Access section, click Select an API.
- In the Select an API section, click Windows Azure Active Directory.
- In the Enable Access section, check the boxes next to these items:
Sign in and read user profile
Read all users' basic profiles
Read all users' full profiles
Read all groups
Note: Enabling access to these items is required to enable group-to-role mapping.
- Click Save.
- In the Settings section, click Reply URLs.
- In the Reply URLs section, enter the Reply URL that you added above in Step 10.
- Click Save.
- Download the metadata XML file at this URL (replace yourdomain with your specific domain):
https://login.microsoftonline.com/yourdomain/FederationMetadata/2007-06/FederationMetadata.xml
Here is an example portion of a metadata XML file:
You use the metadata XML file to find information such as Identity Provider URL and Thumbprint needed for Steps 9 and 10 of your Prysm configuration.
Configuring Prysm to work with Azure Active Directory
Follow these steps:
- Impersonate the account you want to configure.
- In Admin Portal, click Identity Provider.
- On the Identity Providers page, set the Enable SSO toggle to On.
- In the Identity Provider field, select ADFS/Azure-AD.
When you select ADFS/Azure-AD, the Protocol field is automatically set to SAML 2.0.
- In the Auto Provisioning field, set the toggle to On or Off.
On: When Auto Provisioning is On, users who attempt to sign in to Prysm for the first time see the Azure Active Directory sign in page. When they sign in to Azure Active Directory, Prysm automatically creates that user in Prysm.
Off: When Auto Provisioning is Off, a Prysm administrator must create a user record for each user before that user signs in to Prysm for the first time. Then, when the user attempts to sign in to Prysm, she enters her Azure Active Directory sign in information and is able to access Prysm.
Note: If you turn on Auto Provisioning, contact Prysm support at support@prysm.com. Prysm support must add your domain to a whitelist.
- In the Callback URL field, verify that the URL matches the URL you entered in the Reply URL field in Step 10 of your Azure configuration.
- In the Attach SAML Request field, set the toggle to On or Off.
Prysm supports On or Off. If you don't know which one to use, contact your IT department to determine whether your specific SAML configuration requires the SAML request to be attached.
On: When Attach SAML Request is On, the request to redirect to the Azure Active Directory sign in page is attached.
Off: When Attach SAML Request is Off, the request to redirect to the Azure Active Directory sign in page is not attached.
- In the Realm field, enter the identifier from Step 9 of your Azure configuration.
Tip: You create your own identifier/realm, using this format: PrysmSSOYourCompanyName (replace YourCompanyName with the customer's company).
- In the Identity Provider URL field, enter the URL of the Azure Active Directory sign in page.
This is the Location value from the <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/> node in the SAML metadata file you downloaded in Step 30 of your Azure configuration.
- To get the value for the Thumbprint field, follow these steps:
- Copy the X.509 Certificate from the metadata file you downloaded in Step 30 of your Azure configuration. (Use the certificate located in the metadata file's <KeyDescriptor use="signing"> node.)
- Go to https://www.samltool.com/fingerprint.php, which is a free thumbprint/fingerprint calculator.
- Paste the X.509 Certificate and follow the site's directions to calculate a fingerprint.
- Copy the fingerprint from the calculator, and paste it into Prysm Admin Portal's Thumbprint field.
- In the Org_Admin field, map the group from Step 15 of your Azure configuration.
- In the Basic_User field, map the group from Step 15 of your Azure configuration.
- If the Auto-Provisioning toggle is set to On, the PAS User Field Name field is automatically set to IdP Attribute Name when a user is auto-provisioned.
- In the First Name and Last Name fields, enter the values that you mapped in Step 15 of your Azure configuration.
- In the Role Mapping section's PAS Group/Role Name fields, enter names for user groups you want to map. In the IdP Group Name fields, enter the unique GUID from Azure AD's group details page for each group. (See Step 15 of your Azure configuration.)
Tip: The PAS Group/Role Name does not have to match the Azure AD group name. However, the IdP Group Name must match the group GUID displayed in Azure AD, which has the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. For more information, see Associating Prysm permission groups and identity provider groups.
Warning: Role mapping must be configured for at least one group.
- In the Enforce SSO field, set the toggle to On or Off.
On: When Enforce SSO is On, users can sign in only one way — with their Azure Active Directory credentials.
Off: When Enforce SSO is Off, users can sign in two ways — with their Azure Active Directory credentials or with their Prysm credentials.
Warning: Before you change this setting and click Save in the next step, be sure to test your IdP configuration with at least one user. If you click Save to convert all your users to IdP authentication without testing, and something in your configuration is not correct, you can lock all users out of their accounts.
- Click Save.
- To ensure a successful identity provider integration, move on to Step 3 and complete the entire Process for Configuring Identity Providers.
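The Identity Provider URL and Thumbprint steps above can also be done locally: the script below reads a federation metadata file, picks the HTTP-Redirect SingleSignOnService Location, and computes the SHA-1 fingerprint of each signing certificate, the same value the samltool fingerprint page produces. This is an added example, not Prysm's or Microsoft's code; the tenant id and certificate in the embedded sample are constructed placeholders, and the thumbprint format (uppercase hex, no separators) is an assumption about what the Prysm field accepts.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like FederationMetadata.xml. The tenant id is a
# placeholder and the certificate is base64 of b"abc", not a real certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          YWJj
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2/post"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def thumbprint(b64_cert: str) -> str:
    """SHA-1 of the DER bytes as uppercase hex; wrapped-base64 whitespace is stripped first."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha1(der).hexdigest().upper()


def extract_idp_settings(metadata_xml: str) -> dict:
    idp = ET.fromstring(metadata_xml).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    # Only the HTTP-Redirect endpoint is the sign-in URL Prysm expects.
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    if len(sso) != 1:
        raise ValueError(f"expected one HTTP-Redirect endpoint, found {len(sso)}")
    # Azure advertises two signing keys during certificate rollover; keep all
    # of them so a second thumbprint is visible rather than silently dropped.
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/"
                        "ds:X509Certificate", NS)
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"identity_provider_url": sso[0],
            "thumbprints": [thumbprint(c.text or "") for c in certs]}
```

If the list of thumbprints has more than one entry, Azure is mid-rollover and the Prysm Thumbprint field will need updating once the older certificate is retired.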