Introduction
In this article, we’ll go through how to set up the Azure identity management integration so that users can sign in to Reward Gateway through Azure.
Enable the Azure Integration
1. Sign in to Reward Manager.
2. Click Integrations, on the left-hand side.
3. Under the Explore tab, locate the Azure application and enable it.
If you don’t have access, please speak with your Client Success Manager or a member of the Client Support team to request the necessary permissions.
Setup
Reward Gateway is available on the Azure Marketplace. To install the application, please visit Azure Marketplace.
If you require assistance with the installation, please follow this step-by-step setup guide from Azure: Tutorial: Azure Active Directory integration with Reward Gateway.
Configuration Name
Enter a unique name for the integration. This is what users will see if a Sign in with... button is displayed on the Reward Gateway login page (e.g. Sign in with Azure).
Upload Certificate
The certificate can be found by navigating the following: Azure > Enterprise Applications > Single Sign-On > SAML Signing Certificate > Download Base64
Please note:
- If you are copy-pasting the certificate, it must be in .PEM format.
- If you are uploading the certificate file, use .CRT or .CERT format.
Signature Check To Be Performed On
Specify what part of the SAML response is signed with the certificate:
- In most cases, select SAML Assertion unless configured otherwise.
Identity Provider Login URL
The Identity Provider Login URL can be located by navigating the following: Azure > Enterprise Applications > Properties > User Access URL
Ensure the User Access URL starts with https://launcher.myapps.microsoft.com (any other format will not be accepted).
You will also be required to enter an Identifier and a Reply URL in Azure.
- Identifier (Entity ID): Copy this value from the Integration page in Reward Manager.
- Reply URL (SAML Consumer URL (ACS)): Also listed on the Integration page in Reward Manager.
Mapping
- Select the Identifier: This will be the main detail passed over to us to authenticate the user. If it’s a self-registration scheme, the identifier will be the Employee/Payroll Number by default.
- When using the Employee/Payroll Number as the Identifier, choose user.employeeid as the value for the Unique User Identifier (Name ID) claim.
- When using an Email address as the Identifier, the Unique User Identifier (Name ID) claim will be user.mail.
- If you use the UPN as the unique identifier, please note that it will be generated as a hashed ID in our system (hashed ID example: f9678f41-bba4-41a2-h2e6-8d36a75769d5).
- Select the SAML Identity Location: This tells our system where to look for the identifier.
- Identity is in the Name Identifier: our system will look for the ID in the NameID element of the assertion.
- Identity is in an Attribute Element: our system will look for the ID in an attribute, under the claim name you configure.
When setting up attributes, please note that you need to use Claim name and not Value. You can copy the URLs by going to Single Sign-On > Attributes & Claims in Azure.
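The following is an added example, not part of the original article or of Reward Gateway's own code, showing how a relying party reads the identifier from an assertion according to the two SAML Identity Location options above (NameID, or an attribute looked up by its full claim name rather than its value), plus the User Access URL prefix check from the Identity Provider Login URL section. The sample response and the claim name used are constructed for illustration; in a real deployment the assertion's signature must be verified with the uploaded certificate before any value is read from it.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample response for illustration only. A real response
# carries a Signature element that must be checked first (assumed done here).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>EMP-00042</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_identifier(response_xml, location, claim_name=None):
    """Return the user identifier from the assertion.

    location is "nameid" (read Subject/NameID) or "attribute" (read the
    AttributeValue of the Attribute whose Name equals claim_name).
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")
    if location == "nameid":
        node = assertion.find("saml:Subject/saml:NameID", NS)
        if node is None or not node.text:
            raise ValueError("assertion has no NameID")
        return node.text.strip()
    if location == "attribute":
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == claim_name:  # match on claim name, not value
                val = attr.find("saml:AttributeValue", NS)
                if val is not None and val.text:
                    return val.text.strip()
        raise ValueError(f"claim {claim_name!r} not present in assertion")
    raise ValueError(f"unknown identity location {location!r}")


def is_valid_user_access_url(url):
    """Accept only User Access URLs with the prefix the integration requires."""
    return url.startswith("https://launcher.myapps.microsoft.com")
```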
Just-in-Time Provisioning
When enabled, employees will be automatically provisioned. It will allow them to create an account, even if we don’t have their details (ID/Email Address).
Testing
Before you test the integration, please assign users to the application first.
Go to Azure AD > Enterprise Applications > Select the Reward Gateway application > Users and Groups > Add user/group > Click None Selected and then add your users. You can do this individually or by selecting a security group.
If you haven't assigned the users to the application, they will see an error when trying to access the SSO.
Once you are ready to test, log in to Azure and click the following: Enterprise Applications > Single Sign-on > Test this application
Successful Setup: Once you have completed the steps above, Reward Manager will display a confirmation message letting you know the integration is ready to be published.
Unsuccessful Setup: If there are any issues, you will see an error message in the Integration Dashboard. Review the details, adjust your configurations as needed, and then try again.
Review and Publishing
To publish your integration:
1. In Reward Manager, go to the Integrations dashboard.
2. Locate your integration (its status should show as Pending).
3. Click Options > Publish.
Your Integration will then appear as Live.