Skip to main content

Integrations - How to Set Up a Microsoft Azure integration for Authentication

Sarwat Maruf
  • Updated

Introduction

In this article, we’ll go through how you can integrate Azure Identity Management Solution to allow users to sign in to Reward Gateway through it.

How do I enable the Azure integration?

To enable Azure, log into Reward Manager, click on the Integrations tab on the left, and under the ”Explore” tab you will see the “Azure” application. 

If you don’t have access please speak with your Client Success Manager or a member of the Client Support team who will assign your permissions.

Screenshot_2022-06-23_at_13.50.02.png

Setup

Reward Gateway is listed as an application on the Azure Marketplace. To install the application please go here

To finish the installation, please follow this setup guide from Azure: Tutorial: Azure Active Directory integration with Reward Gateway

Watch the following video which demonstrates the setup process step-by-step:

Configuration Name

A name to uniquely identify the integration. This name will be used if a “Sign In with” button is displayed on the login page, i.e. “Sign in with Azure”.

Screenshot_2022-06-23_at_15.35.29.png

Upload Certificate

The certificate can be found in Azure>Enterprise Applications>Single Sign-On>SAML Signing Certificate>Download Base64

Screenshot_2022-06-27_at_9.12.37.png

Please note this should be in a .PEM format if you are copy-pasting or in a .CRT/.CERT format if you are uploading it. 

Screenshot_2022-06-23_at_15.35.37.png

Signature check to be performed on

What element of the SAML Response is signed using the certificate above? Is it the full SAML Response or just the SAML Assertions?

In most cases, this should be SAML Assertion unless configured otherwise. 

Screenshot_2022-06-23_at_15.35.45.png

Identity Provider Login URL

Screenshot_2022-06-23_at_15.35.51.png

The Identity Provider Login URL can be found in Azure>Enterprise Applications>Properties>User Access URL

Screenshot_2023-04-19_at_18.02.31.png

Please note: the correct User Access URL is the one starting with: https://launcher.myapps.microsoft.com. Any other URL will not be accepted by the system.

You will be required to enter an Identifier and a Reply URL in Azure.

Screenshot_2022-06-27_at_9.51.33.png

  • The identifier is the Entity ID listed on your Integration page on Reward Manager.

  • The Reply URL is the SAML Consumer URL (ACS) on your Integration page found on Reward Manager. 

Screenshot_2022-06-27_at_9.36.36.png

Mapping

  • Select the Identifier - this will be the main detail passed over to us to authenticate the user. If it’s a self-registration scheme, the identifier will be Employee/Payroll Number by default.
  • When using the Employee/ Payroll Number as the Identifier, you should choose ‘user.employeeid’ as the value for the Unique User Identifier (Name ID) claim.

Picture1.png

  • When using Email address as the Identifier, the Unique User Identifier (Name ID) claim would be ‘user.mail’.

Picture2.png

  • In case you are going to use the UPN as unique identifier, please note that they will be generated as hashed IDs in our system (hashed ID example: f9678f41-bba4-41a2-h2e6-8d36a75769d5 )

  • Select the SAML Identity Location - this tells our system where to look for the identifier.
    Identity is in the Name Identifier - our system will look for the ID in the NameID
    Identity is in an Attribute Element - it will look for the ID but under a different name

Screenshot_2022-06-24_at_14.54.15.png

If setting up attributes, please note that you need to use Claim name and not Value. You can copy the URLs by going to Single Sign-On> Attributes & Claims in Azure

Screenshot_2022-06-27_at_9.55.37.png

Just-In-Time Provisioning

If enabled, employees will be automatically provisioned. It will allow them to create an account, even if we don’t have their details (ID/Email Address).

Screenshot_2022-06-27_at_10.33.37.png

Testing

To test the integration and in general, for it to work for the users, please assign users to the application first. 

Go to AzureAD >  Enterprise Applications >> Select the Reward Gateway application > Users and Groups > Add user/group > Click on None Selected and add your users. You can do this individually or by selecting a security group.

If you haven't assigned the users to the application, they will see this error when trying to access the SSO.

Screenshot

Once you are ready, in order to test, log into Azure > Enterprise Applications > Single Sign-on > Test this application

Screenshot_2022-06-24_at_17.16.09.png

If the test is passed successfully, you will receive a confirmation message in Reward Manager that your integration is ready to be published. 

Screenshot_2022-06-24_at_17.18.17.png

In case the attempt is unsuccessful, you will be able to see the error details on the Integration Dashboard. You will then need to rectify and re-attempt a login. 

Screenshot_2022-06-24_at_17.19.32.png

Review and Publishing

To publish your integration, you need to go back to the Integrations dashboard, find your integration (which should be at a Pending status), then click Options > Publish > click ‘Publish’ button. Your Integration will then appear as Live.

Screenshot_2022-06-24_at_17.21.13.png

Related to

Related articles