In this article, we’ll go through how you can integrate Azure Identity Management Solution to allow users to sign in to Reward Gateway through it.

Before continuing, we recommended reading: Guide to SAML Integration Settings

How do I enable the Azure integration?

To enable Azure, log into Reward Manager, click on the Integrations tab on the left, and under the ”Explore” tab you will see the “Azure” application. 

If you don’t have access please speak with your Client Success Manager or a member of the Client Support team who will assign your permissions.

Setup

Reward Gateway is listed as an application on the Azure Marketplace. To install the application please go here. 

To finish the installation, please follow this setup guide from Azure: Tutorial: Azure Active Directory integration with Reward Gateway. 

Watch the following video which demonstrates the setup process step-by-step:

Configuration Name

A name to uniquely identify the integration. This name will be used if a “Sign In with” button is displayed on the login page, i.e. “Sign in with Azure”.

Upload Certificate

The certificate can be found in Azure>Enterprise Applications>Single Sign-On>SAML Signing Certificate>Download Base64

Please note this should be in a .PEM format if you are copy-pasting or in a .CRT/.CERT format if you are uploading it. 

Signature check to be performed on

What element of the SAML Response is signed using the certificate above? Is it the full SAML Response or just the SAML Assertions?

In most cases, this should be SAML Assertion unless configured otherwise. 

Identity Provider Login URL

The Identity Provider Login URL can be found in Azure>Enterprise Applications>Properties>User Access URL

You will be required to enter an Identifier and a Reply URL in Azure.

• The identifier is the Entity ID listed on your Integration page on Reward Manager.

• The Reply URL is the SAML Consumer URL (ACS) on your Integration page found on Reward Manager. 

Mapping

• Select the Identifier - this will be the main detail passed over to us to authenticate the user. If it’s a self-registration scheme, the identifier will be Employee/Payroll Number by default.
• Select the SAML Identity Location - this tells our system where to look for the identifier.
  - Identity is in the Name Identifier - our system will look for the ID in the NameID
  - Identity is in an Attribute Element - it will look for the ID but under a different name

If setting up attributes, please note that you need to use Claim name and not Value. You can copy the URLs by going to Single Sign-On> Attributes & Claims in Azure

Just-In-Time Provisioning

If enabled, employees will be automatically provisioned. It will allow them to create an account, even if we don’t have their details (ID/Email Address).

Testing

To test the integration and in general, for it to work for the users, please assign users to the application first. 

Go to AzureAD >  Enterprise Applications >> Select the Reward Gateway application > Users and Groups > Add user/group > Click on None Selected and add your users. You can do this individually or by selecting a security group.

If you haven't assigned the users to the application, they will see this error when trying to access the SSO.

Once you are ready, in order to test, log into Azure > Enterprise Applications > Single Sign-on > Test this application

If the test is passed successfully, you will receive a confirmation message in Reward Manager that your integration is ready to be published. 

In case the attempt is unsuccessful, you will be able to see the error details on the Integration Dashboard. You will then need to rectify and re-attempt a login. 

Review and Publishing

To publish your integration, you need to go back to the Integrations dashboard, find your integration (which should be at a Pending status), then click Options > Publish > click ‘Publish’ button. Your Integration will then appear as Live.