
This guide assumes you have the appropriate level of permissions to configure your Federated Identity Provider (IdP).

Prerequisite Step: We will provide you with the metadata URL, which includes the custom Entity ID and Reply URL.

In the following example, <Connection> is a placeholder unique to each customer.

...

Reply URL (ACS): https://id.orchestrated.io/login/callback?connection=<Connection>

Create a new enterprise app within your Entra ID Tenant

...

  1. Provide your new application with a name; we suggest ‘TeamForm’.

  2. Select ‘Non-gallery’

  3. Click ‘Confirm’

Set SSO method as SAML

  1. Once the App is created, select ‘Single Sign-On’ on the left-hand menu.

  2. Under ‘Select a single sign-on method’, select ‘SAML’ for the sign-on method.

Configure Single Sign-On with SAML

...

  1. In Basic SAML Configuration, enter your TeamForm Identifier (Entity ID) and Reply URL (ACS) (from the prerequisite step above, provided by your TeamForm nominated representative).

  2. In Attributes & Claims:

    1. Add user.groups as a ‘Group Claim’. This informs TeamForm who should have access.

    2. Select ‘Groups assigned to the application’, which will return the groups associated with the TeamForm application in the claim back to TeamForm.

  3. Record the SAML Signing Certificate: copy the ‘App Federation Metadata Url’, which has the following example format: https://login.microsoftonline.com/352beba7-c317-4dc2-8a9b-6a7888639a4f/federationmetadata/2005-09/federationmetadata.xml?appid=92a263fd-974b-4098-b13e-0212a143a8b6

Create TeamForm’s Application Groups in Entra ID

To access TeamForm, users will be assigned to the user authorisation groups (referred to in Entra ID as ‘Application Groups’) based on their assigned role.

...

  1. Please create the following Application Groups. The group names suggested here are not mandatory if you have your own naming convention; however, we suggest the following naming standard to support future troubleshooting:

    • TeamForm_sso_admin_group - Users assigned to this group can perform administrative-level functions within TeamForm

    • TeamForm_sso_wfreporting_group - Users assigned to this group can access TeamForm’s workforce reporting capability

    • TeamForm_sso_leader_group - Enables leaders to perform workforce management, team or work planning roles in TeamForm or Team Directory

    • TeamForm_sso_everyone_group - The default and lowest authentication group enabling read-only access to TeamForm

  2. Record the Object ID of each of the above Application Groups

Assigning TeamForm’s Application Groups to the TeamForm enterprise application

  1. Select ‘Users and groups’:

  2. Select ‘None selected’:

  3. Associate the 4 Application Groups created in ‘Create TeamForm’s Application Groups in Entra ID’ above

Send your configuration to TeamForm

  1. So that we may configure our side of the connection following your security processes, please raise a support request using the contact us option below, providing the following:

    • App Federation Metadata URL

    • Entra ID Application Group Object IDs

  2. Once we have received and configured your connection, we will inform you that the connection is set up and provide you with your Vanity URLs, so you can verify that the connection is set up by following the steps below:

Testing the Connection

See Testing your Single Sign-On connection to TeamForm
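
A check an administrator can run against the assertion from a SAML response captured during a test sign-in, confirming that the Audience, Recipient and groups claim match what was configured in the steps above. This is an added example, not TeamForm's or Microsoft's code; the Entity ID, connection name, group Object IDs and the sample assertion are constructed placeholders, and the script inspects claims only (it does not verify the XML signature).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim name Entra ID uses for group Object IDs in SAML tokens.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed placeholders: substitute the values recorded during setup.
ENTITY_ID = "urn:example:teamform-entity-id"
REPLY_URL = "https://id.orchestrated.io/login/callback?connection=example-connection"
EXPECTED_GROUPS = {  # Object ID -> Application Group
    "00000000-0000-0000-0000-000000000001": "TeamForm_sso_admin_group",
    "00000000-0000-0000-0000-000000000002": "TeamForm_sso_wfreporting_group",
    "00000000-0000-0000-0000-000000000003": "TeamForm_sso_leader_group",
    "00000000-0000-0000-0000-000000000004": "TeamForm_sso_everyone_group",
}

# Constructed assertion, trimmed to the elements this check reads.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
 <saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="{REPLY_URL}"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>{ENTITY_ID}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="{GROUPS_CLAIM}">
  <saml:AttributeValue>00000000-0000-0000-0000-000000000004</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, entity_id=ENTITY_ID, reply_url=REPLY_URL,
                    expected=EXPECTED_GROUPS):
    """Return a list of findings; empty means the claims match the setup."""
    root = ET.fromstring(xml_text)
    findings = []
    if entity_id not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        findings.append("Audience does not match the Entity ID")
    recipients = [d.get("Recipient")
                  for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if reply_url not in recipients:
        findings.append("Recipient does not match the Reply URL (ACS)")
    groups = [v.text or "" for a in root.iterfind(".//saml:Attribute", NS)
              if a.get("Name") == GROUPS_CLAIM
              for v in a.iterfind("saml:AttributeValue", NS)]
    if not groups:
        findings.append("no groups claim in the assertion")
    for g in groups:
        if g.lower() not in expected:
            findings.append(f"group value {g!r} is not a recorded Object ID")
    return findings
```

A group value that is a name rather than an Object ID, or an Object ID outside the four recorded groups, shows up as a finding, which points back to the ‘Group Claim’ settings or the group assignment on the enterprise application.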
