Table of Contents | ||||
---|---|---|---|---|
|
Info |
---|
This guide assumes you have the appropriate level of permissions to configure your Federated Identity Provider (IdP). |
Prerequisite Step: We will provide you with the metadata URL, which includes the custom Entity ID and Reply URL.
In the following example, <Connection>
is a placeholder unique to each customer.
...
Info |
---|
Reply URL (ACS): |
Create a new enterprise app within your
...
Entra ID Tenant
...
Provide your new application with a name, we suggest ‘TeamForm’
Select ‘Non-gallery’
Click ‘Confirm’
Set SSO method as SAML
Once the App is created, select ‘Single Sign-On’ on the left-hand menu.
Under ‘Select a single sign-on method’, select ‘SAML’ for the sign-on method.
Configure Single Sign-On with SAML
...
In Basic SAML Configuration - enter your TeamForm Identifier (Entity ID) and Reply URL(ACS) (from the prerequisite step above, provided by your TeamForm nominated representative)
In Attributes & Claims
add
user.groups
as a ‘Group Claim’ - this informs TeamForm who should have accessselect ‘Groups assigned to the application’ which will return the groups associated with the TeamForm application in the claim back to TeamForm:
Record the SAML Signing Certificate - copy the ‘App Federation Metadata url’ in the following example format
https://login.microsoftonline.com/352beba7-c317-4dc2-8a9b-6a7888639a4f/federationmetadata/2005-09/federationmetadata.xml?appid=92a263fd-974b-4098-b13e-0212a143a8b6
Create TeamForm’s Application Groups in
...
Entra ID
To access TeamForm, users will be assigned to the user authorisation groups (referred to in Azure AD Entra ID as ‘Application Groups’) based on their assigned role.
...
Please create the following Application Groups (The group names suggested here are not mandatory if you have your naming convention, however, we suggest the following naming standard to support future troubleshooting):
TeamForm_sso_admin_group
- Users assigned to this group can perform administrative-level functions within TeamFormTeamForm_sso_wfreporting_group
- Users assigned to this group can access TeamForm’s workforce reporting capabilityTeamForm_sso_leader_group
- Enables leaders to perform workforce management, team or work planning roles in TeamForm or Team DirectoryTeamForm_sso_everyone_group
- The default and lowest authentication group enabling read-only access to TeamForm
Record the Object ID of each of the above Application Groups
Assigning TeamForm’s Application Groups to the TeamForm enterprise application
Select ‘Users and groups’:
Select ‘None selected’:
Associate the 4 Application Groups created in ‘Create TeamForm’s Application Groups in Azure ADEntra ID’ above
Send your configuration to TeamForm
So that we may configure our side of the connection following your security processes, please send (or via a help request) to TeamForm:raise a support request using the
contact us
option below.App Federation Metadata URL
Azure AD Entra ID Application Group Object ID’s
Once we have received and configured your connection, we will inform you that the connection is set up and provide you with your Vanity URLs, so you can verify that the connection is set up by following the steps below:
Testing the Connection
See Testing your Single Sign-On connection to TeamForm
Related articles
Filter by label (Content by label) | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...