
This guide assumes you have the appropriate level of permissions to configure your Federated IdP.

Prerequisite Step: We will provide you with the metadata URL, which includes the custom Entity ID and Reply URL.

In the following example, <Connection> is a placeholder unique to each customer.

Metadata URL: https://id.orchestrated.io/samlp/metadata?connection=<Connection>

The metadata URL provides the following configuration information:

Identifier (Entity ID): urn:auth0:orchestrated-integration:<Connection>

Reply URL (ACS): https://id.orchestrated.io/login/callback?connection=<Connection>

Create a new enterprise app within your Azure AD tenant

  1. Provide your new application with a name; we suggest ‘TeamForm’

  2. Select ‘Non-gallery’

  3. Click ‘Confirm’

Set SSO method as SAML

  1. Once the App is created, select ‘Single Sign-On’ on the left-hand menu.

  2. Under ‘Select a single sign-on method’, select ‘SAML’ for the sign-on method.

Configure Single Sign-On with SAML

  1. In Basic SAML Configuration, enter your TeamForm Identifier (Entity ID) and Reply URL (ACS) from the prerequisite step above, as provided by your TeamForm nominated representative

  2. In Attributes & Claims

    1. add user.groups as a ‘Group Claim’; the group Object IDs carried in this claim tell TeamForm which users should have access, and at what level

    2. select ‘Groups assigned to the application’, so that only the groups assigned to the TeamForm application (and not every group the user belongs to) are returned in the claim to TeamForm:

  3. Under SAML Signing Certificate, copy the ‘App Federation Metadata Url’. It has the following format (the tenant and app IDs below are example values only): https://login.microsoftonline.com/352beba7-c317-4dc2-8a9b-6a7888639a4f/federationmetadata/2005-09/federationmetadata.xml?appid=92a263fd-974b-4098-b13e-0212a143a8b6

Create TeamForm’s Application Groups in Azure AD

To access TeamForm, users will be assigned to the user authorisation groups (referred to in Azure AD as ‘Application Groups’) based on their assigned role.

We strongly recommend that all employees within an organisation are automatically added to the TeamForm_sso_everyone_group Application Group by default.

  1. Please create the following Application Groups (the group names suggested here are not mandatory if you have your own naming convention; however, we suggest the following naming standard to make future troubleshooting easier):

    • TeamForm_sso_admin_group - Users assigned to this group can perform administrative-level functions within TeamForm

    • TeamForm_sso_wfreporting_group - Users assigned to this group can access TeamForm’s workforce reporting capability

    • TeamForm_sso_leader_group - Enables leaders to perform workforce management, team or work planning roles in TeamForm or Team Directory

    • TeamForm_sso_everyone_group - The default and lowest authorisation group, enabling read-only access to TeamForm

  2. Record the Object ID of each of the above Application Groups. Azure AD sends the group’s Object ID (not its display name) in the group claim, and this Object ID is what TeamForm uses to map a user to an access level.
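The following is an added example, not TeamForm’s or Auth0’s code, showing why the Attributes & Claims step and the recorded Object IDs go together: once the service provider side has validated the assertion’s signature, the group Object IDs in the Azure AD group claim are matched against the recorded IDs to decide which TeamForm access level a user gets. The group-claim attribute name is the standard one Azure AD uses for SAML tokens; the GUIDs and the sample assertions are constructed placeholders, and the role names follow the four groups above.

```python
"""Map the Azure AD group claim in a SAML assertion to TeamForm access levels.

Added illustration only: this is not TeamForm's or Auth0's code. It assumes
the standard Azure AD group-claim attribute name and uses constructed
placeholder Object IDs and sample assertions.
"""
import xml.etree.ElementTree as ET

# Attribute name Azure AD uses for group claims in SAML assertions. With the
# default "Group ID" source, each value is the group's Object ID (a GUID),
# not its display name, which is why the Object IDs are what TeamForm needs.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Object IDs recorded for the four Application Groups (constructed
# placeholders; substitute the real GUIDs from your tenant).
GROUP_ROLES = {
    "11111111-1111-1111-1111-111111111111": "admin",
    "22222222-2222-2222-2222-222222222222": "wfreporting",
    "33333333-3333-3333-3333-333333333333": "leader",
    "44444444-4444-4444-4444-444444444444": "everyone",
}


def group_ids_from_assertion(assertion_xml: str) -> list[str]:
    """Return the group Object IDs carried in the assertion's groups claim.

    Call this only on an assertion whose XML signature has already been
    validated against the IdP signing certificate published at the App
    Federation Metadata URL; an unsigned assertion can claim any groups.
    """
    root = ET.fromstring(assertion_xml)
    ids: list[str] = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != GROUPS_CLAIM:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                # GUIDs are compared case-insensitively.
                ids.append(value.text.strip().lower())
    return ids


def teamform_roles(group_ids: list[str]) -> set[str]:
    """Translate group Object IDs into TeamForm roles.

    Groups that were not recorded are ignored rather than rejected: with
    "Groups assigned to the application" only the four TeamForm groups should
    appear, but a tenant that sends "All groups" will include unrelated ones.
    """
    return {GROUP_ROLES[g] for g in group_ids if g in GROUP_ROLES}


def access_decision(assertion_xml: str) -> tuple[bool, set[str]]:
    """Return (allowed, roles). A user in none of the TeamForm groups is
    denied even though the IdP authenticated them: authentication is not
    authorisation."""
    roles = teamform_roles(group_ids_from_assertion(assertion_xml))
    return (bool(roles), roles)


def make_sample_assertion(name: str, groups: list[str]) -> str:
    """Build a minimal, unsigned, constructed SAML assertion for the examples."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    groups_attr = (
        f'<saml:Attribute Name="{GROUPS_CLAIM}">{values}</saml:Attribute>' if groups else ""
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_1" Version="2.0">'
        f"<saml:Subject><saml:NameID>{name}</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{NAME_CLAIM}">'
        f"<saml:AttributeValue>{name}</saml:AttributeValue></saml:Attribute>"
        f"{groups_attr}"
        "</saml:AttributeStatement></saml:Assertion>"
    )


# Constructed samples: a leader (everyone + leader groups), a user in no
# TeamForm group, and a user whose only group was never recorded.
LEADER = make_sample_assertion("jane@example.com", [
    "44444444-4444-4444-4444-444444444444",
    "33333333-3333-3333-3333-333333333333",
])
NO_GROUPS = make_sample_assertion("bob@example.com", [])
UNKNOWN_GROUP = make_sample_assertion("eve@example.com", [
    "99999999-9999-9999-9999-999999999999",
])

if __name__ == "__main__":
    for label, sample in [("leader", LEADER), ("no groups", NO_GROUPS),
                          ("unknown group", UNKNOWN_GROUP)]:
        print(label, access_decision(sample))
```

The practical check this gives you when troubleshooting: if a user who is assigned to the enterprise application still lands in the “no groups” case, the group claim is either missing from the assertion (Attributes & Claims step) or carrying IDs that were never sent to TeamForm (Object IDs step).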

Assigning TeamForm’s Application Groups to the TeamForm enterprise application

  1. Select ‘Users and groups’:

  2. Select ‘None selected’:

  3. Assign the four Application Groups created in ‘Create TeamForm’s Application Groups in Azure AD’ above

Send your configuration to TeamForm

  1. So that we can configure our side of the connection in line with your security processes, please send the following to TeamForm (directly or via a help request):

    • App Federation Metadata URL

    • Azure AD Application Group Object IDs

  2. Once we have received your details and configured the connection, we will let you know that it is set up and provide you with your Vanity URLs, so that you can verify the connection by following the steps below:

Testing the Connection

See Testing your Single Sign-On connection to TeamForm
