This guide assumes you have the appropriate level of permissions to configure your Federated IdP.
Prerequisite Step: We will provide you with the metadata URL, which includes the custom Entity ID and Reply URL.
In the following example, <Connection>
is a placeholder unique to each customer.
Metadata URL: https://id.orchestrated.io/samlp/metadata?connection=<Connection>
The metadata URL provides the following configuration information:
Identifier (Entity ID): urn:auth0:orchestrated-integration:<Connection>
Reply URL (ACS): https://id.orchestrated.io/login/callback?connection=<Connection>
Create a new enterprise app within your Azure AD tenant
Provide your new application with a name, we suggest ‘TeamForm’
Select ‘Non-gallery’
Click ‘Confirm’
Set SSO method as SAML
Once the App is created, select ‘Single Sign-On’ on the left-hand menu.
Under ‘Select a single sign-on method’, select ‘SAML’ for the sign-on method.
Configure Single Sign-On with SAML
In Basic SAML Configuration - enter your TeamForm Identifier (Entity ID) and Reply URL(ACS) (from the prerequisite step above, provided by your TeamForm nominated representative)
In Attributes & Claims
add
user.groups
as a ‘Group Claim’ - this informs TeamForm who should have accessselect ‘Groups assigned to the application’ which will return the groups associated with the TeamForm application in the claim back to TeamForm:
Record the SAML Signing Certificate - copy the ‘App Federation Metadata url’ in the following example format
https://login.microsoftonline.com/352beba7-c317-4dc2-8a9b-6a7888639a4f/federationmetadata/2005-09/federationmetadata.xml?appid=92a263fd-974b-4098-b13e-0212a143a8b6
Create TeamForm’s Application Groups in Azure AD
To access TeamForm, users will be assigned to the user authorisation groups (referred to in Azure AD as ‘Application Groups’) based on their assigned role.
We strongly recommend that all employees within an organisation are automatically added to the TeamForm_sso_everyone_group
Application Group by default
Please create the following Application Groups (The group names suggested here are not mandatory if you have your naming convention, however, we suggest the following naming standard to support future troubleshooting):
TeamForm_sso_admin_group
- Users assigned to this group can perform administrative-level functions within TeamFormTeamForm_sso_wfreporting_group
- Users assigned to this group can access TeamForm’s workforce reporting capabilityTeamForm_sso_leader_group
- Enables leaders to perform workforce management, team or work planning roles in TeamForm or Team DirectoryTeamForm_sso_everyone_group
- The default and lowest authentication group enabling read-only access to TeamForm
Record the Object ID of each of the above Application Groups
Assigning TeamForm’s Application Groups to the TeamForm enterprise application
Select ‘Users and groups’:
Select ‘None selected’:
Associate the 4 Application Groups created in ‘Create TeamForm’s Application Groups in Azure AD’ above
Send your configuration to TeamForm
So that we may configure our side of the connection following your security processes, please send (or via a help request) to TeamForm:
App Federation Metadata URL
Azure AD Application Group Object ID’s
Once we have received and configured your connection, we will inform you that the connection is set up and provide you with your Vanity URLs, so you can verify that the connection is set up by following the steps below:
Testing the Connection
See Testing your Single Sign-On connection to TeamForm
Related articles
Filter by label
There are no items with the selected labels at this time.