Azure AD SSO Setup
If you use Azure as your Single Sign-On provider, here are the steps you or your IdP admin need to complete in order to create an integration between your Azure and Criteria accounts.
Create an Azure SAML Application
- Visit the Azure Active Directory Page on your Azure Portal
- In the Active Directory menu blade, click Enterprise Applications
- Select New Application at the top left
- Select Non-Gallery application and type in Criteria as the application name
Edit the SSO Configuration
- On the App Overview screen select Set up single sign on
- Select SAML
- Click to Edit the Basic SAML Configuration
- For the Identifier (Entity ID) field enter urn:amazon:cognito:sp:ap-southeast-2_htcOeRF9C
- For the Reply URL (Assertion Consumer Service URL) field enter https://app-au.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse
- For the Sign on URL enter https://app-au.criteriacorp.com/?companyAccountId=<companyAccountId>
- Click Save
- Click to Edit the User Attributes & Claims
- Click on the Required Claim with the Claim Name of Unique User Identifier (Name ID) to edit it.
- Change the name identifier format to Persistent and the Source Attribute to user.objectid
- Click Save
- Edit the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress claim value to user.userprincipalname
- Add another claim with the name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/identifier and set the value to user.objectid
Download the SAML Metadata URL
On the Single Sign-On screen, copy the App Federation Metadata URL and send it to Criteria.
Click here for the next steps in the SSO integration setup process.
Here is a recap of the parameters required to set up an integration between Azure and Criteria.
Criteria Provided Parameters
- Entity ID (Audience URI): urn:amazon:cognito:sp:ap-southeast-2_htcOeRF9C
- Assertion Consumer Service URL: https://app-au.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse
- First-Time Sign-On URL/Bookmark: https://app-au.criteriacorp.com/?companyAccountId=<companyAccountId>
- Our Required SAML Attributes
  - IdP immutable globally unique identifier (varies by IdP)
  - First Name
  - Last Name
  - Email Address
- Optional Recommended SAML Attribute
  - Job Title
Customer Provided Parameters
- Federation Metadata Document endpoint URL (an XML document is also accepted, but a URL is preferred)
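The claim edits above (persistent NameID sourced from user.objectid, emailaddress from user.userprincipalname, an extra identifier claim carrying the object id) and the required-attribute recap describe what the SAML assertion leaving Azure should look like. The following is an added example, not code from Criteria or Microsoft, that parses a test assertion and reports any deviation from that configuration. It assumes Azure's default claim URIs for first and last name (givenname and surname, not listed in the guide), uses a constructed tenant ID placeholder and constructed user values, and checks structure only: signature validation and replay protection are performed by Amazon Cognito, so run this only on a test assertion you trust.

```python
"""Structural check of a SAML 2.0 assertion against the Azure AD claim
configuration in this guide (added example, not Criteria's or Microsoft's code).

Checks values and structure only; XML signature validation is done by the
service provider (Amazon Cognito here), not by this script.
"""
from typing import Dict, List
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Values taken from the guide above.
EXPECTED_AUDIENCE = "urn:amazon:cognito:sp:ap-southeast-2_htcOeRF9C"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
CLAIM_BASE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
IDENTIFIER_CLAIM = CLAIM_BASE + "identifier"
EMAIL_CLAIM = CLAIM_BASE + "emailaddress"
# givenname/surname are Azure AD's default first/last name claim URIs; the
# guide lists the attributes but not their URIs (assumption).
REQUIRED_CLAIMS = {IDENTIFIER_CLAIM, EMAIL_CLAIM,
                   CLAIM_BASE + "givenname", CLAIM_BASE + "surname"}


def parse_assertion(xml_text: str) -> dict:
    """Extract NameID, audiences and attributes from an Assertion
    (or from the first Assertion inside a samlp:Response)."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{SAML_NS}}}Assertion" \
        else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    attributes: Dict[str, List[str]] = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audiences": audiences,
        "attributes": attributes,
    }


def check_assertion(xml_text: str) -> List[str]:
    """Return configuration problems; an empty list means the assertion
    matches what the guide asks Azure to send."""
    info = parse_assertion(xml_text)
    problems = []
    if EXPECTED_AUDIENCE not in info["audiences"]:
        problems.append(f"audience {info['audiences']} != expected Entity ID")
    if info["name_id_format"] != PERSISTENT_FORMAT:
        problems.append(f"NameID format {info['name_id_format']!r} is not persistent")
    for name in sorted(REQUIRED_CLAIMS - info["attributes"].keys()):
        problems.append(f"missing required claim {name}")
    ident = info["attributes"].get(IDENTIFIER_CLAIM)
    # NameID and the identifier claim are both sourced from user.objectid,
    # so a mismatch means one of the two claim edits was skipped.
    if ident is not None and ident != [info["name_id"]]:
        problems.append("identifier claim does not match NameID")
    email = info["attributes"].get(EMAIL_CLAIM)
    # NameID must be the immutable object id, never the renamable UPN/e-mail.
    if email is not None and info["name_id"] in email:
        problems.append("NameID equals the e-mail address; use user.objectid")
    return problems


def build_sample_assertion(name_id: str, name_id_format: str,
                           attributes: Dict[str, str]) -> str:
    """Construct a minimal unsigned assertion for offline testing
    (constructed sample data with a placeholder tenant, not a real response)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        f'</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes.items())
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0">'
        '<saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>'
        f'<saml:Subject><saml:NameID Format="{name_id_format}">{name_id}'
        '</saml:NameID></saml:Subject>'
        '<saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
        '</saml:Assertion>')


OBJECT_ID = "11111111-2222-3333-4444-555555555555"  # constructed objectid
GOOD_ASSERTION = build_sample_assertion(OBJECT_ID, PERSISTENT_FORMAT, {
    IDENTIFIER_CLAIM: OBJECT_ID,
    EMAIL_CLAIM: "jane.doe@example.com",
    CLAIM_BASE + "givenname": "Jane",
    CLAIM_BASE + "surname": "Doe",
})
# Misconfigured: NameID left at its default (UPN in e-mail format) and the
# extra identifier claim never added.
BAD_ASSERTION = build_sample_assertion(
    "jane.doe@example.com",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    {EMAIL_CLAIM: "jane.doe@example.com",
     CLAIM_BASE + "givenname": "Jane", CLAIM_BASE + "surname": "Doe"})

if __name__ == "__main__":
    for label, xml in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_assertion(xml) or "OK")
```

Running the script reports the good sample as OK and lists three problems for the misconfigured one: a non-persistent NameID format, a missing identifier claim, and a NameID that is the e-mail address. The NameID check matters because Cognito keys the federated user on the NameID, so an e-mail based value would break the account link whenever a user's UPN changes.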