Azure AD SSO Setup

Updated 1 month ago by Amy Tranter

If you use Azure as your Single Sign-On provider, here are the steps you or your IdP admin need to complete in order to create an integration between your Azure and Criteria accounts.

Create an Azure SAML Application

  1. Visit the Azure Active Directory Page on your Azure Portal
  2. In Active Directory Menu Blade click on Enterprise Applications
  3. Select New Application at the top left
  4. Select Non-Gallery application and type in Criteria as the application name

Edit the SSO Configuration

  1. On the App Overview screen select Set up single sign on
  2. Select SAML
  3. Click to Edit the Basic SAML Configuration
  4. For the Identifier (Entity ID) field enter urn:amazon:cognito:sp:ap-southeast-2_htcOeRF9C
  5. For the Reply URL (Assertion Consumer Service URL) field enter https://app-au.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse
  6. For the Sign on URL enter https://app-au.criteriacorp.com/?companyAccountId=<companyAccountId>
  7. Click Save
  8. Click to Edit the User Attributes & Claims
    1. Click on the Required Claim with the Claim Name of Unique User Identifier (Name ID) to edit it.
    2. Change the name identifier format to Persistent and the Source Attribute to user.objectid
    3. Click Save
    4. Edit the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress claim value to user.userprincipalname
    5. Add another claim with the name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/identifier and set the value to user.objectid

Download the SAML Metadata URL

On the Single Sign-On Screen copy the App Federation Metadata URL and send this to Criteria.

 Click here for the next steps in the SSO integration setup process.

Parameters Needed

Here is a recap of the parameters required to set up an integration between Azure and Criteria.

Criteria Provided Parameters
  1. Entity ID (Audience URI): urn:amazon:cognito:sp:ap-southeast-2_htcOeRF9C
  2. Assertion Consumer Service URL: https://app-au.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse
  3. First-Time Sign-On URL/BookMark: https://app-au.criteriacorp.com/?companyAccountId=<companyAccountId>
  4. Our Required SAML Attributes
    1. Idp Immutable Global Unique Identifier (Varies by Idp)
    2. First Name
    3. Last Name
    4. Email Address
  5. Optional Recommended SAML Attribute
    1. Job Title
Customer Provided Parameters
  1. Federation Metadata Document endpoint URL (Can also be an XML Document but URL preferred)


How did we do?