The following instructions describe the steps required to integrate Microsoft Azure's IdP functionality with AnyClip Single Sign-On. Once these steps are implemented, end users who rely on Azure as an IdP will be able to sign in to AnyClip using SSO.
Please note that setting up Azure Single Sign-On involves setup tasks in both the AnyClip and Azure administration user interfaces. The procedure detailed below includes instructions for both, so keep both user interfaces open in front of you.
Azure Account Administrator View
Log into the Azure Portal.
In the Azure Services section, choose Azure Active Directory.
In the left sidebar, choose Enterprise applications.
Choose New Application.
On the Browse Azure AD Gallery page, choose Create your own application.
Under What’s the name of your app?, enter a name for your application and select Integrate any other application you don’t find in the gallery (Non-gallery), as shown in the figure below. Choose Create.
It will take a few seconds for the application to be created in Azure AD. You should then be redirected to the Overview page for the newly added application.
Note
Occasionally, the foregoing step can result in a Not Found error, even though Azure AD has successfully created the new application. If this happens, navigate in Azure back to Enterprise applications and search for your application by name.
Set up a Single Sign-on using SAML
In the Getting Started section, where the Set up single sign-on tile is, choose Get started.
On the next screen, select SAML. In the middle pane under Set up Single Sign-On with SAML, in the Basic SAML Configuration section, choose the edit (pencil) icon.
In the right pane under Basic SAML Configuration, replace the default Identifier (Entity ID) with the Audience URI and the Reply URL (Assertion Consumer Service URL) with the Single Sign-On URL shown in AnyClip's Azure administration window. To see this information, do the following in AnyClip:
Choose the Gear icon in the main AnyClip navigation bar and choose Single Sign-On. The following appears:
Click the Add button and choose Azure AD. The following profile setup dialogue appears. Create a profile by adding a unique name in the Profile Name field.
Copy the Single Sign-On URL and Audience URI into the Reply URL and Identifier ID fields, respectively, in the Azure Administration screen shown below:
In the middle pane under Set up Single Sign-On with SAML in the User Attributes & Claims section, choose Edit.
Choose Add a group claim. On the User Attributes & Claims page, in the right pane under Group Claims, select Groups assigned to the application. The Source attribute value should be, for example, Group ID. Choose Save.
In a text editor, note down the Claim names under Additional claims. You’ll need these when creating the attribute mapping in the AnyClip Azure profile setup dialogue.
Close the User Attributes & Claims screen by choosing the X in the top right corner. You’ll be redirected to the Set up Single Sign-On with SAML page.
Scroll down to the SAML Signing Certificate section, and copy the App Federation Metadata URL by choosing the copy to clipboard icon (highlighted with red arrow below). Keep this URL in a text editor, as you’ll need it later.
Copy the App Federation Metadata URL and paste it into the IDP Metadata field in the AnyClip Azure Administration screen shown below:
AnyClip Account Administrator View - Azure Profile Setup
The following section describes additional setup tasks required in the AnyClip Azure Single Sign-On Administration page. Proceed as follows:
From the main AnyClip navigation menu, go to the gear icon and choose Single Sign-On.
Once you choose the SSO menu option, the main SSO Profiles page is displayed where you can add new SSO profiles and edit existing profiles. To edit an existing SSO Profile, click on it. The instructions for editing profiles correspond to those below regarding creating new profiles. To activate or deactivate a profile, choose the proper setting in the Actions menu.
To create a new SSO profile click Add and select your organization's IdP, in this case Azure AD. The SSO Profile setup screen appears:
In this case, choose the Azure SSO profile you already created above. In the dialogue screen shown above, note the toggle Allow users to use any domain when they use Single Sign On. This toggle determines whether users can use any domain when they use SSO. Note that if you have set up another profile and chosen to allow users to use any domain to log in, this toggle will be disabled.
In the same dialogue shown above, you set the domain names you want to enable with Single Sign-On. For example, if an organization has three domains (anyclip.com, anyclip.uk and anyclip.ai.uk) and users from all domains require SSO, then set up each domain on a separate line. Enter the SSO Profile Name and the valid organizational Domain name. Use Add Domain to add multiple domains. Once the profile name and domain name(s) are entered, click Save to create the profile.
In the image above you will notice that the toggle "Only existing users can use Single Sign-On" is selected. This setting is selected by default and means that only existing users in AnyClip will be able to use SSO for the selected profile.
If you want an SSO profile that allows users to log in who, at the time of login, are NOT users in the platform, deselect this toggle. When the toggle is off, users that are successfully authenticated will be added as users in AnyClip with the following credentials: first name, last name, and email. Deselecting the foregoing toggle will cause the following additional setup fields to appear:
You can either set default hubs to which new users signing in to the system using SSO will be assigned, or create custom rules which will automatically determine the hub assignment of each user. This is done using the field named Assign New Users to Hubs. To create custom rules, click Add.
In the screen above, enter the rule Name and then the rule Attributes. Attributes are key and value pairs. You may enter more than one attribute. A logical AND operator exists between any two sequential attributes. Lastly, select one or more Hubs you want to associate with the rule and click Save. Once the rule is created, you will be navigated back to the main SSO Profile screen, where you need to click Save again.
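The profile settings above interact: domain list, any-domain toggle, existing-users toggle and hub rules. The following is an added example that models them as this page describes them; it is not AnyClip's code, and the class names, function names, hub names, group ID and users are hypothetical. It assumes that hubs of all matching rules are combined, that default hubs apply when no rule matches, and that a multi-valued claim matches when it contains the rule's value.

```python
from dataclasses import dataclass, field

# Claim name Azure AD uses for group claims; with Source attribute "Group ID"
# the values are group object IDs.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

@dataclass
class HubRule:
    name: str
    attributes: dict  # claim name -> required value; every pair must match (AND)
    hubs: list

@dataclass
class SsoProfile:
    domains: list
    allow_any_domain: bool = False
    only_existing_users: bool = True  # the default described on this page
    default_hubs: list = field(default_factory=list)
    rules: list = field(default_factory=list)

def assign_hubs(profile, claims):
    """claims maps a claim name to the list of values in the assertion."""
    matched = [r for r in profile.rules
               if all(v in claims.get(k, []) for k, v in r.attributes.items())]
    # Assumption: hubs of all matching rules are combined; defaults otherwise.
    return sorted({h for r in matched for h in r.hubs}) or list(profile.default_hubs)

def evaluate_login(profile, email, claims, existing_users):
    domain = email.rsplit("@", 1)[-1].lower()
    if not profile.allow_any_domain and domain not in profile.domains:
        return ("deny", "domain not enabled for this profile")
    if email.lower() in existing_users:
        return ("allow", "existing user")
    if profile.only_existing_users:
        return ("deny", "no AnyClip user and provisioning is off")
    return ("create", assign_hubs(profile, claims))

# Constructed sample: the domains come from the page's example; the hub names,
# group ID and users are made up.
EDITORS = "11111111-1111-1111-1111-111111111111"
PROFILE = SsoProfile(
    domains=["anyclip.com", "anyclip.uk", "anyclip.ai.uk"],
    only_existing_users=False, default_hubs=["General"],
    rules=[HubRule("editors", {GROUPS_CLAIM: EDITORS, "department": "News"},
                   ["Editorial"])])
USERS = {"dana@anyclip.com"}
```

In this model, turning only_existing_users off and allow_any_domain on sends every identity the IdP authenticates into the create branch.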
End-User View
The following presents end-users' view as they log into the system using SSO:
Users who wish to log in to AnyClip using SSO choose Sign in with Single Sign On.
The Microsoft Azure login screen will appear. When the user enters the relevant organizational credentials, the user will be logged into the platform. If the user enters the wrong credentials, an error message appears instead.