To integrate Azure Active Directory (AD) with IAM enabled MVISION Cloud, you must add MVISION Cloud from the Azure Gallery, configure SAML SSO in MVISION Cloud, then reconfigure Azure AD SSO.
Before you configure, make sure you have the following prerequisites:
- An Azure AD account with Azure AD Premium Subscription. Activate the subscription from the Azure free account.
- Access to MVISION Cloud tenant with the provisioned user.
Step 1: Add MVISION Cloud from the Gallery
To add MVISION Cloud from the gallery, perform the following activities:
- Log in to the Azure portal.
- On the left pane, click the Azure Active Directory icon.
- Go to Enterprise applications and then select All applications.
- To add a new application, click New application.
- In the search box, enter Mvision and select MVISION Cloud Azure AD SSO Configuration from the result pane. To add the application, click Add.
- Click the MVISION Cloud Azure AD SSO Configuration application. Click Set up single sign on.
- Edit the Basic SAML Configuration and configure it with default values.
NOTE: The default generated values for the Azure AD SSO URL, Identifier, and Certificates are used in MVISION Cloud SAML Configuration.
- Download the Certificate (Base64) and save the Login URL, Azure AD Identifier to use it in MVISION Cloud.
- Do not close the session, as you need to reconfigure this page after the MVISION Cloud configuration is completed.
Step 2: Configure SAML SSO in MVISION Cloud
- Login to MVISION Cloud .
- Go to Settings > User Management > SAML Configuration.
- Enter these details copied from Azure AD:
- Azure AD Issuer. Enter the copied URL.
- Login URL. Enter the App Federation Metadata Url copied from Azure AD.
- Upload the Azure AD certificate.
- Click Save.
Once the configuration is saved in MVISION Cloud, the Audience and Assertion Consumer Service URL is displayed under Service Provider.
Step 3: Reconfigure MVISION Cloud Azure AD SSO
- Go to the Azure AD Configuration and edit Basic SAML Configuration.
- Update Identifier and Reply URL (Assertion Consumer Service URL) and click Save.
Assign the Application to Users
- Click Users and groups.
- Click Add User.
- Search the required users to provide access to MVISION Cloud and select the Users and assign the application.
Step 4: Validate the Azure AD SSO
As of now, IAM enabled tenant only supports IDP initiated SSO only.
IDP Initiated Login
- Log In to https://myapps.microsoft.com/ with the user assigned MVISION Cloud application.
- Click MVISION Cloud application.
You are successfully login to IAM enabled MVISION Cloud tenant.
Common Errors and Troubleshooting Steps
Azure SSO Errors
Misconfigured identity Provider. Check your configuration and try again. This error occurs when you have User Attributes & Claims using the Namespace URL format.
In order to verify and resolve the above error, perform the following activities.
- Go to MVISION Cloud application created in Azure AD.
- Under User Attributes & Claims, edit and make sure that the below claims are configured accordingly:
- firstName = user.givenname
- lastName = usere.surname
- email = user.userprincipalname
- Under Additional claims, if you see URLs for Claim name, then those URLs need to be removed.
- Edit the respective Claim name and remove the URL from the Namespace and leave it blank.
- After removing the Claim name URLs, the attributes are displayed as shown below and this resolves your error.