  1. Go to "Azure Active Directory" > "Enterprise applications"
  2. Click "New application", then "All", then "Non-gallery application"
  3. Enter "Vivi" for the name and click "Add" and wait until you end up at "Quick start"

  4. Click "Configure single sign-on"
  5. For "Single Sign-On Mode" select "SAML-based Sign-on"
  6. For "Identifier" enter the SAML metadata URL, "https://api.vivi.io/api/v1/users/saml_metadata/<your organisation id>"
  7. For "Reply URL" enter "https://api.vivi.io/api/v1/users/saml"
  8. Download the "SAML Signing Certificate" as "Certificate (Base64)"
  9. Copy the contents of this file into "SAML Token-Signing Certificate" on Vivi
  10. Press "Save"
  11. Press "Configure Vivi"
  12. Copy the "SAML Single Sign-On Service URL" value into "SAML SSO URL" on Vivi, "https://login.microsoftonline.com/<your application id>/saml2"
  13. Ignore the rest of the values, in particular the "Sign-Out URL"; leave "SAML SLO URL" blank on Vivi

  14. Go back to "Azure Active Directory" and then to "App registrations"
  15. Find the "Vivi" application and select it
  16. Click "Manifest" to view the JSON configuration
  17. Find "groupMembershipClaims" and change the value from null to "SecurityGroup" (with quotes)
  18. Click "Save"
  19. Go back to the application and click "Settings" and then "Properties"
  20. For "Logout URL" enter "https://api.vivi.io/api/v1/users/saml_logout/<your organisation id>"
  21. Click "Save"

  22. Go back to "Enterprise applications" > "Vivi" > "Users and Groups"
  23. Only users and groups explicitly added here will be able to sign in to the Vivi app
  24. Nested groups can't be assigned yet according to Microsoft: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15718164-add-support-for-nested-groups-in-azure-ad-app-acc
  25. Alternatively, you can disable "User assignment required?" in "Vivi" > "Properties" to allow all users to sign in

  26. For "SAML Name Attribute" enter "http://schemas.microsoft.com/identity/claims/displayname"
  27. For "SAML Email Attribute" enter "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  28. For "SAML Group Attribute" enter "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
  29. For "SAML Presenter Group" and "SAML Student Group" use the "Object ID" found on the groups you want to use
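
As an added example (not part of the Vivi documentation or the Vivi product code), the following Python script shows what the service provider side has to pull out of an Azure AD assertion configured as above: it reads the three claim URIs from steps 26 to 28 and maps the group Object IDs from step 29 to a Vivi role, refusing assertions that lack a required claim. The assertion, the two group Object IDs and the presenter-over-student precedence are constructed sample values, and the script assumes the SAML response's signature has already been verified against the certificate from step 9.

```python
import xml.etree.ElementTree as ET

# Claim URIs exactly as entered in steps 26-28 of the Vivi configuration.
NAME_CLAIM = "http://schemas.microsoft.com/identity/claims/displayname"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample Object IDs standing in for the groups chosen in step 29.
PRESENTER_GROUP = "11111111-1111-1111-1111-111111111111"
STUDENT_GROUP = "22222222-2222-2222-2222-222222222222"

# Constructed sample assertion, shaped like what Azure AD emits once
# groupMembershipClaims is "SecurityGroup": group values are Object IDs, not names.
# Signature verification (step 9's certificate) is assumed to have happened already.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{NAME_CLAIM}"><saml:AttributeValue>Ada Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>ada@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{GROUP_CLAIM}">
      <saml:AttributeValue>{PRESENTER_GROUP}</saml:AttributeValue>
      <saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return {claim_uri: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs

def resolve_role(assertion_xml, presenter_group=PRESENTER_GROUP, student_group=STUDENT_GROUP):
    """Map the asserted group Object IDs to a role; reject assertions missing a required claim."""
    attrs = extract_attributes(assertion_xml)
    missing = [c for c in (NAME_CLAIM, EMAIL_CLAIM, GROUP_CLAIM) if not attrs.get(c)]
    if missing:
        raise ValueError(f"assertion lacks required claim(s): {missing}")
    groups = set(attrs[GROUP_CLAIM])
    if presenter_group in groups:      # constructed precedence: presenter wins if in both
        role = "presenter"
    elif student_group in groups:
        role = "student"
    else:
        role = None  # authenticated by Azure AD, but in no group Vivi recognises
    return {"name": attrs[NAME_CLAIM][0], "email": attrs[EMAIL_CLAIM][0], "role": role}
```

A `role` of `None` is the case to watch for when step 25 ("User assignment required?" disabled) lets every tenant user sign in: such users authenticate successfully but must not be granted presenter or student rights.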