Set up SSO on Azure Active Directory

Azure Active Directory is Microsoft's enterprise cloud-based identity provider and enables SSO access to Microsoft Office 365. It can sync with on-premises Active Directory and provide authentication to other cloud-based systems.

Azure Active Directory supports OpenID Connect, which is the SSO protocol that SmartSurvey uses for its SSO functionality. 

Pre-requisites

This article outlines how to set up SSO with Azure Active Directory and assumes you have the access and the ability to set up new enterprise applications within your Microsoft account. 

Single-Sign-On for SmartSurvey is available as an option on Enterprise accounts. 

Add a new enterprise application

In the Azure Active Directory admin center, go to Enterprise Applications > All Applications, click "New Application" and then "Create your own application".

Choose "Register an application you're working on to integrate with Azure AD" and click next. 

You can now name your application and add a Redirect URI. You can find the URI on your SSO Set up page within SmartSurvey:

https://app.smartsurvey.co.uk/c/sso/redirecturi

Setting up your registered application 

To set up your registered application go to Azure Active Directory > App Registrations.

On the overview page you'll find your Client ID, which you'll need to add to the first field "Client ID" on the SSO set up page in SmartSurvey.

On the overview page you'll also find a list of Endpoints. SmartSurvey SSO uses OpenID Connect, so you'll need to add the following URL to the "Discovery Origin" field on the SSO Set up page in SmartSurvey. The GUID in the URL is the Directory (tenant) ID, so use the value shown for your own tenant.

https://login.microsoftonline.com/21bd7304-2c4a-40c5-a847-663277826826/v2.0
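
The Discovery Origin can be sanity-checked before it is saved. The following is an added example, not code from SmartSurvey or Microsoft: it validates the origin's shape, derives the OpenID Connect metadata URL from it, and checks a fetched metadata document against the origin. The function names are hypothetical, the metadata document is a constructed sample, and the global Azure host with a single-tenant GUID origin is assumed.

```python
import re
from urllib.parse import urlsplit

# Assumption: global Azure cloud host and a single-tenant (GUID) origin, as on this page.
HOST = "login.microsoftonline.com"
GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

def metadata_url(origin):
    """Validate a Discovery Origin and return the OIDC metadata URL derived from it."""
    u = urlsplit(origin)
    parts = u.path.strip("/").split("/")
    if u.scheme != "https" or u.hostname != HOST or u.query or u.fragment:
        raise ValueError(f"origin must be a plain https://{HOST}/ URL")
    if len(parts) != 2 or not GUID.fullmatch(parts[0]) or parts[1] != "v2.0":
        raise ValueError("origin path must be /<tenant GUID>/v2.0")
    return origin.rstrip("/") + "/.well-known/openid-configuration"

def check_metadata(origin, doc):
    """Return a list of problems in a discovery document fetched from metadata_url(origin)."""
    problems = []
    # OpenID Connect Discovery requires the issuer to equal the URL used for discovery.
    if doc.get("issuer") != origin.rstrip("/"):
        problems.append("issuer does not match the Discovery Origin")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        ep = urlsplit(str(doc.get(key, "")))
        if ep.scheme != "https" or ep.hostname != HOST:
            problems.append(f"{key} is missing or not an https URL on {HOST}")
    # Scopes behind the email and profile permissions, plus the mandatory openid scope.
    missing = {"openid", "email", "profile"} - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample: the Discovery Origin shown above and a trimmed metadata document.
ORIGIN = "https://login.microsoftonline.com/21bd7304-2c4a-40c5-a847-663277826826/v2.0"
TENANT_BASE = ORIGIN[: -len("/v2.0")]
SAMPLE_DOC = {
    "issuer": ORIGIN,
    "authorization_endpoint": TENANT_BASE + "/oauth2/v2.0/authorize",
    "token_endpoint": TENANT_BASE + "/oauth2/v2.0/token",
    "jwks_uri": TENANT_BASE + "/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

if __name__ == "__main__":
    print(metadata_url(ORIGIN))
    print(check_metadata(ORIGIN, SAMPLE_DOC) or "metadata is consistent with the origin")
```

To check a real tenant, fetch the URL returned by metadata_url() with any HTTPS client, parse the JSON, and pass it to check_metadata().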

Next you'll need to generate a client secret and add it to the "Secret" field on the SSO Set up page in SmartSurvey. The application needs a client secret to prove its identity when requesting tokens from Azure Active Directory.

Make sure you copy the Value and paste it into the "Secret" field. Once the page has refreshed, the secret value will be masked and you'll be unable to copy it. You'll then need to generate a new secret to be able to copy it again. 

Map Azure AD data to returned claims

By default, the data SmartSurvey needs to log a user in is not returned from Azure Active Directory, so these claims need to be manually mapped using a rule.

To do this go to your API Permissions and choose Microsoft Graph.

Then choose Delegated Permissions and select the following permissions via the search bar:

  • email
  • profile 
  • User.Read

Your SSO Set up page in SmartSurvey

You should now have the 3 pieces of information required to set up your SSO with Azure Active Directory. 

  • Client ID
  • Secret
  • Discovery origin

You can add a warning threshold that determines when SmartSurvey sends a notification that you're reaching your user limit. You can also add a support message so your sub-users know who to contact with any questions regarding their SSO login. This support message will be shown as part of any error messaging within the SSO login journey.

Once you've saved your changes, SSO will be enabled and you will see a Login URL. This Login URL is used for logging in via your SSO configuration and can be shared with sub-users or added to your intranet, for example. Whilst SSO is enabled, you will not be able to log in via the usual login page.