Set up Single Sign-On (SSO) for Entra ID (formerly Azure Active Directory)
    • 05 Sep 2024
    • 3 Minutes to read

    Set up Single Sign-On (SSO) for Entra ID (formerly Azure Active Directory)


    Article summary

    This document provides a step-by-step guide on configuring Entra ID for Single Sign-On (SSO) authentication using Security Assertion Markup Language (SAML).

    Best Practices

    • Use a unique identifier for each application. This will help avoid conflicts and confusion between different applications that use SAML-based SSO with Entra ID.

    • Verify the SAML configuration values. Make sure the values for the entity ID, reply URL, sign on URL, and logout URL match the ones provided by Skillable and Entra ID. Any mismatch could cause authentication errors or unexpected behavior.

    • Test the SSO functionality before deploying it to production. Use a test account or a test environment to verify that the SSO works as expected and that the user attributes and claims are mapped correctly.

    • Keep the Entra ID and Skillable accounts in sync. If there are any changes to the user accounts, such as adding, deleting, or updating users, make sure to reflect them in both Entra ID and Skillable. This will ensure a consistent and seamless user experience.

    Set Up Single Sign On (SSO) for Entra ID

    Note: While this document describes the steps to configure Entra ID to support SSO authentication via SAML, any SAML Identity Provider should be able to be configured using the steps described.

    SAML is an open standard that allows Identity Providers (IdP) and Service Providers (SP) to send authorization credentials to each other, to authenticate a user. This allows using one set of credentials to log in to multiple services and/or websites.

    Create an Entra ID Enterprise App

    If your Identity Provider is Azure, you must create an Enterprise Application in Entra ID.

    1. In Azure, navigate to the Enterprise Applications section. You can get to this by searching for Enterprise Application in the top search bar in Azure.

    2. Select New application in the upper-left corner of the page.

    3. Select Create your own application.

    4. Provide a name for your application.

    5. Select the option to Integrate any other application you don't find in the gallery (non-gallery).

    6. Select Create.

    Modify Application Configuration for Single Sign On with SAML

    1. Navigate to your application, if you are not there already.

    2. Select Set up single sign on.

    3. Select SAML.

    Basic SAML Configuration

    1. Select the Edit button on the Basic SAML Configuration section.

    2. Add the following Configuration values for each platform.

    Replace the following information in the URL before configuring these values:

    Skillable Studio

    • Sign on URL: replace {customer} with your customer name.

    Training Management System:

    • Sign on URL: replace {TMS-Site} with your TMS site.

    • Logout URL: replace {TMS-Site} with your TMS site.

    Insights:

    • Sign on URL: replace {customer} with your customer name.

    Skillable Studio

    Name

    Description

    Value

    Unique Identifier (Entity ID)

    This value must be unique across all applications in your Entra ID tenant.

    https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_LOD-PROD

    Reply URL (Asserstion Consumer Service URL)

    The reply URL is where the application expects to receive the authentication token. This is also referred to as the "Assertion Consumer Service" (ACS) in SAML.

    https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_LOD-PROD/samlp/sso/assertionconsumer

    Sign on URL

    This URL contains the sign-in page for this application that will perform the service provider-initiated single sing-on.

    https://labondemand.com/AuthenticationProvider/SamlIdpRedirect?idp=B2C_1A_signup_signin_LOD_SAML-PROD-{Customer}

    Relay State

    Leave this blank. Configuring Relay State is not neccessary for this configuration.

    N/A

    Logout URL

    This URL is used to send the SAML Logout response back to the application.

    https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_LOD-PROD/samlp/sso/logout

    Training Management System (TMS)

    Name

    Description

    Value

    Unique Identifier (Entity ID)

    This value must be unique across all applications in your Entra ID tenant.

    https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_TMS

    Reply URL (Assertion Consumer Service URL)

    The reply URL is where the application expects to receive the authentication token. This is also referred to as the "Assertion Consumer Service" (ACS) in SAML.

    https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_TMS/samlp/sso/assertionconsumer

    Sign on URL

    This URL contains the sign-in page for this application that will perform the service provider-initiated single sing-on.

    https://{TMS-Site}.learnondemand.net/User/CurrentTraining (or any designated landing page)

    Relay State

    Leave this blank. Configuring Relay State is not neccessary for this configuration.

    N/A

    Logout Url

    This URL is used to send the SAML Logout response back to the application.

    https://{TMS-Site}.learnondemand.net/User/Logout

    Insights

    Name

    Description

    Value

    Unique Identifier (Entity ID)

    This value must be unique across all applications in your Entra ID tenant.

    https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_portal

    Reply URL (Assertion Consumer Service URL)

    The reply URL is where the application expects to receive the authentication token. This is also referred to as the "Assertion Consumer Service" (ACS) in SAML.

    https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_TMS/samlp/sso/assertionconsumer

    Sign on URL

    This URL contains the sign-in page for this application that will perform the service provider-initiated single sing-on.

    https://portal.learnondemandsystems.com/Authentication/SamlIdpRedirect?idp=B2C_1A_signup_signin_TMS_SAML-PROD-{Customer}

    Relay State

    Leave this blank. Configuring Relay State is not neccessary for this configuration.

    N/A

    Logout Url

    This URL is used to send the SAML Logout response back to the application.

    https://portal.learnondemandsystems.com/Authentication/LogOut

    User Attributes and Claims

    1. Ensure the following User Attributes are configured.

    Attribute Name

    Attribute Syntax

    Givenname

    user.givenname

    Surname

    user.surname

    Emailaddress

    user.mail

    Name

    user.userprincipalname

    Unique User Identifier

    user.userprincipalname

    1. If these are not configured, selecte the Edit button on the User Attributes and Claims section, and modify each value.

    Application Setup with Skillable

    1. Open a support ticket and provide Skillable with the following URLs The values in these URLs will vary. The following is an example of how these may look.

    Value Name

    Example

    SAML Single Sign-On Service URL

    https://login.microsoftonline.com/{Tenant ID}/saml2

    SAML Entity ID

    https://sts.windows.net/{Tenant ID}/

    Sign-Out URL

    https://login.microsoftonline.com/{Tenant ID}/saml2


    Was this article helpful?

    Changing your password will log you out immediately. Use the new password to log back in.
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.