Set up Single Sign-On (SSO) for Entra ID (formerly Azure Active Directory)
- 05 Sep 2024
- 3 Minutes to read
- Print
Set up Single Sign-On (SSO) for Entra ID (formerly Azure Active Directory)
- Updated on 05 Sep 2024
- 3 Minutes to read
- Print
Article summary
Did you find this summary helpful?
Thank you for your feedback
This document provides a step-by-step guide on configuring Entra ID for Single Sign-On (SSO) authentication using Security Assertion Markup Language (SAML).
Best Practices
Use a unique identifier for each application. This will help avoid conflicts and confusion between different applications that use SAML-based SSO with Entra ID.
Verify the SAML configuration values. Make sure the values for the entity ID, reply URL, sign on URL, and logout URL match the ones provided by Skillable and Entra ID. Any mismatch could cause authentication errors or unexpected behavior.
Test the SSO functionality before deploying it to production. Use a test account or a test environment to verify that the SSO works as expected and that the user attributes and claims are mapped correctly.
Keep the Entra ID and Skillable accounts in sync. If there are any changes to the user accounts, such as adding, deleting, or updating users, make sure to reflect them in both Entra ID and Skillable. This will ensure a consistent and seamless user experience.
Set Up Single Sign On (SSO) for Entra ID
Note: While this document describes the steps to configure Entra ID to support SSO authentication via SAML, any SAML Identity Provider should be able to be configured using the steps described.
SAML is an open standard that allows Identity Providers (IdP) and Service Providers (SP) to send authorization credentials to each other, to authenticate a user. This allows using one set of credentials to log in to multiple services and/or websites.
Create an Entra ID Enterprise App
If your Identity Provider is Azure, you must create an Enterprise Application in Entra ID.
In Azure, navigate to the Enterprise Applications section. You can get to this by searching for Enterprise Application in the top search bar in Azure.
Select New application in the upper-left corner of the page.
Select Create your own application.
Provide a name for your application.
Select the option to Integrate any other application you don't find in the gallery (non-gallery).
Select Create.
Modify Application Configuration for Single Sign On with SAML
Navigate to your application, if you are not there already.
Select Set up single sign on.
Select SAML.
Basic SAML Configuration
Select the Edit button on the Basic SAML Configuration section.
Add the following Configuration values for each platform.
Replace the following information in the URL before configuring these values:
Skillable Studio
Sign on URL: replace {customer} with your customer name.
Training Management System:
Sign on URL: replace {TMS-Site} with your TMS site.
Logout URL: replace {TMS-Site} with your TMS site.
Insights:
Sign on URL: replace {customer} with your customer name.
Skillable Studio
Name | Description | Value |
|---|---|---|
Unique Identifier (Entity ID) | This value must be unique across all applications in your Entra ID tenant. | https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_LOD-PROD |
Reply URL (Asserstion Consumer Service URL) | The reply URL is where the application expects to receive the authentication token. This is also referred to as the "Assertion Consumer Service" (ACS) in SAML. | https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_LOD-PROD/samlp/sso/assertionconsumer |
Sign on URL | This URL contains the sign-in page for this application that will perform the service provider-initiated single sing-on. | https://labondemand.com/AuthenticationProvider/SamlIdpRedirect?idp=B2C_1A_signup_signin_LOD_SAML-PROD-{Customer} |
Relay State | Leave this blank. Configuring Relay State is not neccessary for this configuration. | N/A |
Logout URL | This URL is used to send the SAML Logout response back to the application. | https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_LOD-PROD/samlp/sso/logout |
Training Management System (TMS)
Name | Description | Value |
|---|---|---|
Unique Identifier (Entity ID) | This value must be unique across all applications in your Entra ID tenant. | https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_TMS |
Reply URL (Assertion Consumer Service URL) | The reply URL is where the application expects to receive the authentication token. This is also referred to as the "Assertion Consumer Service" (ACS) in SAML. | https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_TMS/samlp/sso/assertionconsumer |
Sign on URL | This URL contains the sign-in page for this application that will perform the service provider-initiated single sing-on. | https://{TMS-Site}.learnondemand.net/User/CurrentTraining (or any designated landing page) |
Relay State | Leave this blank. Configuring Relay State is not neccessary for this configuration. | N/A |
Logout Url | This URL is used to send the SAML Logout response back to the application. | https://{TMS-Site}.learnondemand.net/User/Logout |
Insights
Name | Description | Value |
|---|---|---|
Unique Identifier (Entity ID) | This value must be unique across all applications in your Entra ID tenant. | https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_portal |
Reply URL (Assertion Consumer Service URL) | The reply URL is where the application expects to receive the authentication token. This is also referred to as the "Assertion Consumer Service" (ACS) in SAML. | https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_TMS/samlp/sso/assertionconsumer |
Sign on URL | This URL contains the sign-in page for this application that will perform the service provider-initiated single sing-on. | https://portal.learnondemandsystems.com/Authentication/SamlIdpRedirect?idp=B2C_1A_signup_signin_TMS_SAML-PROD-{Customer} |
Relay State | Leave this blank. Configuring Relay State is not neccessary for this configuration. | N/A |
Logout Url | This URL is used to send the SAML Logout response back to the application. | https://portal.learnondemandsystems.com/Authentication/LogOut |
User Attributes and Claims
Ensure the following User Attributes are configured.
Attribute Name | Attribute Syntax |
|---|---|
Givenname |
|
Surname |
|
Emailaddress |
|
Name |
|
Unique User Identifier |
|
If these are not configured, selecte the Edit button on the User Attributes and Claims section, and modify each value.
Application Setup with Skillable
Open a support ticket and provide Skillable with the following URLs The values in these URLs will vary. The following is an example of how these may look.
Value Name | Example |
|---|---|
SAML Single Sign-On Service URL | https://login.microsoftonline.com/{Tenant ID}/saml2 |
SAML Entity ID | https://sts.windows.net/{Tenant ID}/ |
Sign-Out URL | https://login.microsoftonline.com/{Tenant ID}/saml2 |
Was this article helpful?