With SAML SSO for Microsoft Azure Active Directory, your users can log in with their Microsoft login, simplifying and securing their login to Together.
Click here for a general overview of the SAML SSO setup and login processes.
Setting up SAML SSO
The setup is similar for different IdPs. Below we provide the detailed steps for setting up a SAML SSO application using Microsoft Azure Active Directory.
1. Login to Together
Once you have been invited as an IT Admin and have signed into Together, you can make your way to the Integrations page found here. This can be found under Settings > Integrations:
From the Integrations page, you can click on the Set Up button beside the SSO integration:
Select Sign-in Method:
Setting up the SSO integration in Together is simple. Start by selecting your sign-in method; in this case, we will be selecting SAML:
Once you select your sign-in method, you will also see an option to enter an Integration Owner. You may enter an email to be notified in case the integration/connection fails at any point.
After filling out an integration owner, click the Save & Continue button:
From here, you will see Together's Service Provider information in the form of our Metadata XML, or parsed into the Assertion URL (ACS), Entity ID, and Certificate. You can copy this information directly from the tool itself - or from our chart below:
Field | Value |
Entity ID | https://api.togetherplatform.com/mentoring/authorize/saml/metadata.xml |
ACS URL | https://api.togetherplatform.com/mentoring/authorize/saml/assert |
Login URL | https://my.togetherplatform.com/login |
SAML Attributes
The following SAML attributes are supported by the Together SAML integration:
Instructions | SAML Attribute | Description |
Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | User's first name |
Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | User's last name |
Required | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | User's Email |
Required | NameID | User's Identifier (Employee ID or Email) |
2. Create your SAML Application in Azure
Next you'll need to use the information provided by Together in the SSO Settings panel to create and set up your SAML application in Microsoft Azure Active Directory.
- Open a new browser tab and login to Microsoft Azure
- Click the Manage Azure Active Directory option
- Click Create a tenant
a. By default Azure Active Directory will be selected
- Click Next configuration
- Enter Organization name and Initial domain name
- Click Next
a. A Validation Passed message will appear on the final screen.
- Click Create.
a. It will take a few minutes to create the tenant.
- In the side menu of the tenant you just created, click Enterprise application.
- Click + New application near the top of the screen.
- Select the Non-gallery application option
- Type a name for the application and click Add
- In the screen that appears, select the Set up single sign on option
- Select SAML
- Click Edit in the Basic SAML Configuration panel.
- In the Basic SAML Configuration popup, enter the following information by copying-and-pasting from the Integrations tab in Together, or from our chart above in this article.
- Click Edit in the User Attributes & Claims panel.
- Choose Name ID as the Claim name and employeeid for Value
- The NameID assertion format in your configuration should be employee ID when possible. If that is not possible, the email address value can be used instead.
- Click Save. Remove or keep other additional claims.
- Click the Download button for the Federation Metadata XML in the SAML Signing Certificate panel and name it metadata.xml.
- Copy the Login URL from the Set up {Application_Name} panel.
3. Enter your IdP Details in Together
- Head back to your Together tab
- Open your metadata.xml file that you downloaded from Azure, copy the contents, and paste them into the Metadata text box in Together.
Note: if you need to add multiple Identity Providers, you can do so by clicking the Add Another Identity Provider button and then pasting your second IDP's metadata in the corresponding text box.
Important: Please enter the full URL in the attribute value field of your IdP when configuring custom attributes for givenname and surname. It will not work if only the variable names givenname and surname are entered in the value field.
After pasting in your metadata, double-check to make sure each of the fields looks correct. Once you have confirmed these are correct, be sure to click the Save & Continue button near the bottom to continue on to test signing in through your SSO:
4. Finish your SAML App Setup
- Switch back to the Microsoft Azure browser tab.
- Click Users and groups in the side menu.
- Click + Add user near the top of the screen.
- Select and assign all relevant users.
a. Make sure that the email addresses your users use to sign in to Together match the email addresses they use to sign into Microsoft Azure.
5. Testing SSO
After you have saved your Identity Provider's metadata, you will be taken to our Testing flow. Please read through the instructions in this window carefully, and when you're ready, click the Test button to verify you can successfully authenticate via SSO.
Clicking the Test button will run you through a sign-in attempt via your new SSO configuration, and return you back to Together if it is successful.
6. Finish Setup:
Now that you have finished configuring and testing your new SSO setup, you will see one final page asking you to confirm a few things, namely, that you have assigned all your relevant users the proper permissions in order to be able to log into Together via your SSO.
Once you have read this page, you can confirm with the checkbox near the bottom and click the Finish button to finalize the SSO integration:
Enable SSO:
Once you finish the configuration, SSO will be disabled by default until you or your admin team turns it on from the Integrations Page. If you're ready to enable this right after finishing the setup, you can toggle it on immediately, or you can wait until your admin team is ready. In either case, the configuration steps will be saved and can be enabled with the toggle switch at any time:
Note:
- We currently support only SHA256 hashing, not SHA512.
- We support multiple organizations on Together using the same identity provider. However, please note that Just-in-Time provisioning (JIT) is not supported via identity provider-initiated logins. For organizations that share one identity provider, please prompt users to begin signing in from your organization-specific link that can be found under Settings > General > Copy Link to Platform.
- If your team has configured a Microsoft O365 calendar/video integration with Together already, you still must create a new enterprise application for your SSO configuration. Configuring SSO cannot be done within the same application approved for the O365 calendar/video integration.
- We support staging environments for testing. Please submit a request here to request access to our staging environment.
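A pre-flight check for the claim requirements in the SAML Attributes table and the SHA256 note above, as an added example that is not part of Together's or Microsoft's tooling. It inspects a decoded assertion captured from a test sign-in; the sample assertion is constructed, `check_assertion` is a hypothetical helper name, and reading the SHA256 note as covering both the signature and digest algorithms is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = {CLAIMS + "emailaddress"}
OPTIONAL = {CLAIMS + "givenname", CLAIMS + "surname"}
# Assumption: "SHA256 only" is read as covering both of these XML-DSig algorithms.
SHA256_ALGS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
               "http://www.w3.org/2001/04/xmlenc#sha256"}

# Constructed sample: SHA-512 signature method, short "givenname", no email claim.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
    <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>E12345</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """List configuration problems in a decoded assertion (signature is NOT verified)."""
    root = ET.fromstring(xml_text)  # parse only responses captured from your own IdP
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID")
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS) if a.get("Name")}
    for claim in sorted(REQUIRED - names):
        problems.append("missing required claim: " + claim)
    for name in sorted(names):
        if CLAIMS + name in REQUIRED | OPTIONAL:  # e.g. "givenname" instead of the URL
            problems.append("short claim name, use full URL: " + name)
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iterfind(".//ds:" + tag, NS):
            if el.get("Algorithm") not in SHA256_ALGS:
                problems.append(tag + " is not SHA-256: " + str(el.get("Algorithm")))
    return problems

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE):
        print(problem)
```

An empty result means the claim names and algorithm identifiers match what this article lists; it says nothing about whether the signature itself is valid.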