Microsoft Azure, formerly known as Windows Azure, is Microsoft’s public cloud computing platform. It provides a range of cloud services, including compute, analytics, storage and networking. Users can pick and choose from these services to develop and scale new applications, or run existing applications in the public cloud.
Configuration of the SSO between Microsoft Azure application and VMS Account
- Microsoft Azure account
- VMS branded account
Microsoft Azure settings
- Creating new application
1.1. Log in to Azure portal (https://portal.azure.com)
1.2. Go to Azure Active Directory service
1.3. Select Enterprise applications in the left menu
1.4. Choose New application
1.5. Select Non-gallery application
1.6. Provide application name and click add
1.7. Go to Set up single sign-on section
1.8. Choose SAML as an SSO method
2. Application SSO settings
2.1. Basic SAML Configuration section
2.1.1. Identifier (Entity ID)
2.1.2. Reply URL (Assertion Consumer Service URL)
2.2. User attributes & Claims section
2.2.1. Required claim
2.2.2. Additional claims (required for VMS integration)
2.3. SAML Signing Certificate section
2.3.1. Signing Option: Sign SAML assertion
2.3.2. Signing Algorithm: SHA-1
2.4. Set Up section
This section holds data needed in VMS account configuration
VMS Account settings
Master account Identity provider settings (sub-account settings are parallel)
- Single Sign-On URL
Copy Login URL from Azure’s Set Up section
Copy Azure AD Identifier from Azure’s Set Up section
Copy downloaded certificate from SAML Signing Certificate section
EXAMPLE For MxCloud - Reseller Account SSO Configuration
Step 1: Enable Branding
To enable SSO, the reseller must first enable branding by going to Account Settings→ Branding as shown below and enable branding - since the MX Cloud is already branded the important setting here is the sub-domain. The sub-domain CAN NOT be left empty. Please see screenshot from the test account:
Step 2: Enable Identity Provider
Once branding is configured and the page is refreshed there will be a new security tab that will be available in the Account Settings. Using the Identity Provider tab under this, an Identity provider can be set up.
MOBOTIX Cloud allows two variations of SSO:
IdP enabled to sign in for all users.
In this option there will be one IdP allowed to be set up. Reseller is responsible for setting up the SSO and users (including sub accounts) will use the same identity provider. In order to configure this select the option: “Use my own Identity Provider to sign in (Single Sign-On”).
Allow only sub-accounts to enable SSO
In this option each sub-account can set up their own SSO. they can also choose not to enable SSO. In this case each sub-account can configure a unique IdP. This is the most used configuration in MOBOTIX Cloud VMS.
EXAMPLE For MxCloud - Sub-account SSO Configuration
Step 1: Enable Identity Provider
Please note on the reseller level it needs to be allowed for the sub-account to use SSO:
Login to MOBOTIX CloudVMS as an end user account (sub account). Go to Account Settings, Security and Identity Provider. You enable SSO by clicking on “Use my own identity provider to sign in.”. The following screen will appear:
Step 2: Configure Identity Provider via SAML
To set up IdP there are configurations that need to be shared between the service provider (MOBOTIX) and the account IdP. Below are the MOBOTIX SAML information that needs to be added in the IdP :
|Reply URL(Assertion Consumer Service URL)||https://<>.mobotixcloud.com/g/aaa/sso/SAML2/Authenticate|
|Sign-on URL||The URL to which MOBOTIX will redirect the user to login.|
|Issuer (Identifier)||The unique name for the identity provider|
|X.509 certificate||The certificate to set up secure communication.|
There are some known limitations with SSO that you need to be aware before configuring though.
SSO using IdP can be enabled only at reseller level or at sub account level. Combining is not possible. Due to this, when the SSO is enabled only for sub accounts, the reseller can no longer set up SSO.
Due to the same limitation, when SSO is set up at reseller level, all users including sub accounts need to use the IdP provider of the reseller.
Sub account enabled SSO allows only IdP initiated SSO, logging in via https://www.mobotixcloud.com is not possible.
With SSO setup users can no longer use MOBOTIX Mobile App since it does not support SSO currently.
The welcome email to set password is automatically sent to the user even when the sub account has SSO enabled. This email can be ignored.
Currently MOBOTIX Cloud does not restrict users to login using email/password when SSO is enabled.