Set Up SAML SSO Integration using Microsoft Entra ID
You can use Microsoft Entra ID (previously Azure Active Directory) as an Identity Provider (IdP) to enable SSO in Collaborate.
Before you Start
Ensure you have administrative access to add an application in Microsoft Entra ID
Ensure you have the Assertion Consumer URL and Entity ID from Collaborate
Ensure you have View and Update permissions to configure SAML 2.0 in Collaborate
The Assertion Consumer URL is an endpoint in Collaborate, which the identity provider (Microsoft Entra ID) will redirect to with its authentication response. An entity ID is a globally unique name for the service provider or the identity provider.
You require these values while setting up the SAML 2.0 application in Microsoft Entra ID. To fetch these values from Collaborate, follow these steps:
Sign in to the Collaborate Analyst Portal.
Go to Administration > Integrations > Authentication Method.
If you are configuring SAML for the Analyst Portal, click Analyst Dashboard. Similarly, to configure SAML for the Member Portal, select Member Portal.
Copy and retain the following values:
Assertion Consumer URL
Entity ID
Sign in to Microsoft Azure.
Search and select Enterprise applications.
Click New Application > Create your own application.
In the What's the name of your app? field, enter Collaborate and select Integrate any other application you don't find in the gallery (Non-gallery).
Click Create to create the application.
Set up SSO for the Application
After creating the application, you can set up SSO for it.
In Getting Started, select Set up single sign on. Alternatively, you can select Single sign-on in Manage.
Click SAML.
In Basic SAML Configuration, click Edit.
Enter the Entity ID in Identifier (Entity ID) and Assertion Consumer Service URL in Reply URL. In Reply URL, indexing is optional.
In Attributes & Claims, click Edit.
In Required claim, select the Unique User Identifier (Name ID) and enter the value as user.userprincipalname.
In Additional claims, you must add the claims for email, first name, and last name. Note that the Namespace field is optional. You must remove the value of Namespace present in each additional claim.
Enter the following values to add a claim for email:
Name: Enter the name as email
Source: Select the source as Attribute
Source attribute: The source attribute must be what your organization uses as the email property. For example, user.mail.
Enter the following values to add a claim for the first name:
Name: Enter the name as first_name
Source: Select the source as Attribute
Source attribute: The source attribute must be what your organization uses as the first name property. For example, user.givenname.
Enter the following values to add a claim for the last name:
Name: Enter the name as last_name
Source: Select the source as Attribute
Source attribute: The source attribute must be what your organization uses as the last name property. For example, user.surname.
After adding the details, click Save to set up SAML authentication.
Go to SAML Certificates and download the Certificate (Base64) or Certificate (Raw), Federation Metadata XML, and copy the App Federation Metadata URL to use while configuring the SSO in Collaborate.
Ensure that you have created users in Microsoft Entra ID. For more information on creating users in Azure AD, see Add or Delete Users. You must assign the created users or user groups to the Collaborate application you created in Microsoft Entra ID.
To assign users to the Collaborate application, follow these steps:
Sign in to the Microsoft Azure portal as an administrator.
Go to Enterprise Applications, and select the Collaborate application that you created.
In Manage, select Users and groups.
Click Add user/group. You can select and add your users to the application.
The users you added in Microsoft Azure AD must be added to Collaborate. To create analyst (privileged users) or member users, see Onboard Privileged Users and Onboard Members.
You must configure single sign-on for Microsoft Entra ID in Collaborate to allow users to seamlessly and securely sign in to Collaborate's Analyst or Member Portal.
To configure SAML 2.0 in Collaborate, follow these steps:
Sign in to Collaborate's Analyst Portal.
Go to Administration > Integrations > Authentication Method.
To configure SAML SSO for the Analyst Portal, click Analyst Dashboard. To configure SAML for the Member Portal, click Member Portal.
Select SAML 2.0 and click Edit.
In IDP (Identity Provider), upload the Federation Metadata XML file that you downloaded from Microsoft Entra ID in Metadata XML. Ensure that the .xml file is less than 40 MB.
In SSO URL, enter the App Federation Metadata URL that you retrieved from Microsoft Entra ID.
In SAML Group Mapping for Users, you can associate analyst users with specific roles available in the IdP. These roles help manage access permissions for analyst users within an organization.
In Certificate, click View Certificate and subsequently upload the certificate (Base64 or Raw) file.
Encrypt is optional. You can enable the SAML authentication process to be encrypted.
Enable AuthnRequest to send authentication requests from Collaborate to Microsoft Entra ID.
Click Save. Switch on Activate Authentication to ensure that SAML 2.0 is enabled as the authentication method.