Single sign-on (SSO) is a logon procedure in which a user needs one set of credentials to log on to all linked systems. To use it with d.vinci, the corresponding settings have to be made at your identity provider.


Note

Since many different third-party solutions can be used as identity providers, these instructions can only give one example of how to set up an identity provider. The example is only valid for the software and version mentioned and may not apply to other versions of the same software. For information on setting up your identity provider, refer to its product documentation or contact the manufacturer.


Feel free to contact us if you need assistance with setup.


For the corresponding ADFS guide, see: Setting up Single Sign-on (using "ADFS" as an example)


Instructions

  1. Log in at https://portal.azure.com, search for "Enterprise applications" and select it.
  2. Press +New application. This adds a new enterprise application in Azure Active Directory.
  3. Press +Create your own application.
  4. Enter a name for the app and press Create.
  5. Open Single sign-on in the menu and select SAML.
  6. Switch to d.vinci and open the Basic Settings page. Press the SSO tab there.
  7. Press the Edit icon and download the Service Provider Metadata XML.
  8. Switch back to Azure Active Directory.
  9. Press Upload metadata file and upload the file from d.vinci.
  10. Press Save to save the imported configuration.
  11. Scroll to 3 SAML Signing Certificates and press Edit to edit the SAML signing certificate settings.
  12. Set Signing Option to Sign SAML response and assertion. With this setting the identity provider signs both the SAML response and the assertion it carries, so the service provider can verify the whole message and not only the assertion inside it.
  13. Still under 3 SAML Signing Certificates, press the Copy icon to copy the App Federation Metadata URL.
  14. Switch to d.vinci. In the basic settings, SSO tab, enter the copied URL at IdP Metadata XML URL and press Update to save the setting.
  15. Switch to Azure Active Directory. Press Users and groups in the menu, then press Add user/group and add the users and groups that should have access to the application so that they can use SSO. If you use the Windows login name instead of the e-mail address as the d.vinci username, also follow the section below.

If the username in your d.vinci system matches the Azure user's e-mail address, the login should now work.


When using the Windows login name instead of the e-mail address

  1. Go to Single sign-on in the menu, scroll to 2 Attributes & Claims and press Edit.
  2. Press the three dots next to the Required claim (the Unique User Identifier (Name ID) claim) to edit it.
  3. Set Name identifier format to Default and Source attribute to user.onpremisessamaccountname.

To use user.onpremisessamaccountname, the attribute must exist in Azure Active Directory. It is normally populated when the on-premises Active Directory is synchronized with Azure AD; cloud-only accounts that were never synchronized have no value for it and cannot log in to d.vinci this way.
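The following Python script is an added example, not code from d.vinci or Microsoft. Against constructed sample data, it checks the two things the procedures above configure: that the identity provider signs both the SAML response and the assertion (step 12 of the main procedure), and that the NameID the assertion carries has the format and value the d.vinci username mapping expects, whether that is the e-mail address (step 15) or the Windows login name from user.onpremisessamaccountname (the section directly above). It also reads the federation metadata of the kind the App Federation Metadata URL serves, to pull the entityID, signing certificate and SSO endpoints that d.vinci imports. The tenant ID, certificate value, usernames and the placeholder signature elements are assumptions; the script checks structure and placement only and does not verify the XML signatures cryptographically, which remains the service provider's job.

```python
"""Pre-flight checks for an Azure AD (Entra ID) SAML identity provider feeding a
service provider such as d.vinci.

Added example, not code from d.vinci or Microsoft. It inspects (1) federation
metadata of the kind the App Federation Metadata URL serves and (2) a SAML
Response as the service provider receives it. It checks structure and placement
only and does NOT verify XML signatures cryptographically. All XML below is
constructed sample data with a placeholder tenant ID, certificate and usernames.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
# Azure's "Default" name identifier format is emitted as the SAML "unspecified" format.
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholder tenant (all-zero GUID); a real Azure AD entityID follows the same pattern.
SAMPLE_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{SAMPLE_ISSUER}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>PLACEHOLDER-BASE64-CERT</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract what the SP imports from IdP metadata: entityID, signing certs, SSO endpoints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_certs = [
        kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS).strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
    ]
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": signing_certs, "sso_endpoints": sso}


def check_saml_response(xml_text, expected_issuer, expected_nameid_format, sp_usernames):
    """Report signature placement and NameID mapping of a SAML Response (structure only)."""
    root = ET.fromstring(xml_text)
    result = {"response_signed": False, "assertion_signed": False,
              "nameid": None, "nameid_format": None, "problems": []}
    if root.tag != f"{{{NS['samlp']}}}Response":
        result["problems"].append("root element is not samlp:Response")
        return result
    # Enveloped signatures must be direct children of the element they cover;
    # find() does not descend, so a signature nested elsewhere is not counted.
    result["response_signed"] = root.find("ds:Signature", NS) is not None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        result["problems"].append("no plain saml:Assertion (encrypted assertions not handled here)")
        return result
    result["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    if not (result["response_signed"] and result["assertion_signed"]):
        result["problems"].append("signing option is not 'Sign SAML response and assertion'")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        result["problems"].append(f"assertion issuer {issuer!r} differs from metadata entityID")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        result["problems"].append("assertion subject carries no NameID")
        return result
    result["nameid"] = (nameid.text or "").strip()
    result["nameid_format"] = nameid.get("Format", FMT_UNSPECIFIED)
    if result["nameid_format"] != expected_nameid_format:
        result["problems"].append(f"NameID format {result['nameid_format']!r} is not the expected one")
    if result["nameid"] not in sp_usernames:
        result["problems"].append(f"NameID {result['nameid']!r} matches no username in the SP")
    return result


def build_sample_response(sign_response, sign_assertion, nameid, nameid_format, issuer=SAMPLE_ISSUER):
    """Construct a minimal SAML Response for the checks above (placeholder signatures, sample data)."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
            f'<saml:Issuer>{issuer}</saml:Issuer>' + (sig if sign_response else "") +
            '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            '<saml:Assertion ID="_a1" Version="2.0">'
            f'<saml:Issuer>{issuer}</saml:Issuer>' + (sig if sign_assertion else "") +
            f'<saml:Subject><saml:NameID Format="{nameid_format}">{nameid}</saml:NameID></saml:Subject>'
            '</saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP entityID:", meta["entity_id"], "| signing certs:", len(meta["signing_certs"]))
    cases = [
        ("e-mail mapping, both signed",
         build_sample_response(True, True, "jdoe@example.com", FMT_EMAIL), FMT_EMAIL, {"jdoe@example.com"}),
        ("response unsigned, Windows login name sent but e-mail expected",
         build_sample_response(False, True, "jdoe", FMT_UNSPECIFIED), FMT_EMAIL, {"jdoe@example.com"}),
    ]
    for desc, resp, fmt, users in cases:
        print(desc, "->", check_saml_response(resp, meta["entity_id"], fmt, users)["problems"] or "OK")
```

To run this against a real tenant, replace SAMPLE_IDP_METADATA with the document fetched from the App Federation Metadata URL and feed check_saml_response the base64-decoded SAMLResponse from a browser trace of a test login; the set of SP usernames is whatever d.vinci holds for the test user (e-mail address or Windows login name, depending on which variant of the procedure you followed).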