Configuring SAML 2.0 with Microsoft Azure AD

This guide provides information on how to configure SAML 2.0 integration between Mursion and Microsoft Azure AD.

Supported Features

The Mursion and Microsoft Azure AD SAML 2.0 integration currently supports the following features:

  • SP-initiated SSO
  • JIT (Just In Time) Provisioning

Configuration Steps

Add Non-Gallery Application In Microsoft Azure AD

  1. In the Azure portal, select Azure Active Directory on the left navigation pane.
  2. In the Azure Active Directory pane, select Enterprise applications.
  3. In the Enterprise applications pane, select New Application.
  4. Select Non-gallery application.
  5. Enter Mursion as the name of the application and click Add.
    1. This Mursion logo can be used as the application’s logo.
  6. In the Manage section of the left navigation page, select Single sign-on.
  7. Select SAML to open the SSO configuration page.
  8. In the SAML Signing Certificate section, click Download for the Certificate (Base64) option and download the certificate in PEM format. The PEM formatted certificate will be needed to set up the SSO configuration in Mursion Portal.
  9. In the Set up Mursion section, locate Login URL, Azure AD Identifier, and Logout URL, which will be needed to set up the SSO configuration in Mursion Portal.

Create SSO Configuration in Mursion Portal

  1. In a new tab/browser, sign in to Mursion Portal.
  2. Select Settings on the top menu then select the SSO sub-tab.
  3. Click Create SSO Configuration.
  4. On the New SSO Configuration dialog, enter the following:
    1. Protocol: Select SAML 2.0.
    2. Configuration Name: Enter a descriptive name of your choice.
    3. Single Sign On Service Endpoint: Copy and paste the Login URL from the Set up Mursion section of the Mursion Azure AD application. 
    4. Logout Endpoint: Copy and paste the Logout URL from the Set up Mursion section of the Mursion Azure AD application. 
    5. Entity ID: Copy and paste the Azure AD Identifier from the Set up Mursion section of the Mursion Azure AD application. 
    6. X.509 Certificate: Copy and paste the PEM formatted text of the SAML Signing certificate downloaded from the Mursion Azure AD application. Make sure to include the -----BEGIN CERTIFICATE----- header and the -----END CERTIFICATE----- footer.
    7. Email Claim Name: Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    8. First Name Claim Name: Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    9. Last Name Claim Name: Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    10. Single Logout Enabled: Optionally, check this option to initiate a request to end the Microsoft Azure AD user’s session when the user’s Mursion Portal session ends due to explicit logout or session timeout.
    11. Team Claim Name: Optionally, to externally manage team assignment through a SAML user attribute, specify the name of the attribute that contains the value that should be used to assign users to a Mursion Portal team.
    12. Team Mapping: If a Team Claim Name is specified, click the Add + button to add a mapping. Select a Mursion Portal team from the Team drop-down. Enter the value of the attribute that should be mapped to the Portal team. To remove a mapping, click the x on the right of the mapping.
  5. Click Create SSO Configuration.
  6. Click the newly created SSO Configuration.
  7. On the Edit SSO Configuration dialog:
    1. Click Download SP Metadata. Save the metadata XML file.
    2. Click to copy the SP Initiated SSO URL. Save the URL as it will be entered in a subsequent step.
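The X.509 Certificate field above only works when the pasted text still carries the BEGIN/END CERTIFICATE lines. The following Python script is an added example, not part of Mursion's or Microsoft's documentation: it checks a pasted certificate for that shape, re-wraps it as clean 64-column PEM, and computes SHA-1 and SHA-256 fingerprints of the DER bytes so the SHA-1 value can be compared (ignoring the colons) with the Thumbprint shown in the Azure portal's SAML Signing Certificate section before the text is saved in Mursion Portal. The sample paste and the DER bytes inside it are constructed placeholders (a bare ASN.1 SEQUENCE, not a real certificate); the script does not parse or validate the certificate, which is Mursion Portal's job when it verifies assertion signatures.

```python
"""Sanity-check copy-pasted PEM certificate text before entering it in the X.509 Certificate field.

Added example; not Mursion or Azure AD code. It checks only the shape of the paste
(header, footer, base64 body, leading DER SEQUENCE) and computes fingerprints.
"""
import base64
import hashlib
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for a DER body: a valid ASN.1 SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
# Constructed paste with the surrounding whitespace a clipboard copy often adds.
SAMPLE_PASTE = (
    "  \n" + PEM_HEADER + "\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii") + "\n"
    + PEM_FOOTER + "\n\n"
)


def pem_to_der(pasted):
    """Decode pasted PEM text to DER bytes, rejecting text without the header/footer lines."""
    lines = [ln.strip() for ln in pasted.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError(
            "paste must begin with the BEGIN CERTIFICATE header and end with the END CERTIFICATE footer"
        )
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc
    # Every DER-encoded X.509 certificate starts with a SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        raise ValueError("decoded body does not start with an ASN.1 SEQUENCE; not a DER certificate")
    return der


def normalize_pem(pasted):
    """Return the pasted certificate re-wrapped as clean PEM with a 64-column body."""
    der = pem_to_der(pasted)
    body = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return "\n".join([PEM_HEADER, *body, PEM_FOOTER]) + "\n"


def fingerprints(der):
    """Colon-separated, upper-case SHA-1 and SHA-256 fingerprints of the DER bytes."""
    def fmt(digest):
        return ":".join(f"{b:02X}" for b in digest)
    return {
        "sha1": fmt(hashlib.sha1(der).digest()),
        "sha256": fmt(hashlib.sha256(der).digest()),
    }


if __name__ == "__main__":
    clean = normalize_pem(SAMPLE_PASTE)
    print(clean)
    print(fingerprints(pem_to_der(clean)))
```

Run it against the text you are about to paste (replace SAMPLE_PASTE with the contents of the downloaded Base64 certificate file); a ValueError means the header or footer was lost in the copy.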

Complete Microsoft Azure AD Mursion Application SAML Configuration

  1. In the Azure portal, select the Mursion enterprise application and select Single sign-on in the left navigation pane.
  2. Click Upload metadata file and upload the SP Metadata file downloaded from Mursion Portal.
  3. After the metadata uploads, edit the Basic SAML Configuration settings and enter the SP Initiated SSO URL copied from Mursion Portal in the Sign on URL field. The URL will be in the following pattern: https://<Portal Host>/sso/auth/login/<SSO Config ID>.
  4. Edit the User Attributes settings and change the Unique User Identifier (Name ID) attribute mapping to user.mail.  
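The Email, First Name, Last Name and Team Claim Name fields with the Team Mapping in the Mursion Portal configuration, together with the Name ID mapping to user.mail set in the step above, determine which parts of the SAML assertion the service provider reads. The following Python script is an added example, not Mursion's or Microsoft's code, that performs that selection on a constructed, unsigned SAML response: it checks the assertion's Issuer against the configured Entity ID, reads the three claims by the names entered in the dialog, requires the NameID to carry the same email (otherwise the Unique User Identifier mapping is wrong), and resolves the team through the Team Mapping. The tenant id in the Entity ID, the team attribute name department and the team names are placeholders; signature verification is out of scope here and in a real service provider must happen before any of these values are trusted.

```python
"""Map a SAML 2.0 assertion to the user record the configured claim names select.

Added example; not Mursion or Azure AD code. The response is constructed and unsigned;
signature verification (done by the portal with the uploaded X.509 certificate) is omitted.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Mirrors the New SSO Configuration dialog. The tenant id, the team attribute
# name ("department") and the team names are placeholders.
SSO_CONFIG = {
    "entity_id": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
    "email_claim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name_claim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name_claim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "team_claim": "department",
    "team_mapping": {"Sales": "Sales Team", "Engineering": "Engineering Team"},
}

# Constructed SAML response for illustration; not a real Azure AD response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice.Smith@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice.smith@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Smith</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="department">
        <saml:AttributeValue>Engineering</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attribute_values(assertion):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    values = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)
        ]
    return values


def map_user(response_xml, cfg):
    """Select the user record the configured claim names describe.

    Raises ValueError when the assertion's Issuer is not the configured Entity ID,
    when a required claim is missing, or when NameID does not carry the email.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != cfg["entity_id"]:
        raise ValueError(f"issuer {issuer!r} does not match the configured Entity ID")

    attrs = attribute_values(assertion)
    user = {}
    for field, key in (("email", "email_claim"),
                       ("first_name", "first_name_claim"),
                       ("last_name", "last_name_claim")):
        claim = cfg[key]
        if not attrs.get(claim):
            raise ValueError(f"required claim {claim!r} missing from assertion")
        user[field] = attrs[claim][0]

    # Name ID is mapped to user.mail in Azure AD, so it must agree with the email claim.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if name_id.lower() != user["email"].lower():
        raise ValueError("NameID is not the user's email; check the Unique User Identifier mapping")
    user["name_id"] = name_id

    # Team Claim Name / Team Mapping: the first attribute value with a mapping wins.
    user["team"] = None
    for value in attrs.get(cfg["team_claim"], []):
        if value in cfg["team_mapping"]:
            user["team"] = cfg["team_mapping"][value]
            break
    return user


if __name__ == "__main__":
    print(map_user(SAMPLE_RESPONSE, SSO_CONFIG))
```

If a test user lands on an error page instead of the Mursion & User agreement, comparing the Issuer, NameID and attribute names in the actual response (a browser's SAML tracer shows them) with the values this script expects is usually the quickest way to spot a mismatched Entity ID or claim name.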

Testing Mursion Portal SSO

  1. Assign one or more test users to the Mursion application in Azure AD.
  2. As one of the test users, click on the Mursion application to initiate SSO. 
  3. If the configuration is correct, the user will be signed in to Mursion Portal and taken through the following flow: 
    1. the Mursion & User agreement will be displayed for the user to accept
    2. the user profile will be displayed for the user to confirm their profile and timezone
    3. the Calendar page will be displayed