
SSO - Set up enableHR as a service provider on Microsoft Azure Active Directory


This article details the steps that need to be taken within Azure Active Directory before configuring SAML 2.0 SSO between enableHR and Azure Active Directory, with Azure Active Directory serving as the Identity Provider (IdP).

These instructions illustrate how to configure Microsoft Azure Active Directory (AD) as the IdP for enableHR. Please refer to the Azure documentation for additional information about the steps in the Azure portal.

Please Note: Configuring and installing Azure Active Directory is beyond the scope of this guide.

Additionally, this guide is for setting up Azure Active Directory in "Authentication Only" mode in enableHR.

Pre-requisites

Please ensure that you have the following before you start configuring Azure AD as the IdP:

  • a Premium Azure Active Directory subscription (Premium P1 is the minimum level at which SAML SSO becomes available with non-gallery applications);

  • an existing instance of Azure Active Directory.

Steps

Adding enableHR as a Non-Gallery Application

1.  In the Azure portal, on the left navigation pane, click "Azure Active Directory".

2. Click "Enterprise applications".

3. Click "New application".

4. Click "Non-gallery application" in the "Add an application" window.


5.  Type "enableHR".

6.  Click "Add".

Configuring SAML SSO in Azure

To configure SAML SSO in Azure:

1. In the Azure portal, on the left navigation pane, click "Azure Active Directory".


2. Click "Enterprise applications".

3.  Click the "enableHR" application you added in step 5 above.

4.  Click "Single sign-on".


5.  For "Single Sign-on Mode", choose "SAML-based Sign-on".

For the field "Identifier (Entity ID)" use https://login.enablehr.com/app/saml

For the field "Reply URL (Assertion Consumer Service URL)" use https://login.enablehr.com/app/saml

User Attributes - for "User Identifier", select "user.mail".

Select the checkbox "View and edit all other attributes"

Enter the following values and then click "Save".

Please note: The name of each attribute MUST be exactly as shown below (spaces included). Any deviation from these names will cause issues.

| NAME | VALUE |
| --- | --- |
| Email / User ID | user.mail |
| Name ID | user.mail |
| First Name | user.givenname |
| Last Name | user.surname |

Please see below for a visual reference of how the screen should look.

SSO_finalconf.png

6.  Download the Metadata XML file as you will need the contents of this XML in the enableHR settings.


After the Metadata XML is downloaded, it needs to be made available to the Client Success team so that we can continue with the rest of the setup on our side.

Additionally, you will need to send enableHR your User Access URL. You can find your User Access URL in the "Enterprise Application" -> "Properties" section (please see the screenshot below).

mceclip6.png

Once SAML SSO has been configured, we will test the login by getting you to try to log in from Azure AD.
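If the test login fails, the attribute names and URLs from step 5 can be compared with what Azure AD actually sends. The following Python script is an added example, not enableHR or Microsoft code: it reads the base64 `SAMLResponse` form value captured from your own test login and reports any name or URL that differs from this article. It assumes each row of the NAME/VALUE table is emitted as a SAML Attribute with that Name; the function names and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Values taken from step 5 of this article.
ENABLEHR_URL = "https://login.enablehr.com/app/saml"
REQUIRED_ATTRS = {"Email / User ID", "Name ID", "First Name", "Last Name"}
NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}


def squash(name):  # lower-case and drop whitespace to pair up near-miss names
    return "".join(name.lower().split())


def check_saml_response(b64_response):
    """Name/URL mismatches in a base64 SAMLResponse; signature is NOT checked."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    sent = {el.get("Name", "") for el in root.iterfind(".//a:Attribute", NS)}
    for want in sorted(REQUIRED_ATTRS - sent):
        near = [s for s in sorted(sent) if squash(s) == squash(want)]
        hint = f" (found near-miss {near[0]!r})" if near else ""
        problems.append(f"missing attribute {want!r}{hint}")
    audiences = [el.text for el in root.iterfind(".//a:Audience", NS)]
    if ENABLEHR_URL not in audiences:
        problems.append(f"Audience is {audiences}, expected {ENABLEHR_URL!r}")
    for el in root.iterfind(".//a:SubjectConfirmationData", NS):
        if el.get("Recipient") != ENABLEHR_URL:
            problems.append(f"Recipient is {el.get('Recipient')!r}")
    return problems


# Constructed sample, not a real Azure AD response: "FirstName" lacks its
# space and the Recipient (Reply URL) has a trailing slash.
SAMPLE = base64.b64encode(b"""<samlp:Response
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Assertion>
<Subject><NameID>jo@example.com</NameID><SubjectConfirmation>
<SubjectConfirmationData Recipient="https://login.enablehr.com/app/saml/"/>
</SubjectConfirmation></Subject><Conditions><AudienceRestriction>
<Audience>https://login.enablehr.com/app/saml</Audience>
</AudienceRestriction></Conditions><AttributeStatement>
<Attribute Name="Email / User ID"><AttributeValue>jo@example.com</AttributeValue></Attribute>
<Attribute Name="Name ID"><AttributeValue>jo@example.com</AttributeValue></Attribute>
<Attribute Name="FirstName"><AttributeValue>Jo</AttributeValue></Attribute>
<Attribute Name="Last Name"><AttributeValue>Doe</AttributeValue></Attribute>
</AttributeStatement></Assertion></samlp:Response>""").decode()

if __name__ == "__main__":
    print("\n".join(check_saml_response(SAMPLE)) or "no problems found")
```

The script only compares names and URLs; it does not validate the signature, so it is a configuration check and not a substitute for the service provider's own assertion validation.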

Note #1: If you get this screen, try to log in once more from enableHR/Office Portal and you will be redirected to the correct screen. This issue only occurs the first time a user tries to log in via SSO. This issue is on our bug backlog and will be fixed soon. FIXED DECEMBER 2021

mceclip5.png

Note #2: If you or your users receive this error screen

mceclip0.png

the Login URL in your enableHR SSO setup page needs to have the correct login URL entered. For example: 

mceclip1.png

against the enableHR Settings > Account Settings > Security > SSO > Login URL

mceclip2.png
