Azure Integration

Customer IT / SpaceIQ Onboarding Team

 

This article describes how to configure the Azure integration for SiQ.

Prerequisites

Before you configure SCIM-based provisioning for SiQ, make sure you are familiar with SCIM-based authentication.

You will need Microsoft Azure admin privileges to complete this integration. For the SiQ setup, you must have a SiQ Admin or an IT role.

If you are looking for SiQ sign-on with Office 365, you will need a paid subscription to Office 365, which comes with Azure Active Directory.

Integration Activities

Step 1. Activate the SiQ Integration in SiQ

From the SiQ Web App, complete the following:

  1. Click your Profile Name in the top right corner.
  2. Click Settings. The Settings screen displays.
  3. From the left menu, click Integrations.
  4. From the Third Party Integrations area, click the READ MORE link. The Integrations screen displays.

You can either search for Azure in the Search field or navigate to the Azure tile. To navigate, complete the following:

  1. From the left menu, click Provisioning & SSO.
  2. For Azure, click the Activate button.

The Azure dialog displays and it contains a Provisioning tab and an SSO tab.

Provisioning Tab

This is where the SCIM Bearer Token is found. Refer to the steps below for this setup.

SSO Tab

This is where the SSO integration is set up. Refer to the steps below for this setup.

  1. In the SAML Issuer URL field, paste the Azure AD Identifier value copied from the Azure AD application configuration window.
  2. Copy the SAML CallBack Endpoint URL (read-only) value and paste the value in the Reply URL box in the Basic SAML Configuration section in the Azure portal.
  3. Copy the SAML Audience URI (read-only) value and paste the value in the Identifier box in the Basic SAML Configuration section in the Azure portal.
  4. In the X.509 Certificate field, paste in the certificate copied from Azure. To get it, download the certificate file in Azure, open it in Notepad, and copy the X.509 Certificate content.
  5. Click the Activate button.

Step 2. Create a new custom SiQ app in Azure

In Azure you will need to create a custom app (or non-gallery app).

From Azure complete the following:

  1. Sign in to the Azure portal.
  2. Browse to Azure Active Directory > Enterprise Applications.
  3. Click the + New application button.

4. Click the + Create your own application button.

The Create your own application screen displays.

5. In the What's the name of your app? field, enter the name. For example, SiQ or SpaceIQ4.

6. Click the Create button.

The custom SiQ app is created.

Step 3. Copy the SiQ app Sign On Details

From Azure's SiQ app, you will need to copy the Sign On details from Azure into your SiQ Web App.

1. From the screen above, click the 2. Set up single sign on tile.

The Single Sign On screen displays.

2. Click the SAML tile.

The SAML based sign on screen displays.

Step 3.1 Copy and paste the SAML Identity Provider Issuer

1. Scroll to the SAML Signing Certificate area.

2. For the App Federation Metadata Url field, click the Copy icon.

3. In a new browser tab, paste in the App Federation Metadata Url. Note: You can paste this into a text or code editor.

4. Highlight and copy the entityID.

Return to your SiQ Web App and complete the following:

1. From the SSO tab, in the SAML Identity Provider Issuer field, paste in the entityID.

Step 3.2 Copy and paste the X.509 Certificate

Return to the XML file and complete the following:

1. Highlight and copy the X509Certificate.

In your SiQ Web App, complete the following:

1. In the X.509 Certificate field, paste in the certificate.

Step 3.3 Copy and paste SAML Redirect URL

Return to the XML file and complete the following:

1. Scroll to the end of the file to find the SingleLogoutService Binding.

2. Highlight and copy the HTTP-POST entry.

Return to your SiQ Web App and complete the following:

3. From the SSO tab, in the SSO Redirect URL (SiQ Portal) field, paste in the HTTP-POST entry.
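
The values that Steps 3.1 to 3.3 copy by hand can also be read from a saved copy of the federation metadata, which avoids copy and paste slips in the entityID or certificate. This is an added example, not SiQ or Microsoft code: the host name, tenant ID and certificate bytes in the sample are constructed placeholders, and the SHA-256 fingerprint is an extra value for comparing the pasted certificate against the file downloaded from Azure.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample input: placeholder host, tenant ID and certificate bytes.
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
BASE = "https://idp.example.test/00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="{BASE}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{base64.b64encode(PLACEHOLDER_DER).decode()}</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}" Location="{BASE}/logout"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="{BASE}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}" Location="{BASE}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_federation_metadata(xml_text):
    """Return the entityID, signing certificates and HTTP-POST endpoints."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not SAML identity provider metadata")
    certs = []
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use", "signing") != "signing":
            continue  # skip encryption-only keys
        for node in key.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())  # drop line wrapping
            der = base64.b64decode(b64, validate=True)  # raises on non-base64
            certs.append({"base64": b64,
                          "sha256": hashlib.sha256(der).hexdigest()})
    posts = [(el.tag.split("}")[1], el.get("Location"))
             for el in idp if el.get("Binding") == HTTP_POST]
    return {"entity_id": root.get("entityID"),
            "signing_certs": certs, "http_post": posts}


if __name__ == "__main__":
    print(parse_federation_metadata(SAMPLE_METADATA))
```

More than one signing certificate in the result means the metadata lists several keys, so check which one was pasted into SiQ.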

Step 3.4 Optional - Azure Portal URL

1. In the Azure Portal URL field, enter https://myapps.microsoft.com.

Step 3.5 Activate the Azure Integration

1. Click the Activate button.

The Azure Integration displays in the active integrations list.

Step 3.6 Copy and paste the SAML Identifier (Entity ID) URL and the SAML Callback Endpoint URL

1. Click the Azure Integration. The Azure dialog displays.

2. Click the SSO tab.

The SAML Callback Endpoint URL is now generated.

3. For the SAML Identifier (Entity ID) URL field, click the Copy icon.

4. For the SAML Reply URL, click the Copy icon.

Return to Azure.

1. Navigate to the Single Sign-On with SAML screen.

2. From the Basic SAML Configuration area, click the Edit button.

The Basic SAML Configuration form displays.

3. In the Identifier (Entity ID) field, paste in the SAML Identifier (Entity ID) URL and then check the Default check box to set this as the default.

4. In the Reply URL (Assertion Consumer Service URL) field, paste in the SAML Reply URL.

5. Click the Save button.

When saved, the following fields will be populated.

Step 4. Add Users and Groups

1. From the left menu, click Users and groups.

2. From this area add your users and groups.

Note: Refer to Microsoft Azure's official documentation to learn how to add users and groups.

Step 5. Set up Provisioning with the SCIM Bearer Token

1. From the left menu, click Provisioning.

2. Click the Get started button.

The Provisioning screen displays.

3. From the Provisioning Mode drop-down, select Automatic.

4. In the Tenant URL field, enter the URL of the application's SCIM endpoint: https://api.spaceiq.com/scim

Return to your SiQ Web App and complete the following:

5. Click the active Azure integration. The Azure dialog displays.

6. For the SCIM Bearer Token, click the Generate Token icon to generate the token.

7. Click the Save button.

8. Click the active Azure integration.

9. For the SCIM Bearer Token, click the Copy icon to copy the token and paste it to a secure temporary location, as you will use this to configure Azure's SiQ instance.

Return to Azure.

10. Click the Test Connection button to have Azure Active Directory attempt to connect to the SCIM endpoint. If the attempts fail, the error information will display. Save this information for further troubleshooting.

11. If the attempts to connect to the application succeed, click Save to save the admin credentials.

Step 6. Attribute Mappings from SiQ to an Azure User Profile

From Azure, complete the following:

1. From the left menu, click Provisioning. The Provisioning screen displays.

2. Click Edit attribute mappings.

3. Click the Mappings drop-down.

4. Click Provision Azure Active Directory Users.

The Attribute Mapping screen displays.

Note: It is important the Target Object Actions check boxes for Create, Update, and Delete remain checked as this pushes JSON data to SiQ.

5. Scroll down to see the attribute mapping. This displays the attribute mapping defaults.

The columns consist of:

  • Azure Active Directory Attribute
  • Custom App SSO Attribute

As shown in the Azure Mapping Editor, the base profile that Azure imports from SiQ consists of 20+ attributes. Some of these attributes are mapped to the Azure user profile by default.

Custom Attributes

Azure's SiQ application has been enhanced to support user-defined custom attributes, which enables Azure to import more than 20 attributes to SiQ.

  1. These attributes must be created and mapped in Azure. The recommended mappings from SiQ to Azure are preconfigured in SiQ's base profile. See Azure Custom Attribute Mapping.
  2. Then, from SiQ, define the custom field names mapped to the SiQ app. In the SCIM schema custom attributes field, enter the mapping code.

For example:

{"CostCenter*.*Cost_Center","Department*.*Department"}

Step 7. Start Provisioning

When your configuration is complete, then:

1. Navigate to the Provisioning screen and click the Start provisioning button. 

2. Click Save to start the Azure Active Directory provisioning service.

Troubleshooting

User and Department Data

  • Users without First Name and/or Last Name in their SiQ profiles cannot be imported to Azure as new users.
  • Azure users without Departments cannot be imported to SiQ as new users.
  • In the event that a department also has teams (sub-departments), SiQ expects Organizations/Divisions that contain a top-level organization and departments to also contain a Team name.

Example: Organization: Engineering with Department: QA

Additional Resources

Additional instruction details can be found in Microsoft's Azure Help Center.