Microsoft Azure AD: Enterprise Application setup
This article provides guidance on configuring an Azure Enterprise application for ClickView Online in Microsoft Azure Active Directory, using SAML single sign-on.
1. Sign in to Azure portal via https://portal.azure.com -> Azure Active Directory -> Enterprise applications -> +New application:
2. Within the ‘Enterprise applications’ select ‘+Create your own application’:
3. Enter a name for the ClickView application, select ‘Integrate any other application you don't find in the gallery (Non-gallery)’ and click the ‘Create’ button:
Under 'Single sign-on' in the left-hand pane, click the 'SAML' tile on the right-hand side:
4. In step 1, 'Basic SAML Configuration', enter the 'Identifier (Entity ID)' and the 'Reply URL (Assertion Consumer Service URL)' as follows:
A: Identifier (Entity ID)
https://saml-in1.clickview.us/shibboleth
B: Reply URL (Assertion Consumer Service URL)
https://saml-in1.clickview.us/Shibboleth.sso/SAML2/POST
C: Sign on URL
Leave blank. This field is optional and the value will be provided once the onboarding process is completed.
The Sign on URL is used to authenticate to ClickView directly (i.e. when a user starts at ClickView rather than at the Microsoft My Apps portal).
D: Logout URL (Default across all regions)
https://login.windows.net/common/oauth2/logout
Upon completion, the fields should look like the example shown below:
5. Moving on to the 'User Attributes & Claims' section:
The four standard attributes are displayed by default:
A: givenname
B: surname
C: emailaddress
D: name
To add a Group Claim, click on '+ Add a group claim', select Security Groups and appropriate 'Source attribute' then 'Save'.
Any additional claims can be provisioned by clicking ‘+ Add new claim’, selecting the appropriate Source 'Attribute' and 'Name', then ‘Save’. Use the following namespace for the claim name:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/
Below is an example shown for 'Extensionattribute10':
NOTE: Additional attributes are used to identify students' year levels and to differentiate staff members.
The attributes most commonly used to map students to their year levels and to assign staff groups are 'memberOf', 'groups' or 'department'; however, the attribute list can be edited and any attribute of your choice can be nominated for user identification.
6. SSO Onboarding
This is the final step of the setup process. To complete the setup, please provide us with:
A. App Federation Metadata URL which can be retrieved as follows:
Single sign-on -> SAML Signing Certificate -> App Federation Metadata Url
B. A list of all staff and student security groups, so that we can map users to the relevant year groups in ClickView. These can be found under: Home -> Groups -> All Groups -> search for the relevant groups
Below is an example shown for staff group and its corresponding 'objectId':
C. Synchronising Security Groups from your Active Directory (Azure Active Directory Connect)
If you would prefer to use security groups from your on-premises Active Directory instead, Azure AD Connect can synchronize them to Azure AD, as described in the official Microsoft knowledge base article: Azure AD Connect sync.
D. Adding Group Claims in Azure AD
To emit group claims (for example group names for synchronized groups) and avoid relying on the 'ObjectIDs' described in 6B, group claims can be configured in Azure by following the steps in: Add group claims to tokens for SAML applications using SSO configuration.
NOTE: The number of user groups that Azure Active Directory adds to a SAML token is limited to 150. If this limit is exceeded, a link to the Graph API endpoint is returned instead of a group list. ClickView doesn’t support retrieving user groups this way, because it would require additional authentication between ClickView and Azure AD.
If your users would exceed the 150 limit, consider one of the following options:
- Limit the number of groups that users are assigned to.
- Configure Azure AD to send only security groups.
- Configure the group claim to emit only the groups assigned to the ClickView application (the 'Groups assigned to the application' option), so that only the year-level and staff groups are sent.
E. Credentials for a test student account and a test staff account that have all attributes (including group membership) correctly populated, so that we can test the single sign-on integration and confirm the claims are exposed.
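Before sending the test credentials, it is worth capturing the SAML response from a test sign-in (for example with a browser SAML tracer extension) and confirming that the Identifier, Reply URL, the four default claims and the group claim all come through as configured in steps 4 to 6. The script below is an added example and is not part of the ClickView or Microsoft documentation: it parses such a response and reports the group objectIds, or flags the case from 6D where Azure AD has replaced the group list with a Graph link because the user is in more than 150 groups. The sample response is constructed by hand (placeholder GUIDs, no signature), and the script does not verify the XML signature or the assertion validity window; it is a claims sanity check, not a SAML validator.

```python
"""Sanity-check the claims in a SAML response captured from a test login.

Added example, not part of the ClickView or Microsoft documentation.
It does NOT verify the XML signature or Conditions timestamps; use it
to confirm which claims Azure AD is sending, not to validate logins.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Values entered in the 'Basic SAML Configuration' step of the article.
ENTITY_ID = "https://saml-in1.clickview.us/shibboleth"
ACS_URL = "https://saml-in1.clickview.us/Shibboleth.sso/SAML2/POST"
# Claim namespace used by the four default claims and by added claims.
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = ("givenname", "surname", "emailaddress", "name")
# Default Azure AD group claim, and the overage claim that replaces the
# group list when the user is a member of more than 150 groups.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"


def check_saml_response(xml_text: str) -> dict:
    """Return the attributes, group objectIds, overage flag and a list of problems."""
    root = ET.fromstring(xml_text)
    problems = []

    # The Response Destination must be the Reply URL (ACS URL) entered in Azure.
    destination = root.get("Destination")
    if destination != ACS_URL:
        problems.append(f"Destination {destination!r} does not match Reply URL {ACS_URL}")

    # The Audience must be the Identifier (Entity ID) entered in Azure.
    audience = root.findtext(
        ".//saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", namespaces=NS
    )
    if audience != ENTITY_ID:
        problems.append(f"Audience {audience!r} does not match Entity ID {ENTITY_ID}")

    # Collect every Attribute Name -> list of AttributeValue texts.
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = values

    for short in REQUIRED:
        if not attrs.get(CLAIMS_NS + short):
            problems.append(f"default claim '{short}' is missing or empty")

    groups = attrs.get(GROUPS_CLAIM, [])
    overage = GROUPS_OVERAGE_CLAIM in attrs
    if overage:
        problems.append("group overage: Graph link sent instead of the group list "
                        "(user is in more than 150 groups)")
    elif not groups:
        problems.append("no group claim present; year-level mapping will not work")

    return {"attributes": attrs, "groups": groups, "overage": overage, "problems": problems}


# --- constructed sample data: placeholder GUIDs, not a real tenant or user ---
SAMPLE_TEMPLATE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" Destination="{destination}">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Subject><saml2:NameID>student.test@school.example</saml2:NameID></saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction><saml2:Audience>{audience}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="{ns}givenname"><saml2:AttributeValue>Test</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="{ns}surname"><saml2:AttributeValue>Student</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="{ns}emailaddress"><saml2:AttributeValue>student.test@school.example</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="{ns}name"><saml2:AttributeValue>student.test@school.example</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="{ns}extensionattribute10"><saml2:AttributeValue>Year 7</saml2:AttributeValue></saml2:Attribute>
      {group_claims}
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# Normal case: the group claim carries the objectIds of the user's security groups.
GROUP_LIST_CLAIM = f"""<saml2:Attribute Name="{GROUPS_CLAIM}">
        <saml2:AttributeValue>11111111-1111-1111-1111-111111111111</saml2:AttributeValue>
        <saml2:AttributeValue>22222222-2222-2222-2222-222222222222</saml2:AttributeValue>
      </saml2:Attribute>"""

# Overage case: Azure AD replaces the list with a link to a Graph endpoint.
GROUP_OVERAGE_CLAIM = f"""<saml2:Attribute Name="{GROUPS_OVERAGE_CLAIM}">
        <saml2:AttributeValue>https://graph.windows.net/00000000-0000-0000-0000-000000000000/users/00000000-0000-0000-0000-000000000001/getMemberObjects</saml2:AttributeValue>
      </saml2:Attribute>"""


def build_sample(group_claims: str, destination: str = ACS_URL, audience: str = ENTITY_ID) -> str:
    """Render the constructed response template with the given group claim block."""
    return SAMPLE_TEMPLATE.format(destination=destination, audience=audience,
                                  ns=CLAIMS_NS, group_claims=group_claims)


if __name__ == "__main__":
    for label, claim in (("group list", GROUP_LIST_CLAIM), ("overage", GROUP_OVERAGE_CLAIM)):
        result = check_saml_response(build_sample(claim))
        print(f"{label}: groups={result['groups']} problems={result['problems']}")
```

To use it against a real capture, replace the constructed sample with the decoded SAMLResponse XML from the tracer and look at `problems`: an empty list means the URLs and default claims match the configuration in step 4 and 5, and `groups` lists the objectIds to cross-check against the list supplied in 6B. If `overage` is true, apply one of the options listed in 6D before sending the test credentials.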
7. Assign groups
Security groups of students and staff members can be assigned from the 'Overview' page of the ClickView Enterprise application: https://portal.azure.com/ -> Home -> Enterprise Applications -> ClickView -> Assign users and groups
Once in the 'Users and Groups' section, add the desired group via the '+Add user/group' button to the ClickView application:
8. Submitting your information
To start a new onboarding form, please click 'SSO Onboarding form'; otherwise, please continue with the form you are already in the process of completing.