Configuring Azure Single Sign-on
Prerequisites
Use your Archer Community credentials to sign into AIM.
Task 1: Add an existing instance
- On the Instances section of the AIM dashboard, click [icon].
- Enter the instance name.
- Enter the sysadmin account credentials for this instance.
- Select the environment in which this instance exists.
- Review your details and click Submit.
Your instance will be available on the AIM dashboard.
Task 2: Configure instance settings
On the Instances section of AIM, do one of the following to update instance details:
- Click the instance name.
- In the Actions column, click [icon].
AIM displays the new instance in blue text.
Task 3: Configure the Single Sign-on settings
In the Single Sign-on section, set your Archer instance SSO login settings, including customizing the login page, user provisioning settings, and identity provider connection settings. You can enable Single Sign-on with the identity providers configured in this section.
- Select “Enable Single Sign-on using SAML with the identity providers configured below”.
- Go to the Identity Provider settings > Archer Service Provider Metadata section. This section provides the following data needed for the SSO setup in Azure:
  - Archer Service Provider Metadata
  - Assertion Consumer Service URL
  - Audience URI
- Click Download. Provide the downloaded metadata file to your Azure administrator.
Task 4: Review your existing Archer users
- Go to the Archer instance that you added to AIM in Task 1.
- From the Administration menu, click [icon] > Access Control > Users.
Review your existing Archer users. In the Domain \ User Name column, note the format in which Archer displays the usernames.
Archer displays usernames in a variety of formats, including:
- fred.flintstone@bedrock.com
- fred.flintstone
- fflintstone@bedrock.com
- fflintstone
- f1341345
Important: The value that Azure sends as the NameID must match the existing Archer username exactly, in the same format as shown in this column. Otherwise Archer cannot match the SSO login to the existing user and, if auto user provisioning is enabled, creates a new user instead.
Task 5: Create a new application in Microsoft Azure
- In Microsoft Azure, go to Home > Default Directory | Enterprise applications > Enterprise applications.
- On the left panel, in the Manage section, click All applications.
- Click New application to create a new Enterprise application in Azure AD.
- Click Create your own application. Archer is not available in the application gallery, so you must create the application yourself.
- In the Create new application dialog, enter an application name and click Create.
Important: In the Create new application dialog, do not select an existing gallery application. Archer is not in the gallery, so choose the option to integrate an application that is not found in the gallery.
Azure displays the new application screen.
Note: At this point, users and groups must be assigned to the application. The assignment is specific to your identity provider (IdP) organization and is not covered in this help.
- In the left panel, in the Manage section, select Single sign-on to configure the integration with Archer.
- On the Archer | Single sign-on page, select SAML as the single sign-on method.
- On the Archer | SAML-based Sign-on page, click Upload metadata file and upload the metadata file that you downloaded from AIM in Task 3.
- Once the file is uploaded, the Basic SAML Configuration dialog displays the Identifier (Entity ID) and the Reply URL (Assertion Consumer Service URL). Confirm that these match the Audience URI and the Assertion Consumer Service URL shown in AIM, then click Save.
Note: If Azure prompts you to test single sign-on, select “No, I’ll test later”.
- In the Set up Single Sign-On with SAML section, go to section 2: Attributes & Claims, and click Edit.
- On the Attributes & Claims page, in the Required claim section, ensure that the value sent for the Name ID claim matches the username in Archer exactly, in the format you noted in Task 4.
- Complete the remaining claims. Ensure that claims named FirstName, LastName and EmailAddress are included, with exactly those names.
Note: On the Manage claim page, leave the Namespace field empty. Archer matches on the bare claim names, so a claim that carries a namespace URI (as Azure's default givenname, surname and emailaddress claims do) is not picked up.
- Go back to the Archer | SAML-based Sign-on page and go to section 3: SAML Certificates.
- In the Federation Metadata XML field, click Download.
Task 6: Import the metadata file from Azure into AIM
- Go to your AIM dashboard. On the Instances section, click your instance name.
- In the SSO tab > Identity Providers > Customer Identity Provider Metadata, click Import and import the metadata file you downloaded from Azure.
- After you have successfully imported the metadata into AIM, review the Login Page and Identity Providers settings.
- In the Login Page section, set the following.
Note: If you have an existing SSO setup in Archer, configure the text on the login page to match what it was set to previously, so that the user experience does not change.
The login page settings are:
Page title: The text that appears as the heading on the Archer login page. This option corresponds to the Decision Page Header in the Archer Control Panel. For example, “Archer Login”.
Login header: The text that appears on the login page as the label for the drop-down that lists all identity providers. For example, “Please select your login type”.
Allow manual bypass: Activates manual login to Archer. When this option is selected, users see the username and password fields rather than an identity provider selection field, and can log into the associated Archer instance using their instance-specific credentials. If this option is not selected, users must log into the instance using SSO.
Deeplink bypass: Generates deep links to pages in Archer that, when clicked, bypass the Archer login page and automatically log users into Archer through the SSO process.
Important: Deep link bypass is only available when the Archer instance uses a single identity provider.
- In the Identity Providers settings section, enter the Identity provider dropdown name, the user-friendly name of the identity provider that you linked to the Archer instance. For example, the dropdown text on the Archer login page may be “Single Sign On”.
- In the User Provisioning section, set the following fields.
The User Provisioning fields are:
Default user role: The role that Archer assigns if no user role was specified when the user was created from your IdP. You can update the role manually in your Archer instance. By default, this role is “General User”. The role must be a valid role that exists in Archer.
Default first name and Default last name: The name that Archer assigns if no name was specified when the user was created from your IdP. You can update the first and last name manually in your Archer instance.
Enable auto user provisioning: When a user who does not yet exist in the instance logs in through the identity provider, Archer automatically creates the user record. By default, the new user is given the role “General User”; if a role is sent in the user assertion, it must be a valid role that exists in Archer. FirstName and LastName are required; if the SAML assertion does not provide them, the default first and last name are used for user creation. If you are not using auto provisioning, this section can be ignored.
Enable user update on Single Sign-on login: When selected, the next time an existing user logs into Archer through SSO, Archer updates the user record with the values sent from Azure.
Enable group update on Single Sign-on login: When selected, the next time a user logs into Archer through SSO, Archer updates the user's group membership with the values sent from Azure in the “Group” claim. The group name must be sent exactly as it appears in Archer. By default, Azure sends a group identifier rather than the group name (the group's object ID, or the on-premises security identifier), which Archer cannot map; configuring the group claim to send the group's sAMAccountName usually produces the expected value. If you do send groups in the “Group” claim, select this option so that groups are applied when a user logs in.
- At the top of the Single Sign-on section, ensure that the Enable Single Sign-on using SAML with the identity providers configured below option is still selected.
- Click Save. Your setup is now complete. Before clearing Allow manual bypass, verify an SSO login from a separate browser session, so that a misconfigured identity provider cannot lock users, including administrators, out of the instance.
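The NameID requirement in Task 4, the claim names in Task 5 and the group claim caveat above all come down to what actually arrives in Azure's SAML Response. The following Python script is an added example and is not part of the Archer or AIM documentation. It takes a decoded SAML Response and a set of usernames copied from the Domain \ User Name column, and reports whether the NameID matches exactly, which of FirstName, LastName and EmailAddress are missing, which claims still carry a namespace URI, and which Group values are identifiers rather than names. The sample response and user list are constructed for illustration: two claims are left at Azure's default namespaced names and one group is sent as an object ID so that the check has something to report. The script assumes Archer's comparison is an exact string match; a case-only difference is reported separately so you know which side to change.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIMS = ("FirstName", "LastName", "EmailAddress")

# Group values Azure emits when the group claim is left at its default: a
# directory object ID (GUID) or an on-premises security identifier (SID).
# Archer cannot map either; it needs the group name exactly as it appears in Archer.
_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
_SID = re.compile(r"^S-1-\d+(-\d+)+$")

# Constructed sample: a decoded SAML Response as Azure would post it to the
# Assertion Consumer Service URL. Surname and e-mail are deliberately left at
# Azure's default namespaced claim names, and one group is sent as an object ID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Fred.Flintstone@bedrock.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Fred</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Flintstone</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>fred.flintstone@bedrock.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Group">
        <saml:AttributeValue>3f2504e0-4f89-11d3-9a0c-0305e82c3301</saml:AttributeValue>
        <saml:AttributeValue>Quarry Managers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample of the Domain \ User Name column reviewed in Task 4.
ARCHER_USERS = {"fred.flintstone@bedrock.com", "bbrubble", "w1341345"}


def extract_claims(response_xml):
    """Return (name_id, {claim name: [values]}) from a decoded SAML Response."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name", "")] = values
    text = name_id.text.strip() if name_id is not None and name_id.text else None
    return text, attrs


def check_assertion(response_xml, archer_users):
    """Compare what Azure sends with what Archer expects; returns a findings dict."""
    name_id, attrs = extract_claims(response_xml)
    lowered = {u.lower() for u in archer_users}
    return {
        "name_id": name_id,
        # Exact match is assumed to be what Archer needs; a case-only match is
        # reported on its own so the operator knows which side to change.
        "name_id_exact": name_id in archer_users,
        "name_id_case_only": name_id not in archer_users and (name_id or "").lower() in lowered,
        "missing_claims": [c for c in REQUIRED_CLAIMS if c not in attrs],
        # Azure's default claim names carry a namespace URI; Archer wants the bare name.
        "namespaced_claims": sorted(n for n in attrs if "/" in n or ":" in n),
        "group_identifiers": [v for v in attrs.get("Group", []) if _GUID.match(v) or _SID.match(v)],
    }


if __name__ == "__main__":
    for key, value in check_assertion(SAMPLE_RESPONSE, ARCHER_USERS).items():
        print(f"{key}: {value}")
```

To run this against a real login, capture the SAMLResponse form field with a SAML tracer browser extension, base64-decode it, and pass the XML to check_assertion together with the usernames exported from Access Control > Users. Every non-empty finding other than name_id corresponds to a setting you still need to fix in Azure before importing the federation metadata into AIM.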