Prerequisites
To set up SSO with Microsoft Entra ID, formerly Azure Active Directory, you will need a Microsoft Azure Premium account. While Microsoft's cloud platform, Azure, remains unchanged, the identity and access management service previously known as Azure Active Directory is now called Microsoft Entra ID.
Step 1: Creating an Enterprise App for Beekeeper
- Navigate to your Microsoft Azure Portal for Enterprise Applications.
- Click on New application.
- Select Create your own application.
- Provide a name for the app, e.g. "Beekeeper SSO".
- Choose Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create.
Step 2: Managing User Assignments for the Application
You can assign specific users and groups to access the application or make user/group assignment optional.
Option 1: Assign Users and Groups
- In the created Application, click on Users and groups.
- Select Add user/group.
- Click on None Selected.
- Choose the desired user or group and click Select.
- Click Assign.
Option 2: Making User/Group Assignment Optional
- Click on Properties.
- Under User assignment required?, select No.
- Click Save.
Step 3: Setting Up Single Sign-On
- For SAML configuration, go to Single sign-on.
- Click on SAML.
- In the Basic SAML Configuration section, click Edit.
Enter the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) in the following format:
- Your Identifier: https://yoursubdomain.us.beekeeper.io/saml/sso/metadata.xml
- Your Reply URL in this form: https://yoursubdomain.us.beekeeper.io/saml/sso/
- Click Save.
Note: Ensure both URLs include your Beekeeper subdomain and your data center reference (e.g., us, ch, or de); there is no reference for the European data center.
Step 4: Configuring User Attributes
You can populate a user’s Beekeeper profile fields during login by defining which information will be sent in the SAML token. You will need the Placeholder value for each Beekeeper profile field, which you can find in the Beekeeper Dashboard under Settings > Profile Fields.
- In the Attributes & Claims section, click on Edit.
- Select the Unique User Identifier (Name ID) field.
- Click on the Name identifier format field and select Persistent.
- In the Source attribute field, select the attribute you want to use as the Beekeeper User ID.
- Click Save.
- Optional: Edit the additional claims by clicking on them.
While you can add the other claims listed below, please note that the only required claim for a successful SSO setup is the Unique User Identifier (Name ID). Modifying other profile fields in Beekeeper through SSO is not recommended, especially if you enable automated user sync (e.g., from Azure).
Below, you can see an example set of token attributes:
Name* | Source Attribute
--- | ---
firstname | user.givenname
lastname | user.surname
email | user.mail
username** | user.samAccountName
position | user.jobtitle
* Ensure that each attribute corresponds to the placeholder value of the respective Profile Field in the Beekeeper Dashboard. Note that only the attributes listed above are supported when filling out the related Beekeeper profile fields.
** Please note: The Beekeeper username does not accept special characters except for "_". Therefore, when selecting an attribute, consider this restriction.
- Enter the profile field placeholder value in the Name field.
- Ensure that the Namespace field is cleared and left blank. This is essential because Azure adds a namespace to attribute names by default. If left unchanged, it will send an attribute named http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email, which Beekeeper will not recognize, instead of simply "email" as expected by the server.
- Click Save.
Optional: Create a claim for the attribute user.jobtitle.
- Click on Add new claim.
- Enter the profile field placeholder value in the Name field.
- In the field Source attribute, search for user.jobtitle and select it.
- Click Save.
- Click on Add new claim.
After you have edited/added all necessary claims, your claim overview should look similar to the following:
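To verify the claim rules from Steps 3 and 4 against a captured assertion (Persistent Name ID, bare claim names without the Azure namespace, only supported profile fields, and a username restricted to letters, digits and "_"), here is an added Python example; it is not part of this article or of Beekeeper's tooling, and the sample assertion is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Profile-field placeholders supported by the article's attribute table
SUPPORTED_CLAIMS = {"firstname", "lastname", "email", "username", "position"}
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


def check_assertion(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the assertion follows the article's rules."""
    findings = []
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        findings.append("missing NameID (the only required claim)")
    elif name_id.get("Format") != PERSISTENT:
        findings.append(f"NameID format is {name_id.get('Format')!r}, expected persistent")
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        if "/" in name:  # heuristic: a URI-style name means the Namespace field was not cleared
            findings.append(f"claim {name!r} carries a namespace; clear the Namespace field")
            continue
        if name not in SUPPORTED_CLAIMS:
            findings.append(f"claim {name!r} is not a supported Beekeeper profile field")
            continue
        value = attr.findtext("saml:AttributeValue", default="", namespaces=SAML_NS)
        if name == "username" and not USERNAME_RE.match(value):
            findings.append(f"username {value!r} contains characters other than letters, digits and '_'")
    return findings


# Constructed sample (not a real token): one namespaced email claim and a username with a dot.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_sample" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue>ada.lovelace</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for finding in check_assertion(SAMPLE_ASSERTION):
        print("finding:", finding)
```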
Step 5: Copy SAML Signing Certificate
- In the SAML Signing Certificate section, download the Federation Metadata XML file.
- Open the file and copy the content.
- Open the Beekeeper Dashboard and navigate to Settings > General > Single Sign-On.
- Select which authentication option you want to be enabled for the platform (you can find more information on the differences here).
- Paste the content from the downloaded file into the SAML Metadata box.
- Specify your preference for automatic user account provisioning for new users.
Enabling auto-provisioning through SSO can help troubleshoot during setup, but it may not always be the best choice. Depending on your setup, it could create duplicate user accounts, causing data problems.
- Click on Save settings.
Step 6: Test Configuration
Navigate back to the single sign-on configuration window of your SSO enterprise application. In the last box of the configuration overview, click Test to verify the successful configuration.
For any inquiries or assistance, please contact your CSM.