
Celonis Product Documentation

Microsoft Azure: Setting up SSO via SAML

This article describes how to set up SSO via SAML with Microsoft Azure as the identity provider.

How to configure SAML SSO via Azure
  1. Go to Azure portal.

  2. Open "Azure Active Directory" section.

  3. Go to "Enterprise applications" section.

  4. Click "+ New Application".

  5. Select "Non-gallery application".

  6. Name the new app and save it.

  7. Within the settings of the new app, go to the "Single sign-on" section and select "SAML". In the "Basic SAML Configuration" section, set the following values:

    1. Identifier (Entity ID) = [customer].[realm].celonis.cloud → e.g. customer1.eu-1.celonis.cloud

    2. Reply URL (Assertion Consumer Service URL) = https://[customer].[realm].celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client → e.g. https://customer1.eu-1.celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client

      Note

      The URL must be HTTPS.

  8. In the "User Attributes & Claims" section, a new claim named "email" must be exposed (see the section below).

  9. In the "SAML Signing Certificate" section, the final metadata XML can be downloaded. For this use the "Federation Metadata XML" link.

  10. Upload this file to the team settings. With this, the configuration is complete.

How to expose user attributes in the SAML response
  1. Open Azure Active Directory.

  2. Open Enterprise Applications.

  3. Open SSO application.

  4. Select Single Sign-On.

  5. Scroll to User Attributes & Claims and press Edit.

  6. Select Add new claim.

  7. In the new dialog, set name = "email" and source attribute = "user.mail", then press Save.

    For SAML JIT, do this also for the user's first name and last name, as well as their group memberships. You can set the attribute names to your liking.

    The Azure documentation on how to reveal group memberships is quite extensive: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims

    Warning

    Make sure to write the attribute name in lower case; a capitalized name will not work.

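Both procedures above leave a few things that are easy to get wrong and only show up at first login: the Reply URL must be HTTPS and match what Azure sends as Destination, the Identifier must appear as the Audience of the assertion, and the "email" claim must be spelled in lower case. The following script is an added example (not Celonis or Microsoft code) that runs those checks over a SAML response captured from a test login. The sample response, the tenant ID, the user and the customer/realm values are all constructed for the example; the function names are the author's own.

```python
"""Sanity checks for an Azure AD SAML response against the settings configured above.

Added example, not part of the Celonis documentation. It checks the points the
article calls out (HTTPS Reply URL, matching Identifier, lower-case "email" claim);
it does NOT verify the XML signature, which the service provider must still do.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of the kind of response Azure AD posts to the Reply URL.
# Tenant ID, user and claim values are made up; the signature element is omitted.
# Note the claim is named "Email" (capitalized), the mistake the article warns about.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://customer1.eu-1.celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>customer1.eu-1.celonis.cloud</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_text, expected_entity_id, expected_acs_url, required_claims=("email",)):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    root = ET.fromstring(xml_text)

    # 1. Destination must equal the configured Reply URL and must be HTTPS.
    dest = root.get("Destination", "")
    if dest != expected_acs_url:
        findings.append(f"Destination {dest!r} does not match Reply URL {expected_acs_url!r}")
    if urlparse(dest).scheme != "https":
        findings.append("Destination is not HTTPS")

    # 2. The configured Identifier (Entity ID) must be among the assertion's audiences.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_entity_id not in audiences:
        findings.append(f"Audience {audiences} does not contain Identifier {expected_entity_id!r}")

    # 3. Each required claim must be present with an exactly lower-case name.
    names = [a.get("Name") for a in root.findall(".//saml:Attribute", NS)]
    for claim in required_claims:
        if claim in names:
            continue
        case_variants = [n for n in names if n and n.lower() == claim]
        if case_variants:
            findings.append(f"claim {case_variants[0]!r} is not lower case; expected {claim!r}")
        else:
            findings.append(f"required claim {claim!r} missing")
    return findings


if __name__ == "__main__":
    for line in check_saml_response(
        SAMPLE_RESPONSE,
        "customer1.eu-1.celonis.cloud",
        "https://customer1.eu-1.celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client",
    ):
        print("FINDING:", line)
```

Run it against a response captured with the browser's developer tools (the base64 SAMLResponse form field, decoded) before handing the setup over to users; on the constructed sample it reports only the capitalized "Email" claim. For the JIT case, pass the first name, last name and group attribute names you chose as `required_claims`.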