The examples below were provided to TeamDynamix by clients who were able to successfully configure Single Sign On using Entra ID (formerly Azure Active Directory). Please note that TeamDynamix does not have expertise in IdP configurations for Entra ID. It is best for you to speak with your internal technical team or an Entra ID professional for any issues or questions related to configuring Single Sign On in Entra ID.
Overview
This article covers how other TeamDynamix clients have configured Entra ID to allow Single Sign On authentication with iPaaS and Conversational AI.
Step 1: Gather Assertion Consumer Service URL from iPaaS + Conversational AI Metadata
Before configuring SSO in Entra ID, you will need the AssertionConsumerService URL from iPaaS + Conversational AI.
- Log in to iPaaS + Conversational AI
- On the top navigation bar, go to Administration > Organization Settings
- Click on the Settings tab
- Set the User Authentication Requirements dropdown to SAML
- In the top right corner, click the Service Provider Metadata link
- The metadata will open in a new tab
- Find the element that starts with "<md:AssertionConsumerService Binding", and copy the value in its "Location=" attribute
- US example: https://us1.teamdynamix.com/tdapp/SAML/SingleLogoutService?__cust=CUSTOMERNAME
- CA example: https://ca1.teamdynamix.com/tdapp/SAML/SingleLogoutService?__cust=CUSTOMERNAME
- Copy this value. You will need it when configuring Entra ID
- Click Cancel to cancel out of the SAML configuration for now
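The metadata lookup in this step can also be done with a script. The following is an added example, not TeamDynamix or Microsoft code: it reads Service Provider metadata, ignores other endpoints such as SingleLogoutService, and returns the entityID and the AssertionConsumerService Location. The sample metadata, its host and paths are constructed placeholders, and filtering on the HTTP-POST binding is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"  # assumed binding for the Reply URL

# Constructed sample: placeholder host and paths, not real TeamDynamix values.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/slo?__cust=CUSTOMERNAME"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs?__cust=CUSTOMERNAME"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_values_for_idp(metadata_xml):
    """Return (entity_id, acs_url) from SP metadata, or raise ValueError."""
    # SAML metadata has no need for DTDs; refuse them before parsing.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    # Only AssertionConsumerService elements count; SingleLogoutService is skipped.
    acs = [e for e in root.iter(f"{{{MD}}}AssertionConsumerService")
           if e.get("Binding") == POST]
    if not entity_id or not acs:
        raise ValueError("missing entityID or HTTP-POST AssertionConsumerService")
    # Prefer the endpoint flagged isDefault, otherwise the lowest index.
    acs.sort(key=lambda e: (e.get("isDefault") not in ("true", "1"),
                            int(e.get("index", "0"))))
    location = acs[0].get("Location", "")
    parts = urlsplit(location)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"ACS Location is not an https URL: {location!r}")
    return entity_id, location


if __name__ == "__main__":
    print(sp_values_for_idp(SAMPLE_METADATA))
```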
Step 2: Create SAML Application in Entra ID
Step 2a. Create the SAML Application
- Log in to the Azure Portal at https://portal.azure.com/ and click on Entra ID.
- In your Azure Portal, navigate to Microsoft Entra ID > Enterprise Applications and choose + New Application.
- Select the Non-gallery application option.
- Enter a Name for the application and click Add to finish.
Step 2b. Configure Basic SAML Configuration
- In the application you just created, go to the Single sign-on tab and choose the SAML box.
- Choose the edit icon in the Basic SAML Configuration box.
- Click Create New App.
- Click SAML 2.0 and click Create.
- Give the app an appropriate Name and tick both boxes to not display the app icon to users, since displaying it will confuse the users.
- Click Next.
- For Single sign-on URL, copy and paste the Assertion Consumer Service URL you copied from iPaaS in the "Step 1" section above
- In the Identifier (Entity ID) field, copy and paste the appropriate value for your region and environment:
- For United States Customers: https://us1.teamdynamix.com
- For Canadian Customers: https://ca1.teamdynamix.com
- In the Reply URL (Assertion Consumer Service URL) field, enter the Assertion Consumer Service URL you copied earlier from the iPaaS + Conversational AI Metadata
- Click Save to complete the basic configuration.
Step 2c. Configure the User Attributes & Claims:
- Choose the edit icon in the User Attributes & Claims box.
- Remove any existing claims except for the default one used by the Name Identifier value.
- Click the + Add new claim button.
- In the Name field, select the SAML attribute the iPaaS + Conversational AI platform will use as the username value for authentication. This value must be a scoped, or fully qualified value in the format of user@domain.
- Leave the Namespace field blank.
- Click the Save button to create the attribute.
- Repeat steps 3 - 6 to add any other SAML attributes you wish to release to iPaaS + Conversational AI. Common attributes released include givenName (first name), sn (surname, last name), and mail (email address).
Step 2d. Determine Who Can Use the App
The organization must decide how they want to grant access to the Entra ID application to their users. There are two general ways to do this, with pros and cons to each approach.
Application Level Access
If you grant Application Level Access, any user in the Entra ID directory can pass through the Entra ID application for authentication to iPaaS + Conversational AI. This does not, however, implicitly grant them access to iPaaS + Conversational AI. iPaaS + Conversational AI still requires an internal user record, with a username value matched to the Entra ID value released in the eppn attribute, to be authorized for iPaaS + Conversational AI sign in.
To use this method, go to Manage > Properties > User assignment required? and select No. You should read the help text by clicking the icon next to this option to understand the full options for this method.

Explicit User/Group Access Grants
If you want to have more specific control over who is allowed to pass through the Entra ID application for authentication into iPaaS + Conversational AI, leave the application level setting above set to Yes. Instead, go to Manage > Users and groups and assign specific users and/or groups who can pass through this application. Any user/group not specified in this page will be prevented at the Entra ID side of the SSO authentication flow from continuing on into iPaaS + Conversational AI! Again, users/groups allowed in this page will not be implicitly granted access to iPaaS + Conversational AI. iPaaS + Conversational AI still requires an internal user record, with a username value matched to the Entra ID value released in the eppn attribute, to be authorized for iPaaS + Conversational AI sign in.

Step 3: Store Entra ID Metadata URL in iPaaS + Conversational AI
The last step before you can enable and test Entra ID authentication into iPaaS + Conversational AI is a metadata exchange.
First, get the identity provider metadata URL in Entra ID:
- In Entra ID, navigate to the application you created.
- Copy the App Federation Metadata Url link from the SAML Signing Certificate box.

Next, input it into iPaaS + Conversational AI:
- Log in to iPaaS + Conversational AI
- On the top navigation bar, go to Administration > Organization Settings
- Click on the Security tab
- Set the User Authentication Requirements dropdown to SAML
- In the SAML Definition URL box, paste the metadata URL you copied from Entra ID, then click the refresh icon
- At the bottom of the window, click Save Changes
Testing SSO Authentication
To test SSO authentication, use your organization-specific login URL to log in to iPaaS + Conversational AI.
Organization-Specific Sign-In Links
If you are logged in to SSO and access the generic iPaaS + Conversational AI URL for your region (e.g., https://ca1.teamdynamix.com), you will be automatically redirected to SSO and signed in to the environment. If you are not signed in to SSO, you will need to use your organization-specific SSO login link.
To access your organization-specific SSO URL:
- Log in to iPaaS + Conversational AI
- On the top navigation bar, go to Administration > Organization Settings
- Click on the Security tab
- Scroll to the bottom of the page
- The SSO Login URL is your organization-specific SSO URL
Best Practices for Testing SSO
When testing, a recommended approach is to keep the iPaaS + Conversational AI SAML Settings page open in one browser (for instance Google Chrome). Use a second browser (such as Firefox) in incognito or private browsing mode to test that SSO authentication is actually working.
With this approach, if SSO authentication is not working or is in some way broken, you may quickly toggle SSO off back in the first browser. You can then safely troubleshoot the issues found and not be locked out of the system until you are ready to test again.
SSO Bypass URLs
If you misconfigured your SSO setup and you need to log back into iPaaS and Conversational AI to correct it, use the appropriate SSO bypass URL:
This URL will send you to the iPaaS and Conversational AI login screen where you can use your local iPaaS and Conversational AI account to log in.