Azure AD SAML Setup

Authentication and SSO

You can use Azure AD (Active Directory) as an Identity Provider (IdP) to log users and agents into Deskpro. We will use the SAML setup instructions to set up this integration.

Note

You will require Global Administrator access to your Azure Active Directory platform to complete this setup. This is something your IT provider/administrator will have.

Creating a custom Azure App

  1. Log into your https://portal.azure.com management area, and navigate to Azure Active Directory > Enterprise Applications

  2. Under All Applications, select New Application

  3. Select Non-gallery Application, specify any name for this application, and press Add

Note

The name you define here is arbitrary and does not affect functionality. It can be anything you choose; in this example I have gone for "Deskpro SAML Login" for simplicity.

It may take a minute or so for the app creation to complete.

  4. Press "Single sign-on" and select SAML as the method.

Creating a Deskpro SAML Connector

  1. Populate the SAML setup information with the data provided to you in Azure.

Note

You will be asked for some configuration options. You will now need to jump over to your Deskpro admin area, and create a SAML connector using the SAML setup information.

  • Tick the Enabled? checkbox.

| Deskpro | Azure | Required |
|---|---|---|
| SSO: Single Sign On URL | Login URL | Yes |
| SLO: Single Log Off URL | Logout URL | No (Recommended) |
| Metadata: Issuer XML metadata URL | App Federation Metadata URL | Yes |
| X509 Certificate | Certificate (Base64) | Yes |
| X509 Certificate Fingerprint | Thumbprint | No (Recommended) |
| Custom Metadata XML | Federation Metadata XML | Yes |

  • The Certificate will download as a .cer file. This is fine to upload into Deskpro.
  • The Federation Metadata XML will download as a .xml file. You will need to open this in a text editor (e.g. Notepad) and copy the contents into Deskpro.
  • Sign Authentication Request can be left blank.
  • Name ID Format can be left as default. This would usually be urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
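
A consistency check worth running before pasting these values into Deskpro, given here as an added example that is not part of the original article or Deskpro's own tooling: it confirms that the downloaded Certificate (Base64) file, the signing certificate inside the Federation Metadata XML, and the Thumbprint shown in Azure all refer to the same certificate. It assumes the thumbprint is the SHA-1 hash of the DER-encoded certificate; the function names and the sample input are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def thumbprint(der):
    """SHA-1 over the DER bytes, uppercase hex (assumed thumbprint format)."""
    return hashlib.sha1(der).hexdigest().upper()

def pem_to_der(pem_text):
    """Decode a Base64 .cer file, with or without BEGIN/END armor lines."""
    lines = (ln.strip() for ln in pem_text.splitlines())
    return base64.b64decode("".join(s for s in lines if not s.startswith("-----")))

def metadata_signing_thumbprints(metadata_xml):
    """Thumbprints of the IdP signing certificates published in the metadata."""
    found = set()
    for idp in ET.fromstring(metadata_xml).iter(MD + "IDPSSODescriptor"):
        for kd in idp.iter(MD + "KeyDescriptor"):
            if kd.get("use", "signing") != "signing":
                continue  # skip encryption-only keys
            for cert in kd.iter(DS + "X509Certificate"):
                b64 = "".join((cert.text or "").split())
                found.add(thumbprint(base64.b64decode(b64)))
    return found

def check_consistency(cer_text, metadata_xml, portal_thumbprint):
    """Return a list of mismatches; an empty list means all three agree."""
    cer_tp = thumbprint(pem_to_der(cer_text))
    portal_tp = portal_thumbprint.replace(":", "").replace(" ", "").upper()
    problems = []
    if cer_tp != portal_tp:
        problems.append("certificate file does not match the portal thumbprint")
    if cer_tp not in metadata_signing_thumbprints(metadata_xml):
        problems.append("certificate file is not a signing cert in the metadata")
    return problems

# Constructed sample input: placeholder bytes stand in for a DER certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_CER = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD[1:-1]}" entityID="https://idp.example.invalid/">
 <IDPSSODescriptor><KeyDescriptor use="signing"><KeyInfo xmlns="{DS[1:-1]}">
  <X509Data><X509Certificate>{SAMPLE_B64}</X509Certificate></X509Data>
 </KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor>"""

if __name__ == "__main__":
    print(check_consistency(SAMPLE_CER, SAMPLE_METADATA, thumbprint(SAMPLE_DER)))
```

To use it on real files, pass the text of the downloaded .cer and .xml files and the Thumbprint string copied from the Azure portal in place of the sample values.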

Note

It is up to you whether you want to go for Automatic or Disabled SSO.

If you are not sure, we would recommend Disabled mode, and specifying a Login Button Text. This can be any text you desire; in this example I will use Azure Login. This can be changed later.

When all the data is populated in the Deskpro Application, press "Install App".

Configuring the Azure SAML SSO

After the SAML app completes loading, it will give a "SAML Authentication has been installed successfully." message. Press Continue.

  1. Similar to the previous step, we need to grab some configuration data from Deskpro and input this back into the Azure SAML App.

| Deskpro | Azure | Required |
|---|---|---|
| Metadata URL (Entity ID) | Identifier (Entity ID) | Yes |
| Consumer Service URL (ACS) | Reply URL (Assertion Consumer Service URL) | Yes |
| Single Logout Service URL (SLS) | Logout Url | No |
| Your Deskpro Homepage | Sign on URL | No |

  2. Press the Pencil icon to modify your basic configuration.

  3. Press Save after filling out the required details.

Managing Azure group policies

You must allow your users to make use of this application by setting correct user/group policies. Otherwise you may hit an error like so:

AADSTS50105: The signed in user 'demouser01@deskprotest.onmicrosoft.com' is not assigned to a role for the application '36ec2a82-1328-4549-84d5-e84567649900'(Deskpro SAML Login).

You are able to add permissions for any group of users, and specific users, to the new Azure app you have created. You will need to navigate to "Users and Groups" and press Add User.

Navigate through your account to find the staff you would like to associate with the app. You may want to allow different groups, which is certainly possible. Here we have a Support Staff group.

Any users in that group will now be allowed access to the system.

Published: 08/08/2019

Last updated: 12/11/2019