
Enterprise Authentication: Adding the Azure AD Enterprise App

Introduction

This is a guide to create an Enterprise Application in your Azure AD to allow Single Sign On (SSO) for Resimion. Resimion uses AWS Cognito and federates using SAML to allow this integration to occur, and your users will be constrained to a separate user pool.

The process of enabling SSO for Resimion is as follows:

  1. You request that SSO be enabled via Resimion Support.
  2. You create the Enterprise App in your Azure AD.
  3. Resimion changes its configuration and asks you to test that the integration works with one of your accounts.
  4. Resimion switches your users to SSO transparently.

Step 1: Requesting SSO is enabled

To do this, send an email with your Azure AD domain name (e.g. force.police.uk or university.ac.uk) to hello@resimion.com. You must have a site license and an active agreement with us to have SSO enabled.

IMPORTANT: Resimion will then provide you with an Entity ID and Reply URL, which you will need during Step 2. Do not perform Step 2 until you have these details.

Step 2: Creating the Enterprise App for Resimion

To add a new application in Azure AD:

  1. Log in to the Azure Portal.
  2. In the Azure Services section, choose Azure Active Directory.
  3. In the left sidebar, choose Enterprise applications.
  4. Choose New application.
  5. On the Browse Azure AD Gallery page, choose Create your own application.
  6. Under What’s the name of your app?, enter the name ‘Resimion’ for your application and select Integrate any other application you don’t find in the gallery (Non-gallery). Choose Create.
     

It will take a few seconds for the application to be created in Azure AD, after which you should be redirected to the Overview page for the newly added application.

Note: Occasionally, this step can result in a Not Found error due to an Azure Portal bug, even though Azure AD has successfully created a new application. If that happens, in Azure AD navigate back to Enterprise applications and search for Resimion by name.

Set up Single Sign-on using SAML

  1. On the Getting started page, in the Set up single sign on tile, choose Get started, as shown in Figure 3.
  2. On the next screen, select SAML.
  3. In the middle pane under Set up Single Sign-On with SAML, in the Basic SAML Configuration section, choose the edit icon.
  4. In the right pane under Basic SAML Configuration, replace the default Identifier (Entity ID) with the Identifier (Entity ID) provided by Resimion in Step 1. In the Reply URL (Assertion Consumer Service URL) field, enter the Reply URL provided by Resimion in Step 1. Choose Save.

(Note: this will look similar to the screenshot below, with your own Entity ID and Reply URL from Step 1.)

  5. In the middle pane under Set up Single Sign-On with SAML, in the User Attributes & Claims section, choose Edit.
  6. Choose Add a group claim.
  7. On the User Attributes & Claims page, in the right pane under Group Claims, select Groups assigned to the application and leave Source attribute as Group ID, as shown above. Choose Save.
  8. Take a screenshot of the Claim names under Additional claims, as shown above, and send it to Resimion.
  9. Close the User Attributes & Claims screen by choosing the X in the top right corner. You’ll be redirected to the Set up Single Sign-on with SAML page.
  10. Scroll down to the SAML Signing Certificate section, copy the App Federation Metadata Url by choosing the copy to clipboard icon, and send it to Resimion.

Lastly, assign users to be able to use the application. If you have a site license, typically this is everyone.

  • Click ‘Users and Groups’ under the Resimion Enterprise Application on the left-hand side.
  • Click ‘Add User/Group’ and add groups such as ‘All Staff’ and ‘All Students’.

The process of setting up the Enterprise App is then complete, and Resimion will carry out the next step.

Please send to hello@resimion.com:

  • The screenshot from Step 8 above
  • The App Federation Metadata URL from Step 10 above

We can then complete setup and, once it is complete, will ask you to test the integration with one of your user accounts.