This article describes setting up single sign-on (SSO) with Microsoft Azure. This feature must be enabled in your account by a MetaLocator support technician in order to function as shown in this article.

Step 1. Configure Azure

Log in to Azure and create a new Enterprise Application.

Choose "Create your own"

Specify the name as follows and click Create.

Click Set up single sign on, then SAML

Edit the Basic SAML Configuration

Identifier (Entity ID): metalocator-saml

Sign on URL

https://admin.metalocator.com/plugins/user/oneloginsaml/oneloginsaml.php?sso=&id=XXXXX

Where XXXXX is your primary account owner's User ID, as shown in the MetaLocator account below:

Reply URL (Assertion Consumer Service URL)

https://admin.metalocator.com/plugins/user/oneloginsaml/oneloginsaml.php?acs=&id=XXXXX

Logout URL (Single Logout Service URL)

https://admin.metalocator.com/plugins/user/oneloginsaml/oneloginsaml.php?sls=&id=XXXXX

Step 2. Configure the MetaLocator Account

Log in as the Account Owner and go to My User Profile.

Scroll down and expand Show Advanced Options, then update the following options according to your Azure settings.

onelogin_saml_idp_entityid Set this to the "Azure AD Identifier" provided in Azure as shown below.

onelogin_saml_idp_sso Set this to the "Login URL" provided in Azure as shown below.

onelogin_saml_idp_x509cert Set this to the PEM-formatted SAML Signing Certificate as shown below.

onelogin_saml_attr_mapping_mail Set this to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

onelogin_saml_idp_domain Set this to the domain associated with your email address, e.g. customer.com. This lets the anonymous SSO link on our login form determine, from the email address a user enters, which identity provider to invoke.

Ensure the target user has access to the Enterprise Application under Users & Groups.

Under Single sign on, click Test Application.

You should see a successful test result. The browser should also open a new tab with MetaLocator signed in as the requested user.
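Before running the Azure test, the values pasted into the profile settings above can be sanity-checked offline. The script below is an added example, not MetaLocator's or Microsoft's own code; the setting names and URL patterns are those from this article, while the tenant ID and certificate body in the sample values are constructed placeholders.

```python
import re
from urllib.parse import urlparse

SP_BASE = "https://admin.metalocator.com/plugins/user/oneloginsaml/oneloginsaml.php"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def sp_urls(user_id):
    """Sign-on (sso), Reply/ACS (acs) and Logout/SLS (sls) URLs for the owner's User ID."""
    if not re.fullmatch(r"\d+", str(user_id)):
        raise ValueError("User ID must be numeric")
    return {k: f"{SP_BASE}?{k}=&id={user_id}" for k in ("sso", "acs", "sls")}

def idp_domain_from_email(email):
    """Bare lowercase domain for onelogin_saml_idp_domain, e.g. customer.com."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or "." not in domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain

def is_pem_cert(text):
    """True if text is one PEM-armoured certificate with a base64 body."""
    body = text.strip()
    if not (body.startswith(PEM_BEGIN) and body.endswith(PEM_END)):
        return False
    inner = body[len(PEM_BEGIN):-len(PEM_END)]
    return re.fullmatch(r"[A-Za-z0-9+/=\s]+", inner) is not None

def check_settings(s):
    """Return a list of problems with the pasted values; an empty list means they look consistent."""
    problems = []
    if not s.get("onelogin_saml_idp_entityid", "").strip():
        problems.append("idp_entityid is empty; copy the Azure AD Identifier")
    sso = urlparse(s.get("onelogin_saml_idp_sso", ""))
    if sso.scheme != "https" or not sso.netloc:
        problems.append("idp_sso must be the https Login URL from Azure")
    if not is_pem_cert(s.get("onelogin_saml_idp_x509cert", "")):
        problems.append("idp_x509cert is not PEM formatted (BEGIN/END CERTIFICATE lines)")
    if s.get("onelogin_saml_attr_mapping_mail") != EMAIL_CLAIM:
        problems.append("attr_mapping_mail must be the emailaddress claim URI")
    domain = s.get("onelogin_saml_idp_domain", "")
    if "@" in domain or domain != domain.lower() or "." not in domain:
        problems.append("idp_domain must be a bare lowercase domain such as customer.com")
    return problems

# Constructed sample values: the tenant ID is a placeholder and the certificate body is not real.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_SETTINGS = {
    "onelogin_saml_idp_entityid": f"https://sts.windows.net/{TENANT}/",
    "onelogin_saml_idp_sso": f"https://login.microsoftonline.com/{TENANT}/saml2",
    "onelogin_saml_idp_x509cert": f"{PEM_BEGIN}\nMIIC0DCCAbigAwIBAgIQ\n{PEM_END}\n",
    "onelogin_saml_attr_mapping_mail": EMAIL_CLAIM,
    "onelogin_saml_idp_domain": idp_domain_from_email("owner@customer.com"),
}
```

Run `check_settings(SAMPLE_SETTINGS)` with your own values substituted; any string it returns names the setting to correct before clicking Test Application.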

New Users

Users will be created on the fly based on the email address coming from Azure. The accounts will be created as "blocked" accounts with no access to any MetaLocator features. The requesting user will receive an email notification that their account is pending review and the account owner will receive an email notification that an account is pending review as shown below:

Click the link provided and login as the account owner. Click the username to edit the user. Choose an appropriate user type:

Click Save, then enable the user as shown below. This triggers an email notification to the new SSO user indicating that their login has been enabled.

The email notification is shown below.

When the user logs in, they will now see the resources available to them, based on the type of user chosen above.
