Roles

These are the roles that are needed:

  • Admin

Microsoft Entra ID

Microsoft Entra ID (Formerly known as Azure Active Directory) is a directory service provided as part of Microsoft Azure cloud.

Azure Configuration

You need to start by setting up an Enterprise Application in Microsoft Entra ID. To do this, log into https://portal.azure.com and select Microsoft Entra ID -> Enterprise Applications.

Enterprise App List

Add a new application and select Create your own application. This will open a popup where you should enter a suitable name for your application and select the option to create a Non-Gallery application.

Add Enterprise App

Assign the users you want to grant access to iconik. This allows you to control which users in your directory have access to iconik.

Assign Users

After this, go back to the overview page and select 2. Set up single sign on.

Set up single sign on

Select SAML as the sign-on method.

Select SAML

This brings you to a screen labeled Set up Single Sign-On with SAML. You must first enter some required dummy values into Section 1 before you can proceed. Click on the Edit button for Section 1.

Empty SAML Configuration Form

This brings up the Basic SAML Configuration form. Enter a dummy URL into the values for Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL). The actual values do not matter as long as Azure accepts them. We will go back and edit these fields later on.

Basic SAML Configuration Dummy Values

Save and close the form and go back to the Set up Single Sign-On with SAML page.

In section 3, download the Federation Metadata XML which will be used to create the configuration on the iconik side.

Download Federation Metadata XML

iconik configuration

Now, switch to another tab in your browser and log into iconik.

Go to Admin -> Settings -> Identity Providers and select NEW IDENTITY PROVIDER.

Identity Provider List

This will open a popup where you can upload the XML downloaded in the previous step. This will automatically configure iconik with the correct settings for Microsoft Entra ID. You can change the name of the Identity Provider but leave the other settings as they are.

Add Identity Provider Popup

Finalize the creation and then open the settings for the newly created Identity Provider. On the left-hand side of the screen you will see a list of URLs. These will be used to configure the Microsoft Entra ID side of the integration.

Autoconfigured Identity Provider Settings

Azure SAML Configuration

Now switch back to the Azure tab and go back to the Set up Single Sign-On with SAML page if you have navigated away from it.

Azure SAML settings

Open section 1 Basic SAML Configuration again. You will have to copy the settings from iconik into Azure. On the iconik Identity Provider Settings page, you can copy each value by clicking the small copy icon next to the URL text.

  • Copy the Entity ID URL from iconik into the field labeled Identifier (Entity ID) in Azure.
  • Copy the Assertion Consumer Service URL from iconik into the field labeled Reply URL (Assertion Consumer Service URL) in Azure.
  • Copy the Logon URL from iconik into the field labeled Sign on URL in Azure.
  • Copy the Single Logout Service URL from iconik into the field labeled Logout Url in Azure (this is optional and only required if you want iconik to log the user out from Microsoft Entra ID when they log out from iconik).

Finally, save the settings.

Azure SAML settings

Next, open section 2 User Attributes & Claims. In this section you need to change the attribute Azure sends as the Unique User Identifier. By default, this is a generated identifier but iconik expects an email address as the identifier. Change the value for Unique User Identifier (Name ID) to user.mail. The other settings can remain set to their defaults.

Azure Attributes and Claims

If groups are included in the listed claims then iconik will add the user to any groups provided which already exist in iconik. If a user was added to a group from Azure of which they are no longer a member, they will also be removed from the group in iconik when they log in. If groups are synced to Microsoft Entra ID from an on-premises Active Directory then you can set the group Source Attribute to sAMAccountName. This makes Azure send the group name rather than the group identifier, which Microsoft Entra ID sends by default. If the group is a Cloud group in Azure then the option to send sAMAccountName does not exist and groups cannot be sent via SAML.

Azure Group Claims
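The two settings above (NameID set to user.mail, and the group claim) both land in the SAML assertion that Azure posts to iconik. The following is an added example, not code from the iconik documentation or product: it reads the NameID and the group values out of a constructed, unsigned sample Response, checks that the NameID is an e-mail address rather than Azure's default generated identifier, and illustrates the group rule described above (add only groups that already exist in iconik, remove groups an earlier Azure login granted that are no longer claimed). The group claim name is the standard Entra ID one; reconcile_groups is an illustration of the rule, not iconik's own implementation.

```python
# Added example, not part of the iconik documentation: read the NameID and the
# group claim out of a SAML Response, check that the NameID is the e-mail
# address the page says iconik expects (user.mail) rather than Azure's default
# generated identifier, and work out group changes following the rule the
# page describes. SAMPLE_RESPONSE is a constructed, unsigned sample; the group
# claim name is the standard Entra ID one. reconcile_groups illustrates the
# rule and is not iconik's code.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0">
  <saml:Assertion ID="_constructed-2" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>editors</saml:AttributeValue>
        <saml:AttributeValue>reviewers</saml:AttributeValue>
        <saml:AttributeValue>marketing</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract_identity(xml_text, groups_claim=GROUPS_CLAIM):
    """Return (name_id, name_id_format, groups) from a SAML Response."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    groups = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == groups_claim:
            groups.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return name_id.text.strip(), name_id.get("Format", ""), groups


def looks_like_email(value):
    """Cheap shape check: exactly one '@', non-empty local part, domain with a dot."""
    local, sep, domain = value.partition("@")
    return bool(sep and local and "." in domain and "@" not in domain)


def reconcile_groups(claimed, iconik_groups, current_memberships, azure_granted):
    """Apply the group rule and return (add, remove, ignored) as sorted lists.

    claimed:             group names in the assertion
    iconik_groups:       groups that exist in iconik
    current_memberships: groups the user is in right now
    azure_granted:       groups the user received through an earlier Azure login
    """
    claimed = set(claimed)
    iconik_groups = set(iconik_groups)
    current_memberships = set(current_memberships)
    azure_granted = set(azure_granted)
    add = sorted((claimed & iconik_groups) - current_memberships)
    remove = sorted(azure_granted - claimed)   # dropped in Azure -> dropped in iconik
    ignored = sorted(claimed - iconik_groups)   # claimed but never created in iconik
    return add, remove, ignored


if __name__ == "__main__":
    nid, fmt, groups = extract_identity(SAMPLE_RESPONSE)
    if not looks_like_email(nid):
        print(f"NameID {nid!r} is not an e-mail address; check the Name ID source attribute (user.mail)")
    print(nid, fmt, groups)
    print(reconcile_groups(groups, {"editors", "reviewers", "admins"},
                           {"reviewers", "legacy"}, {"reviewers", "legacy"}))
```

Two things the sample deliberately leaves out matter in a real deployment: the NameID and group values are only meaningful after the Response or Assertion signature has been verified against the signing certificate from the Federation Metadata XML, and group names are only as trustworthy as the source attribute chosen in Azure (sAMAccountName for synced groups, as described above). The ignored list is a useful thing to log, since a group claimed by Azure that does not exist in iconik is usually a naming mismatch rather than a missing user.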

You should now be able to test the Azure Login at the bottom of the Set up Single Sign-On with SAML page.

Test Azure Login

You should now be logged into iconik.

iconik login
