-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
migrating tutorial mdx from mintlify
- Loading branch information
1 parent
0decdbb
commit d42ca9d
Showing
6 changed files
with
670 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,124 @@ | ||
| --- | ||
| title: 'SSO with Entra' | ||
| description: 'How to set up SSOReady connections with Entra (formerly Azure Active Directory)' | ||
| --- | ||
|
|
||
| {/* ==================================================== */} | ||
| {/* Entra */} | ||
| {/* ==================================================== */} | ||
|
|
||
|
|
||
|
|
||
| Entra -- formerly Azure Active Directory -- ranks among the more common IDPs. Like many Microsoft products, it can appear complicated. Hopefully it feels a little bit easier with this guide. | ||
|
|
||
| <Steps> | ||
| ### Create an application in Entra | ||
|
|
||
| Entra needs to associate a SAML connection with an *Application*, so our first step will require us to create an application. From any page in Entra, we can find *Applications* > *Enterprise applications* in the left navigation bar. We'll want to click here to navigate to the next page. | ||
|
|
||
| <Frame caption="In the left sidebar, navigate to Applications > Enterprise applications"> | ||
| <img src="/docs/assets/idp-assets/entra/entra1.png" /> | ||
| </Frame> | ||
|
|
||
| We'll reach a page that says **Enterprise applications** in bold typeface. We simply need to press the *New application* button right under this header. | ||
|
|
||
| <Frame caption="Select 'New application'"> | ||
| <img src="/docs/assets/idp-assets/entra/entra2.png" /> | ||
| </Frame> | ||
|
|
||
| On the next page, we'll see a header: **Browse Microsoft Entra Gallery.** We'll also see a few prominent cards with major cloud providers. Ignore all this; we won't use the gallery. Simply click *Create your own application*, which triggers a slideover from the right. | ||
|
|
||
| <Frame caption="Select 'Create your own application'"> | ||
| <img src="/docs/assets/idp-assets/entra/entra3.png" /> | ||
| </Frame> | ||
|
|
||
| Entra requires a display name for the application. The name we choose doesn't matter much. In most cases, you'll want your product's name to go here. | ||
| <Info>As we type a display name for the application, Entra will try to find matching apps from the Entra Gallery and suggest them as alternatives. In most cases, we should ignore this.</Info> | ||
| <Frame caption="Assign a display name to the Entra application"> | ||
| <img src="/docs/assets/idp-assets/entra/entra4.png" /> | ||
| </Frame> | ||
|
|
||
| Under the display name, Entra offers three radio button options. We want to select the last one, which reads *Integrate any other application you don't find in the gallery (Non-gallery)*. | ||
|
|
||
| <Frame caption="Tell Entra we're creating a non-gallery application"> | ||
| <img src="/docs/assets/idp-assets/entra/entra5.png" /> | ||
| </Frame> | ||
|
|
||
| Then we hit *Create* in the lower left of the slideover, and we're free to configure our Application. | ||
|
|
||
| <Frame caption="Create the application"> | ||
| <img src="/docs/assets/idp-assets/entra/entra5b.png" /> | ||
| </Frame> | ||
|
|
||
| Entra may require a few seconds to create the Application. Once it has finished, you will land on a page detailing the application we've just created. | ||
|
|
||
|
|
||
| <Frame caption="When you see this page, you have created your Entra Application"> | ||
| <img src="/docs/assets/idp-assets/entra/entra5c.png" /> | ||
| </Frame> | ||
|
|
||
| For now, we'll skip assigning users to your Application, but an Entra admin will need to assign them before long. | ||
|
|
||
| <Warning>Users cannot sign in until assigned to your Application by an Entra admin.</Warning> | ||
|
|
||
|
|
||
|
|
||
| ### Configure SAML Connection | Enter SSOReady details in Entra | ||
|
|
||
| Now that we have a SAML Connection created in SSOReady and an Application in Entra, we can configure each of them to communicate with the other. We'll start by entering details about our SSOReady SAML Connection into our Entra Application. Select the *Set up single sign on* card. | ||
|
|
||
| <Frame caption="Choose to set up single sign-on"> | ||
| <img src="/docs/assets/idp-assets/entra/entra6.png" /> | ||
| </Frame> | ||
|
|
||
| Entra will then present a few options. We need to select the *SAML* card marked with a puzzle piece icon. | ||
|
|
||
| <Frame caption="Select SAML as the single sign-on method"> | ||
| <img src="/docs/assets/idp-assets/entra/entra6b.png" /> | ||
| </Frame> | ||
|
|
||
| Entra will route us to its *SAML-based Sign-on* configuration page, where we'll direct our attention first to the *Basic SAML Configuration* card. It has two required values. SSOReady supplies both. | ||
|
|
||
| Click the *Edit* button in the top right corner of the *Basic SAML Configuration* card; we'll see a slideover triggered on the right. | ||
|
|
||
| <Frame caption="Select SAML as the single sign-on method"> | ||
| <img src="/docs/assets/idp-assets/entra/entra7.png" /> | ||
| </Frame> | ||
|
|
||
| In the slideover, Entra requires us to enter two values: an *Identifier (Entity ID)* and a *Reply URL (Assertion Consumer Service URL)*. | ||
|
|
||
| 1. Let's start with the *Identifier (Entity ID)* field. In SSOReady, we call this the *SP Entity ID*, which you can find by navigating to your SAML Connection in the SSOReady app. Paste the URL from SSOReady into Entra. | ||
|
|
||
| 2. Next we'll do the *Reply URL (Assertion Consumer Service URL)* field. In SSOReady, we call this the *Assertion Consumer Service (ACS) URL*. It should look just like the *SP Entity ID* field, only it ends with `/acs`. Paste the URL from SSOReady into Entra. | ||
| <Frame caption="Enter details from SSOReady into Entra"> | ||
| <img src="/docs/assets/idp-assets/entra/entra8.png" /> | ||
| </Frame> | ||
|
|
||
| Make sure to hit *Save* toward the top of the page. | ||
|
|
||
| <Frame caption="Save changes"> | ||
| <img src="/docs/assets/idp-assets/entra/entra9.png" /> | ||
| </Frame> | ||
|
|
||
| Once we've completed this step, Entra knows everything it needs about the SSOReady Connection. Next, we need to supply the SSOReady app with information about Entra. | ||
|
|
||
|
|
||
| ### Configure SAML Connection | Enter Entra details in SSOReady | ||
|
|
||
| Having set up Entra with information about SSOReady, we then supply SSOReady with information about the Entra Application. SSOReady needs three pieces of information from the Entra Application: an *IDP Entity ID*, a *Redirect URL*, and a *Certificate*. | ||
|
|
||
| For convenience, we'll actually start with the last of these, the *Certificate*. In Entra, you'll find this on the third card, closer to the bottom of the page. Next to the *Certificate (Base64)* heading, Entra shows a blue download link. Click this link. It will download a file named for your application. For example, if we've named the application `new_application`, Entra will share a `new_application.cer` file. Upload this file to SSOReady on the page detailing the SAML Connection. | ||
|
|
||
| <Frame caption="Download the Certificate (Base64) from Entra and upload it to SSOReady"> | ||
| <img src="/docs/assets/idp-assets/entra/entra10.png" /> | ||
| </Frame> | ||
|
|
||
| For the final two pieces of information, we'll need to scroll down to the fourth card. Copy the *Microsoft Entra Identifier* field from Entra and paste it into SSOReady's *IDP Entity ID* field. Then copy the *Login URL* field from Entra and paste it into SSOReady's *Redirect URL* field. | ||
| <Frame caption="Save changes"> | ||
| <img src="/docs/assets/idp-assets/entra/entra11.png" /> | ||
| </Frame> | ||
|
|
||
|
|
||
| </Steps> | ||
|
|
||
| Once you've entered that data in SSOReady, you're finished with Entra configuration! |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
| --- | ||
| title: 'SSO with Google Identity' | ||
| description: 'How to set up SSOReady connections with Google Identity' | ||
| --- | ||
|
|
||
| {/* ==================================================== */} | ||
| {/* Google */} | ||
| {/* ==================================================== */} | ||
|
|
||
| Some companies will use Google Identity for SAML single sign-on. Please note that SAML single sign-on via Google Identity differs from "Sign in with Google," which uses the [OAuth protocol](https://datatracker.ietf.org/doc/html/rfc6749). If you want to offer your customers "Sign in with Google" functionality, you may wish to consult [Google's documentation](https://datatracker.ietf.org/doc/html/rfc6749) or use another authentication vendor. | ||
|
|
||
| <Warning>Before proceeding, please confirm that you indeed need SAML single sign-on via Google.</Warning> | ||
|
|
||
| As a first step, we will need a Google Workspace administrator to create an *App*. | ||
|
|
||
| <Steps> | ||
| ### Creating a custom SAML app in Google Identity | ||
|
|
||
| Starting from the Google Workspace admin page, i.e. [admin.google.com](admin.google.com), we'll need to navigate to *Apps* > *Web and mobile apps* in the left navigation bar. This link will send us to a new page. | ||
|
|
||
| <Frame caption="Selecting Apps > Web and mobile apps in the Google Workspace admin console"> | ||
| <img src="/docs/assets/idp-assets/google/google0.png" /> | ||
| </Frame> | ||
|
|
||
| We'll land on a page with the header *Apps* > *Web and mobile apps*. Right under the header, we'll see a few tabs. We want to click *Add app* > *Add custom SAML app*. This link will send us to another new page. | ||
|
|
||
| <Frame caption="Navigating to Add app > Add custom SAML app"> | ||
| <img src="/docs/assets/idp-assets/google/google1.png" /> | ||
| </Frame> | ||
|
|
||
| We'll land on a page with a large blue header reading *Add custom SAML app*. This page requires us to assign the application an *App name*. The *App name* matters solely for display purposes, so you'll typically want the *App name* to match your product's name. | ||
|
|
||
| After typing the *App name*, we'll hit the blue *CONTINUE* button in the lower right. | ||
|
|
||
| <Frame caption="Naming the application after your product"> | ||
| <img src="/docs/assets/idp-assets/google/google2.png" /> | ||
| </Frame> | ||
|
|
||
|
|
||
| ### Configure SAML Connection | Enter Google details in SSOReady | ||
| Clicking *CONTINUE* in the previous step will direct us to a new page, again with the same blue header. | ||
|
|
||
| <Info>The previous page enumerated a few steps directly below its header. It's totally normal for those to have disappeared. We're likely still on the right track. Scroll up on this page to display the steps again. </Info> | ||
|
|
||
| Here, we'll find a few important details about the new Google Identity app that SSOReady needs to know about. We'll copy each of these from Google into SSOReady. | ||
|
|
||
| First, let's scroll down to the field marked *SSO URL*. SSOReady calls this the *Redirect URL* on the *Identity Provider Configuration* card for your SAML Connection. Copy this URL from Google and paste it into the SSOReady web application. | ||
|
|
||
| <Frame caption="Copying Google's 'SSO URL' and pasting into SSOReady as the 'Redirect URL'"> | ||
| <img src="/docs/assets/idp-assets/google/google3.png" /> | ||
| </Frame> | ||
|
|
||
| From here, we'll direct our attention to Google's *Entity ID* field. It sits directly under the *SSO URL* from the previous step. | ||
|
|
||
| Copy this *Entity ID* URL and paste it into SSOReady as the *IDP Entity ID*. You'll find the input field for the *IDP Entity ID* adjacent to the *Redirect URL* input field from the previous step. | ||
|
|
||
| <Frame caption="Copying Google's 'Entity ID' and pasting into SSOReady as the 'IDP Entity ID'"> | ||
| <img src="/docs/assets/idp-assets/google/google3b.png" /> | ||
| </Frame> | ||
|
|
||
| We need just one more detail from Google. | ||
|
|
||
| Navigate to the next field marked *Certificate*. Then, toward the top right corner of this *Certificate* field, we'll see a download icon. We want to press the download icon; doing so downloads a `.pem` file. Its name will match the header you see here, something starting with `Google` and ending in `SAML2_0`. | ||
|
|
||
| We need to upload this `.pem` file to SSOReady as the *Certificate* in SSOReady's web application. | ||
|
|
||
| <Frame caption="Downloading a .pem certificate from Google and uploading it to SSOReady"> | ||
| <img src="/docs/assets/idp-assets/google/google3b-1.png" /> | ||
| </Frame> | ||
|
|
||
| Once we're done with this step, SSOReady has all the information it needs. Now we simply need to supply Google with the relevant information about SSOReady. | ||
|
|
||
| A blue *CONTINUE* button sits toward the bottom right of the page. It may not be visible until you scroll down. Press this *CONTINUE* button. | ||
|
|
||
|
|
||
| ### Configure SAML Connection | Enter SSOReady details in Google | ||
|
|
||
| Once SSOReady knows about the Google app we've created, we need to tell Google about SSOReady. Google needs two pieces of information. | ||
|
|
||
| First, Google asks for an *ACS URL*. In SSOReady, we call this an *Assertion Consumer Service (ACS) URL*. You'll find it on the *Service Provider Configuration* card for your SAML Connection. It ends in `/acs`. | ||
|
|
||
| Copy this *Assertion Consumer Service (ACS) URL* and paste it into Google's *ACS URL* input field. | ||
|
|
||
| <Frame caption="SSOReady's 'Assertion Consumer Service (ACS) URL' equates to Google's 'ACS URL'"> | ||
| <img src="/docs/assets/idp-assets/google/google4.png" /> | ||
| </Frame> | ||
|
|
||
| We'll walk through a similar pattern for an additional set of fields. | ||
|
|
||
| Directly below its *ACS URL* field, Google asks for an *Entity ID*. In SSOReady, we call this the *SP Entity ID*. You'll find this URL right next to the *Assertion Consumer Service (ACS) URL* in SSOReady's web application. As it turns out, the *SP Entity ID* looks exactly like the *Assertion Consumer Service (ACS) URL*, only it lacks the `/acs` ending. | ||
|
|
||
| Copy the *SP Entity ID* from SSOReady and enter it as the *Entity ID* in Google. | ||
|
|
||
| <Frame caption="SSOReady's 'SP Entity ID' equates to Google's 'Entity ID'"> | ||
| <img src="/docs/assets/idp-assets/google/google4b.png" /> | ||
| </Frame> | ||
|
|
||
| Click the blue *CONTINUE* button in the lower right corner. | ||
|
|
||
| <Frame caption="Press 'CONTINUE' to complete the SAML app configuration"> | ||
| <img src="/docs/assets/idp-assets/google/google5.png" /> | ||
| </Frame> | ||
|
|
||
| Once we've completed this step, we're done! You now have your product hooked up to your customer's Google Identity instance. | ||
|
|
||
| Please note that your users can not successfully log in until your customer's Google Identity administrator assigns them to the application we created. This, however, requires no input from you. | ||
|
|
||
| </Steps> |
Oops, something went wrong.