- Azure Premium subscription.
- Global administrator privileges on the Azure portal.
Step 1: Add Amplify as an Enterprise Application
The first step is to add Amplify as an Enterprise application so that Single Sign-On can be set up. If this has already been done, move to step 2.
- On the Azure portal, click on Azure Active Directory in the left pane. If it has not been favourited, use the All Services option to search for it.
- Click on All Applications, then New Application. In the Add your own app section, click on the 'Non-gallery application' tile.
- Type in the name of the app in the Name text box, and click on Save.
Adding a new non-gallery application
Step 2: Configure Single Sign On for Amplify on Azure
On successful creation of the application, Azure will redirect to the application settings page. Click on Single Sign-On on the application's pane. This will bring up the settings with four different sections.
Section 1 - Basic SAML configuration
- Set Identifier (Entity ID) as the Amplify instance URL.
- Set 'Reply URL (Assertion Consumer Service URL)' to be 'users/saml/auth' appended to the Amplify instance URL.
Screenshot showing the basic settings of Single Sign On
Note: Replace your-instance with the actual instance name.
Section 2 - User attributes and claims
Set the 'Name identifier value' to something that will uniquely identify a user. In most cases, user.mail would work.
Amplify requires the user email and user name attributes. To set these up, click the edit icon in the User attributes and claims section.
- Click on Add Claim, and add the 'email' attribute as shown in the screenshot. It is mandatory that 'email' should be all lowercase.
- In most cases, the 'userprincipalname' is the email. In some cases, it might just be 'user.mail'. Please verify which source attribute holds the user email before setting this up.
- Namespace should be blank.
Screenshot of creating the 'email' attribute.
- Click on Add Claim again, and add the 'name' attribute as shown in the screenshot. Just as with the 'email' attribute, it is compulsory that 'name' should be all lowercase.
- Set up the name attribute in the format 'FirstName LastName' (e.g. 'Michael Bluth').
- Namespace should be blank.
- Separator is one blank space.
Creating the 'name' attribute in the format 'FirstName LastName'
Section 2 after the email and name attributes have been set up.
If the attributes are set up correctly, without namespaces and with the attribute names in all lowercase, the attributes in the SAML response from Azure look something like this.
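As an added check (example code, not part of this guide or the Amplify team's tooling), the following parses a SAML Response and flags the misconfigurations this section warns about: a Reply URL that does not match the instance URL plus 'users/saml/auth', a missing NameID, and 'email' or 'name' claims that are wrongly cased, namespaced or empty. The sample response, the instance URL and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
REQUIRED_ATTRS = ("email", "name")

# Constructed sample of the response Azure AD sends once the Section 2 claims are
# set up correctly: attribute names all lowercase, no namespace, NameID = user.mail.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://your-instance.example/users/saml/auth">
 <saml:Assertion><saml:Subject><saml:NameID>michael.bluth@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>michael.bluth@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="name"><saml:AttributeValue>Michael Bluth</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""


def check_response(xml_text, instance_url):
    """Return a list of configuration problems found in a SAML Response (empty = OK).

    Covers the points the guide calls out: the Reply/ACS URL, a NameID, and the
    'email' and 'name' attributes with no namespace and all-lowercase names.
    Signature and audience validation are the SP library's job and are not done here.
    """
    problems = []
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted input
    expected_acs = instance_url.rstrip("/") + "/users/saml/auth"
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination {root.get('Destination')!r} != {expected_acs!r}")
    name_id = root.find(f".//{{{SAML2}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID (set 'Name identifier value', e.g. user.mail)")
    # Map attribute Name -> first value; Azure emits namespaced claims as a URL-style Name
    attrs = {a.get("Name"): next((v.text for v in a.iter(f"{{{SAML2}}}AttributeValue")), None)
             for a in root.iter(f"{{{SAML2}}}Attribute")}
    for want in REQUIRED_ATTRS:
        if want in attrs:
            if not (attrs[want] or "").strip():
                problems.append(f"attribute {want!r} has an empty value")
            continue
        # Diagnose the two common mistakes: wrong case or a namespace left in place
        near = [n for n in attrs if n and n.lower().rsplit("/", 1)[-1] == want]
        hint = f" (found {near[0]!r} instead: check case/namespace)" if near else ""
        problems.append(f"missing attribute {want!r}{hint}")
    name = attrs.get("name") or ""
    if "name" in attrs and name.strip() and len(name.split()) < 2:
        problems.append("'name' should be 'FirstName LastName' separated by one space")
    return problems
```

Run `check_response` against a response captured from a browser SAML trace (after the IdP signature has been verified) to confirm the claims before handing the details to the Amplify team.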
Section 3 - SAML Signing certificate
Click on the Download link next to the 'Federation Metadata XML'. You can use this to configure SSO on the Amplify app.
SAML certificate download section
Section 4 - Set up Amplify
This section has the login, logout and the Azure AD Identifier URLs. These URLs can be used to configure SSO on Amplify.
Set up Amplify section
Step 3: Add Users to AD
Now that SSO has been successfully configured on Azure, the next step is to add users to the AD group. The users in this group will then have access to Amplify.
From the application's pane, click on Users and Groups (just above the Single Sign-On option).
- Click on Add User to add a user. Search for and add the user. Select a role for the user.
- Repeat the process until all users who will have Amplify access have been added.
Step 4: Configure Amplify to work with Azure SSO
After setting up SSO on Azure, contact the Amplify team to finalise the settings on the application. From section 3 and section 4 in step 2, please provide the following details:
- Login URL
- Logout URL
- Azure AD Identifier
- Signing certificate
After updating Amplify with these settings, users should be able to log in to Amplify via Single Sign-On.