Single sign on with Microsoft 365
To configure Altamira HRM for single sign on with Microsoft 365 do the following:
1. Claim your custom domain name
See Claiming your custom domain name
2. Create an Enterprise Application in Microsoft 365
- Log on to the Azure portal and select Azure Active Directory from the Azure Services
- Click on Enterprise Applications\New application
- Select Non-gallery application and enter the display name, usually Altamira HRM, and click Add
- From the newly created application click on Single sign-on and then SAML
- From the SAML Signing Certificate box, click on Download for the Federation Metadata XML and save to local storage
3. Upload the Azure Enterprise Application metadata to Altamira
- Click Setup\Account\Custom domains and click on the custom domain you wish to map claims for
- In the Single Sign on tab, under Configure from identity provider metadata file, click on Choose file and select the Federation Metadata XML you downloaded from Azure in step 2
- Click Save
4. Download the Altamira HRM metadata file for your domain
- Click Setup\Account\Custom domains and click on the custom domain you wish to map claims for
- Click Actions\Download SSO metadata and save the file to local storage
5. Upload the Altamira metadata to the Azure Enterprise Application
- In the Enterprise Application in Azure, Single sign-on blade, click on Upload metadata
- Click the Browse button, select the Altamira Metadatafile and click Add
- Check the properties and click Save
Optionally configure Azure claims to be sent to Altamira HRM:
- In the Enterprise Application in Azure, Single sign-on blade, User attributes and claims box click on Edit
- Leave the default claims user.mail, user.givenname, user.userprincipalname and user.surname
- If you need any other claims, click on Add new claim. In the new claim form enter the name of the claim and select the source attribute then click on Save
- If you wish to use group synchronization click on Add a group claim. In the Group claim form select which groups you wish to send to Altamira HRM and select the source attribute (we recommend Group ID). If you customize the name of the group claim you will have to update the Altamira single sign on configuration. Click on Save
6. Assign users and groups to the Enterprise Application
- In the Enterprise Application in Azure, Users and groups blade, click on Add User
- Select one or more users or groups you wish to allow access to the application
- Click Assign
7. Test your implementation
For the test you will need to have either enabled self provisioning or created a user with a matching user name in both Azure Active Directory and Altamira.
For service provider initiated login:
- In a private browser session, navigate to your custom domain URL. You will be redirected to the Azure login page: enter your credentials and sign in. You will be redirected to Altamira HRM, where you will be authenticated based on the SAML response
For identity provider initiated sign in:
- In a private browser session, navigate to your identity provider's IdP-initiated sign-on page, https://youradfsendpoint.com/adfs/ls/idpinitiatedsignon.htm. Enter your credentials and then select Altamira HRM from the list of applications. You will be redirected to Altamira HRM, where you will be authenticated based on the SAML response
8. Troubleshooting
In an SP initiated login, if Azure reports an error you can view diagnostic information in the login page. If there is an error processing the SAML response, Altamira will give minimal diagnostic information at the browser login prompt; you will find more detailed information in the Altamira event log available in the Reports section.
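When the Altamira event log reports a problem with the SAML response, it helps to see exactly which claims arrived. The script below is an added example, not code from the original page or from Altamira HRM or Microsoft: it parses a constructed, unsigned sample response, lists which of the default claims kept above are missing, extracts the group IDs from the group claim, and flags an audience or validity-window mismatch. It assumes the Azure AD claim URIs shown were not renamed in the portal; the tenant ID, audience URL and group IDs are placeholders.

```python
# Added example (not Altamira's or Microsoft's code): list which of the page's
# default claims and group IDs actually arrived in a SAML response, and flag
# an audience or validity-window mismatch, to narrow down a failed login.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Claim URIs Azure AD emits for the four default attributes and for the default
# group claim (assumption: the claim names were not customized in the portal).
EXPECTED = {"user.userprincipalname": CLAIMS + "name", "user.givenname": CLAIMS + "givenname",
            "user.surname": CLAIMS + "surname", "user.mail": CLAIMS + "emailaddress"}
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed, unsigned sample (signature checks out of scope); surname and mail omitted.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
 <saml:Assertion><saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
  <saml:AudienceRestriction><saml:Audience>https://hrm.example.com/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
   <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
   <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
   <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
   <saml:AttributeValue>66666666-7777-8888-9999-000000000000</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def parse_ts(s):  # SAML timestamps are UTC with a 'Z'; fromisoformat wants an offset
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def inspect_response(xml_text, expected_audience, now=None):
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    problems = []
    cond = root.find(".//saml:Conditions", NS)
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        problems.append("assertion outside its validity window (check clock skew)")
    audience = root.find(".//saml:Audience", NS).text
    if audience != expected_audience:
        problems.append(f"audience {audience!r} != expected {expected_audience!r}")
    return {"issuer": root.find("saml:Issuer", NS).text,
            "name_id": root.find(".//saml:NameID", NS).text,
            "missing_claims": [k for k, uri in EXPECTED.items() if uri not in attrs],
            "groups": attrs.get(GROUPS, []), "problems": problems}
```

Run it against a response captured from your own browser session (for example via the browser's developer tools) after confirming the signature separately; a non-empty missing_claims list usually means the claim was removed or renamed in the User attributes and claims box.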