How to integrate Azure Active Directory using SAML with MediaValet

 

Pre-requisites:

  • Please contact your Customer Success Manager to kick-off the Single-Sign-On enablement process.  

  • Identity Provider = Azure Active Directory

  • Protocol selected = SAML

 

The steps below describe the configuration to be completed by the client to set up the custom MediaValet SAML application in their Azure AD Tenant. 

 

Single Tenant Enterprise Application Option:

Users must have the appropriate permissions required to register a new Enterprise application under their Azure AD Tenant

 

  1. Sign in to the Azure portal using your Azure Active Directory administrator account.

  2. Browse to your organization's Azure Active Directory > [Directory] > Enterprise Applications, and select "New Application"
    mceclip0.png


  3. From the next page that appears, select "+ Create your own application" and ensure the "non-gallery" option is selected as shown below:
    mceclip3.png

    • Please note, the MediaValet - Add-On prompt that appears is specifically for integrating with Azure AD using our native integration which uses OIDC protocol.

    • If you are using the old app gallery experience, select “Non-gallery application" from the app options that appear:
      mceclip2.png



  4. Next, click on the Set up single sign on option from the Overview page or click on the "Single Sign-on" option found from the navigation menu on the left-hand pane:
    mceclip5.png

  5. Select "SAML" from the options that appear:
    mceclip6.png


  6. Edit the Basic SAML Configuration and ensure the EntityId value provided by MediaValet's Support team is set up for both the Identifier (Entity ID) and Reply URL fields as shown in the example below: 
    com009.svgNote: Please ensure that the Sign on URL, Relay State and Logout URL are left blank
    image (7).png
  7. Next click to edit the "Attributes & Claims" in order to add a new group claim (Required)

    • Click "+Add a group claim" and ensure the following is configured:

      • Which groups associated with the user should be returned in the claim?
        • All groups = sends over all user group information in the response details

        • Groups assigned to the application = only sends authorized group information that have been explicitly assigned to the MediaValet SAML app. 
          • This option is preferred by organizations that wish to only send relevant user group information set up in Azure AD for MediaValet. 

          • If this option is selected, please ensure you assign user groups to the MediaValet-SAML application setup in order to allow users in your Azure AD Tenant to use their SSO credentials to sign into MediaValet. 

      • Source Attribute = Group ID
      • Check off the option "Customize the name of the group claim" and ensure the following is setup:
        • Name = groups
        • Namespace:
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims

          mceclip8.png


  8.  Once the above has been completed, copy the App Federation Metadata URL found under the SAML Signing Certificate section and send this to MediaValet Support:
    mceclip9.png


-------------------------------------------------------------------------------------

com009.svgNotes

  • For the Single-Sign-On form sent by MediaValet's team (also found attached to this article), it is possible to find all relevant user attributes and claims in the Single-Sign-On section on the custom enterprise application's setup page:
    mceclip11.png


  • Click on the "Users and groups" section to manage which users and groups assigned to the custom MediaValet-SAML app setup will be able to sign into MediaValet using their Single-Sign-On credentials:
    mceclip0.png

    • Please be advised this option is required for users that selected the "Groups assigned to the application" option in Step 7 above. 

  • Please ensure the users being assigned to the groups mapped to the SAML application are licensed in Azure and have a mailbox assigned to them. Microsoft AAD poses a limitation whereby unlicensed users that have no mailbox assigned will not be able to sign into third party applications using their Single-Sign-On credentials.
Was this article helpful?
1 out of 1 found this helpful