
Entra ID SAML configuration - SSO trigger


Setup SAML Authentication for e-Share in Azure Active Directory

Basic SAML Setup for e-Share

These setup instructions describe how to configure SAML-based sign-in to the e-Share application for all users in the organization. The Entity ID and ACS URL referenced in this document will be provided to you by e-Share when the tenant for your organization is provisioned on the e-Share platform.

  1. Log in to https://portal.office.com using the account with Global Administrator rights to Office 365, expand “Admin centers” and click on “Azure Active Directory”

  2. In “Azure Active Directory admin center” screen, click on “Enterprise applications > Create your own application”

Azure Active Directory admin center screenshot showing Browse Azure AD Gallery with the Create your own application area highlighted

  3. In “Create your own application” pane, input a descriptive name for the SAML application (e.g., e-Share SAML App), select the “Integrate any other application you don't find in the gallery (Non-gallery)” option and click on “Create” at bottom of the pane.

Create your own application pane screenshot showing app name field with example e-Share SAML App and the Integrate any other application you don't find in the gallery (Non-gallery) radio option selected


4. When the new application is created and the page opens, click on “Single sign-on” in Manage section, followed by “SAML” method.

Screenshot of Azure AD e-Share SAML App | Single sign-on page showing the left Manage menu with “Single sign-on” highlighted and the SAML sign-on method tile highlighted on the right

5. In “Set up Single Sign-On with SAML” page, click on “Edit” under section #1 for “Basic SAML Configuration”

Screenshot of the Set up Single Sign-On with SAML page showing the Basic SAML Configuration panel with the Edit pencil button highlighted

6. In the “Basic SAML Configuration” pane:

  a. Paste the Entity ID provided by e-Share in “Identifier (Entity ID)” field. Make sure “Default” is selected for the new entry. Optionally, you may delete the existing entry created by Microsoft

  b. Paste the ACS URL provided by e-Share in “Reply URL (Assertion Consumer Service URL)” field

  c. Click on “Save” button to save the changes

Screenshot of Basic SAML Configuration in Azure AD. The top-left Save button is highlighted; red boxes emphasize the Identifier (Entity ID) field showing a custom application URL and the Reply URL (Assertion Consumer Service URL) field showing the application SSO endpoint. Blue bordered configuration dialog is visible.

7. Back in “Set up Single Sign-On with SAML” page, click on “Edit” under section #2 for “Attributes & Claims”

Attributes & Claims pane screenshot showing a list of claims (givenname, surname, emailaddress, name, Unique User Identifier) mapped to user attributes (user.givenname, user.surname, user.mail, user.userprincipalname). The Edit button is highlighted on the right side.

8. In “Attributes & Claims” pane, click on “Add new claim” menu button

Screenshot of the Attributes & Claims toolbar with the + Add new claim button highlighted in a red box; the claims table with Unique User Identifier (Name ID) is visible below.

9. In “Manage claim” page, input values below and click on “Save” to update changes:

  1. For Name: ncckey

  2. For Source attribute: user.objectid


Screenshot of Azure portal Manage claim dialog — top left Save button highlighted in red; Name field populated with ncckey (outlined in red); Source attribute field populated with user.objectid (outlined in red)

10. (Optional) In “Attributes & Claims” page, click on “Add new claim” to include email alias in SAML response. Input values below and click on “Save” to update changes:

Screenshot of Azure portal Manage claim dialog — Name field populated with alias (outlined in red); Source attribute field populated with user.secondaryauthoritativeemail (outlined in red)

11. Back in “SAML-Based Sign-on” page, in section #3 for “SAML Signing Certificate”, click on the button to copy “App Federation Metadata Url” and send it to your e-Share Customer Success Manager.

Screenshot of SAML Signing Certificate panel showing App Federation Metadata Url text box with URL and the copy button highlighted in red


Provision e-Share Access to Specific Users/Groups

Where access to the e-Share application should be provisioned only for specific users and/or groups, follow the steps below after the SAML app has been created.

  1. In the e-Share SAML app previously configured, click on “Properties” under “Manage” section.

  2. Set “Assignment required?” to “Yes” and click on “Save” to save changes

Screenshot of the e-Share SAML App | Properties page in the Azure portal — shows the left navigation with Properties highlighted, the top toolbar with the Save button highlighted, the properties pane displaying application fields and the e-Share logo, and the Assignment required? toggle set to Yes highlighted with red boxes

  3. Click on “Users and groups” menu in “Manage” section.

  4. Click on “Add user/group” menu button, select the user(s) and group(s) members to whom e-Share application access should be allowed, click on “Assign” to complete the change.

Screenshot of the Azure AD e-Share SAML App | Users and groups page — left navigation shows Users and groups selected; main pane shows the + Add user/group button highlighted with a red rectangle and the assignments table with No application assignments found


Microsoft 365 customers can configure SSO login for e-Share and include Group attribute of users for auto-linking of existing users or auto-provisioning of new users. This section describes steps to configure Azure AD group and associate it for SSO trigger in e-Share after the corporate cloud provider is authorized.


Step 1: Create Group in Azure AD

Steps to create Security Group in Azure Active Directory. If the designated Security Group already exists, proceed to 'Step 2: Update Azure AD SSO config' section below:

  1. Log in to Microsoft 365 as administrator and navigate to “Azure Active Directory” tab

  2. Under Manage, select Groups. Click on “New group” to create new group

  3. Click on “No owners selected” and assign owners to manage the group

  4. Click on “No members selected” to assign group members. This should include all users for whom OneDrive should be auto-linked (and auto-provisioned, if applicable) in e-Share

  5. When done, click on “Create” to create the security group

Azure Active Directory admin center New Group screen — form showing Group type, Group name and Group description with a red highlighted box

  6. When back in Groups tab in Azure AD, note the Group ID of the newly created group (listed under Object ID column). The group ID will be used for SSO trigger value in e-Share portal

Step 2: Update Azure AD SSO config

Steps to update e-Share SAML application with Security Group info in Azure Active Directory.

Note: This section assumes AAD SSO was already configured for e-Share and only Group info is updated for SSO trigger.

  1. Log in to Microsoft 365 as administrator and navigate to “Enterprise Applications” tab

  2. Search for e-Share SSO application and navigate to “Users and groups” menu under “Manage” section

  3. In “Users and groups” page, click on “Add user/group”. Search for the group created in above section (e.g. esharemeoddb)


Azure Active Directory portal screenshot showing the Add Assignment page. Left pane shows application details; right pane shows Users and groups picker with a user/group highlighted and selected. Red outline indicates the selected item

  4. In “Add Assignment” tab, click on “Assign”

    Close-up screenshot of the Assign button on the Azure Add Assignment page, with a red box highlighting the Assign button

  5. When back in “Users and groups” tab, confirm the group assigned is listed on the page for assigned group

    Azure portal Users and groups view showing the assigned group listed on the page with a highlighted checkbox and group display name eshareyouddb in a red rectangle

  6. Switch to “Single sign-on” tab, navigate to “User Attributes & Claims” section, click to edit it

  7. Click on “Add a group claim”

[IMAGE PLACEHOLDER: Azure portal screenshot of Single sign-on configuration and User Attributes & Claims area, showing where to add a group claim — red box highlights relevant area]


  8. In “Group Claims” pane, select “Groups assigned to the application”. Confirm “Group ID” is selected in “Source attribute” drop down list

  9. Under “Advanced Options”, select “Customize the name of the group claim” and “Emit groups as role claims” check boxes. When done, click on “Save”

Azure portal screenshot showing User Attributes & Claims list on the left and a Group Claims configuration pane on the right with Groups assigned to the application, Source attribute: Group ID, Advanced options including Customize the name of the group claim and Emit groups as role claims highlighted

10. When back in “User Attributes & Claims” tab, a new claim name would be listed for “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” and value of “user.groups [ApplicationGroup]”

Step 3: Update Corporate Cloud Provider

Steps to update corporate cloud provider to enable SSO trigger for auto-linking/auto-provisioning (performed by the org’s e-Share admin)

Note: This section assumes the org admin for e-Share already completed the steps to authorize corporate cloud provider and enabled “Team member access” and “Team management access”

  1. Log in to e-Share vanity domain portal, navigate to Manage Organization > Management Dashboard > Corporate Cloud Providers.

  2. For the designated corporate cloud provider, enable “SSO trigger” option

  3. For “SAML attribute name” type “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” and for “SAML attribute value” copy/paste the Group ID (see step #6 in “Create Group in Azure AD” section above)
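To confirm the claims configured above before relying on the SSO trigger, the following added example (not e-Share or Microsoft code) inspects a decoded SAML assertion captured from a test sign-in and reports whether the ncckey claim and the role claim carrying the Group ID are present. It assumes the trigger is an exact match on attribute name and value; the sample assertion and its GUIDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample: the GUIDs are placeholders, not real tenant data.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="ncckey">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa</saml:AttributeValue>
      <saml:AttributeValue>bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def read_attributes(assertion_xml):
    """Return {attribute name: [values]} from a decoded SAML assertion.

    Configuration check only: it does not verify the XML signature, so it
    must not be used to decide whether an assertion is trustworthy.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_sso_trigger(assertion_xml, group_id):
    """List configuration problems; an empty list means the claims look right."""
    attrs = read_attributes(assertion_xml)
    problems = []
    if not any(attrs.get("ncckey", [])):
        problems.append("ncckey claim missing or empty")
    roles = attrs.get(ROLE_CLAIM, [])
    if not roles:
        problems.append("role claim missing: group claim not emitted as role")
    elif group_id not in roles:  # assumed exact match on the pasted Group ID
        problems.append("role claim does not carry Group ID " + group_id)
    return problems
```

A user who is not a member of the assigned group produces an assertion without the expected Group ID, so run the check with a test account that is in the group and one that is not.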


E-SHARE | 470 ATLANTIC AVE, 4TH FLOOR, BOSTON, MA 02210 | 617.520.4120 | INFO@E-SHARE.US | WWW.E-SHARE.US