As a Tethr Admin user you can configure SAML 2.0 single sign-on (SSO) using Microsoft 365® as your identity provider. Sign-in is handled by Azure Active Directory (Azure AD), the identity service behind Microsoft 365, so the steps below are carried out in the Azure AD portal.
What we'll cover:
- Configuring Azure AD/Microsoft 365 as the IdP for SAML 2.0 SSO
  - Add Tethr as a new Enterprise application
  - Complete basic SAML configuration
  - Configure user attributes and claims
  - Download the SAML signing certificate and IdP metadata
  - Provide the IdP metadata to Tethr
- Add users to the new Enterprise application
- Tethr account activation and sign-in with SSO
Before you begin:
Before you can configure SAML 2.0 SSO in Azure AD/Microsoft 365, you'll need:
- to be an Administrator of your organization’s Tethr users, so you can activate users and test the integration.
- an Azure AD/Microsoft 365 account that can create and own enterprise applications (for example, a Global Administrator, Application Administrator or Cloud Application Administrator role) for the Tethr application.
Configuring Azure AD/Microsoft 365 IdP for SAML 2.0 SSO
This section shows you how to configure the identity provider, Microsoft 365, to enable SAML single sign-on in Tethr.
Within Azure AD/Microsoft 365 you’ll first add Tethr as an Enterprise Application. Then, you’ll complete basic SAML configuration on your new application, configure user attributes and claims, and finally download the Federation Metadata XML (which contains the IdP’s SAML signing certificate) and provide it to Tethr.
Add Tethr as a new Enterprise Application
To begin, sign in to Azure AD/Microsoft 365 with an account that has the administrative rights described above.
- Starting from Azure Active Directory, select Enterprise applications from the left navigation menu under Manage.
- Select + New application to create a new enterprise application.
- On the Add an application page, under Category, enter “SAML” in the search bar and select Azure AD SAML Toolkit from the list of options.
- A sidebar will display confirming your selection. Within the sidebar, rename the new enterprise application to “Tethr”, then select the Add button at the bottom to confirm you’re adding the Azure AD SAML Toolkit. You’ll receive a confirmation message that the application was added successfully.
Complete basic SAML configuration on your new application
Within the Overview page of your new Enterprise application, you’ll configure SSO.
- Select Single sign-on from the left navigation menu under Manage.
- Choose a single sign-on method: select SAML from the list of options.
- On the Set up Single Sign-On with SAML page, select the pencil icon at the top right corner of the step 1: Basic SAML Configuration section to edit the Identifier (Entity ID), the Reply URL and the Sign on URL.
- A sidebar will display showing your Basic SAML Configuration. In the values below, replace mycompanyname with your organization’s Tethr subdomain. Azure AD places the Entity ID and Reply URL into the assertion’s Audience and Recipient fields, so they must match Tethr’s URLs exactly (scheme, host and path) or sign-in will fail.
Note: Azure AD’s default SAML signing algorithm (SHA-256) meets Tethr’s signature strength requirements and does not need to be changed for the purposes of this article; leave it at SHA-256 rather than the SHA-1 option.
- Enter https://mycompanyname.tethr.com/AuthServices as your Identifier (Entity ID). Be sure to remove any pre-populated entity ID using the bin icon so that only the Tethr value remains.
- In the Reply URL (Assertion Consumer Service URL) field, enter https://mycompanyname.tethr.com/AuthServices/Acs.
- In the Sign on URL field, enter https://mycompanyname.tethr.com/. Select the floppy disk icon to Save your entries, then close the Basic SAML Configuration sidebar.
Note: If prompted to test your single sign-on with Tethr, choose the option: “No, I’ll test later.”
Configure user attributes and claims
Back on the Set up Single Sign-On with SAML page, under step 2: User Attributes & Claims, select the pencil icon to edit the claims and their source attributes.
- Select the + Add new claim button.
- On the Manage claim page, in the Name field enter user.id.
- For the Source attribute you may take one of two routes:
  a) If your organization uses Microsoft 365 (Exchange Online) as its email provider, begin typing “user.mail” in the search field and select it as your Source attribute.
  b) If your organization uses a different email provider (e.g., Google Workspace), begin typing “user.othermail” in the search field and select it as your Source attribute.
  Whichever attribute you choose, its value must be the email address Tethr knows the user by; if it is empty or different for a given user, that user’s SSO sign-in will fail.
- Select the floppy disk icon to save your entries and close the User Attributes & Claims section.
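As an added example (this is not Tethr’s or Microsoft’s code), the following Python script checks a SAML assertion captured during a test sign-in (for instance with a browser SAML tracer) against the Identifier (Entity ID) and Reply URL entered in Basic SAML Configuration, and extracts the user.id claim configured above. The sample assertion is constructed to mirror the shape Azure AD emits; the tenant ID, user, timestamps and the mycompanyname subdomain are placeholders. It does not verify the XML signature, which Tethr’s SAML library does.

```python
# Added example (not Tethr's or Microsoft's code): check a captured SAML assertion
# against the Entity ID / Reply URL entered in Basic SAML Configuration and pull the
# user.id claim configured above. It does NOT verify the XML signature; the SP does that.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed SP values from the article; "mycompanyname" is the placeholder subdomain.
ENTITY_ID = "https://mycompanyname.tethr.com/AuthServices"
ACS_URL = "https://mycompanyname.tethr.com/AuthServices/Acs"

# Constructed sample assertion in the shape Azure AD emits, trimmed and unsigned.
# The tenant ID, timestamps and user are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://mycompanyname.tethr.com/AuthServices/Acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://mycompanyname.tethr.com/AuthServices</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="user.id">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, entity_id=ENTITY_ID, acs_url=ACS_URL, now=None):
    """Return a list of mismatches; an empty list means the assertion fits our SP settings."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []

    # The Audience must be exactly the Identifier (Entity ID) we entered.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include Entity ID {entity_id}")

    # The bearer Recipient must be exactly the Reply URL (ACS) we entered.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the Reply URL (ACS)")
    elif parse_ts(scd.get("NotOnOrAfter")) <= now:
        problems.append("SubjectConfirmationData NotOnOrAfter has passed")

    # Validity window on the whole assertion (both bounds are optional in SAML).
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (not_before and parse_ts(not_before) > now) or (not_after and parse_ts(not_after) <= now):
            problems.append("Conditions validity window does not cover the current time")

    return problems


def user_id_claim(xml_text):
    """Return the value of the user.id attribute, or None if Azure AD did not send it."""
    root = ET.fromstring(xml_text)
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == "user.id":
            value = attr.find("saml:AttributeValue", NS)
            return value.text if value is not None else None
    return None


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, now=parse_ts("2024-01-01T12:01:00Z")))
    print(user_id_claim(SAMPLE_ASSERTION))
```

If the Audience or Recipient check fails, the values in Basic SAML Configuration do not match Tethr’s URLs exactly; if user_id_claim returns None or an empty string, the source attribute chosen for the user.id claim is not populated for that user in Azure AD.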
Provide the IdP metadata to Tethr
Back on the Set up Single Sign-On with SAML page, under step 3: SAML Signing Certificate, select the Download link next to Federation Metadata XML to download the file.
To complete Azure AD/Microsoft 365 SAML SSO configuration for your organization, provide Tethr with the Federation Metadata XML (also known as the identity provider SAML metadata) file you just downloaded. This file tells Tethr your tenant’s IdP entity ID, where to send authentication requests, and which certificate to trust when verifying signed assertions. Note that the signing certificate has an expiry date (shown in the same SAML Signing Certificate section); when Azure AD rotates it, a fresh metadata file must be provided to Tethr or SSO sign-in will stop working.
Add users to your new Enterprise Application in Azure AD/Microsoft 365
When configuring your application for the first time, you’ll need to assign users or groups to it in Azure AD/Microsoft 365. To do that:
- Within the Overview page of the Enterprise application, select Users and groups from the sidebar menu under Manage.
- As with any SSO application, select + Add user and add every user (or group) who will be logging in to Tethr using single sign-on. If the application’s User assignment required? property (under Properties) is set to Yes, Azure AD will refuse SAML sign-in for anyone not assigned here.
Tethr account activation and sign-in experience for Azure AD/Microsoft 365
When a Tethr user needs to be activated and they’re using SSO, they should use the Sign in with Microsoft Office 365 button on the login page rather than selecting the Activate account button.
If you’ve enabled SSO in your organization, your users’ login page will include a Sign in with Microsoft Office 365 option.