Azure SSO and Provisioning

System for Cross-domain Identity Management (SCIM) is a protocol for managing user identities across multiple applications. It lets you provision (add), deprovision (delete) and update (map) user data across multiple applications at once.

You can set up SCIM provisioning in Azure AD to automatically add the AD application users and groups to your organization in the NeuraLegion App. The added users will be able to access the NeuraLegion App using Active Directory Federation Services (AD FS) SSO.

NeuraLegion supports the following provisioning attribute mappings:

  • userPrincipalName
  • Switch([IsSoftDeleted], , "False", "True", "True", "False")
  • givenName
  • surname
  • mail
  • displayName

Prerequisites

Azure Setup

To enable NeuraLegion SSO with AD FS, you should first authenticate Azure in the NeuraLegion App.

  1. Create an application for NeuraLegion in Azure. For that, go to Enterprise Applications and click + New application.
  2. Click + Create your own application.
  3. In the Create your own application window, enter a name for the new application and click Create.
  4. Once the application is created, go back to the Home page and select Azure Active Directory.
  5. In the left pane, select App registrations, open the All applications tab and select the created application from the list.

📘 Note: It may take some time until the predefined application is published in the Azure AD gallery.

  6. Add the redirect URL. For that, select the relevant setting and add a Web platform.
     In the Redirect URIs field, enter https://app.neuralegion.com/adfs/callback and click Configure.
  7. Go back to the created application and get the following credentials to use them later in the NeuraLegion App:
     • On the application page, copy the Client ID.
     • In the Certificates & secrets tab, create a new secret key and copy its Value.
     • In the Endpoints tab, copy the OpenID Connect metadata document URL.
  8. Go back to App registrations, select the created application, and then assign users to this application in the Users section.
     The assigned users will be able to log in to the NeuraLegion App using AD FS SSO.

NeuraLegion Setup

Now go to the NeuraLegion App and do the following:

  1. In the left pane, select the Organization option.
  2. From the Required SSO provider drop-down list, select AD FS, and then click Connect.
  3. Fill in the AD FS Authentication fields with the credentials copied in Azure AD, and then click Continue.
  4. On the Microsoft Permissions Requested page, click Accept.
     AD FS SSO is now enabled for all users of the authenticated application, with no restrictions.
  5. (Optional) You can enforce AD FS SSO registration by selecting the Require your organization members to use SSO to access NeuraLegion checkbox. When this option is selected, only registered users (current members of a NeuraLegion organization) with existing SSO accounts can access the NeuraLegion App.

🚧 Important: Strict enforcement of SSO for all organization members will require resetting the connection if the SSO integration breaks. If that happens, please contact NeuraLegion technical support for assistance.

Go to Step-by-Step Guide to configure automatic provisioning of Azure AD users and groups to your NeuraLegion organization.

Step-by-Step Guide

Enable Provisioning

  1. In the ORGANIZATION SETTING section, select the Sync the groups & users from SSO provider to NeuraLegion checkbox.
  2. In Azure AD, go to the provisioning section of your application and click Get Started.
  3. Select one of the following provisioning modes:
     • The Manual option allows you to add a new user or group to your Nexploit organization manually, with immediate synchronization.
     • The Automatic mode adds every new user or group to your Nexploit organization automatically. The automatic provisioning interval is 40 minutes.
  4. In the Admin Credentials section, do the following:
     • In the Tenant URL field, enter https://app.neuralegion.com/api/v1/scim.
     • In the Secret Token field, enter the API key created in the NeuraLegion App.
  5. Click Test Connection to verify that the credentials are authorized for provisioning.
  6. (Optional) In the Settings section, make sure to set the scope to Sync only assigned users and groups. This limits provisioning to assigned users/groups only, so that no other Azure AD users unintentionally gain access to the NeuraLegion App.
  7. Above the Provisioning mode, click Save to save the configuration.
  8. In the Manage provisioning section, select Edit attribute mappings.
  9. In the Mappings section, select Provision Azure Directory Users.
     Note: You can keep the group provisioning mappings at their defaults; no changes are required.
  10. Set the attribute mappings to the following:
     • userPrincipalName
     • Switch([IsSoftDeleted], , "False", "True", "True", "False")
     • givenName
     • surname
     • mail
     • displayName
  11. To start provisioning, click Start provisioning.
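As an added example (not NeuraLegion's or Microsoft's own code), the Python below builds the SCIM request that Azure AD provisioning would send for one user with the mappings above: the Switch expression on IsSoftDeleted becomes the SCIM active flag, and the Secret Token is carried as a Bearer token to the Tenant URL. The target SCIM attribute names are assumed to be Azure AD's default mappings, and the sample user is constructed.

```python
import json

TENANT_URL = "https://app.neuralegion.com/api/v1/scim"  # Tenant URL from the page
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def switch(source, default, *pairs):
    """Azure AD Switch(source, default, key1, value1, key2, value2, ...)."""
    return dict(zip(pairs[0::2], pairs[1::2])).get(source, default)

def is_active(is_soft_deleted):
    """Switch([IsSoftDeleted], , "False", "True", "True", "False") -> SCIM 'active'.
    A soft-deleted (deprovisioned) user yields active=false, so the member
    turns inactive in the organization as the page's note describes."""
    return switch(is_soft_deleted, "", "False", "True", "True", "False") == "True"

def to_scim_user(ad_user):
    """Map the six source attributes onto a SCIM core User resource.
    Target attribute names are Azure AD's default mappings (assumption)."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": ad_user["userPrincipalName"],
        "active": is_active(ad_user["IsSoftDeleted"]),
        "name": {"givenName": ad_user["givenName"], "familyName": ad_user["surname"]},
        "emails": [{"primary": True, "type": "work", "value": ad_user["mail"]}],
        "displayName": ad_user["displayName"],
    }

def provisioning_request(ad_user, api_key):
    """The POST Azure AD sends to create the user; the Secret Token from the
    Admin Credentials section travels as a Bearer token."""
    return {
        "method": "POST",
        "url": f"{TENANT_URL}/Users",
        "headers": {"Authorization": f"Bearer {api_key}",
                    "Content-Type": "application/scim+json"},
        "body": json.dumps(to_scim_user(ad_user)),
    }

# Constructed sample Azure AD user; the API key passed below is a placeholder.
SAMPLE_USER = {
    "userPrincipalName": "jdoe@example.com", "IsSoftDeleted": "False",
    "givenName": "Jane", "surname": "Doe", "mail": "jdoe@example.com",
    "displayName": "Jane Doe",
}

if __name__ == "__main__":
    print(json.dumps(provisioning_request(SAMPLE_USER, "<API-KEY>"), indent=2))
```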

Assign Azure AD Users and Groups to Your NeuraLegion Organization

  1. In the left pane, select Users and groups.
  2. Click + Add user/group.
  3. In the Users and groups field, click None Selected. Select specific users or a group of users to sync them to your NeuraLegion organization, and then click Assign.
     • The assigned users will be automatically added to the MEMBERS section of your NeuraLegion organization.
     • The assigned groups will be automatically added to the GROUPS section of your NeuraLegion organization.

📘 Note: If you deprovision a user from the NeuraLegion integration application in Azure AD, the corresponding member becomes inactive in your NeuraLegion organization and can no longer log in to the NeuraLegion App using AD FS SSO.

Log in to the NeuraLegion App Using AD FS SSO

  1. On the login page, click Single Sign On (SSO).
  2. Enter the name of the NeuraLegion organization for which AD FS SSO was enabled, and then click Continue.
  3. Select Sign in with AD FS.
     You are redirected to the Microsoft login page.
  4. Enter your Azure AD user's credentials.
