Set up AzureAD SAML2.0 authentication to log in to your ovice account.
If you have already set up SAML authentication for multiple spaces in a hierarchical structure (building), please refer to the following:
SAML authentication settings for a hierarchical structure (building)
Advance Preparation
1. Make sure you have the necessary permissions to set it up
- Azure AD "Application Administrator" role
- ovice admin privileges
2. Click the three dots in the space header and select the "Space" tab.
*If you are not the organization owner, there is no need to select a tab.
3. Go to "Space Settings" → "Space Access Settings" → "Member Whitelist Rules" and click "Email Account Authentication"
4. Select the "SSO" tab
5. Click the + button next to "SAML Authentication Setup"
6. Enter any name in the IdP name field.
This name will appear on the space URL login screen.
7. Enter "." (or an appropriate string) for each of the Entity ID, IdP Login URL, IdP Logout URL, and IdP x509 cert.
*The correct input values will be set later.
8. Select the redirect destination
Select the screen each user will be redirected to when they log in.
Option | Redirect destination |
---|---|
space | Redirect into space |
lobby | Redirect to the lobby screen (space list) |
9. Click "Save"
10. Click on the SAML settings you saved
Do not close the ovice settings screen in this state.
Azure AD configuration
1. Access https://portal.azure.com/#home
2. Click "Microsoft Entra ID"
3. Click on "Enterprise Applications"
4. Click "New Application"
5. Click "Create your own application"
6. Enter a name for your app in response to "What is the name of your app?" and click "Create."
There is no need to change any other options on this screen.
7. Click "Single Sign-On" → "SAML" in the side menu.
8. Click "Edit" for Basic SAML Configuration
9. Click "Add Identifier" and "Add Response URL" to display the input area for each.
10. Copy the items displayed on the ovice screen you prepared in advance and paste them into the corresponding fields on the Azure AD screen.
ovice setting screen (copy source) | AzureAD settings screen (paste destination) |
---|---|
Identifier | Identifier (Entity ID) |
Reply URL | Response URL (Assertion Consumer Service URL) |
Login URL | Sign-on URL (optional) |
*In the above image, the ovice screen is on the left and the AzureAD screen is on the right.
11. Click "Save" and close the Basic SAML Configuration with the X button
12. Click "Users and Groups" on the side menu → "Add User or Group"
13. Click on "Not Selected" for the user
14. Select a user and click "Select"
15. Click "Assign"
16. Click "Single Sign-On" on the side menu → "Download" for SAML Certificate
17. Check the item "Set up XX (any name)"
Do not close the Azure AD settings screen in this state.
ovice Settings
1. Click "Edit" for the SAML created on the ovice side in advance preparation.
2. Copy each item from the screen opened in step 17 of the Azure AD configuration and paste it into the corresponding field on the ovice side.
AzureAD settings screen (copy source) | ovice setting screen (paste destination) |
---|---|
Login URL | IdP Login URL |
Microsoft Entra Identifier | Entity ID |
Logout URL | IdP Logout URL |
*In the above image, the AzureAD screen is on the left and the ovice screen is on the right.
3. Open the data downloaded in step 16 of the Azure AD settings in a text editor on your computer.
*For Mac, right-click the certificate file and select "Open with other application" to open it with the "TextEdit" app.
4. Copy the entire contents of the certificate file and paste it into the IdP x509 cert field
*Please include "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
5. Click "Save"
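Before pasting the downloaded certificate, it is worth confirming that the file is actually PEM-framed, parses as an X.509 certificate and has not expired, and noting its fingerprint to compare with the thumbprint the Azure AD portal shows for the signing certificate. The script below is an added example, not ovice's or Microsoft's code; it assumes the openssl CLI is installed, and the self-signed certificate it generates is a constructed stand-in for the real Azure AD download.

```shell
#!/bin/sh
# Added example: sanity-check an IdP signing certificate before pasting it into
# the "IdP x509 cert" field. Assumes the openssl CLI is available.
set -eu

check_idp_cert() {
    cert="$1"
    # The ovice field expects PEM text including the BEGIN/END lines; a raw DER
    # download will not paste correctly, so reject it here.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo "missing BEGIN line" >&2; return 1; }
    grep -q -- '-----END CERTIFICATE-----' "$cert"   || { echo "missing END line" >&2; return 1; }
    # The file must parse as an X.509 certificate at all.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo "not a parsable certificate" >&2; return 1; }
    # -checkend 0 exits non-zero if the certificate is already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "certificate expired" >&2; return 1; }
    # Print subject, expiry and SHA-1 fingerprint; the fingerprint should match the
    # thumbprint displayed for the SAML signing certificate in the Azure AD portal.
    openssl x509 -in "$cert" -noout -subject -enddate -fingerprint -sha1
}

# Constructed sample: a throwaway self-signed certificate standing in for the
# certificate downloaded from Azure AD (hypothetical CN, 30-day validity).
make_sample_cert() {
    out="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=sample-idp" \
        -keyout "${out}.key" -out "$out" >/dev/null 2>&1
}
```

Run `check_idp_cert /path/to/downloaded.cer` on the real download; a non-zero exit means the file should not be pasted as-is.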
[Optional] How to add SAML authentication to permission settings
By combining the publishing settings with the Space Access Settings, you can allow only users who have authenticated with SAML to access the space.
6. Scroll down the screen and check the SAML authentication settings you created under "Activate SSO authentication".
7. Click "Save"
Log in using Azure AD
Please refer to the following and try logging in.
Log in with the space's own SSO (SAML authentication, etc.)
If you fail to log in using Azure AD
Please check the following:
- When logging in with SAML authentication, I get a 500 error
- When logging in with SAML authentication, a "SAML authentication error" message appears.
- Please make sure that each item in the app you created (assertion information, etc.) is set correctly.
- Make sure the user is assigned correctly in the Users and Groups settings.
Set up common SAML authentication for spaces in a hierarchical structure (building)
To reuse the SAML authentication you set up in other spaces in the building, use the inheritance setting. See below for how to configure it.
Inheritance Settings
Once the setup is complete, the same SAML authentication login button will be displayed on the login screen of each space that inherits the setting.