This feature is provided as a proof-of-concept experiment. If you would like to use it, please contact us via the inquiry form.
Functional Overview
This guide sets up Azure AD SAML 2.0 authentication for logging in to an ovice account. Once authenticated, the user has member privileges in every space belonging to the organization.
Advance Preparation
1. Make sure you have the permissions needed to set this up:
- The Azure AD "Application Administrator" role
- ovice organization owner, or a group that has been assigned the permission group
2. Click the three dots in the space header and select the "Organization" tab.
The Organization tab is only accessible to organization owners.
3. Click on "Organization Settings" → "Integration"
4. Click on the "Azure AD SAML" app
5. Enter "." (or any other dummy string) for the Microsoft Entra ID Identifier, Login URL, Logout URL, and Certificate (Base64). The correct values will be filled in later.
6. Click "Save"
7. Click the "Azure AD SAML" app again to reopen it
Leave the settings screen open at this point.
Azure AD configuration
1. Open https://portal.azure.com/#home
2. Click "Microsoft Entra ID"
3. Click "+ Add"
4. Click "Enterprise application"
5. Click "Create your own application"
6. Enter a name and click "Create."
There is no need to change any other options on this screen.
7. Click "Set up single sign-on" → "SAML"
8. Click "Edit" for Basic SAML Configuration
9. Click "Add Identifier" and "Add Response URL" to display the input area for each.
10. Copy the items displayed on the ovice settings screen you left open and paste them into the corresponding Azure AD fields.
ovice settings screen (copy source) | Azure AD settings screen (paste destination) |
---|---|
Identifier | Identifier (Entity ID) |
Reply URL | Reply URL (Assertion Consumer Service URL) |
IDP Login URL | Sign on URL (Optional) |
*In the above image, the ovice screen is on the left and the AzureAD screen is on the right.
11. Click "Save" and close the Basic SAML Configuration with the X button
12. Click "Edit" for Attributes and Claims
13. Edit the existing claims
Click each of the following two items under "Additional claims", apply the change, and click "Save".
Claim to change | Change |
---|---|
user.mail | Change the name to "mail" |
user.userprincipalname | Change the source attribute to "user.displayname" (no double quotes around it) |
14. Add new claims
Click "Add new claim", register the following two items, and then click "Save".
Name | Namespace | Source attribute |
---|---|---|
department | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.department |
jobtitle | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | user.jobtitle |
*Do not put double quotes around the source attribute.
15. Close attributes and claims with the X button
16. Click "Users and Groups" on the side menu → "Add User/Group"
17. Click on "None Selected" for the user
18. Select any user and click "Select"
19. Click "Assign"
20. Click "Single Sign-On" on the side menu → "Download" for Certificate (Base64)
21. Check the "Set up XX" section (XX is the name you entered in step 6)
Leave the Azure AD settings screen open at this point.
ovice Settings
1. Copy the items shown in step 21 of the Azure AD settings and paste them into the ovice settings screen:
Azure AD settings screen (copy source) | ovice settings screen (paste destination) |
---|---|
Login URL | IDP Login URL |
Microsoft Entra ID Identifier | Entity ID |
Logout URL | IDP Logout URL |
*In the above image, the AzureAD screen is on the left and the ovice screen is on the right.
2. Open the certificate downloaded in step 20 of the Azure AD settings in a text editor on your computer.
*On a Mac, right-click the certificate file and select "Open with other application" to open it with the "TextEdit" app.
3. Copy the entire contents and paste them into "IDP 509 Cert".
*Include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
4. Click "Save"
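Before pasting the downloaded Base64 certificate into ovice, it is worth confirming that the text is one well-formed PEM block and noting its fingerprint, since a stray character or a missing marker line is a common cause of a failed SAML setup. The script below is an added example, not ovice's or Microsoft's code. It only checks the PEM framing and Base64 body, normalises line endings and wrapping, and prints SHA-1 and SHA-256 fingerprints of the DER bytes (the SHA-1 value is the form Azure AD displays as the certificate thumbprint); it does not validate the certificate chain. The sample input it ships with is a constructed placeholder, not a real certificate.

```python
"""Sanity-check a PEM certificate before pasting it into ovice's IDP certificate field.

Added example, not ovice's or Microsoft's code. Checks framing and Base64 only;
no chain validation is performed.
"""
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def normalize_pem(text):
    """Return (clean_pem, der_bytes) for a single-certificate PEM block.

    Raises ValueError on the usual copy/paste problems: missing or duplicated
    markers, non-Base64 content, or decoded bytes that are not a DER SEQUENCE.
    CRLF line endings, a leading BOM, stray spaces and odd line widths are
    tolerated and normalised away.
    """
    text = text.lstrip("\ufeff").replace("\r\n", "\n").replace("\r", "\n")
    if text.count(BEGIN) != 1 or text.count(END) != 1:
        raise ValueError("expected exactly one BEGIN/END CERTIFICATE pair")
    start = text.index(BEGIN) + len(BEGIN)
    end = text.index(END)
    if end < start:
        raise ValueError("END marker appears before BEGIN marker")
    body = re.sub(r"\s+", "", text[start:end])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid Base64") from exc
    # Every X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes are not a DER SEQUENCE")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"{BEGIN}\n{wrapped}\n{END}\n", der


def check_certificate(text):
    """Return a report dict: ok/error, the normalised PEM and DER fingerprints."""
    try:
        pem, der = normalize_pem(text)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return {
        "ok": True,
        "error": None,
        "pem": pem,
        "der_length": len(der),
        # Upper-case hex without separators, the format the Azure portal uses.
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


# Constructed sample: a five-byte DER SEQUENCE standing in for a real
# certificate, with a BOM, CRLF endings, a stray space and odd wrapping.
_FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
_B64 = base64.b64encode(_FAKE_DER).decode()  # "MAMCAQE="
SAMPLE_TEXT = "\ufeff" + BEGIN + "\r\n" + _B64[:3] + " \r\n" + _B64[3:] + "\r\n" + END + "\r\n"

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_TEXT
    report = check_certificate(source)
    if report["ok"]:
        print(report["pem"], end="")
        print("SHA-1  :", report["sha1"])
        print("SHA-256:", report["sha256"])
    else:
        print("problem:", report["error"])
```

Run it with the path of the downloaded `.cer` file as the only argument; if the report is clean, paste the printed block (markers included) into ovice and compare the SHA-1 line with the thumbprint shown in the Azure AD portal.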
Log in using AzureAD (organization)
Please refer to the following to log in.
Logging in using Azure AD (organization)
If you fail to log in using Azure AD (organization)
Please check the following:
- When logging in with SAML authentication, I get a 500 error
  - Make sure each item in the app you created (assertion information, etc.) is set correctly.
  - Make sure the user is assigned correctly in the Users and Groups settings.
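When the assertion information is suspected (the 500-error check above, and the claims configured in steps 13 and 14), the quickest way to see what Azure AD actually sent is to inspect the attributes in a SAML Response captured from your own browser session. The script below is an added troubleshooting example, not ovice's or Microsoft's code. It assumes ovice identifies a claim by the last path segment of its Name, so both a bare `mail` and `.../claims/mail` count as the `mail` claim; it performs no signature, audience or timestamp checks, so it is a diagnostic for a response you captured yourself, not a validator. The `build_response` helper and the sample responses are constructed for the example and are not real IdP output.

```python
"""Compare the attributes in a SAML Response with the claims ovice expects.

Added example, not ovice's or Microsoft's code. Diagnostic only: the XML is
parsed without any signature or audience verification.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
ATTR_ENTITIES = {'"': "&quot;"}

# Claims ovice expects after steps 13 and 14: user.mail renamed to "mail",
# the "name" claim now sourced from user.displayname, and the two claims
# added under the xmlsoap identity-claims namespace.
EXPECTED_CLAIMS = ("mail", "name", "department", "jobtitle")


def extract_attributes(response_xml):
    """Map every Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values
    return attrs


def check_claims(response_xml, expected=EXPECTED_CLAIMS):
    """Report expected claims that are missing or carry only empty values.

    Assumption: a claim is identified by the last path segment of its Name.
    """
    attrs = extract_attributes(response_xml)
    by_short = {name.rsplit("/", 1)[-1]: vals for name, vals in attrs.items()}
    missing = [c for c in expected if c not in by_short]
    empty = [c for c in expected
             if c in by_short and not any(v.strip() for v in by_short[c])]
    return {"attributes": attrs, "missing": missing, "empty": empty,
            "ok": not missing and not empty}


def build_response(claims):
    """Build a minimal unsigned Response (constructed sample, not real IdP output)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{escape(name, ATTR_ENTITIES)}">'
        f"<saml:AttributeValue>{escape(value)}</saml:AttributeValue>"
        "</saml:Attribute>"
        for name, value in claims.items()
    )
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'ID="_constructed-response" Version="2.0">'
        '<saml:Assertion ID="_constructed-assertion" Version="2.0">'
        "<saml:Issuer>https://idp.example.test/</saml:Issuer>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


# Constructed sample: everything from steps 13 and 14 present and populated.
SAMPLE_GOOD = build_response({
    f"{CLAIMS_NS}/mail": "alice@example.com",
    f"{CLAIMS_NS}/name": "Alice Example",  # user.displayname after step 13
    f"{CLAIMS_NS}/department": "Security Engineering",
    f"{CLAIMS_NS}/jobtitle": "Engineer",
})
# Constructed sample: department was never added, jobtitle is empty in the directory.
SAMPLE_BROKEN = build_response({
    f"{CLAIMS_NS}/mail": "bob@example.com",
    f"{CLAIMS_NS}/name": "Bob Example",
    f"{CLAIMS_NS}/jobtitle": "",
})

if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_BROKEN
    result = check_claims(xml_text)
    for name, values in result["attributes"].items():
        print(f"{name}: {values}")
    print("missing:", result["missing"], "empty:", result["empty"], "ok:", result["ok"])
```

The `SAMLResponse` form field your browser posts to the Reply URL is Base64-encoded; decode it to XML first, save it to a file, and pass that path as the argument. A claim listed under `missing` points at step 13 or 14 not having been saved; one under `empty` means the claim exists but the user's directory attribute (department, job title) is blank, which the account creation described under Tips will then also leave blank.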
Tips
- Per-space access settings and blacklists within an organization take precedence over the access granted by this integration.
- When authenticating with Azure AD (organization), if a new ovice account is created, the display name, department, and job title of the Microsoft account will be automatically reflected in the account information.
- If you have already accessed the ovice space and changed your account information, the Microsoft account information will not be reflected in ovice during Azure AD authentication.
- If the Azure AD settings screen does not appear, try forcing a refresh of the screen (see "How to force a refresh").