Once you're on the Authentication section of your Directory, use the following steps to set up single sign-on using Azure and SAML.
Step 1: Go to your Azure Portal, then open Azure Active Directory -> Enterprise Applications
Step 2: Click New Application, then click Create Your Own Application on the top-left
Step 3: Designate the application as a non-gallery application and give it a name
The name should be a recognizable one to associate to Sift. Just naming the application "Sift" should do fine in most cases. After you've entered these details, click the "Create" button. It can take up to a minute for the application to be created.
Step 4: Configure Single Sign-on
Click Single sign-on in the left navigation
Click SAML
Step 5: Provide Sift's service provider (SP) information to Azure
Under the Basic SAML Configuration section, click the edit pencil in the top right
Under Identifier (Entity ID), provide the Entity ID given to you in the Sift admin dashboard
Under Reply URL, provide the Postback URL given to you in the Sift admin dashboard
Click the Save button
Step 6: Update attribute mappings
Under User Attributes and Claims, click the edit pencil in the top right
Click on the Unique User Identifier (Name ID) claim
Change the Source attribute to whichever attribute matches your email addresses in Sift. If you are using the userprincipalname attribute for Sift's email address, you may use that. However, if you are using mail (as is our default), you should change the attribute to user.mail.
Click the Save button
(Optional) You may add a new Additional Claim that matches the unique identifiers in your Sift directory. This ensures that incoming users are matched on that key during the SSO process. If it is not provided, we always fall back to email. In practice the difference only shows when a user's email address changes and Sift hasn't run a new sync yet: a user who signs in during that window would not be matched correctly.
Example for the optional step above:
If you are using Azure AD Id as your unique identifiers (the default for our Azure sources), you can add a new additional claim with:
Name: objectId (This can be anything you would like)
Source attribute: user.objectId
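To make the matching rule above concrete, here is an added example (not Sift's code) that pulls the NameID and the optional identifier claim out of an incoming assertion and resolves the user against a directory snapshot: the stable identifier wins when present, and email is used only as the fallback. The directory records, the assertion XML and the identifiers are constructed for the demo; the claim name "objectId" follows the optional step above.

```python
"""Match an incoming SAML login to a directory record the way the optional
claim in Step 6 describes: use the stable identifier claim when it is present,
and fall back to the email address in the NameID only when it is not.

Added example, not Sift's code. The directory snapshot, assertion XML and
identifiers are constructed; the assertions are unsigned stubs for the demo.
"""
from typing import Optional
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed directory as of the last sync. Alice's email has since been
# changed in Azure AD, so her next login carries a NameID Sift has not seen.
DIRECTORY = [
    {"id": "11111111-1111-1111-1111-111111111111", "email": "alice.old@example.com"},
    {"id": "22222222-2222-2222-2222-222222222222", "email": "bob@example.com"},
]


def make_assertion(email: str, object_id: Optional[str]) -> str:
    """Build a minimal assertion body (constructed, unsigned) for the demo."""
    claim = ""
    if object_id is not None:
        claim = f"""
  <saml:AttributeStatement>
    <saml:Attribute Name="objectId">
      <saml:AttributeValue>{object_id}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>"""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_demo" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{email}</saml:NameID>
  </saml:Subject>{claim}
</saml:Assertion>"""


def extract_identity(assertion_xml: str, id_claim: str = "objectId") -> dict:
    """Pull the NameID and, if the claim is mapped, the unique identifier."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or not name_id.strip():
        raise ValueError("assertion has no NameID")
    unique_id = None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == id_claim:
            unique_id = (attr.findtext("saml:AttributeValue", namespaces=NS) or "").strip()
    return {"email": name_id.strip(), "unique_id": unique_id or None}


def resolve_user(identity: dict, directory: list) -> Optional[dict]:
    """Stable ID first; email only as the fallback the page describes.

    Design choice in this example (stricter than the page promises): if the
    ID claim is present but unknown, report no match instead of trying email.
    """
    if identity["unique_id"]:
        return next((u for u in directory if u["id"] == identity["unique_id"]), None)
    email = identity["email"].lower()
    return next((u for u in directory if u["email"].lower() == email), None)


if __name__ == "__main__":
    # Alice logs in with her new address: matched via objectId anyway.
    alice = extract_identity(make_assertion("alice.new@example.com",
                                            "11111111-1111-1111-1111-111111111111"))
    print("with claim   :", resolve_user(alice, DIRECTORY))
    # Without the claim, the same login falls back to email and finds nobody.
    print("without claim:", resolve_user(extract_identity(
        make_assertion("alice.new@example.com", None)), DIRECTORY))
```

The two runs in the `__main__` block show exactly the window the step describes: with the identifier claim mapped, Alice is matched even though her email changed after the last sync; without it, the email fallback finds no record.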
Step 7: Update Attribute Mappings on the Sift Admin Dashboard
Back on the Sift admin dashboard, update your attribute mappings to match the attributes you defined in Azure. You may use our "Azure" preset as a starting point, which gives the Azure defaults for each of the related attributes. If you changed the "Name" property for any of the attributes in Azure, you'll need to update them here.
Step 8: Download your IdP metadata from Azure
Under the fourth box in the Azure setup, click "View step-by-step instructions"
In the window that pops up, scroll down and click "SAML XML Metadata". This downloads an XML file to your computer that contains the information Sift needs for the integration
Step 9: Add the downloaded metadata to the Sift admin dashboard
Open the file you downloaded in the previous step in any text editor
Copy/paste the shown XML into the input area in the Sift admin dashboard under IDP Metadata
Click the Save button in the Sift admin dashboard
Step 10: Add Azure AD Users to the integration
On the Azure Portal, click Users and groups
Click Add User and assign one or more groups or users to the application to designate who can use the SSO integration. If no groups or users are defined here, nobody will be able to log in.
Step 11: Test the SSO flow
Go back to the Single Sign-on page in Azure
Click the Test button on the fifth box in the SAML setup
Select "Sign in as current user"
You should be logged into Sift as yourself, assuming you were a part of the groups and/or users assigned in the previous step