Once you're on the Authentication section of your Directory, use the following steps to set up single sign-on using Azure and SAML.

Step 1: Go to your Azure Portal then under Azure Active Directory -> Enterprise Applications

Step 2: Click New Application, then click Create Your Own Application on the top-left

Step 3: Designate the application as a non-gallery application and give it a name

The name should be a recognizable one to associate to Sift. Just naming the application "Sift" should do fine in most cases. After you've entered these details, click the "Create" button. It can take up to a minute for the application to be created.

Step 4: Configure Single Sign-on

  • Click Single sign-on in the left navigation

  • Click SAML

Step 5: Provide Sift's service provider (SP) information to Azure

  • Under the Basic SAML Configuration section, click the edit pencil in the top right

  • Under Identifier (Entity ID), provide the Entity ID given to you in the Sift admin dashboard

  • Under Reply URL, provide the Postback URL given to you in the Sift admin dashboard

  • Click the Save button

Step 6: Update attribute mappings

  • Under User Attributes and Claims, click the edit pencil in the top right

  • Click on the Unique User Identifier (Name ID) claim

  • Change the Source attribute to whichever attribute matches your email addresses in Sift. If you are using the userprinciplename attribute for Sift's email address, you may use that. However, if you are using mail (as is our default), you should change the attribute to user.mail.

  • Click the Save button

  • (Optional) You may add a new Additional Claim that matches your primary key in your Sift directory. This will ensure that incoming users are matched via that key during the SSO process. If not provided, we will always use email as a fallback. The only practical impact that this will usually have is if an email address of a user changes and Sift hasn't run a new sync yet. In that case, a user would not be properly matched if they sign in during that window.

Example for the optional step above:

If you are using Azure AD Id as your primary key (the default for our Azure sources), you can add a new additional claim with:

Name: objectId (This can be anything you would like)

Source attribute: user.objectId

Step 7: Update Attribute Mappings on the Sift Admin Dashboard

Back on the Sift admin dashboard, update your attribute mappings to match the attributes you defined in Azure. You may use our "Azure" preset as a starting point, which gives the Azure defaults for each of the related attributes. If you changed the "Name" property for any of the attributes in Azure, you'll need to update them here.

Step 8: Download your IdP metadata from Azure

  • Under the fourth box in the Azure setup, click "View step-by-step instructions"

  • Under the window that pops up, scroll down and click on "SAML XML Metadata", this will download an XML file to your computer that contains information Sift needs for the integration

Step 9: Add the downloaded metadata to the Sift admin dashboard

  • Open the file you downloaded in the previous step in any text editor

  • Copy/paste the shown XML into the input area in the Sift admin dashboard under IDP Metadata

  • Click the Save button in the Sift admin dashboard

Step 10: Add Azure AD Users to the integration

  • On the Azure Portal, click Users and groups

  • Click Add User and assign one or more groups or users to the application to designate who can use the SSO integration. If no groups or users are defined here, nobody will be able to log in.

Step 11: Test the SSO flow

  • Go back to the Single Sign-on page in Azure

  • Click the Test button on the fifth box in the SAML setup

  • Select "Sign in as current user"

  • You should be logged into Sift as yourself, assuming you were a part of the groups and/or users assigned in the previous step

Did this answer your question?