Identity Provider (IdP) is a trusted entity that allows you to enable single sign-on to access other sites or services, such as Azion. Your users can continue using their corporate user identities without having to remember a specific password or enter credentials each time they access Real-Time Manager (RTM).
Azure AD is an example of an Identity Provider.
Even if you’re using an IdP, it’s necessary to register all users of the account on RTM as they are synced in both RTM and IdP. An inexistent user on RTM won’t be able to log in to it.
When using an IdP, you have two protocol possibilities: Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).
To set up an Azure AD custom SAML app as your account IdP for RTM, follow the next steps.
Configuring the SAML app on Azure AD portalSection titled Configuring the SAML app on Azure AD portal
You need to be an administrator of the Azure AD account to perform the following tasks.
- Access Azure’s portal.
- On the homepage, under Azure Services, select Enterprise applications.
- Click + New Application.
- On the next page, search for Azure AD SAML Toolkit and select it. Once you select it, a window will open with the Azure AD SAML Toolkit details on the right side of the screen.
- Click Create on the bottom of the window. The app will be installed.
- On the left side menu, select Single sign-on.
- Under Select a single sign-on method, click SAML.
- On the left side menu, select Properties.
- In the option Assignment required?, select No.
- Return to the Single sign-on section, selecting it from the left side menu.
- On the box SAML Certificates, click Edit.
- On the Signing Option, select Sign SAML response and assertion from the dropdown menu.
- Click the context menu represented by three dots, and download the Certificate in the Base64 format.
- Click Save.
- On the box Set up Azure AD SAML Toolkit, copy the Login URL and Azure AD Identifier. You’ll need this information on RTM.
Configuring the Identity Provider on RTMSection titled Configuring the Identity Provider on RTM
You must be the Account Owner on RTM to perform these settings.
- Log in to Real-Time Manager.
- On the upper-right corner of the page, select the avatar menu. This is the Account menu.
- Select SSO Management.
- Click the Add Identity Provider button and select SAML.
- On the Identity Provider page, choose a name that identifies your identity provider.
- Fill in the following fields with the data copied from the Azure AD portal:
- Identity provider’s Entity ID URI.
- Sign-in URL.
- Certificate. It must include the —-BEGIN CERTIFICATE—- and —-END CERTIFICATE—- parts.
- Click Save. You’ll be redirected to the list of identity providers, where you can view all the providers created in your account.
Completing the registration of the APP on Azure ADSection titled Completing the registration of the APP on Azure AD
- On the SSO Management page of RTM:
- Find the box of your recently created identity provider.
- Click the context menu, represented by three dots > Edit.
Important: don’t click Activate and turn on identity Origin before you complete the configuration on the Azure AD portal.
- On the Identity Provider page, you’ll need to copy the following information to finish the configuration on the Azure AD portal:
- Assertion Consumer Service URL.
- Service Provider’s Entity ID URI.
- Sign-in URL.
- On the Azure AD portal, return to the Single sign-on section, selecting it from the left side menu. On the Basic SAML Configuration box, click Edit and provide the following information:
- In the Identifier field, paste the Service Provider’s Entity ID URI you’ve copied from RTM.
- In the Reply URL field, paste the Assertion Consumer Service URL you’ve copied from RTM.
- In the Sign on URL field, paste the Sign-in URL you’ve copied from RTM.
- Click Save.
- On the Attributes & Claims box, click Edit.
- In the Unique User Identifier, set the string user.email.
- Click Save.
Adding users on the Azure AD custom SAML appSection titled Adding users on the Azure AD custom SAML app
After setting the service provider details:
- Go to Users and groups on the left side menu.
- Click + Add user/group to add the users you wish to grant permission to access RTM using the IdP you’ve just created.
Turning on the Identity Provider on RTMSection titled Turning on the Identity Provider on RTM
- Back on RTM, access the SSO Management page.
- On the box of the Identity Provider you’ve added, click Activate and turn on identity Origin and then click Confirm.
Now all the users of the account will be able to access RTM using Azure AD as the Identity Provider.
This doesn’t apply to Account Owner users.
Important: when the IdP app is activated, the Multi-Factor Authentication (MFA) stops being verified by RTM and starts to be authenticated by the IdP. If the account returns to RTM’s SSO, it’ll use the last active status of the MFA.