AAD Single Sign-On Example


Azure Active Directory (AAD) is a cloud-based identity and access management service introduced by Microsoft that helps businesses manage internal and external resources.

Steps

1. Create an Application

1) Log in to the Azure Active Directory Admin Center, click Enterprise Applications > All Applications > New Application.

2) On the New Application page, click Create your own application. On the page that opens, enter the application name, select Non-gallery application, and click Create.

2. Configure SAML for the Application

Note: This step maps the AAD application attributes to Guance attributes, establishing a trust relationship between AAD and Guance.

1) In the newly created application, click Single Sign-On, and select SAML.

2) In the first part of Set up SAML single sign-on, under Basic SAML Configuration, click Edit.

Enter the following assertion address and entity ID examples.

Note: This configuration is only used to obtain the metadata document for the next step. After enabling single sign-on in Guance, replace these values with the correct Entity ID and Assertion URL.

3) In the second step, Attributes and Claims, click Edit to add a claim associated with the identity provider's user email.

On the attributes and claims editing page, click Add a new claim.

On the claim management page, enter the Name and Source Attribute, then save:

  • Name: Must be entered as Email. This field is mandatory. If it is not filled in, single sign-on will prompt that login is not possible;
  • Source Attribute: Select "user.mail" according to the actual email provided by the identity provider.

Note: Guance requires a field named Email, which it uses to associate the identity provider's user email (i.e., the identity provider maps the logged-in user's email to Email).

3. Obtain AAD Metadata Document

Note: This step retrieves the metadata document for creating an identity provider in Guance.

1) In the third step SAML Signing Certificate, click to download the Federation Metadata XML.

4. Enable Single Sign-On in Guance

1) In the Guance workspace Management > Member Management > SSO Management, create a new SSO.

2) Upload the metadata document downloaded in Step 3, configure the domain (email suffix domain), and select the role. Guance then provides the Entity ID and Assertion URL of the identity provider, and the login URL can be copied directly for login.

Note: The domain is used for email domain mapping between Guance and the identity provider to achieve single sign-on. That is, the suffix domain of the user's email must match the domain added in Guance.

5. Replace SAML Assertion Address in AAD

1) Return to AAD and update the Entity ID and Assertion URL from Step 2.

Note: When configuring single sign-on in Guance, the assertion URL configured in the identity provider's SAML must be consistent with that in Guance to enable single sign-on.

6. Configure AAD Users

Note: This step configures authorized user email accounts for the identity provider created in Guance. Configured AAD user email accounts can perform single sign-on to the Guance platform.

1) In the newly created application, click Users and Groups, then click Add User/Group.

2) Click No items selected, search and select users in the pop-up page, then click Select.

3) After selecting the users, return to Add Assignment and click Add Assignment.

4) After adding the users, you can view the list of SSO authorized login users in Users and Groups.

Note: If there are no users, you can create new users under the Users menu.

7. Use AAD Account to Single Sign-On to Guance

1) After SSO configuration is complete, log in through the Guance official website or the Guance console. On the login page, select Single Sign-On.

2) Enter the email address created when setting up SSO and click Get Login URL.

3) Click Link to open the enterprise account login page.

4) Enter the enterprise email (the one configured in both AAD and Guance SSO management) and password.

5) Log in to the corresponding workspace in Guance.
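
The Email claim from Step 2 and the domain rule from Step 4 can be checked against a decoded SAML assertion before users run into a failed login. The following is an added example, not code from Guance or Microsoft; it inspects attributes only and does not verify the assertion signature. The sample assertions, the function name check_email_claim and the exact, case-insensitive domain comparison are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIM = "Email"  # claim name the page says Guance requires


def check_email_claim(assertion_xml, sso_domain):
    """Return a list of configuration problems; an empty list means OK."""
    # Refuse DTDs so entity-expansion input never reaches the parser.
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        return ["document contains a DTD; refusing to parse"]
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text.strip() for v in
                                    attr.iterfind("saml:AttributeValue", NS)
                                    if v.text and v.text.strip()]
    if REQUIRED_CLAIM not in claims:
        # Typical cause: the claim kept a namespaced or differently cased name.
        near = [n for n in claims if n and "email" in n.lower()]
        hint = f" (found {near[0]!r} instead)" if near else ""
        return [f"no claim named {REQUIRED_CLAIM!r}{hint}"]
    if not claims[REQUIRED_CLAIM]:
        return ["Email claim is empty (is user.mail set for this user?)"]
    email = claims[REQUIRED_CLAIM][0]
    local, sep, domain = email.rpartition("@")
    if not sep or not local:
        return [f"Email value {email!r} is not an address"]
    if domain.lower() != sso_domain.lower().lstrip("@"):
        return [f"email domain {domain!r} does not match SSO domain {sso_domain!r}"]
    return []


def _sample(name, value):
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f'<saml:AttributeStatement><saml:Attribute Name="{name}">'
            f'<saml:AttributeValue>{value}</saml:AttributeValue>'
            '</saml:Attribute></saml:AttributeStatement></saml:Assertion>')


# Constructed sample assertions, not captured AAD responses.
GOOD = _sample("Email", "alice@example.com")
WRONG_NAME = _sample(
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "alice@example.com")
WRONG_DOMAIN = _sample("Email", "alice@other.example")

if __name__ == "__main__":
    for doc in (GOOD, WRONG_NAME, WRONG_DOMAIN):
        print(check_email_claim(doc, "example.com"))
```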
