Use Azure AD for SSO authentication Learn how to use Azure Active Directory (Azure AD) for Single Sign-On (SSO) authentication with SAML 2.0 so members of your organization can sign in to Kobiton using their Microsoft credentials. Get Kobiton parameters First, you’ll need to save a copy of your Kobiton SSO attributes so you can easily add them to your IdP later. Select your profile name or picture, then choose Settings. Choose SSO Settings. From Basic configuration, copy the following values and save them to a note: Entity ID (or Audience URL) Reply (or SSO, or ACS) URL From User attributes (or parameters), copy the following values and save them to a note: email firstName lastName phoneNumber memberOf Later you’ll finish configuring your Kobiton SSO settings so keep this browser window open. Create IdP application In Azure DP, open your default directory, select Enterprise Application, then New Application. From Add your own app, choose Non-gallery application, then enter a name for your application in the search bar and select Add. Select Assign users and groups and add test user for your application. You’ll set up single sign on in the next section. Map parameters Now that your IdP application is initially created, you’ll need to create Azure AD parameters mapped to Kobiton and download your Base64 certificate. Select Set up single sign on to get started. In step 1, Basic SAML Configuration, use your Kobiton SSO parameters from earlier to fill out the following fields: Identifier (Entity ID) Reply URL (Assertion Consumer Service URL) Relay State In step 2, User Attributes & Claims, create the following parameters: Parameter 1 Name: email Namespace: Leave blank Name format: Basic Value: user.email Parameter 2 Name: firstName Namespace: Leave blank Name format: Basic Value: user.givenname Parameter 3 Name: lastName Namespace: Leave blank Name format: Basic Value: user.surname Parameter 4 Name: phone Namespace: Leave blank Name format: Basic Value: user.telephonenumber Parameter 5 Name: Unique User Identifier Namespace: Leave blank Name format: Basic Value: user.userprincipalname Download certificate and get IdP parameters In step 3, SAML Signing Certificate, download Certificate (Base64). In step 4, Set up Kobiton Azure Local, copy the following values and save them to a note: Login URL Azure AD Identifier Logout URL Add IdP parameters and certificate to Kobiton Now, you’ll need to add your IdP parameters and certificate to your Kobiton organization. In your SSO Settings, scroll down to Set up at Kobiton side. Add your IdP parameters and certificate to the following: Identity provider issuer Identity issuer URL Identity provider sign in URL Identity provider sign out URL Identity provider certificate The Identity provider certificate must be a .pem file. If the certificate downloaded from the IdP has a different file extension (such as .cert), rename it to .pem before uploading. Verify and save configuration Important: Make sure you have created an account with the same email as the currently logged in Kobiton account and assign the new SAML application to that user on the IdP side before continuing. Select Verify to test your SSO configuration. The system will open a new browser tab to the SSO login page. In this new tab, logs in using the account that has the same email as the current Kobiton account. If logged in successfully, go back to the previous browser tab with the SSO Settings opened. Wait for a while for the SSO Settings page to automatically reload (do not force reload the page) and a success message displays like the below: After receiving the success response, select Save to complete your SSO configuration. After verifying and saving the configuration, you can turn on Enforce users to login to Kobiton only through SSO to force the users to log in only via SSO (optional). When SSO login enforcement is turned on: You can add existing users to be exempted from the SSO login enforcement by adding the username into the Choose users who are allowed to login without SSO field. You also gain access to Specify Organization Access Restrictions with the ability to enable Pass role/team assignments to users in the SAML validations. Choose the method that’s best for your organization.