Login into Azure Account with the required roles and permissions and follow the instructions below to set up SSO in Azure with RBAC:
  1. Navigate to Enterprise Applications and click
Enterprise Application
  1. Select “New Application”
New Application
  1. Select “Create your application.”
Own Application
  1. Give the application a name and select the “Non-gallery” option
Non-Gallery Application
  1. Navigate to “Set up single sign-on.”
Single Sign-On
  1. Select SAML
  2. Go to Plerion > Admin > Single Sign-on and copy the SSO URL presented there
Plerion SSO URL
  1. Back in Azure, In Single sign-on > Basic SAML Configuration, use the URL as both Entity ID and Reply URL (Assertion Consumer Service URL)
Saml Config
  1. Save the configuration
  2. Navigate to Azure > App Registrations, search for the newly created application and open it
App Registration
  1. Under “App roles”, create two new roles: “Org.Admin” and “Tenant1.Read”
App Roles
App Roles List
  1. Go back to Azure > Enterprise Applications, search for the application, open it, and navigate to “Users and Groups”
  2. Use “+ Add user/group” to add two new users. Under select a role, choose “Tenant1.Read” for one of them and “Org.Admin” for the other.
User groups
  1. Navigate to “Single sign-on”, download “Certificate (Base64)”
Base 64 certificate
  1. Take note of “Login URL” and “Azure AD Identifier”
Login URL & Identifier
  1. Go back to Plerion > Admin > SSO > edit > Trust tab.
  2. Paste “Login URL” into the “Single Sign-On URL” field
  3. Paste “Azure AD Identifier” into the “Identity Provider Entity ID” field
  4. Paste the contents of the downloaded “Certificate (Base64)” file into x.509 Certificate field
  5. Click “Configure” to save the configuration
  6. Navigate to “Attribute Mapping”
  7. Select “Email”, and choose “Use SAML Name ID”
Email & SAML ID
  1. On Display Name, if you want to allow users to choose their display name then leave this as unchecked. However, if you want to map the Azure display name, then click on it and configure the attribute statement.
Email & SAML ID
Note: Users can choose their display name by logging into their account and navigating to their profile.
Attribute Mapping
  1. Select “Roles” and set the following values:
  • SAML Attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
  • Attribute Value: Org.Admin and Tenant1.Read
  • Select appropriate Plerion roles for each Attribute Value Mapping.
Attributes
  1. In a new browser session, open: My Apps and sign in using one of the users added to the application.