Set up SSO with Microsoft Entra

You can set up SSO with Microsoft Entra to allow users to sign in to the digital workplace using Entra SSO credentials.

When set up, users without an active workplace session will be redirected to the configured Entra SSO app's sign-in page to authenticate. However, users can still access the Igloo Authentication Login page by navigating to the URL of the digital workplace with /login appended to it. For example:

https://solutionsinc.igloo.igloodigitalworkplace.com/login

Considerations

  • Identity Provider-Initiated SSO: Igloo Flex's SSO only supports Service Provider-Initiated SSO, i.e., requests coming directly from the Igloo Flex digital workplace. Identity Provider-Initiated SSO is not supported.

Who can do this?

  • Workplace administrators

Configure Microsoft Entra and copy its metadata XML

The following instructions outline setting up a SAML 2.0 app for your digital workplace. Refer to Microsoft's Enable single sign-on for an enterprise application documentation to learn more about their settings.

  1. Go to the Microsoft Entra Admin Center and sign in with your administrator credentials.
  2. In the left sidebar, select Entra ID to expand it, then select Enterprise apps.
  3. Select New application.
  4. Select + Create your own application.
  5. When prompted, enter a name for your application and select Integrate any other application you don't find in the gallery (Non-gallery).
  6. Select Create.
  7. In the side panel under Manage, select Users and groups.
  8. Select Add user/group.
  9. Select the users or groups that should use this app and then select Assign.
  10. In the side panel under Manage, select Single sign-on.
  11. Select SAML.
  12. In the Basic SAML Configuration box, select Edit.
  13. Configure the following:
    • Identifier (Entity ID): Enter the URL of your digital workplace. For example: https://solutionsinc.igloo.igloodigitalworkplace.com
    • Reply URL (Assertion Consumer Service URL): The ACS URL is the endpoint of your digital workplace that receives and parses SAML assertions. This value is required when configuring an identity provider (IdP). The URL below must be completed with the WorkplaceId and TenantId of your digital workplace before it will work:
      https://apis.flex-live.net/flex/api/SamlAssertion?WorkplaceId=<GUID for the Workplace>&TenantId=<GUID for the Tenant>

      To find your digital workplace's WorkplaceId and TenantId:

      1. Go to the home page of your digital workplace.
      2. Use your browser to view the page source (Ctrl+U / Command+Option+U).
      3. While viewing the page source, search the page (Ctrl+F / Command+F) for WorkplaceId and copy its value down.
      4. While still viewing the page source, search the page (Ctrl+F / Command+F) for TenantId and copy its value down.
      5. Insert the values you recorded into the above ACS URL to create your digital workplace's ACS URL. The resulting URL should look similar to this: https://apis.flex-live.net/flex/api/SamlAssertion?WorkplaceId=0bf875d4-92f9-4b97-a81&TenantId=b23316cb-710e-4e65-a7e5-b626341525e0
    • Sign on URL (Optional): Leave blank.
    • Relay State (Optional): Leave blank.
    • Logout Url (Optional): Leave blank.
  14. Select Save and close the editor.
  15. Entra defaults to using user.userprincipalname as the Unique User Identifier (Name ID). The Unique User Identifier must contain values that match Usernames in your digital workplace for users to authenticate. If the default value user.userprincipalname does not contain matching Username information, you must edit the claim and select the attribute that does. To do this:
    1. In the Attributes & Claims, select Edit.
    2. Under Required claim, select Unique User Identifier (Name ID).
    3. Select the Source attribute that will match Usernames in your digital workplace.
    4. (Optional) Select Unspecified as the Name identifier format. This is needed if the attribute you selected no longer contains only email addresses.
    5. Select Save.
    6. Navigate back to the Single Sign-On page of the application.
  16. Under SAML Certificates, copy the App Federation Metadata Url. You need this when you turn on SAML SSO in your digital workplace.
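As an added example (not part of Igloo's documentation or tooling), the script below automates the WorkplaceId/TenantId lookup from step 13: it pulls both values out of saved page source, checks that each is a complete GUID, and assembles the ACS URL in the form shown above. The page source is a constructed sample, and the exact markup that carries the two IDs on a real home page is an assumption; the GUID check is there because a truncated or mistyped ID produces the "Internal server error" described under Troubleshooting.

```python
import re
from urllib.parse import urlencode

# Constructed sample of a workplace home page's source. The real page embeds
# WorkplaceId and TenantId somewhere in its HTML/JS; the markup below is assumed.
SAMPLE_PAGE_SOURCE = """
<script>
  window.igloo = {
    "WorkplaceId": "11111111-2222-4333-8444-555555555555",
    "TenantId": "aaaaaaaa-bbbb-4ccc-9ddd-eeeeeeeeeeee"
  };
</script>
"""

# ACS endpoint from the documentation; only the two query parameters vary.
ACS_BASE = "https://apis.flex-live.net/flex/api/SamlAssertion"

# A full GUID is 8-4-4-4-12 hex digits; anything shorter will not be accepted by the ACS.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def extract_id(source: str, key: str) -> str:
    """Return the value following `Key: "..."` or `Key=...` in the page source."""
    match = re.search(rf'{key}["\']?\s*[:=]\s*["\']?([0-9a-fA-F-]+)', source)
    if not match:
        raise ValueError(f"{key} not found in page source")
    return match.group(1)


def validate_guid(value: str, key: str) -> str:
    """Reject values that are not complete GUIDs before they reach the IdP config."""
    if not GUID_RE.match(value):
        raise ValueError(f"{key} {value!r} is not a complete GUID (8-4-4-4-12 hex)")
    return value.lower()


def build_acs_url(source: str) -> str:
    """Build the Reply URL (ACS URL) to paste into Entra's Basic SAML Configuration."""
    workplace_id = validate_guid(extract_id(source, "WorkplaceId"), "WorkplaceId")
    tenant_id = validate_guid(extract_id(source, "TenantId"), "TenantId")
    return f"{ACS_BASE}?{urlencode({'WorkplaceId': workplace_id, 'TenantId': tenant_id})}"


if __name__ == "__main__":
    print(build_acs_url(SAMPLE_PAGE_SOURCE))
```

Compare the printed URL character for character with the Reply URL saved in Entra; a mismatch there is the first thing to rule out when login fails.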

Turn SAML SSO on in your digital workplace

  1. On the Top Bar, select Admin Settings.
  2. Under Settings in the left side panel, select Login Settings.
  3. Select Enable SAML SSO to toggle it on.
  4. Paste the Metadata URL you copied from your IdP into the SAML configuration field.
  5. (Optional) Turn Forced Authentication on if you require users to re-authenticate every time they visit the digital workplace, even if they have a valid SSO session active.
  6. Select Update settings.

Troubleshooting

Error upon login: Object reference not set to an instance of an object.

The user is not a member of the digital workplace, or no user in the digital workplace has a username that matches the value being passed by the IdP.

Internal server error

The ACS URL that you entered into the IdP is incorrect.

Your administrator has configured the application to block users unless they are specifically granted ('assigned') access to the application.

The user is not assigned to the application in Entra.