This article explains the steps needed to implement SSO and/or User Provisioning through Azure AD. First we explain how to set up Azure AD in one single location, then we explain how to set it up if you use Proxyclick in many locations.

Requirements:

  • Large and Enterprise plans
  • Admin access to Proxyclick (for every location)

 

Setting up Azure AD in 1 single location

Step 1: Add an application

Log into the Azure Portal. Go to Azure Active Directory > Enterprise Applications.

Click on New application.

Select Non-gallery application.

Enter a name and click on Add.

 

Step 2: Configure single sign-on (SSO)

Open the Proxyclick app in Azure Active Directory > Enterprise Applications and go to the Single sign-on section.

Select SAML-based Sign-on for Single Sign-on Mode.

Copy the SAML SSO Redirect URL to the Identifier field and the SAML Consumer URL to the Reply URL field. You’ll find those values in your Proxyclick account at Account and Settings > Integrations > SAML (see below).

Select user.email for User Identifier and click on Save.


Download the file Certificate (Base64) and open the Metadata XML to extract the EntityID and SingleSignOnService Location.

Log into Proxyclick. Go to Account and Settings > Integrations > SAML. Click on Activate SAML (if not enabled).

Copy the EntityID to the Issuer field, the SingleSignOnService Location to the SAML 2.0 Endpoint URL field and the content of the Certificate (Base64) to the Certificate field.

Click on Save Changes.
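
One way to pull the values Step 2 asks for out of the Metadata XML and confirm that the downloaded Certificate (Base64) file matches the signing certificate in it. This is an added example, not Proxyclick or Microsoft code. The sample metadata, the idp.example URLs and the certificate bytes are constructed placeholders, and the HTTPS check and fingerprint comparison are added assumptions about what to verify, not steps from this article.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
CERT_PATH = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def read_idp_metadata(xml_text):
    """Return Issuer, endpoint URL and signing-cert fingerprint from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % MD or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata")
    # Several bindings may be listed; refuse to guess if their Locations differ.
    locations = {s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if len(locations) != 1:
        raise ValueError("expected one SingleSignOnService Location, got %r" % sorted(locations))
    endpoint = locations.pop()
    if not endpoint.startswith("https://"):
        raise ValueError("endpoint is not HTTPS: %s" % endpoint)
    cert = idp.find(CERT_PATH, NS)
    if cert is None or not cert.text:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode("".join(cert.text.split()))
    return {"issuer": root.get("entityID"), "endpoint": endpoint,
            "cert_sha256": hashlib.sha256(der).hexdigest()}

def pem_sha256(pem_text):
    """Fingerprint of a Certificate (Base64) file, to compare with the metadata."""
    body = [tok for tok in pem_text.split() if "-----" not in tok]  # drop BEGIN/END markers
    return hashlib.sha256(base64.b64decode("".join(body))).hexdigest()

# Constructed sample input: placeholder bytes, not a real certificate or tenant.
SAMPLE_B64 = base64.b64encode(b"constructed stand-in for DER certificate bytes").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example/constructed-tenant/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{SAMPLE_B64}</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example/constructed-tenant/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example/constructed-tenant/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(read_idp_metadata(SAMPLE_METADATA), pem_sha256(SAMPLE_PEM))
```

If the two fingerprints differ, the certificate file and the metadata come from different applications or signing keys, and sign-in will fail signature validation.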

 

Step 3: Configure user provisioning

Open the Proxyclick app in Azure Active Directory > Enterprise Applications and go to the Provisioning section.


Select Automatic for Provisioning Mode.

Copy the SCIM Base URL to the Tenant URL field and replace /v1 with /v2 at the end of the URL. Copy the SCIM Bearer Token to the Secret Token field. You’ll find those values in your Proxyclick account at Account and Settings > Integrations > User Provisioning (see below).


Click on Save.

Once the settings are saved, go to the Mappings part.


Click on Synchronize Azure Active Directory Groups to customappsso.


Disable group synchronization by selecting No and click on Save.

Close the window to return to the provisioning configuration page.


Click on Synchronize Azure Active Directory Users to customappsso.

Adapt the attribute mappings:

| Azure Active Directory Attribute | customappsso Attribute | Matching precedence | Notes |
| --- | --- | --- | --- |
| mail | userName | 1 | |
| Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | | |
| givenName | name.givenName | | |
| surname | name.familyName | | |
| displayName | name.formatted | | |
| mail | emails[type eq "work"].value | | |
| mobile | phoneNumbers[type eq "mobile"].value | | Make sure this field contains a real mobile number and is in E.164 format. Users with a value in this field that does not satisfy those requirements won’t be provisioned. |

Click on Save.

Close the window to return to the provisioning configuration page and go to the Settings part.


Set Provisioning status to On.

Click on Save.

 

Setting up Azure AD in many locations

Two options are available in that situation:

1) Users will see as many Proxyclick icons as locations they have access to. This option allows users to log in to the right Proxyclick location directly from Azure AD.

2) Users will see only 1 Proxyclick icon. With this option the applications page of your users will not be overloaded with many Proxyclick icons. Users will be logged in to their home location in Proxyclick (they can change the location using the location selector on the left in the top bar in Proxyclick).

Option 1

You’ll need to follow every step described above for every location (1 Proxyclick location = 1 Azure AD application).

Option 2

For User Provisioning, you’ll need to follow steps 1 and 3 described above for every location. In the Properties section of the applications, set Visible to users to No to hide them.

For Single Sign-On, you’ll need to create one additional application in Azure AD and activate SSO (steps 1 and 2 above). This application should not correspond to any physical office; it exists only to manage SSO at the global level. Do NOT provision users in this application. For this application, please leave Visible to users set to Yes.

Send the following 3 elements to support@proxyclick.com: the Entity ID, the SingleSignOnService Location and the Certificate (Base64).

We will then create a so-called “landing location”: a Proxyclick location with the SSO parameters you just sent but without users. Once set up, your users only see one Proxyclick icon leading to the landing location. They will then be immediately routed to their home location. From a user perspective, they will immediately land in their real home location (they do not notice that they first log in to the landing location).

Please let us know if you have any questions. We’re here to help!
