Assurance SSO | Microsoft Entra ID (formerly Azure AD)
Who is this article for? Administrators who want guidance on setting up SSO in Assurance through Microsoft Entra ID.
Administration Access is required.
Assurance supports Single Sign-On (SSO) through Microsoft Entra ID (formerly known as Microsoft Azure AD). The setup process takes around 15 minutes and involves creating a new enterprise application in Microsoft Entra ID, enabling SAML single sign-on and then configuring SSO in Assurance.
1. How to create a new enterprise application in Microsoft Entra ID?
Enabling SAML single sign-on for an enterprise application in Microsoft Entra ID
To enable SAML single sign-on for an enterprise application in Entra ID, refer to Enable SAML single sign-on for an enterprise application - Microsoft Entra ID. You will be redirected to the Microsoft Learn site.
1. Sign in to the Microsoft Entra admin centre as an Application Administrator.
2. Navigate to Identity -> Applications -> Enterprise applications.
3. Select + New application -> Create your own application -> Integrate any other application you don't find in the gallery (Non-gallery).
4. Enter 'Ideagen Policy Logic Assurance' as the name of the application.
5. On the Single sign-on screen, select SAML as the single sign-on method and configure the following settings.
| Option | Setting |
| Identifier (Entity ID) | Enter the following identifier, replacing '{subdomain}' with your organisation's Assurance subdomain: https://{subdomain}.csassurance.com |
| Reply URL (Assertion Consumer Service URL) | Enter the following reply URL, replacing '{subdomain}' with your organisation's Assurance subdomain: https://{subdomain}.csassurance.com/d/users/auth/saml/callback |
6. On the Single sign-on screen, copy the following values. You will need these when configuring SSO in Assurance later in the setup process.
- App Federation Metadata Url
- Login URL
7. Assign users and groups to the application. We suggest setting up a dynamic group with all users.
2. How to configure SSO in Assurance?
1. Select the Administration cog icon from the navigation bar and then select the Organisation button under the 'General' section.
2. On the Organisation screen, select the Edit button under the 'Details' tab.
3. Under the 'Sign On & Security' section, select the Single Sign On through SAML option.
4. In the fields that appear, update the following values.
| Field | Value |
| Name | Enter a user-facing display name. It will appear in a button that reads 'Sign in using {Name}' on the Login screen. |
| Issuer | Enter the following issuer, replacing '{subdomain}' with your organisation's Assurance subdomain: https://{subdomain}.csassurance.com |
| IDP SSO Target URL | Enter the 'Login URL' value from Entra ID. |
| Federation XML URL | Enter the 'App Federation Metadata Url' value from Entra ID. |
| IDP Certificate SHA1 Fingerprint | (Leave this blank) |
| ID Claim/Name ID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Restrict login to use Single Sign On only | When selected, the email and password fields will be hidden on the login screen. |
5. Select the Update button to save your changes.
6. Sign out of Assurance by selecting your avatar icon from the navigation bar and then selecting the Logout option from your account dropdown menu. You will be directed to the Login screen.
7. Select the button to Sign in using {Name} and verify that SSO is working as expected.
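A pre-flight check for the values entered in sections 1 and 2, useful before selecting 'Restrict login to use Single Sign On only'. This is an added example, not Ideagen or Microsoft code. The dictionary keys, the function name and the sample metadata (with a placeholder tenant ID) are constructed for illustration, and it assumes the Entra 'Login URL' is published as a SingleSignOnService Location in the federation metadata.

```python
import re
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample metadata (placeholder tenant ID), not a real tenant's document.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_sso_settings(subdomain, entra, assurance, metadata_xml):
    """Return a list of mismatches between the two sides; an empty list means consistent.

    The dict keys used here are hypothetical names for the fields on the page.
    """
    # The subdomain must be a single DNS label, not a pasted URL or host name.
    if not re.fullmatch(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?", subdomain):
        return [f"subdomain {subdomain!r} is not a single DNS label"]
    problems = []
    entity_id = f"https://{subdomain}.csassurance.com"
    reply_url = entity_id + "/d/users/auth/saml/callback"
    # Exact string comparison, so a trailing slash or http:// is reported.
    if entra["identifier"] != entity_id:
        problems.append("Entra Identifier (Entity ID) differs from " + entity_id)
    if entra["reply_url"] != reply_url:
        problems.append("Entra Reply URL differs from " + reply_url)
    if assurance["issuer"] != entity_id:
        problems.append("Assurance Issuer differs from " + entity_id)
    if assurance["name_id_format"] != NAMEID_EMAIL:
        problems.append("ID Claim/Name ID Format is not emailAddress")
    # The IDP SSO Target URL should be an endpoint published in the metadata.
    root = ET.fromstring(metadata_xml)
    endpoints = {e.get("Location")
                 for e in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", MD)}
    if assurance["idp_sso_target_url"] not in endpoints:
        problems.append("IDP SSO Target URL is not a SingleSignOnService in the metadata")
    if not assurance["federation_xml_url"].startswith("https://"):
        problems.append("Federation XML URL is not https")
    return problems
```

Pass the metadata downloaded from your own 'App Federation Metadata Url' as `metadata_xml`; any returned message names the field to correct.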
3. Setup assistance
If you require additional assistance with setting up SSO, our Professional Services team is here to help.
Our consultants can assist you with the setup process, ensuring a seamless and efficient integration tailored to your specific needs.
To engage our Professional Services team, please get in touch today, and we will be happy to assist you further.
4. Limitations
4.1. No Assurance user found for email
Symptom
User receives a 'No Assurance user found for email' message when logging in using SSO.
Resolution
Ensure an Assurance account with the corresponding email has been created for the user before trying again.