Setting up Single Sign-On (SSO) requires some technical information from the admin settings of your Identity Provider. You will likely need the assistance of the team that manages that system to get that information.
Entra ID is the new name for Azure Active Directory.
Alongside Entra ID, we support the following Identity Providers:
1. How to find the identity provider information
There are two ways to provide this information: you can provide us with your IdP metadata file, or follow the steps below:
1. Navigate to your applications manager in the Azure Admin Portal, then select 'New application':
2. To add ISMS.online as an app, select 'Non-gallery application'. This will prompt you to name the new application; you can then click 'Add'.
3. After creating your App, the first step is to add users and groups to it. Simply click the first step in the 'Getting Started' menu of your App Overview page:
4. Next, click to set up Single Sign-On. On the next page, select the box that says SAML:
5. After that, you'll need to configure access to the ISMS.online live environment by applying the following settings in Entra ID:
If you have already set a custom subdomain, please use the same value for the <ORGANISATION> placeholder below.
- The Assertion Consumer Service (ACS) URL (this is the URL where ISMS.online will receive the response from the identity provider):
https://<ORGANISATION>.isms.online/sso/saml2
- The Entity ID of the live instance of ISMS.online:
https://<ORGANISATION>.isms.online/sso/saml2/sp
For Customers in the APAC Region please use the following settings:
- The Assertion Consumer Service (ACS) URL (this is the URL where ISMS.online will receive the response from the identity provider):
https://<ORGANISATION>.r2.isms.online/sso/saml2
- The Entity ID of the live instance of ISMS.online:
https://<ORGANISATION>.r2.isms.online/sso/saml2/sp
For Customers in the North American Region please use the following settings:
- The Assertion Consumer Service (ACS) URL (this is the URL where ISMS.online will receive the response from the identity provider):
https://<ORGANISATION>.r3.isms.online/sso/saml2
- The Entity ID of the live instance of ISMS.online:
https://<ORGANISATION>.r3.isms.online/sso/saml2/sp
For customers in the European Union (EU) region please use the following settings:
- The Assertion Consumer Service (ACS) URL (this is the URL where ISMS.online will receive the response from the identity provider):
https://<ORGANISATION>.r4.isms.online/sso/saml2
- The Entity ID of the live instance of ISMS.online:
https://<ORGANISATION>.r4.isms.online/sso/saml2/sp
6. This is where you need to apply the new settings, by clicking 'edit'
You can fill in the <ORGANISATION> part with your desired subdomain (e.g. Facebook would likely want their subdomain to be facebook.isms.online).
7. Next step would be to provide us with the following information: (Note: we need the entire URLs, not just the parts that are not blurred.)
In Entra ID:
SSO Target Url = Login URL
Entity ID = Azure AD identifier
7.a If your certificate has expired you must create a 'New Certificate' and then activate it by clicking the three dots and then selecting 'Make Certificate Active'
What we need from you:
- The subdomain you set in the placeholders for section 5 (if not already set on the platform).
- If you have set a custom subdomain on the platform already, you should use the same details.
- The Login URL
- The Azure AD identifier
- The security certificate in Base64 format
Please note, any requests should come initially from an Organisation Admin.
Once you have that, you can either email it to support@isms.online, or reach out to us via the live chat.
2. Mapping Attributes
For your SSO login to work, attributes in Entra ID need to be mapped correctly inside the SSO settings for your ISMS.online app (apps > ISMS.online > Single Sign-On > SAML).
1. Scroll down to Step 2, click 'edit'
2. Your attributes should be mapped in the following way:
3. Next, you need to set the name identifier format to 'persistent'. On the same page, click into the 'Unique User Identifier (Name ID)':
- Also, set Source Attribute to 'user.objectid'
3. Accessing ISMS.online via SSO
Organisations using SSO will access ISMS.online via a sub-domain. This is a change to how you access ISMS.online at the moment.
Rather than going to platform.isms.online, once SSO is activated you will be able to access the system at:
https://<ORGANISATION>.isms.online
This ensures that we can always redirect your users to the correct identity provider when they sign in or access the system for the first time.
4. New User Templates
SSO with ISMS.online comes with an exciting new feature, New User Templates!
This feature will allow you to provision a non-existing SSO user with work areas and access upon their initial login. This is great for admins that want to automate the process of assigning users work when they are created.
See here to find out how to utilise New User Templates.
To note:
- Either the assertion, the response, or both the assertion and the response must be signed
- SHA-1 & SHA-256 algorithms are supported for the signature and digest. We recommend the use of SHA-256 as best practice
- SSO can be initiated from the service provider or the identity provider
- Encrypted assertions are not supported
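As an added example (not ISMS.online's or Microsoft's code), the following Python pre-flight check inspects a SAML response captured from a test login against the requirements listed above, plus the ACS URL, Entity ID and persistent Name ID settings from the earlier steps. The `example` subdomain, the trimmed sample response and all function names are constructed for illustration, and signatures are inspected structurally, not cryptographically verified.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SHA256_SIG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256_DIG = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1 = {NS["ds"] + "rsa-sha1", NS["ds"] + "sha1"}
ALG_TAGS = {"{%s}SignatureMethod" % NS["ds"], "{%s}DigestMethod" % NS["ds"]}
# Constructed values: "example" stands in for <ORGANISATION> (default region URLs).
ACS = "https://example.isms.online/sso/saml2"
ENTITY = ACS + "/sp"
SAMPLE = """<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" xmlns:ds="{ds}"
    Destination="{acs}"><saml:Assertion>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig}"/>
    <ds:Reference><ds:DigestMethod Algorithm="{digest}"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="{fmt}">constructed-id</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></samlp:Response>"""

def sample(sig=SHA256_SIG, digest=SHA256_DIG, fmt=PERSISTENT):
    """Build the constructed sample response with the given algorithms and NameID format."""
    return SAMPLE.format(sig=sig, digest=digest, fmt=fmt, acs=ACS, aud=ENTITY, **NS)

def preflight(response_xml, acs_url, entity_id):
    """Return a list of findings ([] = passed). Structural checks only, no crypto."""
    # Input is a locally captured test response; use defusedxml for untrusted XML.
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        enc = root.find("saml:EncryptedAssertion", NS) is not None
        return ["assertion is encrypted (not supported)" if enc else "no Assertion element"]
    # Only a ds:Signature that is a direct child of the Response or Assertion counts.
    sigs = [s for s in (root.find("ds:Signature", NS),
                        assertion.find("ds:Signature", NS)) if s is not None]
    algs = {e.get("Algorithm") for s in sigs for e in s.iter() if e.tag in ALG_TAGS}
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    checks = [
        (not sigs, "neither response nor assertion is signed"),
        (bool(algs & SHA1), "SHA-1 in use; SHA-256 recommended"),
        (root.get("Destination") != acs_url, "Destination does not match ACS URL"),
        (aud is None or (aud.text or "").strip() != entity_id, "Audience does not match Entity ID"),
        (name_id is None or name_id.get("Format") != PERSISTENT, "NameID format is not persistent"),
    ]
    return [msg for failed, msg in checks if failed]
```

Pass the ACS URL and Entity ID for your own region (for example the r2, r3 or r4 variants above); a mismatch on Destination or Audience usually means the wrong regional URLs were entered in Entra ID.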
If you have any further questions following the completion of your setup, please don’t hesitate to contact the ISMS.online support team at support@isms.online.