Skip to main content

help center

Pay Suite

Submit a request
Submit a request
  1. beqom PaySuite HelpCenter
  2. Technical admin
  3. Authentication

Setting up SAML-based SSO with Azure AD on the customer side

Nolwenn Marjou
  • Last updated:

Setting up SAML-based SSO with Azure AD on the customer side

The Pay Suite application offers several modes of authentication that enable end-users to access the user interface of the application and perform their work in it.

  • Form authentication: authentication using a company name, a username and a password. This is also known as the beqom authentication; i.e. it is the default authentication method that is built-in with the application.

  • SSO (single sign-on): authentication using the customer's own authentication method and enable their end-users to use a single authentication method for most of their work-related tools.

As part of the normal Pay Suite tenant setup process, the information regarding form authentication is provided by beqom.

This article describes the operations that you will need to perform as a beqom customer to configure SAML-based SSO with Microsoft Azure AD for the connection of your end-users to the Pay Suite application.

Preparing the identifier & reply URL for the Enterprise application

The identifier (entity ID) is a unique identifier that is used to identify a specific entity in the SAML authentication and authorization protocal. It is typically a URL or a URI that is assigned to the entity and is used to identify the entity in SAML messages and metadata. The reply URL (Assertion Consumer Service URL), also known as the redirect URI, is a critical component of the OAuth authentication flow. It specifies the URL to which Azure AD will redirect users after they have successfully authenticated. These two pieces of information will be used in the Enterprise application that you need to create to be able to use SAML-based SSO.

To make you that you have this information, you first need to determine the authentication service URL of your environment.

Consider the following example:

https://webapp.uat.accelerate.bqm-weu-aks-imp-1.beqom.dev

This is an note/information message.

You should have received this information from beqom. For more information, please contact your beqom representative.

Based on this URL, you can derive the entity ID by adding /saml at the end of the URL, as follows:

https://webapp.uat.accelerate.bqm-weu-aks-imp-1.beqom.dev/saml

For the Reply URL, add /federation/yourclient/signin at the end of the URL, where <yourclient> is the name of the app you will create in the section Creating an Enterprise non-gallery application.

https://webapp.uat.accelerate.bqm-weu-aks-imp-1.beqom.dev/federation/yourclient/signin

This is an note/information message.

The Entity ID is the identical for the entire environment (staging + production tenants). The Reply URL, however must be different for each SSO configuration. For example, if you have tenant1, tenant2, with SSO configured on both of them, then each must have a unique Reply URL.

Creating an Enterprise non-gallery application

This is an attention message.

The operations outlined in this section must be performed by a user who has administrative rights on Azure Active Directory.

To be able to establish SAML-based SSO authentication, you must create an Azure Active Directory Enterprise application. To configure this application in the Microsoft Azure identity platform application gallery, proceed as follows:

  1. Log into the Azure portal, and then select Azure Active Directory in the left navigation pane.

  2. Select Enterprise applications in Azure Active Directory.

  3. Select New Application, as illustrated in the following figure:

New application creation in Azure AD

  1. Click Create your own application.

  2. Enter the name of your app in the What's the name of your app? field.

  3. Check the Integrate any other appliation you don't find in the gallery (Non-gallery) option, as illystrated in the following figure:

Non-gallery app creation

  1. Select your application to configure single sign-on and under Manage, navigate to Single sign-on on the left pane.

  2. Click SAML as the single sign-on method, as illustrated in the following figure:

Single sign-on configuration

  1. Click Edit to update the basic SAML configuration details.

  2. Enter the Entity ID and the Reply URL obtained in the Preparing the identifier & reply URL for the Enterprise application section of this document.

  3. Click Save. The Enterprise application is now configured and the resulting configuration should look like this:

SAML configuration in the AD Enterprise app

  1. Lastly, get the link to the FederationMetadata.xml file from the application. The link should look like the following example, with different GUIDs:

https://login.microsoftonline.com/363c9387-f81b-4c87-8f64-93d71a8c1e9b/federationmetadata/2007-06/federationmetadata.xml?appid=b6bba571-c8d1-44ec-9836-a84ee443b933

This is an attention message.

You need the link URL; providing the physical XML file will not work.

  1. Transmit the link to beqom. The beom platform team will then use this information to setup the SAML-based SSO access on beqom's side.

Checking the SSO authentication

Once you have received confirmation from the beqom platform team that the SSO is now fully configured, you can now test the SSO authentication.

Upon opening your URL to the application, you should see something like this in the login screen:

Login screen with SSO authentication

Attachments
Was this article helpful?
0 out of 0 found this helpful
Return to top