Setting up SAML-based SSO with Azure AD on the customer side
The Pay Suite application offers several modes of authentication that enable end-users to access the user interface of the application and perform their work in it.
Form authentication: authentication using a company name, a username and a password. This is also known as the beqom authentication; i.e. it is the default authentication method that is built-in with the application.
SSO (single sign-on): authentication using the customer's own authentication method, enabling their end-users to use a single authentication method for most of their work-related tools.
As part of the normal Pay Suite tenant setup process, the information regarding form authentication is provided by beqom.
This article describes the operations that you will need to perform as a beqom customer to configure SAML-based SSO with Microsoft Azure AD for the connection of your end-users to the Pay Suite application.
Preparing the identifier & reply URL for the Enterprise application
The identifier (entity ID) is a unique identifier that is used to identify a specific entity in the SAML authentication and authorization protocol. It is typically a URL or a URI that is assigned to the entity and is used to identify the entity in SAML messages and metadata. The reply URL (Assertion Consumer Service URL), also known as the redirect URI, is a critical component of the OAuth authentication flow. It specifies the URL to which Azure AD will redirect users after they have successfully authenticated. These two pieces of information will be used in the Enterprise application that you need to create to be able to use SAML-based SSO.
To make sure that you have this information, you first need to determine the authentication service URL of your environment.
Consider the following example:
https://webapp.uat.accelerate.bqm-weu-aks-imp-1.beqom.dev
Based on this URL, you can derive the entity ID by adding /saml at the end of the URL, as follows:
https://webapp.uat.accelerate.bqm-weu-aks-imp-1.beqom.dev/saml
For the reply URL, add /federation/yourclient/signin at the end of the URL, where yourclient is the name of the app you will create in the section Creating an Enterprise non-gallery application.
https://webapp.uat.accelerate.bqm-weu-aks-imp-1.beqom.dev/federation/yourclient/signin
Creating an Enterprise non-gallery application
To be able to establish SAML-based SSO authentication, you must create an Azure Active Directory Enterprise application. To configure this application in the Microsoft Azure identity platform application gallery, proceed as follows:
Log into the Azure portal, and then select Azure Active Directory in the left navigation pane.
Select Enterprise applications in Azure Active Directory.
Select New Application, as illustrated in the following figure:
New application creation in Azure AD
Click Create your own application.
Enter the name of your app in the What's the name of your app? field.
Check the Integrate any other application you don't find in the gallery (Non-gallery) option, as illustrated in the following figure:
Non-gallery app creation
Select your application to configure single sign-on and under Manage, navigate to Single sign-on on the left pane.
Click SAML as the single sign-on method, as illustrated in the following figure:
Single sign-on configuration
Click Edit to update the basic SAML configuration details.
Enter the Entity ID and the Reply URL obtained in the Preparing the identifier & reply URL for the Enterprise application section of this document.
Click Save. The Enterprise application is now configured and the resulting configuration should look like this:
SAML configuration in the AD Enterprise app
Lastly, get the link to the FederationMetadata.xml file from the application. The link should look like the following example, with different GUIDs:
https://login.microsoftonline.com/363c9387-f81b-4c87-8f64-93d71a8c1e9b/federationmetadata/2007-06/federationmetadata.xml?appid=b6bba571-c8d1-44ec-9836-a84ee443b933
Transmit the link to beqom. The beqom platform team will then use this information to set up the SAML-based SSO access on beqom's side.
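The following script is an added example, not code from beqom or from this article. It covers two checks a customer admin may want before sending anything to the platform team: it derives the entity ID and reply URL from the service URL exactly as described in the section Preparing the identifier & reply URL for the Enterprise application (rejecting an http URL, a URL that already carries a path, or a client name that is not a single path segment), and it validates the FederationMetadata.xml link from this section (host, path shape, and well-formed tenant and app GUIDs). It also parses a constructed sample of IdP metadata to pull out the values a service provider consumes: the IdP entity ID, the HTTP-Redirect sign-on endpoint, and the signing certificate. The function names, the sample metadata document and the placeholder certificate bytes are assumptions made for this example; the GUIDs are the ones shown in the article's example link.

```python
"""Pre-flight checks for a SAML SSO request (added example, not beqom's code)."""
import base64
import re
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

# Namespaces used by SAML 2.0 metadata and XML-DSig.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
_CLIENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")
_META_PATH_RE = re.compile(
    r"^/([0-9a-fA-F-]{36})/federationmetadata/2007-06/federationmetadata\.xml$"
)


def derive_sp_urls(service_url: str, client_name: str) -> dict:
    """Entity ID = base URL + /saml; reply URL = base URL + /federation/<client>/signin."""
    parsed = urlparse(service_url)
    if parsed.scheme != "https":
        raise ValueError("service URL must use https")
    if parsed.path not in ("", "/") or parsed.query or parsed.fragment:
        raise ValueError("service URL must be the bare host, with no path or query")
    if not _CLIENT_RE.match(client_name):
        raise ValueError("client name must be a single plain path segment")
    base = f"{parsed.scheme}://{parsed.netloc}"
    return {
        "entity_id": f"{base}/saml",
        "reply_url": f"{base}/federation/{client_name}/signin",
    }


def parse_metadata_link(link: str) -> dict:
    """Extract and validate the tenant ID and app ID from an Azure AD metadata link."""
    parsed = urlparse(link)
    if parsed.scheme != "https" or parsed.netloc != "login.microsoftonline.com":
        raise ValueError("unexpected metadata host")
    match = _META_PATH_RE.match(parsed.path)
    if not match:
        raise ValueError("unexpected metadata path")
    appid = parse_qs(parsed.query).get("appid", [None])[0]
    if appid is None:
        raise ValueError("appid query parameter missing")
    # uuid.UUID raises ValueError on a malformed GUID.
    return {"tenant_id": str(uuid.UUID(match.group(1))), "app_id": str(uuid.UUID(appid))}


def parse_idp_metadata(xml_text: str) -> dict:
    """Read IdP entity ID, HTTP-Redirect SSO endpoint and signing certs from metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect":
            sso_url = svc.get("Location")
    if sso_url is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService in metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # absent 'use' means both signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode(cert.text.strip(), validate=True))  # DER bytes
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "signing_cert_count": len(certs)}


# Constructed sample inputs (hypothetical; GUIDs taken from the article's example link).
SERVICE_URL = "https://webapp.uat.accelerate.bqm-weu-aks-imp-1.beqom.dev"
TENANT_ID = "363c9387-f81b-4c87-8f64-93d71a8c1e9b"
APP_ID = "b6bba571-c8d1-44ec-9836-a84ee443b933"
METADATA_LINK = (
    f"https://login.microsoftonline.com/{TENANT_ID}/federationmetadata/2007-06/"
    f"federationmetadata.xml?appid={APP_ID}"
)
_PLACEHOLDER_CERT = base64.b64encode(b"placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{_PLACEHOLDER_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(derive_sp_urls(SERVICE_URL, "yourclient"))
    print(parse_metadata_link(METADATA_LINK))
    print(parse_idp_metadata(SAMPLE_METADATA))
```

The derivation is strict on purpose: a trailing slash is tolerated, but a service URL with a path component or an http scheme is rejected, since an entity ID or reply URL built from either would not match what the application expects. The metadata parser only confirms that a signing certificate is present and base64-decodes it; inspecting the certificate's validity period is a further check that would need an X.509 library and is left out here.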
Checking the SSO authentication
Once you have received confirmation from the beqom platform team that the SSO is fully configured, you can test the SSO authentication.
Upon opening your URL to the application, you should see something like this in the login screen:
Login screen with SSO authentication