How to configure SAML authentication and provisioning for Azure AD
Written by Eli Gimelraikh
Updated over 5 months ago

Create a new application in Azure AD

  1. Go to Azure Portal

  2. Open your Azure Active Directory management page

  3. Click on "Enterprise Applications"

  4. Click on "New Application"

  5. Click on "Create your own application"

  6. Give it a name and choose the "Integrate any other application you don't find in the gallery (Non-gallery)" option

Set up SSO

ℹ️ In this manual, <baseURL> should be replaced with your instance URL (the one you use when accessing the application from a web browser)

  1. Go to the application overview page, click on "Single sign-on" in the left menu and then click on "SAML"

  2. Set the following values in the "Basic SAML Configuration":

    1. Identifier (Entity ID): NextPlus

    2. Reply URL: <baseURL>/api/UserModels/replayFromAuthProvider

    3. Logout URL: <baseURL>

  3. Next, create a new user claim for groups: click on the "Add a group claim" button and use the Group ID as the source attribute

Configure user provisioning

ℹ️ If Next Plus is installed on an on-premise server and Azure cannot access it, please refer to How to configure on-premise provisioning for Azure AD

  1. Navigate to the Provisioning page and click on the "Get started" button

  2. Set "Provisioning Mode" to "Automatic" and set the following values in the "Admin Credentials" section

    1. Tenant URL: <baseURL>/api/scim

    2. Secret Token: Generated when set up in Next Plus

⚠️ Note that the recommended way to assign users to the application is only through a group that is assigned to the application, not by assigning individual users

Known Limitation

  1. Due to the nature of SAML, when running a workflow that has a multi-signature step, SAML users will not be able to sign unless they are running the workflow while they are logged in.

Troubleshooting

Errors:

⛔ AADSTS7500511: XML attribute 'AssertionConsumerServiceURL' in the SAML message must be a URI.

✅ Please make sure that the NEXTPLUS_SITE_URL environment variable is set correctly and matches the baseURL configured in the Azure application
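Every value entered in Azure above is derived from the same instance base URL, and the error above means Azure rejected the derived Reply URL as a URI. The following preflight check is example code added to this article, not part of Next Plus or Azure AD; it assumes NEXTPLUS_SITE_URL holds the base URL, derives the Azure values from it, flags the base-URL mistakes that yield an invalid Reply URL, and diffs against values read off the portal (the default URL and the portal values are constructed).

```python
"""Preflight check for the Azure AD SAML/SCIM values used in this article."""
import os
from urllib.parse import urlsplit

# Fixed values from the article; only the base URL varies per instance.
ENTITY_ID = "NextPlus"
ACS_PATH = "/api/UserModels/replayFromAuthProvider"
SCIM_PATH = "/api/scim"


def validate_base_url(base_url: str) -> list[str]:
    """Return the problems that would make the derived Reply URL an invalid URI."""
    problems = []
    if base_url != base_url.strip():
        problems.append("leading/trailing whitespace")
    parts = urlsplit(base_url.strip())
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.netloc:
        problems.append("missing host")
    if parts.query or parts.fragment:
        problems.append("query or fragment not allowed")
    if parts.path.endswith("/"):
        problems.append("trailing slash would produce a double slash in the Reply URL")
    return problems


def expected_azure_settings(base_url: str) -> dict:
    """Derive the values that must appear in the Azure application."""
    base = base_url.strip().rstrip("/")
    return {
        "Identifier (Entity ID)": ENTITY_ID,
        "Reply URL": base + ACS_PATH,
        "Logout URL": base,
        "Tenant URL": base + SCIM_PATH,
    }


def compare_with_azure(base_url: str, azure_values: dict) -> dict:
    """Return {setting: (expected, configured)} for every value that differs."""
    expected = expected_azure_settings(base_url)
    return {k: (v, azure_values.get(k)) for k, v in expected.items()
            if azure_values.get(k) != v}


if __name__ == "__main__":
    # Constructed default so the script runs without the variable set.
    url = os.environ.get("NEXTPLUS_SITE_URL", "https://nextplus.example.com")
    for problem in validate_base_url(url):
        print("problem:", problem)
    for name, value in expected_azure_settings(url).items():
        print(f"{name}: {value}")
```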
