How to configure SAML authentication and provisioning for Azure AD
Written by Eli Gimelraikh
Updated over 3 weeks ago

Create a new application in Azure AD

  1. Go to Azure Portal

  2. Open your Azure Active Directory management page

  3. Click on "Enterprise Applications"

  4. Click on "New Application"

  5. Click on "Create your own application"

  6. Give it a name and choose the "Integrate any other application you don't find in the gallery (Non-gallery)" option

Set up SSO

ℹ️ In this manual, <baseURL> should be replaced with your instance URL (the one you use when accessing the application from a web browser)

  1. Go to the application overview page, click on "Single sign-on" in the left menu, and then click on "SAML"

  2. Set the following values in the "Basic SAML Configuration":

    1. Identifier (Entity ID): NextPlus

    2. Reply URL: <baseURL>/api/UserModels/replayFromAuthProvider

    3. Logout URL: <baseURL>

  3. Next, click on the "Add a group claim" button to create a new user claim for groups, using the Group ID as the source attribute

Roles and Azure AD Group Mapping

In Next Plus, roles determine what users can do within the application. When configuring your Azure AD integration, you can map these roles to corresponding Azure AD groups:

  1. Sysadmin

    • Description: Has unrestricted access to every aspect of Next Plus.

    • Typical Users: IT or IS teams who need full permissions for configuration, data integration, and advanced system oversight.

  2. Admin

    • Description: Responsible for managing Next Plus settings, user accounts, and high-level administration tasks.

    • Typical Users: IT or IS teams with a focus on setting up and maintaining user permissions, backups, and core system policies.

  3. Editor

    • Description: Maintains and creates instructional content, forms, workflows, and dashboards.

    • Typical Users: Engineering, R&D teams, technical writers, and anyone overseeing the creation or revision of SOPs, forms, and data reports.

  4. Operator

    • Description: Performs daily tasks using Next Plus, such as completing work orders, filling forms, and following SOPs on the shop floor.

    • Typical Users: Front-line workers, team leaders, production managers, quality control staff, or subcontractors who need to report progress.

  5. Viewer

    • Description: Limited to viewing or reading SOPs, reports, and audits; cannot edit or submit new data.

    • Typical Users: Audit personnel, managers, or executives who need read-only access to dashboards and instructions.

For more information about roles and permissions please refer to the User Permission Levels Guide.
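The following is an added example, not code from Next Plus or Microsoft, showing how the group claim created above can be turned into one of the five roles listed here. It parses the Azure AD group claim (Azure's default claim name when "Add a group claim" emits Group IDs) out of a SAML assertion, maps the group object IDs to roles through a table, and, when a user belongs to several mapped groups, grants the most privileged one; a user with no mapped group gets no role. The group IDs, the mapping table and the sample assertion are constructed placeholders, and the assertion is assumed to have had its signature verified before it reaches this code.

```python
# Added example (not Next Plus or Microsoft code): resolve a Next Plus role from the
# Azure AD group claim carried in a SAML assertion. The group IDs and the mapping
# table are constructed placeholders; only the claim name is Azure AD's real default.
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default attribute name Azure AD uses for the group claim when Group ID is the source.
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Roles ordered from most to least privileged, as described in this guide.
ROLE_RANK = {"Sysadmin": 0, "Admin": 1, "Editor": 2, "Operator": 3, "Viewer": 4}

# Hypothetical mapping of Azure AD group object IDs to Next Plus roles (constructed GUIDs).
GROUP_TO_ROLE = {
    "11111111-1111-1111-1111-111111111111": "Sysadmin",
    "22222222-2222-2222-2222-222222222222": "Editor",
    "33333333-3333-3333-3333-333333333333": "Operator",
    "44444444-4444-4444-4444-444444444444": "Viewer",
}

# Constructed, unsigned sample assertion carrying two group IDs for one user.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject><saml:NameID>operator@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
      <saml:AttributeValue>44444444-4444-4444-4444-444444444444</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_group_ids(assertion_xml: str) -> List[str]:
    """Return the Group ID values from the Azure AD group claim of a SAML assertion.

    Assumes the assertion's XML signature was already verified by the SAML library;
    this function only reads attribute values.
    """
    root = ET.fromstring(assertion_xml)
    ids: List[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != GROUP_CLAIM:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                ids.append(value.text.strip())
    return ids


def resolve_role(group_ids: Iterable[str]) -> Optional[str]:
    """Pick the most privileged mapped role; None (deny by default) if no group is mapped."""
    roles = {GROUP_TO_ROLE[g] for g in group_ids if g in GROUP_TO_ROLE}
    if not roles:
        return None
    return min(roles, key=ROLE_RANK.__getitem__)


if __name__ == "__main__":
    groups = extract_group_ids(SAMPLE_ASSERTION)
    print("groups in claim:", groups)
    print("resolved role:", resolve_role(groups))
```

Denying when no mapped group is present, rather than falling back to Viewer, keeps the "assign through groups" recommendation later in this guide enforceable: a user who is in the application but in none of the mapped groups gets nothing until an administrator places them in one.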

Configure user provisioning

ℹ️ If Next Plus is installed on an on-premise server and Azure cannot access it, please refer to How to configure on-premise provisioning for Azure AD

  1. Navigate to the Provisioning page and click on the "Get started" button

  2. Set "Provisioning Mode" to "Automatic" and set the following values in the "Admin Credentials" section

    1. Tenant URL: <baseURL>/api/scim

    2. Secret Token: Generated when set up in Next Plus

⚠️ Note that the recommended way to assign users to the application is only through an assigned group, not by assigning individual users

Known Limitation

  1. Due to the nature of SAML, when running a workflow that has a multi-signature step, SAML users will not be able to sign unless they are running the workflow while they are logged in.

Troubleshooting

Errors:

⛔ AADSTS7500511: XML attribute 'AssertionConsumerServiceURL' in the SAML message must be a URI.

✅ Please make sure that NEXTPLUS_SITE_URL environment variable is set correctly and matches the baseURL of the Azure Application
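As an added example that is not Next Plus code, the script below takes a base URL (the NEXTPLUS_SITE_URL value) and derives the three Azure-side values this guide asks for, the Reply URL and Logout URL from the SSO section and the SCIM Tenant URL from the provisioning section, using the exact paths given above. It also reports why a value would not be accepted as a URI (no scheme, no host, stray whitespace) and whether the Reply URL that Azure holds matches the one the environment variable yields, which is the mismatch the AADSTS7500511 entry above points at. The hostnames are constructed; only the paths come from this guide.

```python
# Added example (not Next Plus or Microsoft code): derive the Azure SAML/SCIM URLs
# from a base URL and check a NEXTPLUS_SITE_URL value against the Reply URL in Azure.
# Paths come from this guide; the example hostnames are constructed.
from typing import Dict, List
from urllib.parse import urlsplit

REPLY_PATH = "/api/UserModels/replayFromAuthProvider"   # Reply URL (ACS) path
SCIM_PATH = "/api/scim"                                  # Provisioning Tenant URL path


def derive_urls(base_url: str) -> Dict[str, str]:
    """Build the values to paste into Azure from <baseURL>, tolerating a trailing slash."""
    base = base_url.strip().rstrip("/")
    return {
        "reply_url": base + REPLY_PATH,
        "logout_url": base,
        "tenant_url": base + SCIM_PATH,
    }


def uri_problems(url: str) -> List[str]:
    """Reasons a value would fail Azure's 'must be a URI' requirement."""
    value = url.strip()
    if not value:
        return ["empty value"]
    problems: List[str] = []
    if any(ch.isspace() for ch in value):
        problems.append("contains whitespace")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        problems.append("missing or unsupported scheme (expected http or https)")
    if not parts.netloc:
        problems.append("missing host")
    return problems


def _normalize(url: str) -> str:
    """Compare URLs on scheme and host case-insensitively, ignoring a trailing slash."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"


def check_site_url(site_url: str, azure_reply_url: str) -> List[str]:
    """Return findings for a NEXTPLUS_SITE_URL value against the Reply URL set in Azure.

    An empty list means the environment variable yields exactly the Reply URL Azure has.
    """
    findings = [f"NEXTPLUS_SITE_URL: {p}" for p in uri_problems(site_url)]
    if findings:
        return findings  # nothing sensible can be derived from a malformed base URL
    expected = derive_urls(site_url)["reply_url"]
    if _normalize(expected) != _normalize(azure_reply_url):
        findings.append(
            f"Reply URL mismatch: Azure has {azure_reply_url!r} but "
            f"NEXTPLUS_SITE_URL yields {expected!r}"
        )
    return findings


if __name__ == "__main__":
    # Constructed example values; replace with your own instance URL.
    site = "https://nextplus.example.com/"
    for name, value in derive_urls(site).items():
        print(f"{name}: {value}")
    print(check_site_url("http://nextplus.example.com",
                         "https://nextplus.example.com" + REPLY_PATH))
```

Run it with the instance URL you set in NEXTPLUS_SITE_URL and the Reply URL copied from the Azure "Basic SAML Configuration" page; a scheme difference (http on one side, https on the other) or a mistyped host shows up as a single mismatch line, while a base URL without a scheme is reported before any comparison is attempted.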
