Create a new application in Azure AD
Go to Azure Portal
Open your Azure Active Directory management page
Click on "Enterprise Applications"
Click on "New Application"
Click on "Create your own application"
Give it a name and choose the "Integrate any other application you don't find in the gallery (Non-gallery)" option
Set up SSO
ℹ️ In this manual, <baseURL> should be replaced with your instance URL (the one you use when accessing the application from a web browser)
Go to the application overview page, click on "Single sign-on" in the left menu and then click on "SAML"
Set the following values in the "Basic SAML Configuration":
Identifier (Entity ID): NextPlus
Reply URL: <baseURL>/api/UserModels/replayFromAuthProvider
Logout URL: <baseURL>
Next, create a new user claim for groups: click on the "Add a group claim" button and use the Group ID as the source attribute
Configure user provisioning
ℹ️ If Next Plus is installed on an on-premise server and Azure cannot access it, please refer to How to configure on-premise provisioning for Azure AD
Navigate to the Provisioning page and click on the "Get started" button
Set "Provisioning Mode" to "Automatic" and set the following values in the "Admin Credentials" section
⚠️ Note that the recommended way to assign users to the application is only through an assigned group
Known Limitation
Due to the nature of SAML, when running a workflow that has a multi-signature step, SAML users will not be able to sign unless they run the workflow while they are logged in.
Troubleshooting
Errors:
⛔ AADSTS7500511: XML attribute 'AssertionConsumerServiceURL' in the SAML message must be a URI.
✅ Please make sure that the NEXTPLUS_SITE_URL environment variable is set correctly and matches the <baseURL> used in the Azure application's Reply URL
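As an added example (not part of this guide or of the Next Plus product), a small Python pre-flight check that reproduces the condition behind this error: it parses the AuthnRequest the service provider sends to Azure and verifies that AssertionConsumerServiceURL is an absolute URI matching the Reply URL derived from NEXTPLUS_SITE_URL, and that the Issuer equals the Entity ID from the guide. The hostname and the sample requests are constructed; the AuthnRequest shape is the minimal SAML 2.0 form, not Next Plus's actual output.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ENTITY_ID = "NextPlus"                                # Identifier (Entity ID) from the guide
ACS_PATH = "/api/UserModels/replayFromAuthProvider"   # Reply URL path from the guide

def expected_reply_url(site_url):
    """Reply URL Azure expects, derived from NEXTPLUS_SITE_URL (<baseURL>)."""
    return site_url.rstrip("/") + ACS_PATH

def is_absolute_uri(value):
    """Azure rejects anything that is not an absolute URI (AADSTS7500511)."""
    parsed = urlparse(value)
    return parsed.scheme in ("https", "http") and bool(parsed.netloc)

def check_authn_request(xml_text, site_url):
    """Return a list of problems found in an SP AuthnRequest; empty means OK."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return ["root element is not samlp:AuthnRequest"]
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or issuer.text != ENTITY_ID:
        problems.append(f"Issuer must equal the Entity ID {ENTITY_ID!r}")
    acs = root.get("AssertionConsumerServiceURL")
    want = expected_reply_url(site_url)
    if acs is None:
        problems.append("AssertionConsumerServiceURL attribute missing")
    elif not is_absolute_uri(acs):
        # This is what an unset or relative NEXTPLUS_SITE_URL produces.
        problems.append(f"AssertionConsumerServiceURL is not a URI: {acs!r}")
    elif acs != want:
        problems.append(f"AssertionConsumerServiceURL {acs!r} != Reply URL {want!r}")
    return problems

def sample_request(acs):
    """Constructed minimal AuthnRequest (hypothetical, for demonstration only)."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
            f'ID="_1" Version="2.0" AssertionConsumerServiceURL="{acs}">'
            f'<saml:Issuer>{ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

SITE_URL = "https://nextplus.example.com"             # constructed stand-in for <baseURL>
GOOD_REQUEST = sample_request(SITE_URL + ACS_PATH)
BAD_REQUEST = sample_request("undefined" + ACS_PATH)  # site URL variable never set

if __name__ == "__main__":
    print(check_authn_request(BAD_REQUEST, SITE_URL))
```

Run it against a captured AuthnRequest (decoded from the SAMLRequest parameter) to confirm the fix before retrying the sign-in.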