Sounding Board supports enterprise single sign-on (SSO) access to Sounding Board accounts via Security Assertion Markup Language (SAML). With SSO, users can sign in once using their company sign-in form.
This article contains the following topics:
- How SAML SSO works for Sounding Board
- Enabling SSO
The IT team in a company is usually responsible for setting up and managing the company's SAML authentication system. Their role is to implement SSO for Sounding Board on the system.
Enabling SAML SSO in Azure Active Directory
- To log in with SAML, you must create an Enterprise application in Azure Active Directory.
- Once in your Azure Active Directory, navigate to ‘Enterprise applications’
- Select ‘New Application’
- Select ‘Create your own application’
- Enter ‘Sounding Board’ for the name of your application, and select ‘Integrate any other application you don’t find in the gallery (non-gallery).’ Then, hit create at the bottom of the menu.
- You should be directed to a new page to configure your SAML application. Select ‘Assign Users & Groups.’
- Assign the users or groups you prefer. This will vary based on your company, so we will not provide specific instructions.
- Once you are done assigning the users and groups, click on ‘get started’ under ‘Setup Single Sign On.’
- Select SAML
- You should be brought to a SAML configuration page. Select “Edit” under the “Basic SAML Configuration” section.
- Once you click edit, you should see a menu like this, where we can edit the identifier and the Reply URL:
- Add a unique identifier for the Entity ID; we require “coaching.soundingboardinc.com”, and the reply URL must be “https://sbx-api.soundingboardinc.com/api/auth/saml/callback”. Enter both values exactly as shown, with no extra spaces.
- *If you are setting up SSO in our demo/lower environment, use the following Reply URL instead: https://sbx-api-demo.soundingboardinc.com/api/auth/saml/callback. The URL for the lower environment is https://sbx-demo.soundingboardinc.com/. Our lower environment demo site can't invite users, so users must log in via SSO.
- Click save to close the menu and return to the SAML config screen.
- Next, we need to modify the Attributes and claims:
- We need to modify the ‘Unique User Identifier,’ so click the “…”
- Modify the ‘Name Identifier Format’ to ‘unspecified.’ Then change the source attribute to ‘user.mail’ and click save. Please note that whatever property is set for the source attribute should be the user’s email address.
- Your Sounding Board Implementation Partner will need three pieces of information from this page: *see below for screenshot reference
- The Identifier (Entity ID)
- The Base64 encoded certificate, which Azure provides a link for.
- The Login URL
- Additionally, please let your Sounding Board Implementation Partner know what user email addresses will test the SSO integration. Depending on your company's process, you may need to invite these users to Azure for access.
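An added example, not part of Sounding Board's documentation or tooling: a Python check to run on a decoded SAML assertion from a test sign-in, confirming that the audience, reply URL (Recipient) and NameID match the values configured in the steps above. The `check_assertion` helper and the sample assertion are constructed for illustration, the expected NameID format is assumed to be the standard SAML "unspecified" URN, and the script does not verify the assertion's signature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "coaching.soundingboardinc.com"
REPLY_URLS = {  # compared exactly: a stray space or a wrong host is a failure
    "https://sbx-api.soundingboardinc.com/api/auth/saml/callback",       # production
    "https://sbx-api-demo.soundingboardinc.com/api/auth/saml/callback",  # demo/lower
}
# Standard SAML URN for the 'unspecified' name identifier format (assumed output)
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample assertion (unsigned, trimmed to the fields checked below)
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">pat@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sbx-api-demo.soundingboardinc.com/api/auth/saml/callback"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>coaching.soundingboardinc.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return a list of configuration problems; an empty list means all values match."""
    root = ET.fromstring(xml_text)
    problems = []
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS).strip()
    if audience != ENTITY_ID:
        problems.append(f"Audience is {audience!r}, expected {ENTITY_ID!r}")
    conf = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = conf.get("Recipient", "") if conf is not None else ""
    if recipient not in REPLY_URLS:
        problems.append(f"Recipient {recipient!r} is not a Sounding Board reply URL")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("Subject has no NameID")
    else:
        if name_id.get("Format") != UNSPECIFIED:
            problems.append(f"NameID Format is {name_id.get('Format')!r}")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", (name_id.text or "").strip()):
            problems.append("NameID is not an email address (source should be user.mail)")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE) or "assertion matches the configured values")
```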
Additional information
- Sign-on URL - our app doesn't require this URL
- Relay State - our app doesn't require this URL
- Logout URL - our app doesn't require this URL
- Metadata URL or Exported XML: The main attribute we need to be passed back to us is the user’s email, the unique identifier in the system.
- Our lower environment demo site can't invite users, so users must log in via SSO. The company must let us know the email addresses of the users that plan on testing SSO. Once we turn on SSO, the URL for the lower environment is https://sbx-demo.soundingboardinc.com/.
- The SAML certificate is good for five years.
User SSO Login Screenshot
Note: The user trying to initiate Company Single Sign On must be a user within the Sounding Board Application; this is based on the email address.