[SaaS] Setting up SSO with Azure AD

You can setup Single Sign-On (SSO) for Redwood with all IdPs that both support SAML as well as offer a public metadata URL.

Here the step to do this with Azure Active Directory: 

1. Inside Azure Active Directory, go to Enterprise Applications and click to add a New Application and then click on Create your own application.
   
   
   
   
2. Set the app name you want, check the “Integrate any other application you don't find in the gallery” option and click on Create.
   
   
   
   
3. On the Applications Overview page, click on the Set up single sign on card then choose SAML as the single sign-on method.
   
   
   
   
   
   
4. On the Basic SAML Configuration section, fill in the configuration generated on Remote’s SSO Settings page and click on Save.
   • Identifier (Entity ID) -
     • RunMyJobs (RMJ): runmyjobs.cloud
     • RunMyFinance (RMF): portal.runmyfinance.cloud
   • Reply URL (Assertion Consumer Service URL) -
     
     • RunMyJobs (RMJ): https://portal.runmyjobs.cloud/saml/module.php/saml/sp/saml2-acs.php/<SSOConfName>
     • RunMyFinance (RMF): https://portal.runmyfinance.cloud/saml/module.php/saml/sp/saml2-acs.php/<SSOConfName>
   • Sign on URL (Target URL) -
     
     • RunMyJobs (RMJ): https://portal.runmyjobs.cloud/sso/<SSOConfName>
     • RunMyFinance (RMF): https://portal.runmyfinance.cloud/sso/<SSOConfName>
     
     
     
     Note: <SSOConfName> is define during first step of Configuring SSO in Redwood SaaS portal as seen in screenshot below.
     Example: https://portal.runmyfinance.cloud/saml/module.php/saml/sp/saml2-acs.php/redwood-support-SSOTest
     
     
     
     
5. On the Attributes & Claims section, click on Edit 
   1. Click on Add a group claim
      When prompted, you can decide whether the group claim is always sent, or only for specific groups or assigned users.
      More information can be found in Azure documentation:
      https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-fed-group-claims
      
      Note: for the groups Azure send the Object ID (GUID), this will later need to match SSO Access Group with Redwood
      
      
      
      
   2. Then select Add a new claim (if needed), so that at least following Claim are available:
      • email, example: user.mail or user.primaryauthoritativeemail
      • name which will be displayed, example: user.displayname or user.userprincipalname
      • groups, example: user.groups or user.groups [ApplicationGroups]
        
        
        
        
6. On the SAML Signing Certificate and Setup sections, copy the App federation Metadata URL
   This will be Metadata URL requested in Step 1 when configuring SSO with Redwood SaaS portal.
   
   
   
   
7. Go to Users and groups on the left side menu to assign the users or groups that should have access to Redwood.
   
   
8. You can follow the documentation to activate SSO with Redwood:
   https://docs.runmyjobs.cloud/?latest=SSOGuide