Configuring Single Sign-On to IdentityIQ from Microsoft Teams

IdentityIQ's Microsoft Teams notifications feature supports a SAML-based Single Sign-On (SSO) configuration. Enabling SSO for Microsoft Teams and IdentityIQ is optional, but it streamlines the login process for Microsoft Teams users, allowing them to bypass the IdentityIQ login when they click IdentityIQ links in Microsoft Teams.

This is a two-step process that requires configuring SAML SSO within Azure for IdentityIQ, then using some of the parameters from the Azure steps to enable SAML SSO within IdentityIQ.

Single Sign-On Configuration in Azure Active Directory

Details on how to configure Azure components are provided in this guide as an aid to implementers; however, implementers should also consult Microsoft's documentation on Azure and Microsoft Teams to ensure that they have the most accurate and up-to-date information on these platforms. This guide only discusses actions in Azure that are required as part of IdentityIQ's Microsoft Teams Notifications feature, and does not discuss more general Azure concepts or actions that may be part of setting up SSO or Microsoft Teams for your organization.

Follow these steps in Azure for enabling single sign-on from Microsoft Teams to IdentityIQ:

  1. Navigate to your Azure Active Directory home.

  2. Click Add > Enterprise Application.

  3. Click Create your own application.

  4. Enter a Name for your application.

  5. Select Integrate any other application you don't find in the gallery.

  6. Click Create. Once the creation process is complete, Azure opens a Properties page for the application.

  7. Define the users and groups that can use SAML SSO with IdentityIQ:

    1. In the left navigation, click Users and groups.

    2. Click Add users and groups.

    3. Choose the users and groups that you want to be able to use SAML SSO.

    4. Click Select.

    5. Click Assign.

  8. In the left navigation, click Single sign-on.

  9. Click the SAML tile.

  10. In the Basic SAML Configuration section, click Edit.

    1. Add an Identifier (Entity ID). This can be any name, but typically takes the form of a URL (for example, https://myhost:myport/identityiq). This value is used to link Azure and IdentityIQ; make a note of it to use later when configuring SSO within IdentityIQ.

    2. Add a Reply URL (Assertion Consumer Service URL) and enter a URL to your IdentityIQ instance, in this format:

      https://myhost:myport/identityiq/login.jsf

      This URL must be accessible to your Microsoft Teams users on your network.

    3. Enter a Sign on URL to your IdentityIQ instance, in this format:

      https://myhost:myport/identityiq

    4. Do not enter a Logout URL.

    5. Save your changes.

  11. In the User Attributes and Claims section, click Edit. IdentityIQ uses the unique identifier that is specified as the Required Claim's Claim Name to correlate IdentityIQ users to Azure/Microsoft Teams users. By default, Azure uses user.userprincipalname as its unique identifier, but IdentityIQ uses user.objectid by default.

    To use IdentityIQ's default configuration, you must edit this value to change the Source attribute for the claim to user.objectid.

    To edit the claim to use user.objectid as the Source attribute, click Edit.

    1. Click the Claim Name to edit it.

    2. Change the Name Identifier format to Unspecified.

    3. Select user.objectid as the Source attribute.

    4. Save your changes.

  12. In the SAML Signing Certificate section, download and save the Certificate (Base64). You will need this later, when configuring SAML SSO within IdentityIQ.

  13. In the Set up (name) section, make a note of the URLs that are listed. You will need these later, when configuring SAML SSO within IdentityIQ.

Single Sign-On Configuration in IdentityIQ

Follow these steps for enabling single sign-on in IdentityIQ:

  1. Click the gear menu > Global Settings > Login Configuration.

  2. Click the SSO Configuration tab.

  3. Check to select the Enable SAML Based Single Sign-On (SSO) box. This opens a panel for entering SAML Based SSO details.

  4. In the Identity Provider Settings section:

    1. Enter an Entity ID / Issuer. This must match the Azure AD Identifier from the Set up (name) section in Azure. (See step 13 in the previous section.)

    2. Enter a SSO Login URL. This must match the Login URL from the Set up (name) section in Azure. (See step 13 in the previous section.)

    3. Enter your Public X.509 Certificate. This is the certificate you downloaded and saved from the Azure SAML Signing Certificate panel, as described in the previous section.

  5. In the Service Provider (IdentityIQ) Settings section:

    1. Enter an Entity ID Issuer. This must match the Identifier (Entity ID) value you set in Azure in the Basic SAML Configuration panel, as described in the previous section.

    2. Enter a SAML URL. This must match the Reply URL (Assertion Consumer Service URL) you set in Azure in the Basic SAML Configuration panel, as described in the previous section.

    3. Set the SAML Name ID Format to unspecified, if you are using the default identifiers as described in step 11 in the previous section. If you have opted to use a different set of values for uniquely identifying users, select the appropriate value here.

    4. The SAML Correlation Rule manages the correlation of IdentityIQ identities to Azure/Teams identities. IdentityIQ provides a sample rule, ExampleAzureActiveDirectorySAML. This rule is included in the examplerules.xml file, located in the [install_directory]\WEB-INF\config directory. If you are using the recommended default identifiers, you can use the sample rule without modification. If you have opted to use different unique identifiers, you can either edit this rule or use a different rule that you have developed.

  6. Save your changes.
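The values entered in Azure (Basic SAML Configuration and the Required Claim) and in IdentityIQ (Identity Provider and Service Provider settings) must agree exactly, or the assertion Azure posts to the Reply URL will be rejected or correlate to no identity. As an added example that is not part of the SailPoint documentation, the following Python script parses a constructed, unsigned SAML response and reports which configured values do not match it; the tenant ID, hostname, port and object ID are placeholders, and signature verification against the downloaded certificate is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Values as entered on the IdentityIQ SSO Configuration tab (placeholder host and tenant ID).
IIQ_CONFIG = {
    "idp_entity_id": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",  # Azure AD Identifier
    "sp_entity_id": "https://myhost:myport/identityiq",                                # Identifier (Entity ID)
    "acs_url": "https://myhost:myport/identityiq/login.jsf",                            # Reply URL
    "nameid_format": NAMEID_UNSPECIFIED,                                                # SAML Name ID Format
}

# Constructed sample of what Azure AD would post to the Reply URL; not a real response, no signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://myhost:myport/identityiq/login.jsf">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">11111111-2222-3333-4444-555555555555</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://myhost:myport/identityiq/login.jsf"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://myhost:myport/identityiq</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, config):
    """Return (nameid, mismatches). nameid is the value the correlation rule would match against
    (the user.objectid GUID); mismatches lists config keys whose value differs from the response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    confirmation = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    observed = {
        "idp_entity_id": assertion.findtext("saml:Issuer", namespaces=NS),       # must equal Entity ID / Issuer
        "sp_entity_id": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "acs_url": confirmation.get("Recipient"),                                # must equal SAML URL
        "nameid_format": nameid.get("Format"),                                   # must equal SAML Name ID Format
    }
    mismatches = [key for key, value in config.items() if observed.get(key) != value]
    return nameid.text, mismatches
```

Running check_response with a deliberately altered configuration (for example, an emailAddress Name ID format while Azure still sends unspecified) names the offending setting, which is the usual cause of a failed Teams-to-IdentityIQ login.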

For more information on configuring your IdentityIQ instance for SSO authentication, see SSO Configuration.