Skip to Content

Azure AD SAML 2.0

Introduction

Important

Azure Active Directory (Azure AD) is now known as Microsoft Entra ID.

Harmony supports single sign-on (SSO) with Microsoft Azure Active Directory (Azure AD) using SAML 2.0. This page shows how to set up and test Harmony SSO with Azure AD by following these steps:

  1. Set Up a SAML Application in Azure AD
    Configure Harmony as an application in the Microsoft Azure portal. As part of this process, you will also obtain the identity provider metadata and assign users to the application.
  2. Construct the Service Provider Metadata
    Construct the service provider metadata you will need to use as input for configuring SSO in Harmony.
  3. Configure SSO in Harmony
    Configure and test Azure AD as the SSO provider in the Harmony Portal. You will need to use the identity provider metadata and service provider metadata obtained in the previous steps.
  4. Test SSO in Azure AD
    Finally, test from within the Microsoft Azure portal to confirm that SSO is working.

After SSO is configured in both Azure AD and Harmony, members of your Harmony organization will be able to use their Azure AD credentials to log in to Harmony.

For additional information, see Microsoft's Single sign-on SAML protocol documentation.

Prerequisites

To set up Azure AD as an identity provider, Microsoft Azure AD Premium P2 edition is required.

SAML and Callback URLs

During configuration, the SAML and callback URLs referenced throughout this page should be replaced with the URL values appropriate for your region (see Finding My Region).

SAML URLs

  • NA: https://na-east.jitterbit.com/jitterbit-cloud-mgmt-console/saml
  • EMEA: https://emea-west.jitterbit.com/jitterbit-cloud-mgmt-console/saml
  • APAC: https://apac-southeast.jitterbit.com/jitterbit-cloud-mgmt-console/saml

Callback URLs

  • NA: https://na-east.jitterbit.com/jitterbit-cloud-mgmt-console/login/studio/callback
  • EMEA: https://emea-west.jitterbit.com/jitterbit-cloud-mgmt-console/login/studio/callback
  • APAC: https://apac-southeast.jitterbit.com/jitterbit-cloud-mgmt-console/login/studio/callback

1. Set Up a SAML Application in Azure AD

Follow these steps to set up Harmony as a SAML application in the Microsoft Azure portal. As part of this process, you will also obtain the identity provider metadata and assign users to the application.

  1. Log in to the Microsoft Azure portal.

  2. In the Microsoft Azure portal, go to the Enterprise applications blade and click New application:

    attachment

  3. On the Add an application screen under Add your own app, select Non-gallery application:

    attachment

  4. On the Add your own application screen, enter a name for the new application, such as Jitterbit. Then click Add:

    attachment

  5. On the Overview screen for the new application, under the Manage category on the left, select Single sign-on:

    attachment

  6. On the Single sign-on screen for the new application, under Select a single sign-on method, select SAML:

    attachment

  7. On the SAML-based Sign-on screen, edit the first step, Basic SAML Configuration:

    attachment

  8. On the Basic SAML Configuration screen, enter the following into these configuration fields, then click Save and close. For more information about each parameter, see the Microsoft Azure documentation Configure SAML-based single sign-on.

    attachment

    • Identifier (Entity ID): Enter the SAML URL for the Harmony region (see SAML URLs). The Default checkbox should be selected.
    • Reply URL (Assertion Consumer Service URL): On separate lines, enter the callback and SAML URLs for the Harmony region (see SAML and Callback URLs). The Default checkbox should be selected for the SAML URL.

  9. On the SAML-based Sign-on screen, edit the second step, User Attributes & Claims:

    attachment

  10. By default, Microsoft Azure uses the user.userprincipalname as the identifier, which is onemicrosoft.com. This needs to be updated to user.mail. To open the claim for modifying, click the row with a Claim name of Unique User Identifier (Name ID):

    attachment

  11. On the Manage claim screen, change the Source attribute field from user.userprincipalname to user.mail. Then click Save and close.

    attachment

  12. On the SAML-based Sign-on screen, in the third step, SAML Signing Certificate, download the Federation Metadata XML. (You will need this metadata when configuring SSO in Harmony for the Identity Provider Metadata field.)

    Important

    Multiple certificate definitions (<X509Data> elements) in the metadata are supported with agents version 10.84 / 11.22 and later.

    attachment

  13. Under the Manage category on the left, select Users and groups. Then click Add user and and add each member of the Harmony organization that will log in to Harmony using Azure AD credentials. Repeat for each user.

    attachment

  14. After adding each user, provide an Alternate email that matches the Harmony username.

    Note

    These users also need to be members of the Harmony organization with SSO enabled, as described under Add New Members in Register and Log In Using Harmony SSO.

    attachment

2. Construct the Service Provider Metadata

Use these instructions to construct the input for the Service Provider Metadata field required for configuring SSO in Harmony.

WMC

This section shows how to construct the XML metadata for the Harmony Portal, to be entered for the WMC client.

Note

Although the user interface refers to WMC (the former name for the Management Console), the WMC Harmony client configuration applies to all of the web-based products accessible via the Harmony Portal.

Use the sample provided below, replacing the values for entityID and Location with the SAML URL for the Harmony region (see SAML URLs).

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://na-east.jitterbit.com/jitterbit-cloud-mgmt-console/saml">
    <md:SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:AssertionConsumerService index="1" isDefault="true"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://na-east.jitterbit.com/jitterbit-cloud-mgmt-console/saml"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

Studio

This section shows how to construct the XML metadata for Design Studio, to be entered for the Studio client.

Use the sample provided below, replacing the value for entityID with the SAML URL and the value for Location with the callback URL for the Harmony region (see SAML and Callback URLs).

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://na-east.jitterbit.com/jitterbit-cloud-mgmt-console/saml">
    <md:SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:AssertionConsumerService index="1" isDefault="true"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://na-east.jitterbit.com/jitterbit-cloud-mgmt-console/login/studio/callback"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

3. Configure SSO in Harmony

Follow the instructions for Configure SSO in the Management Console. When entering information into the Edit Organization SSO Provider Info screen, use the values obtained above:

attachment

Click Test Configuration for each Harmony client and then click Save. Both clients need to be successfully tested before the Save button becomes enabled.

4. Test SSO in Azure AD

Test from within the Microsoft Azure portal to confirm that SSO is working. If you still have the browser open from creating the SAML application, you can begin at step 4 below.

  1. Log in to the Microsoft Azure portal.

  2. Go to the Enterprise applications blade and click the SAML application you just created.

  3. Under the Manage category on the left, select Single sign-on.

  4. On the SAML-based Sign-on screen, in the fifth step, Test single sign-on with \<Application>, click Test:

    attachment

  5. In the next screen, click Sign in as current user:

    attachment

  6. If the test is successful, the response will indicate that Azure AD has successfully issued a token (SAML response) to the application (service provider):

    attachment