In this article, we’ll guide you on how to integrate EZOfficeInventory with Azure Active Directory (AD). When you integrate EZOfficeInventory with Azure AD, you can:
- Control in Azure AD who has access to EZOfficeInventory.
- Enable your users to be automatically signed-in to EZOfficeInventory with their Azure AD accounts.
- Manage your accounts in one central location i.e. the Azure portal.
To learn more about Single Sign-on with Azure AD, click here.
1. Prerequisites
To get started, you will require the following items:
- An Azure AD subscription. If you don’t have a subscription, you can get a free account.
- EZOfficeInventory single sign-on (SSO) enabled subscription.
2. Scenario Description
In this support blog, you configure and test Azure AD SSO in a test environment.
- EZOfficeInventory supports Service Provider initiated SSO.
- EZOfficeInventory supports Just In Time user provisioning.
Note: The identifier of this application is a fixed string value so only one instance can be configured in one tenant.
3. Adding EZOfficeInventory from Gallery
In order to configure the integration of EZOfficeInventory into Azure AD, you need to add EZOfficeInventory from the Azure Gallery to your list of managed SaaS apps.
1. Sign in to the Azure portal by using either your work or school account, or a personal Microsoft account.
2. On the left navigation pane, go to the ‘Azure Active Directory’ service.
3. Next, navigate to ‘Enterprise Applications’.
4. Here you have to select ‘All Applications’.
5. To add a new application, click on ‘New application’.
6. In the Browse Azure AD Gallery section, type ‘EZOfficeInventory’ in the search box.
7. Choose EZOfficeInventory from the results panel and then add the app by clicking on ‘Create’.
Wait a few seconds for the app to be added to your tenant.
4. Configure and Test Azure Single Sign-On for EZOfficeInventory
Configure and test Azure AD SSO with EZOfficeInventory using a test user; let’s call him Rose Holt. For SSO to work correctly, you need to establish a link relationship between an Azure AD user and the related user in EZOfficeInventory.
To configure and test Azure AD SSO with EZOfficeInventory, complete the following building blocks:
- Configure Azure AD SSO to allow your users to use this feature.
- Create an Azure AD test user to test Azure AD single sign-on with Rose Holt.
- Assign the Azure AD test user to allow Rose Holt to use Azure AD single sign-on.
- Configure EZOfficeInventory SSO to configure the single sign-on settings on the EZOfficeInventory application side.
- Create an EZOfficeInventory test user to have a counterpart of Rose Holt in EZOfficeInventory that is linked to the Azure AD representation of a user.
- Test SSO to verify whether the configuration is working.
5. Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the EZOfficeInventory application integration page, go to the Manage section and select ‘Single sign-on’.
2. From the Select a single sign-on method page, select ‘SAML’.
3. On the Set up single sign-on with SAML page, click the ‘Edit’ button for Basic SAML Configuration to edit the settings.
4. In the Basic SAML Configuration section, users have two options:
4.1. Service Provider Initiated configuration:
Type the following in these data fields:
- Identifier (Entity ID): ezofficeinventory.com
- Reply URL (Assertion Consumer Service URL): https://<SUBDOMAIN>.ezofficeinventory.com/users/auth/saml/callback
- Sign-on URL: https://<SUBDOMAIN>.ezofficeinventory.com/users/sign_in
Note: Replace the “subdomain” text with the subdomain in your company’s EZOfficeInventory account URL. You can also contact the EZOfficeInventory team at support@ezofficeinventory.com for this value. Refer to the patterns displayed in the Basic SAML Configuration section in the Azure portal for additional fields. Save the consumer service URL for section 6.2.
4.2 IDP Initiated Configuration:
To let users sign in directly when the flow is initiated from the IdP (Azure AD), change the Sign-on URL in Azure AD to “https://<SUBDOMAIN>.ezofficeinventory.com/users/auth/saml”.
5. EZOfficeInventory application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The screenshot below shows the list of default attributes. Click ‘Edit’.
Copy the claim name URLs for user.givenname, user.surname, and user.mail and paste them onto the Attributes fields required in Step 5 of Section 6.3.
6. In addition to the above, the EZOfficeInventory application expects a few more attributes to be passed back in the SAML response (shown below). These attributes are also pre-populated but you can review them according to your requirements.
7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click on the ‘Add Certificate’ button, go to Certificate (Base64), select ‘Download’ to download the certificate, and save it on your computer for Step 2 of Section 6.3.
8. On the ‘Set up EZOfficeInventory’ section, copy the Login URL for Step 1 of Section 6.3.
5.1 Create an Azure AD test user
In this section, you’ll create a test user called Rose Holt in the Azure portal.
1. From the left pane in the Azure portal, go to Azure Active Directory, select Users, and then select All users.
2. Select ‘New user’ at the top left of the screen.
3. In the User properties, follow these steps:
- In the Name field, enter ‘Rose Holt’.
- In the User name field, enter the username@companydomain.extension. For example, ‘roseholt@ezo.io’.
- Check the Show password box, and then write down the value that’s displayed in the Password box.
- Hit ‘Create’.
5.2 Assign the Azure AD test user
In this section, you’ll enable Rose Holt to use Azure single sign-on by granting access to EZOfficeInventory.
1. In the Azure portal, go to Enterprise Applications, and then select All applications.
2. In the list of applications, select EZOfficeInventory.
3. In the app’s overview page, go to the Manage section, and select ‘Users and groups’.
4. Select ‘Add User’, then click on Users and Groups in the Add Assignment dialog.
5. In the Users and Groups dialog, choose Rose Holt from the Users list, then click the ‘Select’ button at the bottom of the screen.
6. If you want to display any role value in the SAML assertion, in the Select Role dialog, select the appropriate role for the user from the list and then click the Select button at the bottom of the screen.
7. In the Add Assignment dialog box, click the ‘Assign’ button.
6. Configure EZOfficeInventory SSO
Once you have set up the EZOfficeInventory app on your preferred SAML identity provider i.e. Azure AD in this example, configure the settings in EZOfficeInventory from Settings → Add Ons → SAML Integration.
6.1 Whitelisting the IPs on SAML
Some identity providers require IPs to be whitelisted. Ensure that the following two IPs are whitelisted in your SAML settings:
1. 54.221.243.145
2. 50.16.201.234
6.2 Add EZOfficeInventory consumer service URL to your SAML settings in Azure AD
You can obtain the EZOfficeInventory consumer service URL from Settings → Add Ons → SAML Integration:
https://<Your Company Subdomain>.ezofficeinventory.com/users/auth/saml/callback
Copy and paste the EZOfficeInventory consumer service URL in the Reply URL field from section 4.1.
6.3 Fill in the configuration settings
You need to configure the following information in your EZOfficeInventory’s account (see image below to identify the fields):
1. Unique Identity Provider URL: Find and copy your Login URL from Step 8 of Section 5 (see the image below). You will be required to paste this link in the ‘Identity Provider URL’ field while configuring EZOfficeInventory for SAML Integration.
2. Identity Provider Certificate: This certificate is unique for every Account Owner and is provided by the identity provider. Copy the text from the Certificate (Base64) file that you downloaded and saved in Step 7 of Section 5 (see image below).
EZOfficeInventory will use this certificate to validate the response from your identity provider, allowing the user to log in using SAML.
Note: Paste the certificate into the certificate field in exactly the format below so that EZOfficeInventory can validate your identity provider’s certificate without error:
-----BEGIN CERTIFICATE-----
your certificate details here
-----END CERTIFICATE-----
3. Login Button Text: By default, it’s labeled as ‘Access through SAML SSO’. You can rename it to any other preferred text e.g. Access using Rose Holt Corp Login.
4. Clock Drift: A tolerance of a few seconds for small clock differences between the identity provider and EZOfficeInventory (for example when different time zones are involved), so that a response generated by a server whose clock is slightly off remains valid.
5. Attributes required for SAML configuration: The Last Name and Email attributes must be present for EZOfficeInventory. These attributes/parameters have to be sent to EZOfficeInventory by your identity provider. In Azure AD, you can copy these parameters from Steps 5 and 6 of Section 5. Map these parameters in EZOfficeInventory: if your Last Name attribute in SAML is last_name, then fill in ‘last_name’ against the Last Name field. The same format has to be followed for the Email.
6. EZOfficeInventory Role by default: This option enables you to add users as either Administrators or Staff Users.
Scroll to the top of the Add Ons page in EZOfficeInventory settings, and click ‘Update’. You now have a SAML-enabled EZOfficeInventory account.
This is how your SAML configuration settings should look like at the end:
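As an added example (not code from the original article or from the EZOfficeInventory product), this Python script shows what the settings in Steps 2, 4 and 5 above correspond to on the service-provider side: it rewraps a downloaded Base64 certificate into the required BEGIN/END format, applies a Clock Drift tolerance to an assertion’s NotBefore/NotOnOrAfter window, and reads the Last Name and Email attributes by their claim URIs. The claim URIs are Azure AD’s standard defaults for user.surname and user.mail, and the sample assertion is constructed for the Rose Holt test user.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Azure AD's standard claim URIs for user.surname and user.mail: these are the names
# that go into EZOfficeInventory's Last Name and Email attribute fields.
ATTRIBUTE_MAP = {
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}

def to_pem(raw: str) -> str:
    """Rewrap a downloaded Base64 certificate into the BEGIN/END format the
    certificate field expects; raises binascii.Error if the body is not Base64."""
    body = "".join(l.strip() for l in raw.splitlines() if not l.strip().startswith("-----"))
    base64.b64decode(body, validate=True)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"

def parse_saml_time(value: str) -> datetime:
    # SAML timestamps are UTC ("...Z"); make them timezone-aware for comparison.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def within_validity_window(assertion_xml: str, now: datetime, clock_drift: int) -> bool:
    """Apply the Clock Drift setting: widen NotBefore/NotOnOrAfter by clock_drift
    seconds so a slightly skewed identity-provider clock does not reject the response."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    drift = timedelta(seconds=clock_drift)
    return (parse_saml_time(cond.get("NotBefore")) - drift <= now
            < parse_saml_time(cond.get("NotOnOrAfter")) + drift)

def extract_attributes(assertion_xml: str, mapping: dict) -> dict:
    """Look up each mapped claim URI in the AttributeStatement; a required
    attribute that the identity provider did not send comes back as None."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for field, claim_uri in mapping.items():
        node = root.find(f".//saml:Attribute[@Name='{claim_uri}']/saml:AttributeValue", NS)
        out[field] = node.text if node is not None else None
    return out

# Constructed sample assertion for the Rose Holt test user, not a captured response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Conditions NotBefore="2024-01-01T11:55:00.000Z" NotOnOrAfter="2024-01-01T13:00:00.000Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Holt</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>roseholt@ezo.io</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

A response whose surname or email claim is missing yields None for that field, which is the situation the Last Name and Email mapping in Step 5 exists to avoid.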
6.4 Create EZOfficeInventory test user
In this section, a user named Rose Holt is created in EZOfficeInventory. EZOfficeInventory supports just-in-time user provisioning, which is enabled by default, so there is no action item for you in this section. If a user doesn’t already exist in EZOfficeInventory, a new one is created after authentication.
7. Test SSO
In this section, you will be able to test your Azure AD single sign-on configuration using the Access Panel.
When you click the EZOfficeInventory tile in the Access Panel, you should be automatically signed in to the EZOfficeInventory for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Note: User provisioning via multiple sources is not supported at the moment.
Read more: How to Implement User Provisioning via SCIM with Azure AD in EZOfficeInventory
8. Troubleshooting
Trying to set up SSO with two EZOfficeInventory tenants. How to set it up and how would this work?
Users sometimes have two EZOfficeInventory subdomains that they want to integrate with Azure AD SSO. Two separate apps are not possible, because the Entity ID must be unique within a single Azure tenant, so ezofficeinventory.com can’t be used as the Entity ID twice. The solution is to add multiple Reply URLs to the same app in Azure AD.
Both EZOfficeInventory tenants (subdomains) will then work with the same Azure app. In the Azure app you can add all the users you want to sign in to either of the EZOfficeInventory tenants (subdomains). For access control you can check the checkbox ‘Only authenticate members that are already added to your EZOfficeInventory account’. This setting lets you add users to both EZOfficeInventory tenants manually or via SCIM provisioning from different Azure AD SCIM apps.