SSO with Azure

Owned by Jamie Wright
Last updated: May 20, 2022 by Jordan Ling (Unlicensed)
Replace ‘client’ and 'internal' with your agreed subdomain in any URLs on this page.


IndiCater should be set up as an enterprise application in Azure AD.

You will need two enterprise applications set up. One for live and one for testing the integration. Both applications should be configured to use SAML.

Basic SAML configuration

The Identifier and Reply Url are used to help with co-ordination of the SSO process. For IndiCaters purpose, they should normally be the same.

The reply URL dictates where a successful authentication attempt will be redirected to.

Identifier

  1. Live
    1. https://{client}.indicater.com
  2. Test
    1. https://{test-client}.indicater.info

Reply Url

  1. Live
    1. https://{client}.indicater.com
  2. Test
    1. https://{test-client}.indicater.info


Both the identifier and the Reply Url should be set to default.

User Attributes & Claims

Claims are used by IndiCater to match the successful authentication to a user in IndiCaters system. They are also used with the just in time user account creation or hospitality to populate new user accounts with a users details.

IndiCater primarily uses the name claim, so please ensure this is populated with the email that the user will using SSO with. 

Claims can be left blank, or omitted completely to use their default value.

There are three types of user in IndiCater. External (Hospitality), HeadOffice, and Outlet. The matrix below shows which claims are required for each type of user. External users will be created by default if no additional claims are added to the default ones provided by Azure and a Hospitality outlet is present.

If claims are missing, or a hospitality outlet is not present when using the default Azure claims, then a 401 page will be shown to users trying to access the system.

Each time the user logs in, their claims are rechecked. If there is a discrepancy, it is changed to match the claims. Therefore outlets and roles can not be assigned within the system itself as they will be overridden on the next login by the values in the claims.

If the usertype claim is changed, then previous user account  is archived and a new account created for them with the new user type. 

Claim

Value

Required for Hospitality

Required
for
HeadOffice

Required
for
Outlet		DefaultNotes

nameidentifier

Users Email Address

 ✅



name

Users Email Address

 ✅



emailaddress

Users Email Address

 ✅



givenname

Users First Name

 ✅



surname

Users Last Name

 ✅



company

The company id the user should have access to

1Can be omitted if you only have one company set up in IndiCater

usertype

HeadOffice or Outlet

External
outletsA comma seperated list of outlet ids the user should have access to.
Can be omitted for headoffice users. The first outlet in the list will be the default outlet for the user and the one they are logged into on sign in.
rolesA comma seperated list of role ids the user should be assigned.Default RoleCan be omitted to assign user to the default role for their user type

Creating a new claim

When creating a new claim, the namespace should be http://schemas.xmlsoap.org/ws/2005/05/identity/claims

The source attribute should be the source of the claims value in Azure AD

 

Example Claim Setups

External

ClaimValue
nameidentifiertest.user@indicater.com
nametest.user@indicater.com
emailaddresstest.user@indicater.com
givennameTest
surnameUser

Headoffice

ClaimValue
nameidentifiertest.user@indicater.com

name

test.user@indicater.com
emailaddresstest.user@indicater.com
givennameTest
surnameUser
usertypeHeadOffice

Outlet

ClaimValue
nameidentitytest.user@indicater.com
nametest.user@indicater.com
emailaddresstest.user@indicater.com
givennameTest
surnameUser
usertypeOutlet
Outlets5,7,9

User assignment

If you are not assigning users specifically to the enterprise application, please make sure that ‘user assignment required’ field is set to ‘no’ otherwise users won’t be able to use the application. This field can be found by navigating to the enterprise application in Azure and should be under the settings blade.

App Federation MetaData URLs

Once the two Enterprise applications have been set up, if you return the Federation Metadata URL for each, the SSO integration can be set up in IndiCater.

Example Configuration Test


Example Configuration Live