Description:

In this guide we will show you how to integrate Microsoft Entra ID ( Azure AD )  single sign-on (SSO) with OneSpan Sign

 

Prerequisites

To get started, you need the following items:

• An Microsoft Azure subscription.
• OneSpan Sign Account, Sandbox or production.

Step 1:

 

Configure Microsoft Entra ID ( Azure AD ) as a SAML identity provider for OneSpan Sign:

 

1. Sign in to the Azure portal as a cloud application admin, or an application admin for your Microsoft Entra ID tenant.
2. Select Enterprise applications. 
3. Click “New application” then choose “Create your own application”
4. Input a name, example 'OneSpan', make sure "Integrate any other application you don't find in the gallery (Non-gallery)" is selected as option, then click Create.

 

 

Step 2:

 

Complete the configuration and test Single Sign – On for OneSpan sign.

Now that you have created the application, you will need to complete the configuration. You are now on the newly created application overview.

1. Under 'Set up Single sign on' , Click "Get started"
2. Click on SAML under 'Select a single sign-on method'
3. Click on the Edit button in section "Basic SAML Configuration" 
4.  Fill in the two mandatory fields for 'Identifier (Entity ID)' and 'Required Reply URL (Assertion Consumer Service URL)'

 

 

Basic SAML Configuration:

 

In this section you will need configure the basic SAML configurations settings that will vary based on your OneSpan Sign instance, and whether you will configure SSO to be IDP or SP initiated.

In this guide we will configure SAML for OneSpan Sign account in our US2 Sandbox instance; https://sandbox.esignlive.com and for IDP and SP initiated SSO.

For more information with regards to the SAML settings and how they relate to the SSO model; SP or IDP, please check the "SAML configuration settings" table at the end of this guide.

 

 

• OPTION A: configure SAML for an SP initiated SSO for a OneSpan sign account in US2 Sandbox instance:

 

•  identifier (Entity ID):

Please go to our documentation; and download SAML metadata based on your instance, as mentioned above, we will configure SAML for US2 Sandbox account in this guide, so we will click on:

sandbox.esignlive.com and download the metadata file, open the file using notepad and copy the entity ID and paste it in the: identifier (Entity ID) field.

Note: The table below shows the entity ID for different OneSpan Sign environment 

	SANDBOX			PRODUCTION
US2 Sandbox	urn:saml:sso:sandbox:esignlive:com		US2 Production	urn:saml:sso:apps:esignlive:com
US1 sandbox	urn:saml:sso:sandbox:e-signlive:com		US1 Production	urn:saml:sso:apps:e-signlive:com
CA Sandbox	urn:saml:sso:sandbox:e-signlive:ca		CA Production	urn:saml:sso:apps:e-signlive:ca
			EU Production	urn:saml:sso:apps:esignlive:eu
			AU Production	urn:saml:sso:apps:esignlive:com:au

 

• Reply URL:

The reply URL  is our SSO service URL:

 https://<OneSpan Instance>/sso/saml/SSO/alias/e-signlive:

 

For our example, the instance is US2 Sandbox; thus the URL will be: 

https://sandbox.esignlive.com/sso/saml/SSO/alias/e-signlive

 

 

• Sign on URL:

This field should be filled only for SP initiated SSO, It should be left blank for IDP initiated SSO.

https://<server:port>/sso/saml/login/alias/e-signlive?idp=[entityId of an IdP]

In the above URL, we will need to replace:

 

• <server:port> with your instance, in our example it is US2 SBX; https://sandbox.esignlive.com
• [entityId of an IdP] you can get this value by downloading the Federation metadata XML file, under SAML signing certificate section, then open with Notepad and search for entityID, and you will also need to email this file to OneSpan support team to complete the configuration in our end. In this guide we are addressing an account in US2 SBX instance and the entityID for our example is:

              https://sts.windows.net/0d09406e-5389-481d-913b-ab712ed9c0a2/

 

 

 

• Replacing both values in the above link, we can get the SP initiated SSO link:

https://sandbox.esignlive.com/sso/saml/login/alias/e-signlive?idp=https://sts.windows.net/0d09406e-5389-481d-913b-ab712ed9c0a2/

 

 

Your basic SAML configuration would eventually look like:

 

Step 3:

 

Configure user attributes & Claims

 

 

1. From your application settings under Manage, single sign – on click on the pen ( Edit ) to add users attributes.
2. Delete any existing claim and add Three claims:

• user.givenname
• user.mail
• user.surname

 

 

The three basic claims added, see below

 

 

Step 4:

 

Add users and groups to the application.

Under the application, go to "Assign users and groups"  ->  Add user/groups  ->  then click  'None Selected' under Users, choose the users to add to the application and click 'Assign'

 

 

 

Step 5:

 

Test the SP initiated SSO

Simply click on test, then click "Test sign in" to sign in as current user.

 

 

 

By completing the foregoing steps, your configuration is complete for SP initiated SSO and your users can now start using the application by simply click on the SSO link, as OneSpan supports auto provisioning for new users. 

 

 

• OPTION B: configure SAML for an IDP initiated  SSO for a OneSpan sign account in US2 Sandbox instance:

To configure SSO for IDP initiated SSO, all the above steps remain the same, expect for step 2, under SAML configuration, clear the value under Sign on URL, click save,  and then test again the same way we tested the SP instantiated SSO. 

 

 

 

You IDP initiated link will be: 

https://account.activedirectory.windowsazure.com/r#/applications

 

And from the above link, users can choose the application. 

 

 

 

 

SAML configuration settings description Table: 

 

Basic SAML Configuration setting	SP-Initiated	idP-Initiated	Description
Identifier (Entity ID)	Required for some apps	Required for some apps	Uniquely identifies the application. Azure AD sends the identifier to the application as the Audience parameter of the SAML token. The application is expected to validate it. This value also appears as the Entity ID in any SAML metadata provided by the application. You can find this value as the Issuer element in the AuthnRequest (SAML request) sent by the application.
Reply URL	Optional	Required	Specifies where the application expects to receive the SAML token. The reply URL is also referred to as the Assertion Consumer Service (ACS) URL. You can use the additional reply URL fields to specify multiple reply URLs. For example, you might need additional reply URLs for multiple subdomains. Or, for testing purposes you can specify multiple reply URLs (local host and public URLs) at one time.
Sign-on URL	Required	Don't specify	When a user opens this URL, the service provider redirects to Azure AD to authenticate and sign on the user. Azure AD uses the URL to start the application from Office 365 or the Azure AD Access Panel. When blank, Azure AD performs IdP-initiated sign-on when a user launches the application from Office 365, the Azure AD Access Panel, or the Azure AD SSO URL.
Relay State	Optional	Optional	Specifies to the application where to redirect the user after authentication is completed. Typically the value is a valid URL for the application. However, some applications use this field differently. For more information, ask the application vendor.
Logout URL	Optional	Optional	Used to send the SAML Logout responses back to the application.

 

END of Guide.