To set up SSO with Azure AD you will need a Microsoft Azure Premium account.
Creating an enterprise app for Beekeeper
- Go to your Azure Active Directory Portal for Enterprise Applications.
- Click on + New application
- Click on + Create your own application
- Give the app a name, e.g. "Beekeeper SSO". Keep the option Integrate any other application you don't find in the gallery (Non-gallery). Click on Create.
Managing user assignment for the application
You can either assign specific users and groups to access the application or you can make user / group assignment optional.
Option 1: Assign users and groups
- Click on Users and groups
- Click on Add user/group
- Click on None Selected
- Select the user or group you want to assign to the application and click on Select
- Click on Assign
Option 2: Making user / group assignment optional
- Click on Properties
- For the configuration User assignment required? click on the option No
- Click on Save
Setting up single sign-on
- Click on Single sign-on
- Click on SAML
- In the Basic SAML Configuration box click Edit
- Fill in the values for the Identifier and the Reply URL according to the instructions below and click Save:
- Identifier: https://yoursubdomain.us.beekeeper.io/saml/sso/metadata.xml
- Reply URL: https://yoursubdomain.us.beekeeper.io/saml/sso/
Please ensure that the URLs include both your own Beekeeper subdomain as well as your datacenter reference, eg. us, ch, or de (for the European data center, there is no reference).
You can populate a user’s Beekeeper profile fields during login by defining which information will be sent in the SAML token. For each Beekeeper profile field, you will need the placeholder value, which you can find in the Beekeeper Dashboard under Settings > Profile Fields.
- In the User Attributes & Claims box click on Edit
- Click on the required Unique User Identifier (Name ID) claim
- Click on the Name identifier format * field and select Persistent
- Click on the Source attribute * field and select the attribute that you want to use as the Beekeeper User ID
- Click on Save
- You can edit the additional claims by clicking on them.
Below you can see an example set of token attributes:
*Each attribute needs the corresponding placeholder value of the Profile Field in the Beekeeper Dashboard.
- Enter the profile field placeholder value in the Name * field
- The Namespace field may be defaulted with a value such as http://schemas.xmlsoap.org/ws/2005/05/identity/claims. You should clear this field and leave it blank.
This is necessary because Azure prepends any namespace to the attribute name, so by default it will send an attribute named http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email (which Beekeeper will not recognize) instead of email (which the server expects).
- Click on Save
- Optional: Click on Add new claim to add additional claims and edit dem as described in the previous steps.
After you have edited/added all necessary claims, your claim overview should look similar to the following:
SAML Signing Certificate
- In the SAML Signing Certificate box click Download for Federation Metadata XML and save the file to your desktop
- Open the downloaded file and copy the content
- Go to the Beekeeper Dashboard and navigate to Settings > General > Single Sign-On
- Select which authentication option you want enabled for the platform (you can find more information on the differences here)
- Paste the content from the downloaded file into the SAML Metadata box
- Choose whether you want to automatically provision user accounts for new users or not
- Click on Save settings
To test whether the configuration was successful, you can navigate back to the single sign-on configuration window of your SSO enterprise application. In the last box of the configuration overview click on Test.
For any questions, comments, or concerns please reach out to email@example.com.