CMS: How to set up Azure and SAML SSO (Support for MFA)
This article will guide you on setting up your company's Azure and SAML SSO on the CMS.
As an admin, sign in to the CMS and click on SSO in Company Info. Then click on Add SSO Provider.
SAML Configuration
1. Enter the SSO provider's name in the Name field and choose SAML as the type.
2. Enter the IDP Metadata URL - Provided by Azure.
- You can get this information from your Azure portal. Search for your SAML application under Enterprise applications and click on Single sign-on in the Manage menu.
- Scroll down and copy the App Federation Metadata Url from the SAML Certificates section (this is your IDP Metadata URL).
- Paste this link in the IDP Metadata URL field, highlighted in the screenshot above.
3. Click on Advanced Settings and turn on Skip Subject.
4. Then click on Add Domain to add the domain you want to target, then click Save.
5. You will notice the SAML configuration listed on the SSO page. Click on the pencil icon beside it to edit.
6. Copy the generated Callback Url and paste it into the Azure portal.
- Paste it in the Reply URL (Assertion Consumer Service URL) field, then click Save.
- Note: The CMS URL should be listed as the Identifier, e.g. https://cms.scopear.com.
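Before pasting the App Federation Metadata Url from step 2 into the CMS, it is worth confirming that the document it serves really is your tenant's IdP metadata and carries a signing certificate. The following is an added example, not code from the CMS or from Azure: it parses a constructed sample of the metadata (placeholder tenant ID and certificate) and assumes that Azure publishes its entityID in the form https://sts.windows.net/<tenant-id>/.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of an Azure federation metadata document (placeholder
# tenant id and certificate; a real document is several KB and is signed).
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}"
    entityID="https://sts.windows.net/{SAMPLE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>MIIC-PLACEHOLDER-CERT-BASE64</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    # Extract entityID, SSO endpoint per binding, and signing certificates.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    info = {"entity_id": root.get("entityID", ""), "sso": {}, "certs": []}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
        info["sso"][binding] = svc.get("Location", "")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # absent 'use' means both
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            info["certs"].append("".join(cert.text.split()))
    return info

def check_idp_metadata(info, expected_tenant):
    # Sanity checks a defender wants before trusting this metadata URL.
    problems = []
    if info["entity_id"] != f"https://sts.windows.net/{expected_tenant}/":
        problems.append(f"entityID {info['entity_id']!r} is not your tenant")
    if not info["certs"]:
        problems.append("no signing certificate; assertions cannot be verified")
    for binding, loc in info["sso"].items():
        if not loc.startswith("https://"):
            problems.append(f"{binding} endpoint is not https: {loc}")
    return problems
```

For a real check, fetch the metadata URL over HTTPS, pass the body to parse_idp_metadata and compare against the tenant ID you see under App registrations; an empty list from check_idp_metadata means the URL is safe to paste.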
Azure Configuration
1. Enter the SSO provider's name in the Name field and choose Azure as the type.
2. Enter the following:
- Base URL: The full URL for the SSO provider.
- Tenant: To support MFA, there are two Azure authentication endpoints, V1 and V2. V2 requires the tenant ID to be entered here (V1 does not). You can retrieve it from the Azure portal under All Services > App registrations.
- Client ID: The client ID generated by the SSO provider for authentication.
- Client Secret: The client secret generated by the SSO provider for authentication.
- Domains: Your company's domain e.g. scopear.com
Note: If you do not have a tenant ID but wish to use MFA, you must enable multi-tenant account type on the Azure portal. This will allow your configuration to work without the tenant ID.
V2 Support
Additionally, as the Scope Admin, you need to edit the company and turn on Azure V2 (per company) to enable this setting.