Setup Azure AD Plugin

LoginRadius provides a Marketplace plugin to integrate Azure Active Directory (AD) with your LoginRadius Admin Console application. Integrating LoginRadius with Azure AD provides you with the following benefits:

  • You can control in Azure AD who has access to LoginRadius.

  • You can enable your users to be automatically signed in to LoginRadius (Single Sign-On) with their Azure AD accounts.

  • You can manage your accounts in one central location - the Azure portal.

This document provides step-by-step instructions to set up Azure AD as an identity provider for your LoginRadius Admin Console application.

NOTE: The Azure AD Plugin is available on the Marketplace.

Prerequisites

To configure Azure AD integration with LoginRadius, you need the following items:

  • An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.

  • LoginRadius Enterprise Account.

Configuring App on Azure Active Directory

Steps

  1. Log in to your Azure Portal.

  2. Click on the Azure Active Directory tab in the left panel.

  3. From the submenu that appears on the left, select Enterprise Applications.

  4. Add an application by clicking the New application button at the top.

  5. In the Browse Azure AD Gallery, search for “LoginRadius”. Once it appears, click on the LoginRadius logo. This opens a new window on the right. Provide the required name for the app and click the Create button to add the LoginRadius application.

  6. The LoginRadius app now appears in the list of configured apps.

Configure and test Azure AD single sign-on

In this section, you will configure and test Azure AD single sign-on with LoginRadius based on a test user called Britta Simon. For single sign-on to work, a relationship between an Azure AD user and the related user in LoginRadius needs to be established.

To configure and test Azure AD single sign-on with LoginRadius, you need to complete the following building blocks:

  1. Configure Azure AD Single Sign-On - to enable your users to use this feature.

  2. Configure LoginRadius Single Sign-On - to configure the Single Sign-On settings on the application side.

  3. Create an Azure AD test user - to test Azure AD single sign-on.

  4. Assign the user in Azure AD LoginRadius application - to enable the user to use Azure AD single sign-on.

  5. Add a Team member in LoginRadius - to have a counterpart of Britta Simon in LoginRadius that is linked to the Azure AD representation of the user.

  6. Test single sign-on - to verify whether the configuration works.

Configure Azure AD Single Sign-On

In this section, you enable Azure AD single sign-on in the Azure portal.

To configure Azure AD single sign-on with LoginRadius, perform the following steps:

  1. In the Azure portal, on the Application list page, click on the LoginRadius application and then select Single sign-on.

  2. On the Select a Single sign-on method dialog, select SAML mode to enable single sign-on.

  3. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration pop-up.

  4. On the Basic SAML Configuration pop-up, enter the following values and click the Save button at the top.

    • https://lr.hub.loginradius.com/ in the Identifier (Entity ID) textbox.

    • https://lr.hub.loginradius.com/saml/serviceprovider/AdfsACS.aspx in the Reply URL (Assertion Consumer Service URL) textbox.

    • https://adminconsole.loginradius.com/login in the Sign on URL textbox.

  5. On the Set up Single Sign-On with SAML page, download the Certificate (Base64) listed under the SAML Signing Certificate section, and save it on your computer.

  6. Similarly, copy the Login URL and Logout URL from the Set up LoginRadius section.

Configuring LoginRadius Single Sign-On

Steps

  1. Log in to your LoginRadius Admin Console account.

  2. Navigate to your team management section in LoginRadius Admin Console.

  3. Click on Azure AD under the Single Sign-On tab.

  4. Here, you can see two options.

    • Configure App

    • Configure from Metadata

Configure App

Step-1: When you choose to configure through the app section method, you need to fill in the details in the form shown on the screen.

Note:

  • To renew the Service Provider Certificate, click the designated "Renew Certificate" button. Once the renewal is completed, the updated expiry date and time will be promptly shown.
  • If you select the Switch off Email/Password Login instead of Enable only SSO option, then login with Email/Password will not work, and only SSO Login will work to access LoginRadius Admin Console.

a. In ID PROVIDER LOCATION, enter the Login URL that you copied from the LoginRadius application in your Azure AD account.

b. In ID PROVIDER LOGOUT URL, enter the Logout URL that you copied from the LoginRadius application in your Azure AD account.

c. In ID PROVIDER CERTIFICATE, enter the Azure AD certificate (the Certificate (Base64) file that you downloaded earlier from your Azure AD account).

NOTE: Please make sure to enter the certificate value with header and footer
E.g.

-----BEGIN CERTIFICATE-----
<certificate value>
-----END CERTIFICATE-----

d. Follow the Generate LoginRadius' Certificate and Key document to get the values for SERVICE PROVIDER CERTIFICATE and SERVICE PROVIDER CERTIFICATE KEY.

NOTE: Please make sure to enter the certificate value with header and footer
E.g.

-----BEGIN CERTIFICATE-----
<certificate value>
-----END CERTIFICATE-----

e. In the DATA MAPPING section, select the fields (SP fields) and enter the corresponding Azure AD fields (IdP fields).

Following are some listed field names for Azure AD.

Fields       Profile Key
Email        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
FirstName    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
LastName     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Once all the fields are filled in, click the Update button at the bottom of the configuration.

NOTE: The Email field mapping is required. FirstName and LastName field mapping are optional.

Configure From Metadata

To configure this by uploading a metadata file, click Configure from Metadata, upload the XML file that contains the metadata for the SSO setup, and after a successful upload, click the Add button.
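
The Login URL, Logout URL and signing certificate that Configure App asks for are the same values an identity provider publishes in its SAML metadata file. The following is an added example, not LoginRadius or Azure code: it reads them from a metadata document using the standard SAML 2.0 metadata element names and wraps the certificate in the required header and footer. The sample metadata, its idp.example.test URLs and the placeholder certificate bytes are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: placeholder bytes standing in for a DER certificate and
# made-up idp.example.test endpoints. Not real Azure AD metadata.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(96))
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.test/saml2/logout"/>
  <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/saml2"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def endpoint(idp, tag):
    """HTTPS Location of the first <tag> endpoint; plain HTTP is rejected."""
    node = idp.find(f"md:{tag}", NS)
    url = node.get("Location", "") if node is not None else ""
    if not url.startswith("https://"):
        raise ValueError(f"{tag}: missing or non-HTTPS Location {url!r}")
    return url

def idp_settings(metadata_xml):
    """Map IdP metadata onto the fields of the Configure App form."""
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity-provider metadata")
    b64 = [k.findtext(".//ds:X509Certificate", "", NS)
           for k in idp.findall("md:KeyDescriptor", NS)
           if k.get("use", "signing") == "signing"]
    if len(b64) != 1 or not b64[0].strip():  # several certs: choose one by hand
        raise ValueError(f"expected one signing certificate, found {len(b64)}")
    der = base64.b64decode("".join(b64[0].split()), validate=True)
    body = base64.b64encode(der).decode("ascii")
    pem = "\n".join(["-----BEGIN CERTIFICATE-----",
                     *(body[i:i + 64] for i in range(0, len(body), 64)),
                     "-----END CERTIFICATE-----"])
    return {"ID PROVIDER LOCATION": endpoint(idp, "SingleSignOnService"),
            "ID PROVIDER LOGOUT URL": endpoint(idp, "SingleLogoutService"),
            "ID PROVIDER CERTIFICATE": pem,
            "sha256_fingerprint": hashlib.sha256(der).hexdigest()}
```

The fingerprint is a short value to compare against the SHA-256 of the Certificate (Base64) file downloaded in the Azure AD steps, confirming that both sources carry the same signing certificate.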

Create an Azure AD test user

The objective of this section is to create a test user in the Azure portal called Britta Simon.

  1. On the Azure portal home page, in the left panel, select Azure Active Directory, and then select Users.

  2. This brings up the list of available users. You can also create a new one using the + New user button at the top of the screen.

  3. In the User properties (while adding a new user), perform the following steps.

a. In the Name field, enter BrittaSimon.
b. In the User name field, type brittasimon; the domain comes from the dropdown. The username plus domain will be the email address of the user.
c. Select the Show password checkbox, and then note down the value that's displayed in the Password box.
d. Click Create to save the user.

Assign the user in Azure AD LoginRadius application

In this section, you will enable Britta Simon to use Azure single sign-on by granting access to the LoginRadius application.

  1. In the Azure portal, select Enterprise Applications, then select All applications. This brings up the list of all configured applications; select LoginRadius from it. This opens the Dashboard for the application.

  2. In the menu on the left, select Users and groups.

  3. Click the Add user/group button. This opens a new window to add the user and assign access.

  4. In the Users and groups dialog, select the user from the Users list, then click the Select button at the bottom of the screen.

  5. If you are expecting any role value in the SAML assertion, then in the Select Role dialog select the appropriate role for the user from the list, then click the Select button at the bottom of the screen.

  6. In the Add Assignment dialog, click the Assign button.

Add a Team member in LoginRadius

  1. Log in to your LoginRadius Admin Console account.

  2. Navigate to your team management section in LoginRadius Admin Console.

  3. Click ADD TEAM MEMBER in the side menu to open the form.

  4. In the ADD TEAM MEMBER form, create a user called Britta Simon in your LoginRadius Site by providing the user's details and assigning the desired permissions.

NOTE: Make sure to use the same email ID here that you used in Azure AD.

To know more about the permissions based on roles, please refer to the Role Access Permissions documents. Users must be created and activated before you use single sign-on.

Test single sign-on

In this section, you will test your Azure AD single sign-on configuration using the Access Panel.

  1. Open https://accounts.loginradius.com/auth.aspx in your browser and click Fed SSO log in.

  2. Enter your LoginRadius app name and click Login.

  3. A pop-up should open asking you to sign in to your Azure AD account.

  4. After the authentication, your pop-up will close and you will be logged into the LoginRadius Admin Console.

Troubleshooting

Some general errors and the steps to fix them are listed below.

1. AADSTS50105: The signed in user '[email protected]' is not assigned to a role for the application.
This error generally occurs if the user has not been added to the LoginRadius app in Azure AD. Make sure to assign the user or group in Azure AD; refer to the step "Assign the user in Azure AD LoginRadius application".

2. After authentication, the LR Admin Console asks me to complete the profile instead of logging me in.

This error generally occurs because the Email ID mapping is incorrect or the Email ID is not found in the Azure AD user profile. To fix this, cross-check the following:

  • If the Email mapping is correct in LoginRadius configurations

  • EmailAddress field is filled for the user you are testing with

  • The user is added as a team member in LoginRadius AdminConsole

NOTE: After fixing this problem you will need to test with a new user, as the existing user's profile has already been created in LR with the wrong mapping.
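
The profile-completion prompt described above comes down to whether the claim mapped to Email arrives with a value. As an added example (not LoginRadius code), the following applies the DATA MAPPING claim names listed earlier to the attributes of a decoded SAML assertion and reports a required field whose claim is absent or empty. The attribute statements are constructed, the function names are hypothetical, and the code inspects attributes only, without verifying the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# DATA MAPPING as listed on this page: SP field -> IdP claim name.
MAPPING = {"Email": CLAIMS + "name",
           "FirstName": CLAIMS + "givenname",
           "LastName": CLAIMS + "surname"}
REQUIRED = {"Email"}  # FirstName and LastName mappings are optional

def attribute_statement(values):
    """Build a constructed <AttributeStatement> for the demo (not a capture)."""
    attrs = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        f"</saml:AttributeValue></saml:Attribute>"
        for name, value in values.items())
    return (f'<saml:AttributeStatement xmlns:saml="{SAML["saml"]}">'
            f"{attrs}</saml:AttributeStatement>")

def map_profile(statement_xml, mapping=MAPPING):
    """Return (profile, problems) for one decoded AttributeStatement."""
    root = ET.fromstring(statement_xml)
    received = {}
    for attr in root.iter("{%s}Attribute" % SAML["saml"]):
        text = attr.findtext("saml:AttributeValue", "", SAML) or ""
        received[attr.get("Name")] = text.strip()
    profile, problems = {}, []
    for field, claim in mapping.items():
        value = received.get(claim)
        if value:
            profile[field] = value
        elif field in REQUIRED:
            state = "empty" if claim in received else "absent"
            problems.append(f"{field}: claim {claim} is {state}")
    return profile, problems

# Constructed inputs: the first carries the mapped "name" claim; the second
# sends the address under "emailaddress", which the mapping does not read.
GOOD = attribute_statement({CLAIMS + "name": "britta.simon@example.test",
                            CLAIMS + "givenname": "Britta",
                            CLAIMS + "surname": "Simon"})
MISMATCH = attribute_statement({CLAIMS + "emailaddress": "britta.simon@example.test",
                                CLAIMS + "givenname": "Britta"})
```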

3. I have updated the configurations in LoginRadius but the changes are not reflected.

This could be due to configuration caching. Try again after some time or contact LoginRadius Support.