Provides the steps required to set up SSO and Provisioning with Azure


Requirements

  • You must already be a user and have administrative access to Sobol
  • You must have access to AzureAD with sufficient permissions to create non-gallery applications
  • You must take note of your enterprise organization’s ID (ORG_ID)
  • You must map the Unique Identifier to your user’s email address

Please refer to the Troubleshooting Tips for additional information on the above.

If for any reason you need help, please contact support@sobol.io.


Steps

In order to set up SAML Single Sign-On (SSO) and SCIM User Provisioning, you must create a custom (non-gallery) application in Azure and follow the provided steps to configure it correctly:


Create Non-Gallery Application

  • In Azure Active Directory, navigate to “Enterprise applications” on the left hand menu
  • Click on “New application” in the view’s toolbar
  • Click on “Create your own application” or “Non-gallery application” if using the legacy view
  • Enter the name “Sobol” and select “Integrate any other application you don't find in the gallery” if applicable
  • Click “Create” or “Add” if applicable


Adding a logo


Single Sign On Setup


Configure Azure

  • Under “Single sign-on” on the left hand menu of your application, click on the “SAML” option
  • Under “Basic SAML Configuration”, enter the following:
    • Identifier - https://sobol.io/d/saml/v2/metadata
    • Reply URL - https://sobol.io/d/saml/v2/callback?orgId=[ORG_ID]
    • Click “Save”
  • Under “User Attributes & Claims”, map the following as:
    • Unique User Identifier - user.mail, or whichever property holds the user’s email


Configure Sobol

  • Please login to Sobol at https://sobol.io/d/login
  • As an administrator, please navigate to “Settings” -> “Applications”
  • Click “Add Application”
  • A modal will open with the app marketplace.
  • Please install the "SAML" app.
  • Once installed and the app drawer opens, copy the following values from Azure into the Sobol fields (Azure field -> Sobol field):
    • "Login URL" -> "Endpoint"
    • "Azure AD Identifier" -> "Entity"
    • "Certificate (Base64)" -> "Certificate"
  • Click "Test Connection" and verify the following:
    • You get logged out of Sobol
    • You get redirected to Azure
    • You get redirected and logged back into Sobol

Testing the connection

  • Please logout of Sobol at https://sobol.io/d/logout
  • In Azure, under “Users and groups” on the left hand menu of your application, assign yourself to the application
  • Under “Single sign-on” on the left hand menu of your application, click on “Test this application”
  • Click “Sign in as current user” and ensure that you have logged into Sobol successfully


User Provisioning Setup


Configure Sobol

  • Please login to Sobol at https://sobol.io/d/login
  • As an administrator, please navigate to “Settings” -> “Applications”
  • Click “Add Application”
  • A modal will open with the app marketplace
  • Please install the "SCIM" app
  • Once installed and the app drawer opens, copy the API Key for use in Azure


Configuring Azure

  • Under “Provisioning” on the left hand menu of your application, click on “Get Started”
  • Under “Provisioning Mode”, select “Automatic”
  • Under “Admin Credentials”, enter the following:
    • Tenant URL - https://sobol.io/d/scim/v2/org/[ORG_ID]
    • Secret Token - paste the API Key you copied from the Sobol SCIM app
    • Click on “Test Connection” and verify that a success popup appears
  • Under “Mappings” -> “Provision Azure Active Directory Groups”:
    • Set “Enabled” to “No”
    • Click “Save”
  • Under “Mappings” -> “Provision Azure Active Directory Users”:
    • Ensure that “emails[type eq "work"].value” is mapped to your user’s email address, which is the Unique Identifier required by Sobol
    • Click “Save”
  • Click “Save” under “Provisioning”
  • Under “Status”, toggle “Provisioning Status” to “On”
  • Click “Save”


Testing the connection

  • Under “Users and groups” on the left hand menu of your application, assign a user
  • Please login to Sobol at https://sobol.io/d/login
  • Navigate to “People Directory” and ensure that the user was successfully provisioned


Troubleshooting Tips

  • Sobol Account: You MUST have a Sobol account and have administrative access in order to set up SSO. If for any reason you do not have either of these, please contact support@sobol.io.
  • Sobol Org: You MUST have a Sobol Enterprise Organization. Contact support@sobol.io if you do not have this.
  • Org ID: Configuring SAML or SCIM requires the use of your tenant’s ORG_ID. To find it, take note of the URL when using your instance of Sobol: https://sobol.io/d/[ORG_ID]/structure?view=circles.
  • Terms:
    • Identity Provider (IdP) - this can be Okta, AzureAD, or OneLogin
    • Service Provider (SP) - this is Sobol


SAML Troubleshooting

  • SAML Endpoint: All SAML endpoints for your organization are housed under the following URL scheme: https://sobol.io/d/saml/v2/callback?orgId=[ORG_ID]
  • Unique Identifier: all users mapped across Sobol and Azure use their email to uniquely identify them. Please ensure that your NameID is mapped to the user’s email
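As an added example (not Sobol's or Microsoft's code), the Python check below inspects a decoded Azure SAML Response captured with a browser SAML tracer and verifies the three values this guide depends on: the Destination equals the Reply URL for your ORG_ID, the NameID is an email address, and the Audience equals the Identifier. The sample response and the `example-org` ORG_ID are constructed; this checks mappings only and does not replace signature validation.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SP_IDENTIFIER = "https://sobol.io/d/saml/v2/metadata"  # the Identifier from Basic SAML Configuration


def check_saml_response(xml_text: str, org_id: str) -> list[str]:
    """Return the problems found; an empty list means the response matches the guide."""
    problems = []
    root = ET.fromstring(xml_text)
    # Destination must be the Reply URL entered in Azure for this ORG_ID
    expected_reply = f"https://sobol.io/d/saml/v2/callback?orgId={org_id}"
    if root.get("Destination") != expected_reply:
        problems.append(f"Destination {root.get('Destination')!r} != Reply URL {expected_reply!r}")
    # NameID is how Sobol identifies the user, so it must be the email address
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing: map Unique User Identifier to user.mail")
    elif not EMAIL_RE.match(name_id.text.strip()):
        problems.append(f"NameID {name_id.text.strip()!r} is not an email address")
    # Audience must equal the Identifier, or Sobol will reject the assertion
    audience = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != SP_IDENTIFIER:
        problems.append(f"Audience does not match Identifier {SP_IDENTIFIER}")
    return problems


# Constructed, unsigned sample of a decoded Azure SAML Response (not a real capture).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sobol.io/d/saml/v2/callback?orgId=example-org">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>jane@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sobol.io/d/saml/v2/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, "example-org") or "SAML response matches the guide")
```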


SCIM Troubleshooting

  • SCIM Endpoint: All SCIM endpoints for your organization are housed under the following URL scheme: https://sobol.io/d/scim/v2/org/[ORG_ID]
  • Authentication Formats: Sobol supports Header Authentication (Bearer Token) using keys available in both HS256 and RS256 JWT formats. Some services such as AzureAD require shorter keys; in that case, please use HS256
  • Supported Mappings: as of now, Sobol ONLY supports the provisioning of the following attributes:
    • First Name - firstName
    • Last Name - lastName
    • Email - email
  • Unique Identifier: all users mapped across Sobol and Azure use their email to uniquely identify them. Please make sure that the SCIM email property is mapped correctly to your user’s email
  • Email Type - we currently do not support the `emailType` attribute and default this value to “work” as part of our SCIM responses
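An added example, not Sobol's own code, covering the Authentication Formats, Supported Mappings and Unique Identifier points above: it reads the `alg` from an API Key's JWT header so you can confirm the key is HS256 before pasting it into Azure, and reduces a SCIM 2.0 User resource of the kind Azure posts to the three attributes Sobol provisions, failing when `emails[type eq "work"].value` is absent. The sample user and key are constructed.

```python
import base64
import json

SUPPORTED = ("firstName", "lastName", "email")  # the only attributes Sobol provisions


def token_alg(api_key: str) -> str:
    """Return the 'alg' from a JWT header so you can confirm the key is HS256 for Azure."""
    header_b64 = api_key.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(header_b64))["alg"]


def map_scim_user(resource: dict) -> dict:
    """Reduce a SCIM 2.0 User resource (as Azure sends it) to the attributes Sobol provisions.

    Raises ValueError when no emails[type eq "work"].value is present, because that value
    is the unique identifier Sobol requires.
    """
    work = [e for e in resource.get("emails", []) if e.get("type") == "work" and e.get("value")]
    if not work:
        raise ValueError('no emails[type eq "work"].value: fix the Azure attribute mapping')
    name = resource.get("name", {})
    return {
        "firstName": name.get("givenName", ""),
        "lastName": name.get("familyName", ""),
        "email": work[0]["value"],
    }


# Constructed sample of what Azure posts to the SCIM Tenant URL (not a real capture).
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jane@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "work", "primary": True, "value": "jane@example.com"}],
    "active": True,
}
# Constructed HS256-style key: header.payload.signature with placeholder payload and signature.
SAMPLE_KEY = base64.urlsafe_b64encode(b'{"alg":"HS256","typ":"JWT"}').rstrip(b"=").decode() + ".e30.sig"

if __name__ == "__main__":
    print(token_alg(SAMPLE_KEY), map_scim_user(SAMPLE_USER))
```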


Support

At Sobol, we are here to help you. If for whatever reason you are not successful with these instructions, please reach out to support@sobol.io.