Single Sign-On via Azure AD
This article is relevant to Creatio version 8.0.3 and later. If you need to set up integration with Creatio version 8.0.2 and earlier for testing purposes or to look for errors, follow the instructions for Creatio version 7.18.
You can integrate Creatio with Azure Active Directory (Azure AD) to manage single sign-on for all Creatio users that work in the corporate network.
The example uses the https://site01.creatio.com/Demo_161215/
Creatio URL. Replace these URLs with the corresponding URLs of your sites when you perform the actual setup.
In general, the following steps are required to set up Single Sign-On in Creatio:
- Download the file that contains the integration metadata. Read more >>>
- Perform the setup in Azure AD. Read more >>>
- Perform the setup in Creatio. Read more >>>
Download the metadata
- Click the button to open the System Designer.
- Click Single Sign On configuration.
- Click . This opens a drop-down menu.
- Select "Azure AD." This opens the setup page.
- Click Get metadata.
- Save the file to your local machine. Then upload it to the Azure portal to speed up the configuration.
Perform the setup in Azure AD
To configure the settings below, register Creatio in the administrator account of the enterprise identity service of Azure Active Directory (Azure AD). Learn more in the Microsoft documentation.
-
Add a new SSO application (Trusted Relaying Party) to Azure AD:
- Open the Enterprise applications section → All Applications.
- Click New application.
- Select "Creatio" in the Add from the gallery section and add the application. Learn more in the Microsoft documentation: Add Creatio from the gallery.
-
Open the Single sign-on section and specify the following parameters:
- Select "SAML" in the Single Sign-on Mode parameter.
- Enter the full website name, for example,
https://site01.creatio.com/Demo_161215/
, in the Identifier parameter. - Enter the full website name and
/ServiceModel/AuthService.svc/SsoLogin
address, for example,https://site01.creatio.com/Demo_161215/ServiceModel/AuthService.svc/SsoLogin
, in the Reply URL parameter.
-
Save the following data to perform the setup in Creatio (Fig. 1):
- Azure AD Identifier
- Login URL
- Logout URL
By default, Azure AD passes the following fields to Creatio: Given name, Surname, Email address, Name. The email address serves as the username.
Perform the setup in Creatio
Follow these steps to set up single sign-on in Creatio:
-
Click the button to open the System Designer.
-
Click Single Sign On configuration.
-
Click . This opens a drop-down menu.
-
Select "Azure AD." This opens the setup page.
-
Fill out the following parameters:
- Enter the unique identifier you got while setting up Azure AD in the Azure identifier parameter.
- Enter the URL of the identity provider’s single sign-on in the SingleSignOnServiceUrl parameter. For Azure AD, this is usually
https://login.microsoftonline.com/<azure account="" id="">/saml2
. Find out the settings of the added connector in the Azure account. - Enter the URL of the identity provider’s single sign-off in the SingleLogoutServiceUrl parameter. For Azure AD, this is usually
https://logout.microsoftonline.com/\<azure account="" id="">/saml2
. Find out the settings of the added connector in the Azure account.
-
Fill out the provider's name to display on the Creatio login page in the Display name field.
-
Turn on Just-In-Time Provisioning (optional). This mechanism automatically creates the corresponding Creatio user account with proper data from the identity provider, such as user group, employee name, contact information, etc. To do this, select the Create and update users data when log in (Just-In-Time Provisioning) checkbox and map the fields.
-
Define your provider.
For Creatio version 8.0.9 and later
Slect the Default provider checkbox.
For Creatio version 8.0.7 - 8.0.8
Specify the provider in the "Default SSO provider" system setting ("DefaultSsoProvider" code) and save the changes. Instructions: Manage system settings.
For Creatio version 8.0.3 – 8.0.6
Select your provider in the SSO identity provider field and save the changes.
-
Test whether the provider is working correctly (optional).
For Creatio version 8.0.7 and later
Open the provider page and click Test Sign In.
For Creatio version 8.0.3 – 8.0.6
Click Test (Fig. 3).
See also
Just-In-Time User Provisioning
Azure AD portal (open the Azure AD portal)
Instructions on publishing your application in the gallery (Microsoft documentation)