In this article:
1. Introduction to SAML
2. Setting Up SAML Single Sign-On with Microsoft Entra ID
3. Automatic Provisioning Settings
4. Businessmap SSO Setup
Single Sign-On (SSO) is supported in two modes: with and without provisioning.
SSO without Provisioning
The Businessmap app is now available in the Azure Application Gallery. You can use it directly, which is the easier setup, but note that it works only for SSO without provisioning. Follow this tutorial to learn how to integrate the Businessmap gallery app with Microsoft Entra ID.
SSO with Provisioning
Important: If you need your SSO integration to support provisioning, you will need to create a custom app. Follow the steps outlined below to set this up correctly.
________________________________________________________________________
1. Introduction to SAML
Security Assertion Markup Language (SAML) lets your users log in to all of their digital tools with a single sign-on instead of remembering a separate password for each one. To use it, you need to configure a SAML 2.0 Identity Provider.
In the "Configuring SAML Single Sign-On in Businessmap" article, the general steps needed to set up SAML integration between Businessmap and your Identity Provider are described. The next paragraphs will walk you through the process of enabling SSO with Microsoft Entra ID (Identity) as your IdP.
Note that this guide uses the new Azure portal accessible from https://portal.azure.com.
2. Setting Up SAML Single Sign-On with Microsoft Entra ID
1. From the Azure home page, go to Microsoft Entra ID (Identity). You will find it under Azure services or from the dropdown navigation menu on the left sidebar.
2. Select “Enterprise applications.”
3. Click on “New application” in the upper left corner.
4. Click on “Create your own application” in the upper left corner of the page.
5. Enter the name of your application in the new window that opens. When ready, click on “Create.”
6. A new window for the application will open. Select “Single Sign-On” from the menu on the left.
7. Select SAML from the available SSO methods.
8. Fill out the necessary fields in the window that opens. When ready, press “Test.”
- (1) The Identifier (or Entity ID in SAML terms) for your account should be https://{subdomain}.kanbanize.com/. Replace {subdomain} with your company’s custom Businessmap subdomain, e.g. https://yourcompany.kanbanize.com/, and make sure to include the / at the end.
- (2) The Reply URL (Assertion Consumer Service or ACS in SAML language) should be https://{subdomain}.kanbanize.com/saml/acs.
- (3) For “Unique User Identifier,” select “user.mail” from the dropdown.
Note: the user email claim may also be referenced by its URI name, which looks like this: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
9. When done, download the SAML Certificate (in base64 format).
3. Automatic Provisioning Settings
If you would like to utilize automatic provisioning of users from Azure to Businessmap, follow these additional steps.
1. From the application you created above, navigate to the Provisioning tab from the left sidebar.
Important: To have the provisioning enabled, you need to create/register a 'Non-gallery' application! The listed Businessmap application in the Azure Gallery does not yet support provisioning services!
2. Choose the settings as shown below:
- Provisioning Mode: Automatic
- Tenant URL: https://{subdomain}.kanbanize.com/scim
- Secret token: Use the SCIM Bearer Token that can be retrieved in your Businessmap SSO settings under the Automatic User Provisioning section (that setting needs to be enabled beforehand).
3. To automatically provision users in Businessmap, click on “Start provisioning.”
Note: Azure runs provisioning on a fixed cycle of up to 40 minutes, so changes are not pushed to Businessmap instantly.
4. After that time, the users in Azure should be mapped according to the users in your Businessmap instance, as long as their emails are identical in both applications.
5. If a user gets added, updated, or deleted/deactivated in Azure, this should automatically modify the corresponding user in Businessmap within 40 minutes by default.
You are done configuring Azure!
4. Businessmap SSO Setup
Now let’s configure Businessmap!
In Businessmap, open the Administration panel and go to Integrations → Applications.
There, you will find a box for configuring Single Sign-On. You should have already enabled it for your account.
Use the information from the “Single sign-on” window (see #4 from the image below) in Azure as follows:
- Microsoft Entra Identifier goes to IdP Entity ID
- Login URL goes to IdP Login Endpoint
- Logout URL goes to IdP Logout Endpoint
Copy (without the start and end markers) and paste your certificate in the last field.
Optional:
- If, for some reason, the NameID sent by Entra must carry something other than the user's email, Businessmap needs a separate attribute to read the email from. Enter that attribute's name in the “Attribute name for Email” box, e.g. "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" (you can get the value from the SAML Token Attributes section in Azure).
- You don’t have to fill in the other two fields either — “Attribute name for First Name” and “Attribute name for Last Name.” However, if you do, when users log in for the first time, they will be registered with their real names. So, you can enter "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" for “Attribute name for First Name” and "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" for “Attribute name for Last Name.”
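As an added example (not Businessmap's or Microsoft's code), the Python script below checks a constructed, Entra-style SAML response against the values configured in step 8 above and the attribute names just listed: the Audience must equal the Identifier exactly (trailing slash included), the Recipient must equal the Reply URL (ACS), the assertion must be inside its time window, and the email, given name and surname are then read from the claim URIs. The subdomain "yourcompany", the tenant placeholder and the sample user are assumptions. Signature verification is outside its scope; the service provider must verify the assertion signature with the IdP certificate before trusting any of these values.

```python
"""Added example: validate the SAML values configured above against a
constructed Entra-style SAML 2.0 response (not Businessmap's code).
Signature verification is out of scope here; the service provider must verify
the assertion signature with the IdP certificate before trusting these values."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim names listed in the article (Entra "SAML Token Attributes").
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GIVENNAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

# Assumed subdomain "yourcompany": Identifier (Entity ID) and Reply URL (ACS).
ENTITY_ID = "https://yourcompany.kanbanize.com/"
ACS_URL = "https://yourcompany.kanbanize.com/saml/acs"

# Constructed, unsigned sample response; tenant ID and user are placeholders.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z" Destination="{ACS_URL}">
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT-ID/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jane.doe@yourcompany.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T09:55:00Z" NotOnOrAfter="2024-01-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_ATTR}"><saml:AttributeValue>jane.doe@yourcompany.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{GIVENNAME_ATTR}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{SURNAME_ATTR}"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _utc(value):
    """Parse the SAML timestamp format (UTC, 'Z' suffix) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, entity_id, acs_url, now):
    """Return the user's claims, or raise ValueError if the response was not
    issued for this exact Entity ID / ACS URL or is outside its time window."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")

    # Audience must match the Identifier byte for byte: "https://x.kanbanize.com"
    # and "https://x.kanbanize.com/" are two different Entity IDs.
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id:
        raise ValueError(f"Audience {audience!r} is not the Entity ID {entity_id!r}")

    conf = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != acs_url:
        raise ValueError("Recipient does not match the Reply URL (ACS)")

    cond = assertion.find("saml:Conditions", NS)
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    if now >= _utc(conf.get("NotOnOrAfter")):
        raise ValueError("subject confirmation has expired")

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    # Email comes from the "Attribute name for Email" claim when mapped, else NameID.
    return {
        "name_id": name_id,
        "email": attrs.get(EMAIL_ATTR, name_id),
        "first_name": attrs.get(GIVENNAME_ATTR),
        "last_name": attrs.get(SURNAME_ATTR),
    }


def demo():
    """Fixed clock: the correct Entity ID yields the claims; the same value
    without its trailing slash is rejected."""
    now = datetime(2024, 1, 1, 10, 1, tzinfo=timezone.utc)
    claims = check_assertion(SAMPLE_RESPONSE, ENTITY_ID, ACS_URL, now)
    try:
        check_assertion(SAMPLE_RESPONSE, ENTITY_ID.rstrip("/"), ACS_URL, now)
        slash_mismatch_rejected = False
    except ValueError:
        slash_mismatch_rejected = True
    return claims, slash_mismatch_rejected


if __name__ == "__main__":
    print(demo())
```

Running the script shows both outcomes at once: the claims for the sample user, and that the Identifier typed without its trailing slash is refused, which is the usual cause of a "no audience match" style failure after this setup.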
Below the fields, you will find a dropdown from which you can select among a variety of options that cover different log-in use cases:
- Disable Businessmap login, only SSO login is applied for all users
- Allow Businessmap login for users with Account Owner privileges
- Allow Businessmap login for users with Manage Integrations privileges
- Allow Businessmap and SSO login for all users
Notes:
- There is a checkbox on the left, "Automatically create a Businessmap user for the unregistered emails upon login", which controls who can get in through SSO. When it is checked, a Businessmap user is created automatically for any unregistered email that logs in via SSO. When it is unchecked, a user must first receive a Businessmap email invitation before they can log in to the system via the SSO flow.
- There is another checkbox, “Sign outgoing messages.” Turning it on makes Businessmap sign its authentication and logout requests, logout responses, and metadata. The public certificate used for those signatures is published in the metadata at https://{subdomain}.kanbanize.com/saml/metadata
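Two certificate handling steps on this page are easy to get wrong: pasting the downloaded IdP certificate "without the start and end markers" into the Businessmap field, and picking the right signing certificate out of the metadata document when "Sign outgoing messages" is on. The following Python script, added here as an example and not Businessmap's own code, normalizes a PEM-wrapped Base64 certificate into a single marker-free line, rejects anything that is not valid Base64, extracts the signing certificate from an SP metadata document, and computes a SHA-256 fingerprint so the same certificate can be compared on both sides. The certificate bytes and the metadata document are constructed stand-ins (the metadata follows the standard SAML 2.0 layout, not necessarily Businessmap's exact output), and the subdomain "yourcompany" is assumed.

```python
"""Added example (not Businessmap's code): normalize a PEM certificate to the
single Base64 line the Businessmap certificate field expects, pull the
signing certificate out of SP metadata, and fingerprint both for comparison."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for certificate bytes; NOT a real X.509 certificate.
FAKE_DER = b"constructed DER stand-in, not a real certificate " * 4
SAMPLE_B64 = base64.b64encode(FAKE_DER).decode("ascii")

# Shape of the file Entra hands out: Base64 body at 64 columns between PEM markers.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)

# Constructed SP metadata in the standard SAML 2.0 layout; the real document
# is served at https://{subdomain}.kanbanize.com/saml/metadata.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://yourcompany.kanbanize.com/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://yourcompany.kanbanize.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

_MARKER = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def normalize_certificate(text):
    """Strip PEM markers and all whitespace, then decode and re-encode so the
    result is exactly one Base64 line (the form the certificate field takes)."""
    body = "".join(_MARKER.sub("", text).split())
    der = base64.b64decode(body, validate=True)   # rejects non-Base64 debris
    return base64.b64encode(der).decode("ascii")


def is_valid_certificate_field(text):
    """True if the pasted text decodes as Base64 after normalization."""
    try:
        normalize_certificate(text)
        return True
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


def fingerprint_sha256(b64_body):
    """Colon-separated SHA-256 fingerprint of the DER bytes, the value to
    compare against what the other side displays for the same certificate."""
    digest = hashlib.sha256(base64.b64decode(b64_body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_certificate_from_metadata(xml_text):
    """Return the normalized signing certificate (use="signing") from SP metadata."""
    root = ET.fromstring(xml_text)
    cert = root.findtext(
        "md:SPSSODescriptor/md:KeyDescriptor[@use='signing']"
        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
        namespaces=NS)
    if cert is None:
        raise ValueError("metadata carries no signing certificate")
    return normalize_certificate(cert)


if __name__ == "__main__":
    print("field value:", normalize_certificate(SAMPLE_PEM)[:40] + "...")
    print("IdP cert fingerprint:", fingerprint_sha256(normalize_certificate(SAMPLE_PEM)))
    print("SP signing cert fingerprint:",
          fingerprint_sha256(signing_certificate_from_metadata(SAMPLE_SP_METADATA)))
```

In practice you would feed `normalize_certificate` the Base64 certificate downloaded in step 9 and paste its return value into the Businessmap field, and compare the fingerprint printed for the metadata's signing certificate with the one shown wherever that certificate is registered on the IdP side; a mismatch means the two sides are not talking about the same key.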
Once everything is configured and saved, navigate to the “Users and groups” tab in Azure to assign the desired users who would need access to the Businessmap application. After that, they should be able to log in via SSO.
You are now ready to give the Businessmap – Azure SSO a test drive!
Be sure to try the integration, and don’t hesitate to contact our support if you have any trouble.
________________________________________________________________________