SSO - Microsoft Entra ID
To configure Microsoft Entra ID as Identity Provider (IdP) for Xygeni as Service Provider (SP), you should first contact Xygeni to request the data needed to properly configure the SAML integration between Entra ID and Xygeni.
You must provide the following information to Xygeni:
IDP Sign on URL: URL of the Identity Provider (or IDP, Entra ID in this case) against which the Xygeni user is going to authenticate
Entity ID or Issuer: globally unique name for an Identity Provider or a Service Provider; a URI used to identify the issuer of a SAML request, response, or assertion
URL Metadata: the discovery information that the IDP exposes so that the SP can securely interoperate with it
Signing Certificate: allows the Service Provider (or SP, Xygeni in this case) to verify the authenticity of the SAML response
Once you have submitted the above information to Xygeni, you will receive back the information needed to properly configure the integration. This information will contain:
SP Single Sign on URL: the SP's URL that receives the SAML response, verifies it and validates it.
Log in to Microsoft Entra ID, go to Enterprise Applications and click on New application.
A new page will open. Click on Create your own application.
Then name your application, select “Integrate any other application you don’t find in the gallery (Non-gallery)” and click on the Create button.
Choose whatever name you prefer to identify your app (in our example we will use "xy1"). Entra ID will redirect you to the workflow to create your SAML integration.
Click on option 2, Set up single sign on. A new page will open.
Select SAML and the main configuration page will open.
In Section 4 (Set up xy1) you will find the following information, which you must provide to Xygeni:
Login URL: a.k.a. IDP Sign on URL, the URL of the Identity Provider (or IDP, Entra ID in this case) against which the Xygeni user is going to authenticate
Microsoft Entra identifier: a.k.a. Entity ID or Issuer, globally unique name for an Identity Provider or a Service Provider; a URI used to identify the issuer of a SAML request, response, or assertion
In Section 3 (SAML Certificates):
App Federation Metadata URL: a.k.a. URL Metadata, the discovery information that the IDP exposes so that the SP can securely interoperate with it
Certificate (Base64): a.k.a. Signing Certificate, it allows the Service Provider (or SP, Xygeni in this case) to verify the authenticity of the SAML response
Copy the above information, download the Signing Certificate and send it to Xygeni.
CAUTION: In order to save the created app, you must enter the required information in Section 1. Until you receive the proper values from Xygeni, you can enter placeholder values that you will replace later, such as:
Identifier (Entity ID) (something similar to “20-xy1-azure”)
Reply URL (Assertion Consumer Service URL) (something similar to https://api.xygeni.io/sso/details/20-xy1-azure)
Once Xygeni has received the above information, you will get back the values needed to complete the integration. This information will contain:
Identifier (Entity ID): the Service Provider's Entity ID (something similar to “20-xy1-azure”)
Reply URL (Assertion Consumer Service URL): the SP's URL that receives the SAML response, verifies it and validates it (something similar to https://api.xygeni.io/sso/details/20-xy1-azure)
Copy those values into Section 1 (Basic SAML Configuration).
Once that is done, click on Edit in Section 2 (Attributes & Claims).
By default, the app will send user.userprincipalname as Unique User Identifier (Name ID).
IMPORTANT: Xygeni expects that value to be a valid (and existing) Xygeni user id (email), so make sure that user.userprincipalname contains a valid Xygeni user id (an email). If the valid Xygeni user id (email) is stored in another user attribute, such as user.othermail, click on the three dots to change it and select the proper attribute in the Source attribute field.
IMPORTANT: The Entra ID username must already be an existing Xygeni user!
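The two IMPORTANT notes above describe what the Service Provider side must enforce on each SAML response before it maps the Name ID to an account. The following Python script is an added example, not Xygeni's code: it assumes the XML signature has already been verified by the SAML library against the IdP signing certificate (that step is not shown here), and performs the remaining checks a relying party applies: Destination equals the Reply URL, Issuer equals the IdP entity ID, Audience equals the SP Entity ID, the validity window has not lapsed, and the Name ID is an email address that belongs to an existing user. The sample response, tenant id and user list are constructed; the SP identifier and Reply URL reuse the page's own "something similar to" examples.

```python
"""Checks an SP applies to a SAML Response before trusting its NameID.

Added example, not Xygeni's code. XML signature verification is assumed
to have passed already. All values below are constructed placeholders;
"20-xy1-azure" and the Reply URL are the page's own illustrative values.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# What the SP was configured with (constructed; tenant id is a placeholder).
EXPECTED = {
    "idp_entity_id": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "sp_entity_id": "20-xy1-azure",
    "acs_url": "https://api.xygeni.io/sso/details/20-xy1-azure",
}
# Stand-in for the SP's user directory: the NameID must be one of these.
KNOWN_USERS = {"alice@example.com", "bob@example.com"}

# Constructed response as Entra ID would POST it to the Reply URL (signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-05-01T10:00:00Z"
    Destination="https://api.xygeni.io/sso/details/20-xy1-azure">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T10:05:00Z"
            Recipient="https://api.xygeni.io/sso/details/20-xy1-azure"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>20-xy1-azure</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, expected=EXPECTED, known_users=KNOWN_USERS, now=None):
    """Return (name_id, problems); name_id is None unless problems is empty."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return None, ["root element is not samlp:Response"]
    if root.get("Destination") != expected["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} is not the SP Reply URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return None, problems + [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]
    for label, el in (("Response", root), ("Assertion", a)):
        issuer = el.findtext("saml:Issuer", default="", namespaces=NS).strip()
        if issuer != expected["idp_entity_id"]:
            problems.append(f"{label} Issuer {issuer!r} is not the configured IdP entity ID")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [(x.text or "").strip()
                     for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected["sp_entity_id"] not in audiences:
            problems.append(f"Audience {audiences} does not include the SP Entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") not in (None, expected["acs_url"]):
            problems.append("SubjectConfirmationData Recipient is not the SP Reply URL")
        if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")
    # The page's requirement: NameID must be an email that is an existing user.
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not EMAIL_RE.match(name_id):
        problems.append(f"NameID {name_id!r} is not an email address")
    elif name_id.lower() not in {u.lower() for u in known_users}:
        problems.append(f"NameID {name_id!r} is not an existing user")
    return (name_id if not problems else None), problems


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, now="2024-05-01T10:01:00Z"))
```

A Name ID that is syntactically an email but unknown to the SP is reported as a distinct problem from a non-email Name ID, which is the difference between "wrong Source attribute in Attributes & Claims" and "user not yet created in Xygeni" when troubleshooting the two IMPORTANT notes.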
Do not forget to assign users to the integration app you just created. To do so, select the Users and groups tab and add users or groups as needed.
Once you have sent the above information to Xygeni and updated the app with the values Xygeni sent back to you, you can test the application integration.
To do so, go to the Xygeni login page (https://in.xygeni.io/auth/login); after entering your login name you will be presented with a page where you can enter your password or click on the Azure AD button.
If you click on the Azure AD button, you will be redirected to the Azure AD login page. Once authenticated in Azure AD, your browser will be redirected to the Xygeni dashboard.
Alternatively, you can also log in to Xygeni from Entra ID. To do so, select your app and click on the Test button in Section 5. You will be redirected to the Xygeni dashboard without any further authentication.