
How to configure SAML-based Single Sign-On (SSO) using Microsoft Azure AD

This article explains how to configure SAML-based Single Sign-On (SSO) for PLAYipp Manager using Microsoft Azure Active Directory (Azure AD). Follow these steps to integrate PLAYipp with Azure AD to enable secure and seamless user authentication.

To get access to SAML configuration, contact PLAYipp support.

Prerequisites:

  • Admin access to Microsoft Azure AD: You need admin rights to create and configure applications in Azure AD.
  • Admin access to PLAYipp Manager: To configure SAML settings in PLAYipp.

Step 1: Add PLAYipp Manager as an Application in Azure AD

  1. Log in to the Azure portal: https://portal.azure.com.
  2. Navigate to Azure Active Directory > Enterprise Applications > New Application.
  3. Select Create your own application, name it "PLAYipp Manager," and choose Integrate any other application you don’t find in the gallery (Non-gallery application).

Step 2: Configure SAML-based Single Sign-On in Azure AD

  1. In the PLAYipp Manager application, go to Single sign-on and choose SAML as the SSO method.
  2. Edit the Basic SAML Configuration:
    • Identifier (Entity ID): Set this to https://saml.playipp.com/api/saml/[PLAYippAccountID]/metadata.
    • Reply URL (Assertion Consumer Service URL): Use https://saml.playipp.com/api/saml/[PLAYippAccountID]/assert.
    • Login URL: Enter https://login.microsoftonline.com/[your-tenant-ID]/saml2.
  3. Save the changes.

Step 3: Upload the SAML Certificate

  1. Under the SAML Signing Certificate section in Azure AD, download the certificate in Base64 format.
  2. In PLAYipp, go to the SAML Tab (found under Administration Tab > Organization Settings) and paste the certificate:
    -----BEGIN CERTIFICATE-----
    [Base64 certificate content]
    -----END CERTIFICATE-----
    NOTE! Make sure the certificate is correctly formatted.

Step 4: Add the Assertion URL in PLAYipp Manager

In the Assertion URL field under the SAML Tab in PLAYipp Manager, enter the Login URL from step 2. This will typically be: https://login.microsoftonline.com/[your-tenant-ID]/saml2

Step 5: Configure User Attributes & Claims in Azure AD

  1. In the Attributes & Claims section, ensure that the Name Identifier is set to user.mail or an attribute that aligns with PLAYipp’s requirements.
  2. Add any additional claims that PLAYipp might require, such as first name or last name.

Step 6: Assign Users to the Application

  1. In the Azure portal, go to Users and Groups for the PLAYipp Manager application.
  2. Add the users or groups who will access PLAYipp via SSO.

You can read how to configure groups here: How to Use Security Groups and Group Claims for user Management in PLAYipp and Microsoft Azure AD

Step 7: Test the SSO Configuration

  1. Use the Login URL (https://saml.playipp.com/api/saml/[PLAYippAccountID]/login) to test SSO functionality.
  2. Verify that users are redirected to the Azure AD login page and can successfully log in.
  3. Review Azure AD Sign-in logs for any issues if the authentication does not work as expected.

Troubleshooting

  • "Too many redirects" Error: Ensure that the Identifier (Entity ID) and Reply URL (ACS) are configured correctly in both Azure AD and PLAYipp Manager.
  • No Redirection to Microsoft Login Page: Double-check the Login URL configuration, and make sure the SAML settings in PLAYipp are enabled.
  • Certificate Issues: Make sure the certificate includes both -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.
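
The formatting requirement from Step 3 and the "Certificate Issues" item above can be checked before pasting. The Python below is an added example, not PLAYipp or Microsoft code; the function names and the sample input are assumptions made for illustration. It checks structure only (markers, Base64 body, outer DER length), not the certificate's contents, and returns a SHA-256 fingerprint so the pasted text can be compared with the downloaded file.

```python
import base64
import binascii
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_pasted_certificate(text):
    """Return (problems, sha256_hex) for a PEM certificate pasted as text."""
    text = text.strip()
    problems = []
    if text.count(BEGIN) != 1 or text.count(END) != 1:
        return ["need exactly one BEGIN and one END CERTIFICATE marker"], None
    if not text.startswith(BEGIN) or not text.endswith(END):
        problems.append("extra text outside the BEGIN/END markers")
    body = text[text.index(BEGIN) + len(BEGIN):text.index(END)]
    try:
        # Strict decode: rejects characters outside the Base64 alphabet.
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error:
        return problems + ["body is not valid Base64"], None
    # Structural check only: DER must be one SEQUENCE whose encoded
    # length accounts for every byte (catches truncated pastes).
    if len(der) < 2 or der[0] != 0x30:
        return problems + ["decoded data is not a DER SEQUENCE"], None
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        problems.append("DER length mismatch (truncated or padded paste)")
    return problems, hashlib.sha256(der).hexdigest()

def make_sample_pem():
    """Constructed stand-in (not a real certificate): SEQUENCE of 300 zero bytes."""
    der = b"\x30\x82" + (300).to_bytes(2, "big") + bytes(300)
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return BEGIN + "\n" + "\n".join(lines) + "\n" + END + "\n"

if __name__ == "__main__":
    print(check_pasted_certificate(make_sample_pem()))
```

An empty problem list means the text is structurally a single PEM certificate block; any entry names what to fix before saving it in the SAML Tab.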

Conclusion:
Following these steps should set up SAML-based SSO for PLAYipp Manager successfully, allowing users to log in using their Microsoft Azure AD credentials for a secure authentication experience.
For further help, contact PLAYipp Support.
