The document provides steps to set up SSO on your own if your company uses Microsoft Entra ID as an identity provider under SAML 2.0.
Prerequisites
Admin rights to both Pramata Platform and Microsoft Entra ID Portal.
Login to both Pramata Platform and Microsoft Entra ID Portal with your credentials in two separate browser tabs to setup SSO.
Step 1: Add Pramata as an Enterprise Application in Microsoft Entra ID
Open Microsoft Entra ID, in the left pane, under Entra ID Services, click Enterprise apps.
-
From the top panel, click the + New application button and follow the steps below:
Click the + Create your own application button.
-
In the Create your own application pop-up page, do the following:
In What’s the name of your app? box, type Pramata.
In What are you looking to do with your application?, select “Integrate any other application you don’t find in the gallery (Non-gallery)”.
Click Create.
Step 2: Enter Service Provider (SP) Details in Microsoft Entra ID
Open Microsoft Entra ID and go to Enterprise Applications > New Application > Search for Pramata
Select Pramata and in the left menu, select Single sign on.
On the Select a single sign-on method screen, select SAML.
- On the Set up single sign-on with SAML page, click the Edit icon in the Basic SAML Configuration section and copy the details from Pramata, refer next step.
-
From Pramata to Entra ID
Open Pramata and go to Admin Console → Integrations Hub → Choose Microsoft Entra ID (formerly Azure Active Directory) as your organization's Identity Provider and click Connect.
-
In the Setup Pramata as SAML Service Provider in your IDP tab (Pramata), do the following actions:
Copy the Assertion Consumer Service (ACS) URL (Pramata) and paste it in Reply URL (Assertion Consumer Service URL) (Microsoft Entra ID).
Copy the Entity Id (Pramata) and paste it in Identifier (Entity ID) (Microsoft Entra ID).
Click Save (Microsoft Entra ID).
- Click the Edit icon in the Attributes & Claim section.
To remove the default additional claims that exist, click the ellipsis to the right of each of them and select Delete.
-
Click + Add new claim and type the following Name, Namespace, & Source Attribute.
Name Namespace Source attribute UserName http://schemas.xmlsoap.org/ws/2005/05/identity/claims <Map the user name> EmailAddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims <Map the email address> FirstName http://schemas.xmlsoap.org/ws/2005/05/identity/claims <Map the first name> LastName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims <Map the last name> Click Save (Microsoft Entra ID).
In the SAML Certificates section, click 'Download' against Federation Metadata XML. This downloaded file is uploaded to the Pramata Platform. Learn more in Step 3.
Step 3: Upload IDP Metadata File
From Microsoft Entra ID to Pramata
Open Pramata, click Next.
-
In the Add Identity Provider Details tab, for a quick configuration, select the Upload IDP Metadata File button and upload the “Federation Metadata XML” file from your system. The following fields are auto populated:
SAML 2.0 Endpoint (HTTP)
Enter IDP Provider Certificate
- Alternatively, to manually enter the values, copy the following details from the Metadata XML file and paste it in the fields below:
- SAML 2.0 Endpoint (HTTP)
Enter IDP Provider Certificate
Click Next.
Step 4: Attribute Mapping for Microsoft Entra ID
From Microsoft Entra ID to Pramata
Open Pramata and navigate to the User Attribute Mapping tab.
In the Attribute Mapping for Microsoft Entra ID screen, type the user attribute/claim from Microsoft Entra ID. For steps on how to copy the user attributes / claim. Refer the next step.
-
To copy the Claim Name from Microsoft Entra ID to Pramata:
Open Microsoft Entra ID, click the Edit icon in the Attributes & Claim section.
Copy the value from the Additional claims > Claim name column (Microsoft Entra ID) and paste it against the User Attributes (Pramata). Repeat the step for all the other user attributes.
Note that, the user attributes / claim are case sensitive and must be entered exactly as specified in Microsoft Entra ID.
Click Connect.
Step 5: Optional Settings
Open Pramata, in the Optional Settings screen, you can choose from these options:
To allow new users to be automatically provisioned with a user account while logging in through SSO, enable Allow SSO auto-provisioning (recommended) and select a Default Role and Default Profile for the new users.
Note: All new users must have access to Pramata application in Microsoft Entra ID.To finish setting up SSO and verify your settings, click Complete.
Step 6: Verify / Test your SSO Setting
To test your setup, in the Integrations Hub screen, click the View Guide for Testing Configuration icon. The steps will help you create a test user to verify your SSO Setting.
Optionally, to view or edit any configurations, click Manage Settings.
Renew SSO Certificate in Microsoft Entra ID
Renewing the Single Sign-On (SSO) certificate in Microsoft Entra ID for the Pramata application is crucial to maintain a secure and seamless authentication process. Failure to renew the certificate on time may result in disruptions or complete loss of SSO functionality, causing inconvenience for users. This guide will walk you through the entire process, ensuring a smooth transition to the new certificate.
- Step 1: Renew your SAML Certificate
- Step 2: Download the new Federation Metadata
- Step 3: Upload the new IDP Metadata File in Pramata
- Step 4: Test your SSO Setup
Step 1: Renew your SAML Certificate
Renew your SAML Certificate in Microsoft Entra ID and ensure that the new certificate is active for the Pramata Application.
Step 2: Download the new Federation Metadata
- Open Microsoft Entra ID and navigate to the SAML Certificates section for the Pramata application.
- Click Download against Federation Metadata XML.
- Save the downloaded file securely for the next step.
Tip: The 'Federation Metadata XML' file contains information about the Identity Provider (IdP) configuration, including the new SAML certificate.
Step 3: Upload the new IDP Metadata File in to Pramata
Open Pramata and go to Admin Console → Integrations Hub.
Click ‘Manage Settings’ against Microsoft Entra ID.
In the Setup Pramata as SAML Service Provider in your IDP tab (Pramata), click Next.
-
In the Add Identity Provider Details tab, select the Upload IDP Metadata File button and upload the new “Federation Metadata XML” file downloaded from Microsoft Entra ID. The following fields will be auto populated:
SAML 2.0 Endpoint (HTTP)
Enter IDP Provider Certificate
Click Next.
In the User Attribute Mapping tab, click Update without modifying any attribute mappings. Confirm the action by clicking Yes in the confirmation dialog box.
In the last tab, click Complete to finish the process.
Step 4: Test your SSO Setup
Note:
- Ensure that you remain logged into your current session. If any issues arise during testing, you may not be able to log in to address them.
- It's recommended to test the SSO setup in a separate browser window and within a non-production environment before rolling it out to production.
In the Single Sign-On (SSO) Setup completed screen, click View Guide for Test Configuration button.
Follow the steps provided in the guide to create a test user and verify your SSO settings.
Important Note: SSO login will be temporarily unavailable for users until the process of renewing the SSO certificate in Microsoft Entra ID for Pramata is completed.