Setting SSO with Microsoft Azure Active Directory

Modified on Tue, 18 Apr 2023 at 04:08 PM

Log in to the Microsoft Azure portal and open the Azure Active Directory management page.


There, select the “Enterprise applications” option.



On the Enterprise applications page click the “New application” button.



On the New application page, click the “Create your own application” button in the top left corner.




On the Create your own application side panel, give your application a name, make sure that the “Integrate any other application you don’t find in the gallery (Non-gallery)” option is selected, and click the “Create” button.



You will be redirected to your new application’s Overview page. There, click the “2. Set up single sign on” button in the “Getting Started” section.


  

On the Single Sign-on page, select the “SAML” option from the “Select a single sign-on method” section.


On the SAML-based Sign-on configuration page, click the small “edit” button on the “Basic SAML Configuration” card of the “Set up Single Sign-On with SAML” section to open the “Basic SAML Configuration” side panel. Leave this panel open and, in another browser tab, go to the tgndata console.



On the tab with the tgndata console, log in if you haven’t already, click the user icon in the top right corner and select the “User Management” item from the menu that appears.



You will be redirected to the User Management page. There, click the SSO edit button (the one with the small edit icon) to open the SSO edit dialog.



On the “SSO settings” modal, select the “Service Provider” tab. Copy the “Service Provider ID” and “Assertion Consumer Service” values, and optionally the “Single Log Out endpoint” value, because you will need them in the next step.



Return to the “Azure” tab where the Basic SAML Configuration side panel is open and fill it in with the values copied in the previous step: the “Service Provider ID” goes in “Identifier (Entity ID)”, the “Assertion Consumer Service” goes in “Reply URL (Assertion Consumer Service URL)” and, optionally, the “Single Log Out endpoint” goes in “Logout Url”. Each value must match exactly what tgndata shows (including the scheme and any trailing slash), because Azure AD restricts the assertion to this Identifier and only sends responses to this Reply URL.
Then click the “Save” button in the top left corner of the side panel. This saves your changes and closes the side panel.



Scroll down on the SAML-based Sign-on configuration page and click the small “edit” button on the “Attributes & Claims” card to open the Attributes & Claims configuration page.


There, click the “Unique User Identifier (Name ID)” row in the “Required claim” section of the “Attributes & Claims” page to open the Manage claim page.



On the Manage claim page, make sure that user.mail is selected as the “Source attribute” and then click the “Save” button. This attribute is sent as the NameID of the SAML assertion and is what tgndata uses to match the signed-in Azure user to a tgndata user, so the user’s Azure AD mail attribute must be populated and must equal the e-mail address of their tgndata account.


Optionally (and advanced), if you want to limit access to the tgndata platform based on the value of a specific claim’s source attribute (e.g. user.assignedroles), make sure that claim exists on the “Attributes & Claims” page (create it under “Additional claims” if it does not) and copy the “Name” of that claim (e.g. roles) for later use.





Head back to the SAML-based Sign-on configuration page, scroll down to the “SAML Certificates” card and click the “Download” link next to “Certificate (Base64)”. This downloads the certificate file that tgndata will use to verify the signature on assertions from Azure AD; you will need it in a later step. Note the expiration date shown on the same card: when the certificate is rotated or expires, you will have to repeat this step and paste the new certificate into tgndata, otherwise sign-ins will start to fail.


Then scroll down on the SAML-based Sign-on configuration page and copy the “Login URL”, “Azure AD identifier” and, optionally, “Logout URL” values. These values are needed in the next steps.


Go to the tgndata console tab, open the “SSO settings” modal and select the “Identity Provider” tab.
There, paste the “Azure AD identifier” from Azure into the “Identity Provider ID” field and the “Login URL” from Azure into the “Single Sign On endpoint” field. Optionally, tick the “Single Log Out” check box and paste the “Logout URL” from Azure into the “Single Log Out endpoint” field.

Then open the certificate you downloaded earlier from Azure in a plain text editor (Notepad, Wordpad, Notepad++, etc.), copy its entire content and paste it into the “Certificate” field of the “SSO settings” modal. Copy from a text editor rather than opening the file with a certificate viewer, so that the Base64 text is pasted unchanged.

 


Optionally (and advanced), if you want to limit access to the tgndata platform based on a specific claim’s value (e.g. user.assignedroles), check the “Restrict for groups” checkbox, enter in the “Attribute Name” field the “Name” value of the claim you copied earlier from the Azure portal (e.g. roles) and enter in the “Allowed values” field the values that the claim must carry for a user to be allowed in. A user whose assertion does not contain the named attribute, or contains it with none of the allowed values, will be refused even though Azure AD authenticated them successfully.


Turn on the “SSO” switch and then click the “Save” button at the bottom of the modal. Before testing, assign the users or groups that should be able to sign in on the application’s “Users and groups” page in the Azure portal; an enterprise application only accepts sign-ins from assigned users unless “Assignment required?” is set to No in its Properties.
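As an added example, not code from tgndata or Microsoft, the Python script below shows how the values configured above relate to what Azure AD actually sends: it parses a constructed, unsigned SAML response of the shape Azure AD emits and checks that the assertion’s Issuer equals the “Identity Provider ID”, that its Audience contains the “Service Provider ID”, that the NameID is an e-mail address (the user.mail source attribute) and that the claim named in “Restrict for groups” carries one of the “Allowed values”. It also normalizes a downloaded “Certificate (Base64)” file into a bare Base64 string and checks that it decodes to DER. The tenant ID, entity IDs, attribute name, allowed values and the tiny sample certificate are all hypothetical, and the script does not verify the XML signature, which is what tgndata uses the pasted certificate for.

```python
"""Added example (not tgndata's or Microsoft's code): check a SAML assertion
against the values configured in the SSO settings. All values are constructed."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Hypothetical values, as they would be entered in the tgndata "SSO settings" modal.
SSO_SETTINGS = {
    "identity_provider_id": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "service_provider_id": "https://console.example.com/saml/metadata",
    "restrict_attribute": "roles",                    # claim "Name" copied from Azure
    "allowed_values": {"tgndata-user", "tgndata-admin"},
}

# Constructed, unsigned response of the shape Azure AD emits (Signature element omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://console.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="roles">
        <saml:AttributeValue>tgndata-user</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed stand-in for the downloaded "Certificate (Base64)" file: a 5-byte DER
# SEQUENCE with Windows line endings, NOT a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
              + "\r\n-----END CERTIFICATE-----\r\n")


def parse_assertion(xml_text):
    """Extract the assertion fields that the SSO settings are checked against."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "name_id_format": name_id.get("Format", "") if name_id is not None else "",
        "audiences": [a.text.strip() for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text],
        "attributes": {
            attr.get("Name"): [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
            for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
        },
    }


def check_assertion(info, settings):
    """Return a list of problems; an empty list means the assertion matches the settings."""
    problems = []
    if info["issuer"] != settings["identity_provider_id"]:
        problems.append(f"issuer {info['issuer']!r} does not equal the Identity Provider ID")
    if settings["service_provider_id"] not in info["audiences"]:
        problems.append("Service Provider ID is not in the Audience (check the Identifier in Azure)")
    if not info["name_id"] or info["name_id_format"] != EMAIL_FORMAT:
        problems.append("NameID is not an e-mail address (check Unique User Identifier = user.mail)")
    attr = settings.get("restrict_attribute")
    if attr:  # the "Restrict for groups" rule: the claim must carry an allowed value
        values = set(info["attributes"].get(attr, []))
        if not values & set(settings["allowed_values"]):
            problems.append(f"claim {attr!r} has none of the allowed values: {sorted(values)}")
    return problems


def certificate_base64_body(pem_text):
    """Drop the BEGIN/END lines, BOM and line breaks of a downloaded certificate file and
    check that the remaining Base64 decodes to DER (every X.509 certificate is a SEQUENCE)."""
    lines = [ln.strip() for ln in pem_text.lstrip("\ufeff").splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("file does not contain a DER certificate; re-download it from Azure")
    return body


if __name__ == "__main__":
    info = parse_assertion(SAMPLE_RESPONSE)
    print("NameID:", info["name_id"])
    print("problems:", check_assertion(info, SSO_SETTINGS) or "none")
    print("certificate Base64 body:", certificate_base64_body(SAMPLE_PEM))
```

Run the script with a captured response from your own tenant (for example one decoded from the browser’s SAML trace) and the values you actually entered to see which of the four settings is mismatched when a sign-in is refused; the checks are the same ones a service provider applies before trusting the assertion.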


Congratulations, you have successfully enabled SSO with your Microsoft Azure Active Directory.
