Security Assertion Markup Language Integration

If your organisation uses Microsoft Entra ID or another similar system, your home directory can be federated with IRIS Identity using Security Assertion Markup Language (SAML).

Before Federating your Directory with IRIS Identity

Before federating your directory with IRIS Identity, contact your IRIS account representative to discuss options. Directory integrations are assessed case-by-case and subject to conditions. If agreement to federate your directory is given, they will provide you with a technical contact to share the details required for the process.

Prerequisites

To be able to federate your directory: 

  • All employees must be using a common email domain or domains, such as acme.com, that are owned by your company

    If your organisation uses generic email domains, such as Gmail, federating does not work. To discuss available options, contact your IRIS account representative.

  • The tasks in this integration guide must be performed by a technical user with administrative permissions in Microsoft Entra ID to create and modify applications

Security Assertion Markup Language Integration Guide

To federate your directory with IRIS Identity, complete the steps in the integration process.

Some of the processes are completed in third-party software, and therefore, label names or locations of sections may not be exact or could be out of date. If you need further help, please refer to the latest documentation available from the software provider.

Create an IRIS Application in your Microsoft Entra ID Directory

  1. Open Microsoft Entra ID in the Azure cloud portal.
  2. From the left menu, select Enterprise Applications.
  3. Select New Application.
  4. In the Entra gallery, select Create Your own Application.
  5. Enter the name of the application, for example, IRIS Identity SAML.
  6. To save, select Create.

Configure Basic Security Assertion Markup Language

When configuring SAML, unless otherwise stated in the instructions, leave the settings as the default.

  1. In your Enterprise Application, from the left menu select Single Sign-On.
  2. Select SAML.
  3. In Step 1: Basic SAML Configuration, select the Edit pencil icon, then in Identifier (Entity ID) and Reply URL enter temporary placeholder values, for example, SomethingUnique and https://tobecomplete.

    IRIS Software Group generates the unique values required for the Identifier (Entity ID) and Reply URL and provides them to you at a later step in the integration process.

    Figure: the Identifier (Entity ID) and Reply URL fields populated with placeholder values

    In Step 2: Attributes & Claims, check that the email address, first name, and last name claims are set to the default values. If changes have been made to your tenant, the values might differ from the defaults.

    To check and compare the values: 

    1. Select edit.
    2. From the Additional Claims section, record any values that are different from the values detailed in the following table:

      Claim Name                                                            Type   Value
      https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress   SAML   user.mail
      https://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname      SAML   user.givenname
      https://schemas.xmlsoap.org/ws/2005/05/identity/claims/name           SAML   user.userprincipalname
      https://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname        SAML   user.surname
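The following is an added example, not part of the IRIS guide or its tooling. It parses a SAML Response and checks two things the guide relies on: that the four default Entra ID claims from the table above are present with non-empty values, and that the asserted email address belongs to one of the email domains your organisation owns (acme.com, as in the prerequisites). The response XML is a constructed, unsigned sample; signature and audience validation are performed by IRIS Identity as the service provider and are not shown here.

```python
"""
Added example, not part of the IRIS guide: inspect a SAML Response and
confirm that the four default Entra ID claims are present and non-empty,
and that the asserted email address belongs to one of the organisation's
own domains. The response below is a constructed sample (unsigned, for
illustration only).
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

CLAIM_BASE = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL_CLAIM = CLAIM_BASE + "emailaddress"

# Default Entra ID claim names and the user attribute each should carry.
EXPECTED_CLAIMS = {
    EMAIL_CLAIM: "user.mail",
    CLAIM_BASE + "givenname": "user.givenname",
    CLAIM_BASE + "name": "user.userprincipalname",
    CLAIM_BASE + "surname": "user.surname",
}

# Constructed sample response for acme.com (the example domain used in the guide).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@acme.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@acme.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>alice@acme.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Smith</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response with the surname value removed, to show a failing check.
SAMPLE_RESPONSE_MISSING_SURNAME = SAMPLE_RESPONSE.replace(
    "<saml:AttributeValue>Smith</saml:AttributeValue>", "")


def extract_attributes(response_xml: str) -> dict:
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def missing_claims(attrs: dict) -> list:
    """Expected claim names that are absent or carry no non-empty value."""
    return [name for name in EXPECTED_CLAIMS if not any(attrs.get(name, []))]


def email_domain_allowed(attrs: dict, allowed_domains) -> bool:
    """True if exactly one email claim is present and its domain is one we own."""
    values = attrs.get(EMAIL_CLAIM, [])
    if len(values) != 1 or values[0].count("@") != 1:
        return False
    domain = values[0].rsplit("@", 1)[1].lower()
    return domain in {d.lower() for d in allowed_domains}


if __name__ == "__main__":
    for label, xml in (("complete", SAMPLE_RESPONSE),
                       ("missing surname", SAMPLE_RESPONSE_MISSING_SURNAME)):
        attrs = extract_attributes(xml)
        print(label, "missing:", missing_claims(attrs),
              "domain ok:", email_domain_allowed(attrs, {"acme.com"}))
```

Run against a response captured from a test sign-in (for example, with a browser SAML tracer), the list returned by `missing_claims` is exactly what you would report to your IRIS technical contact as a difference from the defaults, and a failed `email_domain_allowed` check points at a user whose primary email is outside the company-owned domains listed in the prerequisites.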

Share Integration Details with IRIS Software Group

When you get to Step 3: SAML Certificates, you must share the required integration details with IRIS Software Group:

  1. In Step 3: SAML Certificates, the link to download the certificate is available. Download the Base64 version.

    Certificates listed on the Entra ID SAML certificates page typically last for 3 years. To prevent interruption of service, you are responsible for tracking the certificate expiry date and providing an updated certificate to IRIS Software Group in a timely manner.

  2. In Step 4: Set up <app name> SAML, copy the values in Login URL, Microsoft Entra Identifier, and Logout URL.
  3. In the table, copy the Application (client) ID.
  4. Send the following details to your technical contact at IRIS Software Group:
    • The IRIS Software Group applications and products your organisation uses
    • All the email domains used by your organisation
    • The Login URL, Microsoft Entra Identifier, and Logout URL values
    • Any of the Additional Claims values that are different to the default values
    • The SAML certificate

      You must share your SAML certificate using a secure method. We recommend a secured OneDrive folder, or at the very least a password protected zip archive.
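Because tracking the certificate expiry is your responsibility, the following added example (not part of the IRIS guide) shows how to read the notAfter date out of the Base64 certificate you downloaded in Step 3 and flag it against a renewal threshold, using only the Python standard library. No real certificate is embedded: the sample is a constructed, unsigned X.509 skeleton built by a small DER encoder so the example runs offline, and the 90-day threshold is an assumed value you would set to suit your own renewal process.

```python
"""
Added example, not part of the IRIS guide: read the Base64 (PEM) SAML
signing certificate downloaded from Entra ID, pull out its notAfter date
with a minimal DER walk (standard library only) and report how many days
remain against a warning threshold. The sample certificate below is a
constructed, unsigned skeleton, not a real certificate.
"""
import base64
import datetime as dt

UTC = dt.timezone.utc


def _der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der_children(value: bytes) -> list:
    """Split the content of a SEQUENCE into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _der_read(value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag: int, val: bytes) -> dt.datetime:
    # 0x17 = UTCTime (YYMMDDhhmmssZ), 0x18 = GeneralizedTime (YYYYMMDDhhmmssZ)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=UTC)


def cert_not_after(pem: str) -> dt.datetime:
    """Return the notAfter time of the certificate in a PEM string."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    _, cert, _ = _der_read(base64.b64decode(body), 0)  # Certificate SEQUENCE
    _, tbs, _ = _der_read(cert, 0)                     # tbsCertificate
    fields = _der_children(tbs)
    if fields[0][0] == 0xA0:                           # optional [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, spki, ...
    not_before, not_after = _der_children(fields[3][1])
    return _parse_time(*not_after)


def days_remaining(pem: str, now=None) -> int:
    """Whole days until expiry; `now` may be a datetime or an ISO 8601 string."""
    if now is None:
        now = dt.datetime.now(UTC)
    elif isinstance(now, str):
        now = dt.datetime.fromisoformat(now)
    return (cert_not_after(pem) - now).days


def needs_renewal(pem: str, warn_days: int = 90, now=None) -> bool:
    """True when the certificate is within warn_days of expiry (or already expired)."""
    return days_remaining(pem, now) <= warn_days


# --- constructed sample (placeholder only, not a real or signed certificate) ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _utc_time(t: dt.datetime) -> bytes:
    return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def make_placeholder_pem(not_before: dt.datetime, not_after: dt.datetime) -> str:
    """Build just enough of an X.509 structure for the parser above to walk."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),               # version v3
        _der(0x02, b"\x01"),                           # serialNumber
        _der(0x30, b""),                               # signature (empty placeholder)
        _der(0x30, b""),                               # issuer (empty placeholder)
        _der(0x30, _utc_time(not_before) + _utc_time(not_after)),
        _der(0x30, b""),                               # subject (empty placeholder)
        _der(0x30, b""),                               # subjectPublicKeyInfo (placeholder)
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


PLACEHOLDER_PEM = make_placeholder_pem(dt.datetime(2024, 1, 1, tzinfo=UTC),
                                       dt.datetime(2027, 1, 1, tzinfo=UTC))

if __name__ == "__main__":
    print("notAfter:", cert_not_after(PLACEHOLDER_PEM).isoformat())
    print("days remaining:", days_remaining(PLACEHOLDER_PEM),
          "renew now:", needs_renewal(PLACEHOLDER_PEM))
```

To use it on the real file, read the downloaded Base64 certificate into a string and pass it to `needs_renewal`; a scheduled job that emails the result gives you the warning the guide asks you to manage yourself, with enough lead time to generate a new certificate in Entra ID and send it to IRIS Software Group before the old one expires.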

Update the Security Assertion Markup Language Configuration

Your technical contact at IRIS Software Group will arrange configuration of the integration with IRIS Identity and generate your connection values. When you receive the connection values:

  1. In your Enterprise Application, from the left menu select Single Sign-On.
  2. Select SAML.
  3. In Step 1: Basic SAML Configuration, select the Edit pencil icon, then delete the values you entered in Identifier (Entity ID) and Reply URL.
  4. In Identifier (Entity ID) and Reply URL, enter the values provided by your technical contact.

    If more than one Reply URL has been supplied, to add the additional values, select Add reply URL. Your technical contact will confirm which reply URL you must select as Default.

    Figure: additional reply URLs added and one reply URL selected as Default

Assign Users

You must assign the appropriate users, groups, or both, to the enterprise application depending on how you want to manage the integration with IRIS Software Group applications and products.

When users leave your organisation, to prevent them continuing to access IRIS Software Group applications and products your organisation uses, you must make sure they are deactivated or removed from your Entra ID tenant in a timely manner.

To complete the testing that confirms the setup has been successful, you must assign at least one user to the application.

To assign users: 

  1. In your Enterprise Application, from the left menu select Users & Groups.
  2. Select Add User/Group.
  3. Find the account of the user or group you want, then select their name.
  4. To save, select Assign.

Test Logging Into an IRIS Software Group Application

When integration has been set up by your technical contact at IRIS Software Group, and you have configured SAML and assigned users, you must test logging into an IRIS Software Group application.

To prevent errors being displayed during testing, the test user must also already have an account set up in the IRIS application you want to use for testing.

  1. For the IRIS application you want to use for the test, go to the login page.
  2. Enter the email address of the test account, then select Next.
  3. You are redirected to your tenant's Microsoft Entra ID login screen. Enter the required details to log in.
  4. When logging in for the first time, if prompted to consent to IRIS Identity having access to your profile data, give the consent.
  5. You are redirected to the IRIS application.

If no error messages are displayed during testing, apart from a message that the user does not have an account (the wording may vary by application), and no unusual behaviour occurs, the federation has been successful.

If any other error messages are displayed during testing, or any other unusual behaviour occurs, share the details with your technical contact at IRIS Software Group.