Document toolboxDocument toolbox

O365/Azure AD as an identity provider

After enabling Devo as a service provider, you can set up O365/Azure AD as an identity provider for SAML SSO. To do it, follow these steps:

  1. Go to Azure Active Directory and select Enterprise applications under the Manage menu.

  2. Click New application at the top of the screen.

  3. Choose Non-gallery application.

  4. Enter a name for the application and click Add.

  5. In the application, select Manage → Users and groups or click 1. Assign users and groups to configure the users/groups allowed to access the application.

  6. Then, choose Manage → Single sign-on or click 2. Set up single sign on.

  7. Choose SAML as the single sign-on method.

  8. Then, click Edit on Basic SAML Configuration.

  9. Using the Entity ID and ACS URL from the Devo SAML2 configuration page (Preferences → Domain preferences → Authentication → SAML2), set the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) in the Azure Basic SAML Configuration page.



  10. Save the changes.

  11. (Optional) If you will be using IDP Role Mapping to map Devo Roles to Azure Groups, click Edit on User Attributes & Claims.

    • Click Add a group claim.

    • Choose which groups to provide in the claim.

    • Select Source attribute (default is Group ID).

    • Under Advanced options, check Customize the name of the group claim.

    • Enter groups in the Name field and save changes.

  12. Download the Certificate (Base64) under SAML Signing Certificate.

  13. Configure Devo Identity Provider Settings (Preferences → Domain preferences → Authentication → SAML2)

    • In the EntityID field in Devo, enter the Azure AD Identifier from Set up –

    • In the Single Sign-On URL field in Devo, enter the Login URL from Set up – 

    • In the Add certificate field in Devo, paste the contents of the certificate downloaded in the previous step.

  14. (Optional) Check the User provisioning and Role mapping options in the Devo SAML2 area.

  15. Click Update in Devo to save the SAML2 changes.

  16. (Optional) In Azure SAML setup, click Test in Test single sign-on to ensure the configuration is correct.

  17. In the application, click Manage → Properties and copy the User access URL. This is the URL that users need in order to login to Devo with SSO from Azure.

  18. (Optional) Configure IDP Role Mapping. If the Source attribute was set to Group ID, you must use the Object ID from Azure AD as the External group/role. Go to Role mapping to learn more.