Azure - SAML Configuration - Onna Hosted - Enterprise

  • Updated on Apr 29, 2025
  • Published on Apr 29, 2025
  • 4 minute(s) read
Prev Next

SAML 2.0 Integration

Onna offers Single Sign On (SSO) integration through SAML 2.0 (Secure Assertion Markup Language) with a variety of compliant identity providers allowing you to leverage your existing user base and authentication mechanism to use the platform. There are only a few steps required to configure your Identity Provider (IdP) using the Onna Admin dashboard.

This guide walks you through setting up Onna as a Service Provider (SP). You will fill-in information about your Identity Provider (IdP), the external 3rd party which your users will sign-in through, and will return credentials back to Onna in the form of a SAML assertion. On the other end, you will also need to configure your IdP to establish communication with the Onna SP. By default, provisioning is enabled for your account. The default role in Onna for users created by provisioning is ‘user’. In the event you wish to turn off provisioning for an account please contact the Onna Support Team.

Once provisioning has been turned off, if a user has not been provisioned in Onna and attempts to use SSO identity to sign in, they will have no permissions until an Onna admin configures an Onna user for this identity.

To get started, open the Admin Preferences → Account → SAML with the proper administrator user:

The following settings are configurable under the SAML section.

  • {youraccount}: Your Onna account name found at the end of your Onna URL.

    • Ex. enterprise.onna.com/acme

    • Value for {youraccount} would be acme.

  • IdP ID / {IdPName}: Choose any name that you prefer to identify this Identity Provider (IdP). We’ll refer to this value as {IdPName} in the rest of the document.

    • This name will be displayed to the users in a selection box should you have more than one IdP. We suggest providing the ID in the following format:

      • youraccountname-identifyprovider

      • Example of how the IdP ID / IdPName should look:

companyname-azure

  • IdP Issuer: The identity provider’s URL

  • SSO URL: The single sign-on URL of the SAML Identity Provider Login page that your users will be redirected to for logging in.

  • Certificate: The public x509 certificate of the SAML Identity Provider.

The next step is to configure your IdP so that it can establish communication with the Onna service provider. Below are the items that need to be configured. There are only a few items you need to fill in with the main ones shown below:

Onna Audience Restriction URL:

Onna SAML Assertion Consumer Service:

  • https://enterprise.onna.com/auth/oauth/saml/?acs

Name id format:

  • The required nameid format is

"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", so an email address is needed to identify the user in the system.

  • The email address must match exactly to the case for the user’s authentication to work. If the user was created in Onna with an all-lowercase email, the id sent from your identity manager must also be lowercase. In Okta, you can use this expression such as String.toLowerCase(user.email).

All attributes listed below are required to complete the SAML configuration with Onna.

  • user_id : email address

  • sn: last name

  • cn: first Name

  • email: email address

Setting up Azure:

Here is a sample workflow using Azure as an Identity Management tool.

  1. To get started, login to the Azure portal (https://portal.azure.com/) and click Azure Active Directory. May also be found on the left side menu.

  1. Under the section Manage, click on Enterprise applications.

  1. Click on New application at the top.

  1. Click on Create your own application.

  1. In the new window enter a name for your app (Ex. Onna SSO) and select Integrate any other application you don't find in the gallery (Non-gallery) and then Create at the bottom.

  1. Once the app has been created click on Single sign-on on the left.

    SAML

  1. In section 1 Basic SAML configuration click the edit button and use the guide below to enter the needed URLs and click Save.

  1. Navigate to Section 2 labeled Attributes & Claims and click edit.

    The default Additional Claims can be deleted. Only the attributes listed below are required to complete the SAML configuration with Onna.

  2. Select Add new claim and enter the following for Name and Source attribute to add each new claim.

    Name

    Source attribute

    cn

    user.givenname

    email

    user.mail

    sn

    user.surname

    user_id

    user.mail

    Example Configurations:

  3. Once complete, you will need to ensure the appropriate groups or users have been granted access to Onna. You can view which users have been granted access so far by clicking on Users and groups on the left-hand side.

  4. Next, use the values found under sections 3 & 4 to complete the SSO setup in your Onna environment.

    • Azure AD Identifier will be used for the IDP Issuer field in Onna.

    • Login URL will be used for the SSO URL field in Onna.

    • Download the Certificate (Base64) file and copy all contents into the Certificate field in Onna.

    Example: Completed configuration in Onna

    Note:

    Do not enable Allow to log in only with SSO until you verify you are able to log in via SSO.

  5. Finally, you will need to ensure the appropriate groups or users have been granted access to Onna. You can view which users have been granted access so far by clicking on ‘Users and groups’ on the left-hand side.

Delete SAML and SSO:

  1. You can delete your own SAML and SSO configuration in Onna from the Admin preferences.

  2. To get started, open the Admin Preferences Account SAML with the proper administrator user.

  3. Click on Identity Provider and from the dropdown select the configuration you would like to remove.

  4. At the bottom of the screen click delete to permanently remove the SAML configuration in Onna.


Related articles