Enable Azure AD SSO

There are four steps to set-up the Azure AD SSO connection:

1. Set-up Azure AD application.
2. Provide metadata to CheckFlow.
3. Add Users or Groups to your application.
4. Verify Azure AD SSO is working with CheckFlow.

 

Contact Us

Please contact us prior to starting Step 1.

We will need to manually generate your Subdomain and Entity ID.

Step 1: Set-up Azure AD application

1. Login to your Azure portal and go to your Azure Active Directory resource. Click on the Enterprise applications menu item on the left. Then click on the New application button.
2. You will be directed to the Browse Azure AD Gallery page. Click on the Create your own application button.
3. The Create your own application blade will open on the right. Enter the name of your app and click the Create button.
4. The application will be created. This may take a minute or two.

 

 

5. Once the application has been created you will be directed to the application page. Click on the Single sign-on menu item on the left.
6. Select the SAML sign-on method. You will be directed to the Set up Single Sign-On with SAML page.

 

 

7. In the Basic SAML Configuration section, click the Edit button. Enter the following information in the blade that appears on the right and then click the Save button:

• Identifier (Entity ID): Provided by CheckFlow
  • Example: urn:auth0:checkflow-prod:yourcompanyname.checkflow.io
  • Azure creates a default entry in this field. Click the trash can icon to delete this as it's not required.
• Reply URL (Assertion Consumer Service URL): Provided by CheckFlow
  • Example: https://yourcompanyname.checkflow.io/Saml/AssertionConsumerService
• Sign on URL: Provided by CheckFlow
  • Example: https://yourcompanyname.checkflow.io/Saml/Login
• Relay State: Leave blank
• Logout URL: Provided by CheckFlow
  • Example: https://yourcompanyname.checkflow.io/Saml/Logoff

 

 

8. In the User Attributes & Claims section, click the Edit button. You will be directed to the User Attributes & Claims page. Some default claims will already exist. You can click on any claim to modify it. The claims need to be modified as follows:

• Unique User Identifier (Name ID)
  • Name identifier format: Email address
  • Source: Attribute
  • Source attribute: user.mail
• email
  • Name: email
  • Namespace: http://schemas.checkflow.io/identity/claims
  • Source: Attribute
  • Source attribute: user.mail
• firstName
  • Name: firstName
  • Namespace: http://schemas.checkflow.io/identity/claims
  • Source: Attribute
  • Source attribute: user.givenname
• lastName
  • Name: lastName
  • Namespace: http://schemas.checkflow.io/identity/claims
  • Source: Attribute
  • Source attribute: user.surname
• role (optional)
  • Name: role
  • Namespace: http://schemas.checkflow.io/identity/claims
  • Source: Attribute
  • Source attribute: This can be: 'administrator', 'member' or 'guest'. Defaults to 'member' if this attribute is not created.
• timeZone (optional)
  • Name: timeZone
  • Namespace: http://schemas.checkflow.io/identity/claims
  • Source: Attribute
  • Source attribute: This can be any IANA Time Zone (TZDB) ID. For example: 'Europe/London', 'America/New_York'. Defaults to 'UTC' if this attribute is not created.

 

Optional Attributes

The role and timeZone attributes are optional. These properties can easily be changed within the 'Team Management' and 'User Settings' pages in CheckFlow at any time.

 

9. When complete your User Attributes & Claims page should look similar to below:

 

 

10. Return back to the SAML-based Sign-on page. Setup of your application is now complete.
11. Proceed to the section below for instructions on how to retrieve your metadata URL.

Step 2: Provide metadata to CheckFlow

The identity provider metadata allows for dynamic configuration. This simplifies the SAML setup process.

1. Go to the SAML-based Sign-on page in your Azure portal. If you are continuing on from the previous section you should already be on this page.
2. Find the App Federation Metadata Url property within the third section - SAML Signing Certificate. Click on the Copy button and provide this to us. We will then add this to your account.

 

Step 3: Add Users or Groups to your application

1. You can now add users or groups to your application. From the application page click on the Users and groups menu item. Then click on the Add user/group button.

 

 

Step 4: Verify Azure AD SSO is working with CheckFlow

All users that have been added to your newly created application should now be able to access CheckFlow using Azure AD SSO.

New user accounts are created the first time a user logs in to CheckFlow.

Simply open a new tab in your browser and access CheckFlow using your custom URL.

For example: https://yourcompanyname.checkflow.io/