Azure AD Integration
- Elliot Dooleysmith
- Anantha Kumar
This feature was added in v1.4, check out the full release notes for this version here.
https://resourcexpress.atlassian.net/wiki/spaces/RSG/pages/123371521
This guide covers how to configure a custom SAML app in Azure AD for Single Sign-On use with ResourceXpress.
An Azure AD Premium subscription is required for this feature.
Create a SAML App in Azure AD
Navigate to the Azure portal (https://portal.azure.com/) using an Administrator account.
Select Azure Active Directory from the left navigation panel, then Enterprise applications.
Next click New application, then choose Non-gallery application, fill in an appropriate name, for example, RX SaaS SSO, then click Add.
After adding this new application, navigate to Single sign-on, then choose SAML.
Configure the Entity ID & ACS URL
Click the Edit icon for section 1.
You will be prompted for an Identifier (Entity ID) and a Reply URL (Assertion Consumer Service URL).
The Entity ID will be the root address of your ResourceXpress server, this will be the URL used to access the ResourceXpress admin console via a browser.
Your RX URL is usually https://<company>.rx-cloud.com.
In this example the URL of the ResourceXpress server is https://app.rx.com.
The ACS URL is the same as above with /SsoConsumer added to the end.
Once added click Save found at the top of this pop-up.
Configure User Attributes
Name & Email Address (required)
Next, click the Edit icon for section 2.
From here we will add the required values for ResourceXpress to retrieve user’s names and email addresses.
From this screen, click Add new claim.
Three new claims will need to be added, see the below table for the Name and Source attribute values required.
Name | Source attribute |
|---|---|
user.mail | |
firstname | user.givenname |
lastname | user.surname |
After clicking Save for each new claim you will see the User Attributes & Claims list updated with the new values and should look similar to the screenshot below.
RFID, Access Code & Other values (optional)
In addition to synchronising users' details, it is also possible to retrieve other attributes from the Azure Active Directory, which can populate Access Code, RFID, and other values in the ResourceXpress local user's database.
To configure this you will need to add more claims, see the table below for optional claims.
Claim Name | Information |
|---|---|
rfid | The RFID value as read by the ResourceXpress system, used for screen authentication. |
accesscode | The users Access Code/PIN, used for screen authentication. |
defaultlocation | The ID number for the Location that the user will have default access to. |
viewonlylocation | A comma separated list of Location ID numbers that the user has access to. |
bookablelocation | A comma separated list of Location ID numbers that the user has access to. |
dateformat | The date format for the user.
|
roles | A comma separated list of Role ID numbers. The default role ID values are as below
|
Once the required values have been added click the X found in the top right of this section to return to the SSO configuration.
Download the Federation Metadata XML
The next step is to download the Federation Metadata XML file found in section 3.
This file will be uploaded to ResourceXpress later, see Upload.
User Access
Before any users can access ResourceXpress they will need to be added into the allowed user's list for this SAML application.
To add users/groups select Users and groups from the left menu.
From here click Add user, you will then be able to add individual users or groups.
After you have added all your required users and groups click Assign.
Configuring SAML App in ResourceXpress
The final step is to upload the XML file we downloaded earlier to ResourceXpress.
Upload
Navigate to the SSO Settings tab, this can be found on the System Settings page, under the Administration Settings menu.
Click Choose file alongside IDP Metadata.
Find the XML file that was downloaded in the previous step, and Download the Federation Metadata XML.
Then click Upload.
You will see the correct details be auto-populated into the URL and Authenticating Authority fields.
Auto-create Users
When using SSO, by default all users will be granted the role of User.
This will allow them to view the Booking Manager page only. To allow users access to more features in ResourceXpress they will need to exist as a user in the ResourceXpress local database.
Ticking the option Auto create user records from SSO will automatically add new users into the ResourceXpress user database when they sign in for the first time This will then allow these users to be granted more access to the system, as well as assign them an RFID and Access code.
Welcome Email
When a user's account is auto-created in ResourceXpress, a Welcome email can be sent to them to confirm their account. Included in this email will be a randomly generated password that can be used for the upcoming mobile app.
To enable the Welcome Email, tick the Send Welcome Email box.
Sync user details
This option allows for user details such as Access Code and RFID to be synchronized with ResourceXpress user database, this will keep these details up-to-date each time a user signs in using SSO.
Disabling this option will allow for Admin users to modify these details manually in ResourceXpress.
Enabling SSO
Once all the above steps have been completed, click the Save button.
Any user added to the allowed user's list for the SAML application in Azure Active Directory will be able to sign-in to your ResourceXpress site.
Related content
- style