Configuring the Azure connector
Interconnecting the LockSelf application with an identity federation is done through the SAMLv2 protocol. It is therefore possible to interconnect the application with your Azure enterprise account.
Creating the connector
- Click on "New application" and then "Create your own application".
- Set a name for the connector, usually "LockSelf", and click the third checkbox "Integrate any other application you do not find in the gallery (Non-gallery)". Finally, click "Create".
- In the left-hand menu, click "Single sign-on", then "SAML".
Configuring the connector
- Edit the first block "Basic SAML Configuration".
- Fill in the information as shown below:
- Identifier (Entity ID): corresponds to the URL of the application's metadata.
- Reply URL (Assertion Consumer Service URL): corresponds to the URL on the LockSelf side to which Azure sends the SAML response once the user is authenticated.
- Sign-on URL (optional): corresponds to the sign-on URL for your users.
(where FQDN replaces the domain name of your LockSelf installation).
- Edit the second block "Attributes & Claims".
At this step, you must return the claims exactly as shown above. Be careful to respect the case.
- (Optional) If you want to push certain user groups to LockSelf, you will need to add a group claim.
If your groups are pushed from a LOCAL directory:
Check the "Groups assigned to the application" checkbox, then select "sAMAccountName" as the source attribute.
Note: only groups synchronized from a local Active Directory using AAD Connect Sync 1.2.70.0 or later can be pushed to LockSelf. Also check that your Azure plan offers this feature.
If your groups are security groups managed directly in Azure AD:
Check the "Groups assigned to the application" checkbox, then select "Cloud-only group display names (Preview)" as the source attribute.
Click "Advanced options", then check "Customize the name of the group claim". Finally, type "groups" in the Name field (be careful to respect the case).
Only the groups you add in the next step can be pushed to LockSelf.
Once this is done, you will need to notify your Account Manager so that we can enable this option on the application side.
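Because the claim names are matched case-sensitively, a claim emitted as "Groups" is not the "groups" claim LockSelf expects. The following is an added example (not LockSelf's or Microsoft's code) that parses the attribute statement of a SAML response and reports claims that are missing or differ only in case; the response is a constructed sample, and the claim name "email" is an assumption, since this page itself only fixes the name "groups".

```python
# Added example: parse the AttributeStatement of a SAML 2.0 assertion and
# check that the expected claim names are present with the exact case.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the response Azure AD posts to the ACS URL, reduced
# to the attribute statement (signature and conditions omitted). The group
# claim was left with its default capitalisation on purpose.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Groups">
        <saml:AttributeValue>LockSelf-Admins</saml:AttributeValue>
        <saml:AttributeValue>LockSelf-Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_attributes(xml_text):
    """Return {claim name: [values]} from every AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_claims(attrs, required):
    """List required claims that are absent; a name that matches only when
    case is ignored is reported separately, because the fix is on the IdP side."""
    problems = []
    lower = {name.lower(): name for name in attrs}
    for name in required:
        if name in attrs:
            continue
        if name.lower() in lower:
            problems.append(f"claim '{name}' sent as '{lower[name.lower()]}' (case mismatch)")
        else:
            problems.append(f"claim '{name}' missing")
    return problems
```

Run `check_claims(parse_attributes(SAMPLE_RESPONSE), ["email", "groups"])` against a response captured from the browser's SAML tracer to see which claim the IdP configuration still gets wrong.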
Allowing users to access the application
This step consists of choosing which users or groups of users can access the connector, and therefore the application.
To do this, click "Users and groups" in the left-hand menu.
Then choose the authorized users / groups.
Retrieving the IdP metadata
Once the connector is configured, you will be able to retrieve the IdP metadata.
The metadata is retrieved through a URL, available in the "SAML Signing Certificate" block on the "App Federation Metadata Url" line.
Copy and paste this URL, and enter it in the LockSelf application.
Checking the connection
Once these steps are completed, you will be able to test the connector:
- Step 1: To test properly, open a private browsing window and go to the URL of your infrastructure (https://FQDN/?sso). If you use the browser extension, click the gear wheel, then "Clear cache".
- Step 2: On the SSO tab, enter your email in the displayed field or click the "Log in" button directly.
  If this does not work, on the login page, click the gear wheel at the top right and check that the API URL field correctly ends with /api/ after the dedicated domain name. For example: https://votreentreprise.lockself-cloud.com/api/, https://lockself.votreentreprise.com/api/, etc.
- Step 3: You will be redirected to your organization's Azure SSO portal, where you can authenticate.
- Step 4: Once authenticated, you will be redirected to LockSelf, which will ask you to create the PIN code associated with your account.
Updating the connector
An update of the token signing / encryption certificates must sometimes be performed on the Azure connector.
In this case, you will need to load the new IdP metadata in the Settings tab of the Administrator account, in the SSO module. To do this, see this documentation: Configuring the SSO interconnection.