Help Center

The Settings section of this page determines how SAML will act once connected to your site. For example, if you wish to enable Debugging or to allow users to change their passwords within Ad Orbit or not.

SAML Login Enabled – Allow users to login using SAML authentication.

Allow user lookup by email – Allows a user to be found by email address, if no match is found by id, when logging in through SAML.

Allow account management for synced user accounts – This setting determines whether users can login through the normal Ad Orbit email and password fields in addition to using SSO. It also determines whether or not users can change their emails and passwords from within Ad Orbit.

Allow manual user account creation – Determines whether or not new users can be created manually from within Ad Orbit, or if they can only be created through SSO.

Use session expiration in the SAML response – Use this setting to choose whether the Ad Orbit User Session Expiration is used, or if the SAML response timestamp will be used to log users out.

Extend a user’s session when they are active when logged in via SAML – Extend a user’s session by the session expiration if the user is active. If set to no, the session will expire based on the initial login time.

SAML Debug Mode – When turned on, you will see the data being sent to Ad Orbit and include the mapping fields. If turned off and there is an issue with the login, you will receive a general error message.

This field will be automatically populated based on your Ad Orbit instance. It will be used later on within Microsoft Azure to make the connection.

The SAML Configuration fields are what connects SAML to your Ad Orbit site. For this section, we will walk through how to create the SAML application within Microsoft Azure, and show where to find the corresponding fields within Azure that will need to be entered here in Ad Orbit.

Go to portal.azure.com, and click on ‘view’ under ‘Manage Azure Active Directory’.

Click on ‘Enterprise Applications’ in the left menu.

Click on ‘+ New Application’ at the top of the page, then select ‘+ Create your own application’.

In the Create your own application popup, enter the name of your app, and select the ‘Integrate any other application you don’t find in the gallery’ option. Then click Create.

Once created, you’ll see your application on the Enterprise Applications page. Click on the name of your application to view its settings. Once you are viewing your app, click ‘Single sign-on' on the left menu. This will open a page where you can set up SAML based SSO.

Click the edit icon in the Basic SAML Configuration box.

In the configurations, there are two required fields. The first is for ‘Identifier (Entity ID)’. This can be whatever you want, but it must be the same in Azure and Ad Orbit.

The second required field is ‘Reply URL (Assertion Customer Service URL)’. Copy and paste the link from your Ad Orbit SAML Setup page under ‘Assertion Customer Service’ into this field in Azure.

Save your changes before exiting out of the SAML Configurations in Azure.

The next step is to find your IDP Entity Id and SSO Urls within Azure to be entered into Ad Orbit. In Azure, you should still be on the SAML setup page. Scroll down until you see the box labeled ‘Set up (your app name here)’.

Copy the Login URL, and paste it into the SSO Url field in Ad Orbit.

Copy the Azure AD Identifier and paste it into the IDP Entity Id field in Ad Orbit.

The next step is to download a certificate from Azure, and upload that certificate to Ad Orbit. In Azure, on the SAML setup page, find the SAML Signing Certificate box. Click on download for ‘Certificate (Base64)’.

Navigate back to Ad Orbit, and upload that file to the IDP Certificate field. This certificate makes the connection secure.

You should now have all of your Ids and Urls entered in Ad Orbit. The next step is to enter a Connection Name, which will display on the Ad Orbit login page (this can be entered before or after the above steps). You can also choose to enter an image that will display with the name if you wish.

Make sure to save the information you’ve entered in your SAML Configurations in Ad Orbit. Once the account is connected, you’ll see an additional setup section labeled SAML Response Attribute Mappings. We will now go through where to find those within Azure to add them to your Ad Orbit setup. When logging in through SSO, these fields send Ad Orbit data about the user. It identifies if the user already exists, and if not, it uses the information to create a new user.

In Azure, on the SAML setup page, find the ‘Attributes > Claims’ box, and click the edit icon. This will open a new page.

On the Attributes & Claims page, you will need to copy and paste the ‘Claim names’ from Azure into the corresponding fields in Ad Orbit.

The one field that will not show up on this page is the Id. If using Microsoft Azure, the Id field should always be: http://schemas.microsoft.com/identity/claims/objectidentifier

Click save once you have entered the attribute mappings.

With SAML enabled, you’ll see two additional fields on User Roles – Default, and SAML Name.

If a role is provided for a new user, the system will attempt to find a user role based on SAML Name. If the system cannot match a SAML Name, it will use the role marked as the default. The system is set up this way so that new users get assigned permissions automatically, based on user role.