Using Microsoft Azure Active Directory as the SSO Provider for AchieveIt
This article will guide you through the requirements for allowing your users to log in to AchieveIt through your organization’s Azure Active Directory (Azure AD) instance.
TL;DR – A Quick Summary
- Add a new application, enter AchieveIt as the name for the application, select Web app/API as the Application Type, and enter https://my.achieveit.com as the Sign-on URL.
- Modify permissions so AchieveIt can read the directory.
- Create a new Key, save the Client Secret.
- Add the AchieveIt callback URL in the Reply URLs settings panel.
- Send either your Federation Metadata XML file or the URL to your ADFS server to AchieveIt, and let us know all other steps have been completed. AchieveIt will configure the connection using the information you provide.
- Once we’ve completed the configuration, your team must test it to ensure you can log in to AchieveIt with SSO credentials.
For all the details, see below.
How to Access the Azure Management Portal
You can access the Azure management portal from your Microsoft service, or visit https://manage.windowsazure.com and sign in to Azure using the global administrator account used to create the Office 365 organization.
If you have an Office 365 account, you can use the account's Azure AD instance instead of creating a new one. To find your Office 365 account's Azure AD instance:
- Sign in to Office 365.
- Navigate to the Office 365 Admin Center.
- Open the Admin centers menu drawer located in the left menu.
- Click on Azure AD.
This will bring you to the admin center of the Azure AD instance backing your Office 365 account.
Adding AchieveIt to Azure AD
1. Create a new application
Log in to Microsoft Azure and choose Azure Active Directory from the sidebar.
Then under MANAGE, select App registrations.
Then click on the + ADD button to add a new application.
Enter AchieveIt as the name for the application, select Web app/API as the Application Type, and enter https://my.achieveit.com as the Sign-on URL.
Configure the permissions
Once the application has been created, you will have to configure the permissions. Click on the name of the application to open the Settings section.
Click Required permissions.
Then click on Windows Azure Active Directory to change the access levels.
The next step is to modify permissions so AchieveIt can read the directory. Under DELEGATED PERMISSIONS check next to Sign in and read user profile and Read directory data.
Click the SAVE button at the top to save these changes.
Create the key
Next you will need to create a key which will be used as the Client Secret in the AchieveIt SSO connection. Click on Keys from the Settings menu.
Enter a name for the key and choose the desired duration.
If you choose an expiring key, make sure to record the expiration date in your calendar, as you will need to renew the key (get a new one) before that day in order to ensure users don't experience a service interruption.
Click on Save and the key will be displayed. Make sure to copy the value of this key before leaving this screen, otherwise you may need to create a new key. This value is used as the Client Secret in the next step.
Configure Reply URLs
Next you need to ensure that your AchieveIt callback URL is listed in the allowed Reply URLs for the application you created. Navigate to Azure Active Directory -> App registrations and select your app. Then click Settings -> Reply URLs and add:
Without this step the App consent page will return a "Bad request" error. The fine print in the footer of this error page can be used to identify the exact tenant name and missing callback URL.
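Two of the steps above are easy to get subtly wrong: a Reply URL that differs from the real callback by a character (Azure AD matches redirect URIs exactly, which is what produces the "Bad request" consent error), and a Key whose expiration date was never recorded. The following script is an added example, not part of this article or of AchieveIt's software, that checks both against an exported app registration. It assumes the JSON shape that Microsoft Graph returns for an application (web.redirectUris and passwordCredentials[].endDateTime); the sample document, key ids, dates and the EXPECTED_CALLBACK value are constructed placeholders, so substitute the callback URL AchieveIt gives you.

```python
"""Added example (not from the AchieveIt article): sanity-check an Azure AD
app registration export before sending the Client Secret to AchieveIt.

Assumed input shape: the application object as returned by Microsoft Graph
(web.redirectUris, passwordCredentials[].endDateTime). The sample below is
constructed for illustration; the key ids and dates are not real.
"""
import json
from datetime import datetime, timezone

# Constructed sample export (placeholder values, not a real tenant).
SAMPLE_APP_JSON = json.dumps({
    "displayName": "AchieveIt",
    "web": {"redirectUris": ["https://my.achieveit.com/"]},
    "passwordCredentials": [
        {"displayName": "achieveit-sso",
         "keyId": "00000000-0000-0000-0000-000000000001",
         "endDateTime": "2025-02-01T00:00:00Z"},
        {"displayName": "old-test-key",
         "keyId": "00000000-0000-0000-0000-000000000002",
         "endDateTime": "2024-12-15T00:00:00Z"},
    ],
})

# Placeholder: replace with the exact callback URL AchieveIt asks you to register.
EXPECTED_CALLBACK = "https://my.achieveit.com/"

# Fixed "current time" so the example is reproducible; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)


def load_app(app_json):
    """Parse the exported registration into a dict."""
    return json.loads(app_json)


def parse_graph_datetime(value):
    """Graph timestamps end in 'Z'; older Pythons' fromisoformat need '+00:00'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def missing_redirect_uri(app, expected):
    """True when the expected callback is NOT registered. The comparison is
    exact on purpose: scheme, host, path and trailing slash all have to match,
    because a near-miss is exactly what Azure AD rejects at consent time."""
    registered = app.get("web", {}).get("redirectUris", [])
    return expected not in registered


def secrets_needing_rotation(app, now, warn_days=30):
    """Return (displayName, keyId, days_left) for each client secret that has
    expired or expires within warn_days. Negative days_left means already expired."""
    results = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_datetime(cred["endDateTime"])
        days_left = (end - now).days
        if days_left <= warn_days:
            results.append((cred.get("displayName", ""), cred["keyId"], days_left))
    return results


def check_registration(app_json, expected_callback, now, warn_days=30):
    """Produce a list of human-readable findings; an empty list means all clear."""
    app = load_app(app_json)
    findings = []
    if missing_redirect_uri(app, expected_callback):
        findings.append(f"reply URL {expected_callback} is not registered; "
                        "the consent page will fail with Bad request")
    for name, key_id, days in secrets_needing_rotation(app, now, warn_days):
        state = "has expired" if days < 0 else f"expires in {days} days"
        findings.append(f"client secret {name or key_id} {state}; "
                        "create a new Key and send the new Client Secret to AchieveIt")
    return findings


def example_findings():
    """Run the check over the constructed sample with the fixed reference time."""
    return check_registration(SAMPLE_APP_JSON, EXPECTED_CALLBACK, REFERENCE_NOW)


if __name__ == "__main__":
    for line in example_findings():
        print(line)
```

Run it against your own export by replacing SAMPLE_APP_JSON with the application object from your tenant and REFERENCE_NOW with the current time; scheduling it to run weekly turns the calendar reminder suggested above into an automated check.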
Generate the Federation XML File
Generate your Federation Metadata XML file. You can access this file via the following URL:
Alternately, you can send us the URL to your ADFS server, and we will extract the XML file for you.
AchieveIt will configure the connection using the information you provide. After we contact you to let you know the configuration is complete, the final step is for your team to test the configuration and ensure you can log in to AchieveIt with SSO credentials.