How to configure support of Active Directory SSO via SAML 2.0 protocol

This guide explains how to configure support of Active Directory SSO via the SAML 2.0 protocol.

Created: September 2024

Permalink: https://wildix.atlassian.net/wiki/x/AQByM

Introduction

Starting from WMS 6.07.20240906.1, it is possible to configure support of Active Directory SSO via SAML 2.0 protocol.

Setup instructions

I. Configuration on Microsoft Entra side

1. Log in to Microsoft Entra

2. Go to Applications -> Enterprise Applications (1) -> click New application (2):

3. Click on Create your own application:

4. Enter the application name (1) and choose the option Integrate any other application you don’t find in the gallery (Non-gallery) (2):

5. Click Create

6. In the application you have created, go to Single sign-on settings:

7. Click SAML:


8. Next to Basic SAML Configuration, click Edit:

9. Fill out the following fields:

  • Identifier (Entity ID): a custom unique identifier, for example your app's title; this ID must later also be added to WMS
  • Reply URL fields: specify the URL to which the redirect will be allowed
    Example:
    https://<<PBX DOMAIN>>/api/microsoft/callback/?callback=callbackMicrosoftSingleSignOn

    Where <<PBX DOMAIN>> is the domain of the PBX where the feature will be used

10. In the Attributes & Claims section, make sure that the user email is used for Unique User Identifier:

For this, click Edit:

Click on Unique User Identifier: 

In the Name identifier format field, make sure the option Email address is selected:

Click Save to apply the changes:


11. Check the pre-configured settings in the other sections, which should be similar to the settings shown in the screenshot below:

12. In the SAML Certificates section, download SAML Certificate (Base 64), which will later be uploaded in WMS:

Note: You will also need the following data, which must be added to the WMS settings:

  • Login URL 
  • Microsoft Entra Identifier


13. Navigate to Users and Groups tab (1) and click Add user/group (2):

14. Select users who will be allowed to use this application for SSO login and click Select:

Important: Users' emails should correspond to the emails used on the PBX for these users.

II. Configuration on WMS side

  1. Go to WMS -> PBX -> Security page
  2. Navigate to the section Active Directory Single SignOn via SAML 2.0 and tick the checkbox next to the Enable field:


  3. Upload the certificate which was downloaded in step 12 of Microsoft Entra configuration above
  4. In the Enter Identifier (Entity ID) field, enter the ID you've added in step 9 of Microsoft Entra configuration
  5. In the Login URL and Microsoft Entra Identifier fields, enter the data mentioned in step 12 of Microsoft Entra configuration


  6. Click Save to apply the changes

Once set up, the Microsoft 365 SSO button works as SSO via SAML 2.0.
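
To confirm that the values from steps 9 and 10 are what Entra actually sends, the following added example (not Wildix code) compares a captured, base64-encoded SAMLResponse with the configured Identifier (Entity ID), Reply URL and PBX user emails. The domain pbx.example.com, the entity ID, the user email and the sample response are constructed placeholders; the check is diagnostic only and does not verify the XML signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample values (assumptions, not from a real tenant or PBX)
ENTITY_ID = "wildix-sso-example"
REPLY_URL = ("https://pbx.example.com/api/microsoft/callback/"
             "?callback=callbackMicrosoftSingleSignOn")


def check_response(b64_response, entity_id, reply_url, pbx_emails):
    """List mismatches between a SAMLResponse and the configured values.

    Diagnostic only: the XML signature is NOT verified here.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != reply_url:
        problems.append("Destination does not match the Reply URL")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not contain the Identifier (Entity ID)")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return problems + ["Assertion has no NameID"]
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not Email address")
    known = {e.lower() for e in pbx_emails}
    if (name_id.text or "").strip().lower() not in known:
        problems.append("NameID does not match any PBX user email")
    return problems


def sample_response(name_id_format, name_id):
    """Build a constructed, unsigned SAMLResponse for the demonstration."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
 xmlns:saml="{NS['saml']}" Destination="{REPLY_URL}">
 <saml:Assertion>
  <saml:Subject>
   <saml:NameID Format="{name_id_format}">{name_id}</saml:NameID>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>{ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode())
```

An empty list means the response matches the configuration; each string in a non-empty list names the setting to recheck.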