For organizations using Microsoft Azure Active Directory (AD) as their identity provider and access management service, it is simple and scalable to create users for the BlueFletch Portal website using single sign-on (SSO) through SAML. The BlueFletch Portal can be configured within an organization's Azure Portal as a SAML enterprise application. The resulting metadata should be provided back to BlueFletch to complete the configuration.

Once SSO is configured for the BlueFletch Portal, users who are allowed to access the BlueFletch Portal can login to a new Portal account with their Azure-managed username, and they will be authenticated by Azure AD.

Configuring SSO with Azure

1. Login to your Azure Portal at https://portal.azure.com.

2. Navigate to Azure Active Directory page.

3. Select Enterprise applications from the panel of Manage options on the left.

4. Press New Application and Create your own application.

5. Setup the enterprise application with:

   • Identifier (Entity ID): "saml.[organization's login domain for Azure]" (e.g. saml.bluefletch)

   • Reply URL (Assertion Consumer Service URL): "https://bluefletch-ems.firebaseapp.com/__/auth/handler"

   • Sign on URL: "https://ems.bluefletch.com"

6. In Attributes & Claims, set the following values to enable email logins to auto-generate BlueFletch Portal user accounts: Required claim:

   • Unique User Identifier (Name ID)

     • Type: "SAML"

     • Value: "user.userprincipalname"

   Additional claims:

   • EmailAddress

     • Type: "SAML"

     • Value: "user.mail"

   • FirstName

     • Type: "SAML"

     • Value: "user.givenname"

   • LastName

     • Type: "SAML"

     • Value: "user.surname"

     Note: For each Additional claim, the claim name is case sensitive and the namespace field should be blank/empty.
7. Retrieve from Azure AD to use in Portal Setup, or provide back to BlueFletch:

   • Federation Metadata XML

   or all of the following:

   • Certificate in Base64

   • Login URL

   • Azure AD Identifier