Setting up SAML authentication on Microsoft Entra ID

You can set up SAML authentication between Microsoft Entra ID and Haiilo so that your users can log in using their company credentials. To enable the login, you need to complete steps both in Microsoft Entra ID and in Haiilo's Administration.

Haiilo itself doesn't offer two-factor authentication, but you can enforce it through the SAML identity provider. Make sure the identity provider uses a certificate issued by a trusted certificate authority and TLS 1.2.

1. Set up an application on Entra ID

You need admin rights in your Microsoft Entra ID account to set up a SAML application.

Create an application

  1. Log in to the Microsoft Azure Platform.
  2. Go to Enterprise applications > New application.
  3. Select Create your own application.
  4. Give your app a name, e.g., Haiilo, and choose Non-gallery as the type.
  5. Select Create.


Assign test user

  1. In your newly created application, go to Users and groups.
  2. Select Add user/group.
  3. Select None selected to choose a test user to assign to the application. The user should already exist on your Haiilo platform.
  4. Confirm and assign.


Obtain IdP information

  1. Go to Single sign-on and select the SAML method.
  2. Scroll down to step 4 of the SAML setup in Entra ID.
  3. Copy and save the Login URL, Microsoft Entra Identifier, and Logout URL.


Keep the browser tab for Microsoft Entra ID open so you can complete the setup after configuring SAML in Haiilo.

2. Set up a SAML authentication provider in Haiilo

A SAML authentication provider applies to exactly one user directory, and only that directory's users can log in through it. You need the "Manage authentication providers" permission to set up an authentication provider in Haiilo.

Define basic information

  1. Go to Administration > Authentication.
  2. Select Create authentication provider.
  3. Enter a name. The name is displayed to users on the login screen after "Authenticate with".
  4. Choose the type SAML.
  5. Check Active.
  6. Decide if you want to use Automatic login. This automatically redirects the user from the login screen to the identity provider after a few seconds. If users don't want to be redirected, they can select Sign in as a local user before the redirect.
  7. Decide whether this authentication provider sends session emails for new logins.

Configure SAML

  1. Enter the Entity ID (Microsoft Entra Identifier), Authentication endpoint (Login URL), and Logout endpoint (Logout URL) that you copied from Entra ID.
  2. Set the binding of both the Authentication endpoint and the Logout endpoint to REDIRECT (HTTP-Redirect).
  3. Choose a Logout method: Local or Global/Federated. This defines whether the user is logged out locally (only Haiilo) or globally (SAML logout) when they log out of Haiilo.
  4. Enter an Answer validity, i.e., how long a SAML response from the identity provider is accepted after it was issued. We recommend the default of 300 seconds.
  5. Choose the User directory that can use this authentication provider. The options depend on your user directory settings.
  6. In the Response Validation tab, check Disable certificate trust check.
  7. Select Save to create the configuration and generate the Haiilo endpoints and metadata XML.

Obtain metadata

  1. Select Edit on your newly created SAML authentication provider.
  2. On the General tab, scroll down to the bottom.
  3. Open the Local service provider XML metadata and save it on your computer.

[Screenshot: SAML authentication provider in Haiilo Administration]

3. Finalize SAML setup on Entra ID

After configuring the authentication provider in Haiilo, you can upload Haiilo's metadata to Microsoft Entra ID.

  1. In your SAML application on Entra ID, go to Single sign-on.
  2. Select Upload metadata file and select the local service provider file you saved from Haiilo. Alternatively, you can fill in the values manually. They follow these patterns:
    • Identifier (Entity ID): {HOST}/web/sso/{NAME}
    • Reply URL: {HOST}
    • Sign on URL: {HOST}/web/saml/sso/alias/{NAME}
    • Relay State: {HOST}
    • Logout URL: {HOST}/web/saml/slo/alias/{NAME}
  3. In Attributes & Claims, select Edit.
  4. Change the Unique User Identifier to user.mail.
  5. Select Save.
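Before uploading the metadata file (or typing the values in by hand), it is worth checking that the service provider endpoints in it match the patterns above and all use HTTPS. The script below is an added example and is not part of the Haiilo documentation or product: it parses a small constructed SP metadata sample (hypothetical host `intranet.example.com` and provider name `entra`), verifies the entity ID, ACS and SLO locations against the article's patterns, and derives the five values the Entra ID form asks for. Point it at the real file you saved from Haiilo by passing the path as the first argument.

```python
"""Sanity-check a Haiilo SP metadata file against the endpoint patterns
documented for the Entra ID form. Added example; the sample metadata, host
and provider name below are constructed placeholders, not a real export."""
import re
import sys
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample (hypothetical host and provider name "entra").
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://intranet.example.com/web/sso/entra">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://intranet.example.com/web/saml/slo/alias/entra"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://intranet.example.com/web/saml/sso/alias/entra"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Identifier pattern from the article: {HOST}/web/sso/{NAME}
ENTITY_ID_RE = re.compile(r"^(?P<host>https?://[^/]+)/web/sso/(?P<name>[^/]+)$")


def parse_sp_metadata(xml_text):
    """Extract the entity ID and the ACS / SLO endpoints from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor element in metadata")

    def location(tag):
        el = sp.find(tag, NS)
        return (el.get("Location"), el.get("Binding")) if el is not None else (None, None)

    acs_url, acs_binding = location("md:AssertionConsumerService")
    slo_url, slo_binding = location("md:SingleLogoutService")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs_url,
        "acs_binding": acs_binding,
        "slo_url": slo_url,
        "slo_binding": slo_binding,
    }


def check_endpoints(info):
    """Return a list of problems; an empty list means the endpoints follow the
    documented patterns for the same host and name and all use HTTPS."""
    problems = []
    m = ENTITY_ID_RE.match(info["entity_id"] or "")
    if not m:
        return ["entity ID does not match {HOST}/web/sso/{NAME}"]
    host, name = m.group("host"), m.group("name")
    expected = {
        "acs_url": f"{host}/web/saml/sso/alias/{name}",   # Sign on URL
        "slo_url": f"{host}/web/saml/slo/alias/{name}",   # Logout URL
    }
    for key, want in expected.items():
        if info[key] != want:
            problems.append(f"{key} is {info[key]!r}, expected {want!r}")
    # The article requires TLS; a plain-http endpoint would be a misconfiguration.
    for key in ("entity_id", "acs_url", "slo_url"):
        if info[key] and not info[key].startswith("https://"):
            problems.append(f"{key} is not served over HTTPS")
    return problems


def entra_values(info):
    """Values for Entra ID's SAML configuration form when filling it manually,
    derived from the entity ID using the article's patterns."""
    m = ENTITY_ID_RE.match(info["entity_id"] or "")
    if not m:
        raise ValueError("cannot derive host and name from entity ID")
    host, name = m.group("host"), m.group("name")
    return {
        "Identifier (Entity ID)": f"{host}/web/sso/{name}",
        "Reply URL": host,
        "Sign on URL": f"{host}/web/saml/sso/alias/{name}",
        "Relay State": host,
        "Logout URL": f"{host}/web/saml/slo/alias/{name}",
    }


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    parsed = parse_sp_metadata(text)
    issues = check_endpoints(parsed)
    for line in issues or ["metadata endpoints look consistent"]:
        print(line)
    for field, value in entra_values(parsed).items():
        print(f"{field}: {value}")
```

If the check reports a mismatch, re-open the provider in Haiilo Administration and save it again so the metadata is regenerated, rather than editing the XML by hand; Entra ID must see exactly the endpoints Haiilo will answer on.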


Once the authentication provider is active in Haiilo, users assigned to the application can log in to your platform with their Microsoft credentials.
