Single Sign On Module

The Single Sign On module allows authentication against a SAML 2.0 enabled SSO Identity Provider (IdP). The module acts as a gateway to the features beneath it within the app: access to those features is granted only after the user successfully authenticates with SSO.

SSO may be integrated for the mobile application (AppArmor Safety, Command, WorkAlone, Report, Academia), the dashboard, the subscriber's portal (AppArmor Alert), or the report portal (AppArmor Report). While our integration method (SAML 2.0) is IdP agnostic, we have provided specific direction for Azure AD below. We have also included tech diagrams for clarity on how the data flows through SSO integrations.

SSO data flow diagram for mobile applications
SSO data flow diagram for dashboard and portal applications

Microsoft Azure AD SSO Configuration

Overview

In scenarios where a project implementation requires end users or administrative users to confirm their identity, we integrate with the customer's IdP via SAML 2.0. This integration verifies the user's identity and lets the customer pass relevant data points (known as "claims") to the AppArmor system. Those claims can then be used for project or software specific purposes.

For example, an end user logs in successfully with their organizational credentials (youremail@yourdomain.com and their password). This verifies their identity and provides the app or dashboard with claims such as first name, last name, email address, ID number, and possibly school affiliation (student / faculty / staff). Which claims are actually passed through is determined by your IT group.

Microsoft Azure AD (now branded Microsoft Entra ID, which is the name used in the Microsoft documentation linked below) is an IdP that AppArmor has integrated with in a number of scenarios, so we have provided more detailed instructions for it. Most of these steps are the same for other IdPs; only the links to the Microsoft documentation are Azure AD specific. For specific guidance on other systems, please contact your project manager.

Configuration

Below are the steps to configure the integration specifically for Azure AD.

  1. As a first step, AppArmor and the customer exchange SAML metadata files. AppArmor is the SP (Service Provider) and your organization is the IdP (Identity Provider). The customer can request the AppArmor metadata via their project manager (it is generally also included in your Teamwork project). AppArmor needs the IdP metadata from your IT SSO team to continue the integration. Note: metadata is required for each SSO integration. That is, if you are integrating SSO for both the mobile app and the dashboard, two metadata files must be exchanged: one for the mobile app and another for the dashboard.

  2. Your IT SSO team then uploads the AppArmor metadata file(s) into your Azure AD and configures AppArmor as a custom Enterprise Application. To create a custom application in Azure AD, follow these instructions: Quickstart: Add an enterprise application - Microsoft Entra ID. For information on providing AppArmor your metadata file(s), or on how to upload our metadata in Azure AD, see this guide from Microsoft: Microsoft Entra Connect: Use a SAML 2.0 Identity Provider for Single Sign On - Azure - Microsoft Entra ID. In the Azure portal the SP metadata is loaded from the application's Single sign-on (SAML) page using the "Upload metadata file" option, which pre-fills the Identifier (Entity ID) and Reply URL from the file; the IdP metadata to return to AppArmor is the application's Federation Metadata XML, downloadable from the same page. Your IT team must create a custom application for each SSO integration: if you are integrating SSO for a mobile app and the dashboard, you need two custom Enterprise Applications.

Because every AppArmor dashboard is unique to the customer (e.g. yourdomain@apparmor.com), we are not able to publish a single application in the Azure Marketplace (the enterprise application gallery). Each integration is a custom Enterprise Application.

  3. Once the custom Enterprise Applications are created and the AppArmor (SP) metadata is loaded, your project manager will complete and test the integration. To do so, your project manager needs IdP test credentials: a username and password for your SSO. Note that the test user must also be assigned to the Enterprise Applications for the test credentials to work; when an application's "Assignment required?" setting is Yes, Azure AD rejects an unassigned user at sign-in with error AADSTS50105. AppArmor also asks that, at a minimum, the following claims are included for the test account (your project manager may have more specific direction):

  • SSOID

  • First Name

  • Last Name

  • Email Address

If the test login succeeds, the integration is complete. If there are any issues, please contact your project manager for troubleshooting assistance.