Single sign-on: First time configuration with Azure as IDP

Article: [1865] - Legacy code: [12608]

Applies to

This is an example on setting up Barco Single sign-on with Microsoft Azure as your Identity Provider (IDP).

To find detailed steps using Barco Management Suite, see [KB12591].

OpenID Connect v1.0

  1. Navigate to the Azure portal and search for the resource Azure Active Directory.

  2. On this page, under the Manage tab, find and go to App Registrations → New registration.

    1. Enter any appropriate Name for this application so you can track it by that name.
    2. Under Supported account types, the API access selection may be left at the default (Single Tenant).
    3. Under Redirect URI, select Web as the platform, paste the Redirect URI (obtained from the Barco Management Suite) and click on Register. You will now be taken to the overview page for this new registration.

  3. Under the Manage section, navigate to Certificates & secrets → New client secret.

    1. Add any Description for this new secret to track it by and set an Expiration period. Click on Add.
    2. Copy the newly added client secret Value and save it somewhere safe. This is accessible only once!

  4. Go to Overview, under the Essentials section, copy the Application (Client) ID and save it somewhere.

  5. Optionally, you can set the claims for this application by going to Token configuration (see Microsoft Docs).

  6. Complete the form on the Single sign-on settings page in Barco Management Suite:

    1. For Discovery URI enter "https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration", where {tenant} is the domain name of the Azure AD tenant or its GUID identifier (see Microsoft Docs).
    2. Optionally, add your own scopes to the Scope field.
    3. For Client ID, enter the Application ID copied earlier.
    4. For Secret, enter the client secret Value that was saved earlier.
    5. Optionally, change the Claims if you specified your own earlier.
    6. Save this configuration by clicking on Save.
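As an added check (not part of the Barco article), the following Python script builds the Discovery URI described in step 6.1 and verifies that the document it returns carries the endpoints an OpenID Connect client needs before the values are entered in the Management Suite form; the sample discovery document and the tenant GUID in it are constructed placeholders, not a real tenant.

```python
import json
import re
import sys
import urllib.request
# Discovery URI format from the step above; {tenant} is a domain name or GUID.
DISCOVERY_TEMPLATE = "https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)

def discovery_uri(tenant):
    """Build the Discovery URI for a tenant given as its domain name or GUID."""
    tenant = tenant.strip()
    if not (GUID_RE.match(tenant) or DOMAIN_RE.match(tenant)):
        raise ValueError("tenant must be an Azure AD domain name or GUID: %r" % tenant)
    return DISCOVERY_TEMPLATE.format(tenant=tenant)

def check_discovery(doc, tenant=None):
    """Return the problems found in a parsed discovery document (empty list = usable)."""
    problems = []
    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not isinstance(value, str):
            problems.append("missing " + key)
        elif not value.startswith("https://"):  # codes and tokens must not travel over plain HTTP
            problems.append(key + " is not https: " + value)
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("openid scope not advertised")
    # A GUID tenant must appear in the issuer, or the wrong tenant was entered in the URI.
    if tenant and GUID_RE.match(tenant) and tenant.lower() not in str(doc.get("issuer", "")).lower():
        problems.append("issuer does not belong to tenant " + tenant)
    return problems

# Constructed sample with the shape of an Azure AD v1.0 discovery document (placeholder GUID).
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_DISCOVERY = {
    "issuer": "https://sts.windows.net/%s/" % SAMPLE_TENANT,
    "authorization_endpoint": "https://login.microsoftonline.com/%s/oauth2/authorize" % SAMPLE_TENANT,
    "token_endpoint": "https://login.microsoftonline.com/%s/oauth2/token" % SAMPLE_TENANT,
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid"],
}

if __name__ == "__main__":  # pass a tenant to fetch the live document, otherwise check the sample
    tenant = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_TENANT
    doc = json.load(urllib.request.urlopen(discovery_uri(tenant))) if len(sys.argv) > 1 else SAMPLE_DISCOVERY
    print("\n".join(check_discovery(doc, tenant)) or "discovery document OK")
```

Run it with your tenant domain or GUID as the only argument to check the live document; with no argument it checks the embedded sample.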


SAML v2.0

  1. Navigate to the Azure portal and search for the resource Azure Active Directory.

  2. On this page, under the Manage tab, find and go to Enterprise applications → New application.

    1. Click on Create your own application.
    2. Enter any appropriate Name for this application so you can track it by that name.
    3. For the question "What are you looking to do with your application?", select the option "Integrate any other application you don't find in the gallery (Non-gallery)".
    4. Click Create.

  3. Under the Manage section, navigate to Single sign-on and select SAML as the single sign-on method.

    1. You will now be taken to the setup page for Single Sign-on with SAML, from where we will get the metadata file for your application.
    2. Go to the SAML Signing Certificate section and copy the App Federation Metadata URL.
    3. Open a new tab, paste this URL and navigate to it. Once the page loads, save this file by: (Ctrl + S) → Save or Right click → Save as → Save.

  4. Upload the federation metadata file you saved in the previous step to Barco Management Suite.

  5. After the metadata is uploaded successfully, download the Barco Metadata.

  6. Navigate back to the Azure portal tab on the Single sign-on setup page and click on Upload metadata file → Select file → Add.

  7. After the metadata file is uploaded successfully, click on Save.

  8. Go to the SAML Signing Certificate section and click Edit. Select Signing Option, change it to Sign SAML Response and Assertion and click Save.

  9. Go to the SAML Signing Certificate section and download Federation Metadata XML.

    1. Navigate to Management Suite, to the Single Sign-on settings page.
    2. Update the metadata by changing the file under Your Metadata → click Upload.
    3. Once the file is uploaded, click Save.

Manage which users can access this SSO configuration

Azure AD allows an option to prevent everyone from signing in to an application by requiring user assignment (see Microsoft Docs).

You can make changes to this by following these steps:

  1. Go to Enterprise applications, then search for and select the application you have created for this SSO.
  2. To give access to all users, turn off user assignment:
    1. Under Manage, go to Properties.
    2. Set the option Assignment required to No and click Save.
  3. To give access to specific users, turn on user assignment:
    1. Under Manage, go to Properties.
    2. Set the option Assignment required to Yes and click Save.
  4. Now you can assign specific users by going to the Users and groups page and selecting Add user/group (see Microsoft Docs).

Properties

Last updated 25 Jun 2024