SSO (Single Sign On) Guide for Microsoft Entra (formerly Azure AD)
Prerequisites:
- You already have a properly configured Microsoft Entra (Azure Active Directory) tenant with users for your organisation.
- You already have asked for and received the metadata from Chemwatch IT. Please email itsupport@chemwatch.net if not.
- Login to your organisation’s Microsoft Entra portal: https://entra.microsoft.com/
- Select Enterprise applications as highlighted below to create a new application for Chemwatch:
- Select ‘New application’ as highlighted below:
- Select to switch to the legacy app gallery experience as highlighted below:
- Select Non-gallery application as highlighted below:
- Type in the application name as below and click Add:
- Click the Enterprise applications link at the top left, just under the Microsoft Entra title. The application you have just created is listed below it. Click the application name to navigate to its Overview page.
- Select the ‘Get started’ link in the Set up single sign-on box as highlighted below:
- Select the SAML box from below as highlighted to navigate to the SAML-based Sign-on settings page:
- Select the Upload metadata file as highlighted below to import the Chemwatch SSO settings:
- Browse to the metadata file Chemwatch sent you and click Add as below:
- You’ll see the Chemwatch SAML parameters below, click Save as highlighted:
- Close the above page after saving, then refresh the page. The required Basic SAML Configuration section is now filled out, as shown below. Next, click Edit on the User Attributes & Claims section as highlighted below:
- You get a screen as below. Select the required claim, Unique User Identifier (Name ID), to edit it as highlighted below:
IMPORTANT NOTE: If the user.employeeid value is not populated in your organisation, skip the change to the required claim and leave it as it is (i.e. user.userprincipalname). The Name ID is the value Chemwatch uses to identify the user, so an empty or non-unique source attribute will cause sign-in failures or users being matched to the wrong account.
- Change, as highlighted below, the Name identifier format to Unspecified and the Source attribute to user.employeeid, assuming that user.employeeid uniquely identifies a user in your organisation. Click Save as highlighted below.
- Delete the two additional claims for user.userprincipalname and user.surname as highlighted below:
- Change the claim for givenname from user.givenname to user.displayname: click that row as above, select user.displayname from the Source attribute pull-down menu, then click Save as highlighted below:
- You should now end up with only 3 claims as below. Click the SAML-based Sign-on link from the top as highlighted below:
- You can now see that all required fields have been filled out and the application is ready for Chemwatch SSO. Ensure that only your intended Active Directory users/groups have access to this application by checking the Users and groups option in the left menu as highlighted below. If the application's Properties page has ‘Assignment required?’ set to No, any user in your tenant can sign in to Chemwatch through it; set it to Yes and assign only the intended users or groups.
Adding a Group Claim (Only for Okta, Auth0, Google Workspace, OneLogin, JumpCloud, IBM Verify and PingFederate IDPs)
You can now pass a group claim to us, which will place the self-registered user in the Chemwatch group of the same name, as long as the group names match. Please note that your domain administrator in Chemwatch needs to preconfigure the matching group with the appropriate permissions first. Please note this functionality is not applicable for Microsoft Entra, because its group claim carries the group's object ID rather than the group name in clear text.
Finalising SSO Setup
Copy your metadata URL by clicking the copy icon from the App Federation Metadata URL link and share it with Chemwatch IT.
Please wait for Chemwatch IT to complete setting up SSO with your Metadata at their end and notify you.
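Before sharing the App Federation Metadata URL, it is worth checking what it actually serves: that it is IdP (not SP) metadata, that it carries an entityID, HTTPS single sign-on endpoints and at least one signing certificate. The following is an added example written for this guide, not Chemwatch's or Microsoft's code. It uses only the Python standard library; the embedded metadata document is constructed for offline use (the tenant ID is an all-zero placeholder and the certificate body is a placeholder, not a real certificate), and fetch_idp_metadata is an assumed helper for fetching the live URL.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def summarise_idp_metadata(xml_bytes):
    """Extract what the service provider needs from IdP federation metadata and flag gaps.

    Returns a dict with entity_id, sso (binding -> location), signing_certs (count)
    and findings (list of human-readable problems; empty means the metadata looks usable).
    """
    root = ET.fromstring(xml_bytes)
    summary = {"entity_id": root.get("entityID"), "sso": {}, "signing_certs": 0, "findings": []}
    findings = summary["findings"]
    if not summary["entity_id"]:
        findings.append("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        findings.append("no IDPSSODescriptor: this is not IdP metadata (SP metadata by mistake?)")
        return summary
    # Single sign-on endpoints per binding; both Redirect and POST should be present and HTTPS.
    for sso in idp.findall("md:SingleSignOnService", NS):
        summary["sso"][sso.get("Binding")] = sso.get("Location")
    for binding in (REDIRECT, POST):
        location = summary["sso"].get(binding)
        if not location:
            findings.append(f"no SingleSignOnService for {binding.rsplit(':', 1)[-1]}")
        elif not location.startswith("https://"):
            findings.append(f"SSO endpoint is not https: {location}")
    # Signing certificates: a KeyDescriptor without 'use' is valid for both signing and encryption.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            if der[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
                findings.append("signing certificate is not valid DER")
            else:
                summary["signing_certs"] += 1
    if summary["signing_certs"] == 0:
        findings.append("no signing certificate: the service provider cannot verify your assertions")
    return summary


def fetch_idp_metadata(url):
    """Assumed helper: download the live federation metadata document."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


# Constructed sample for offline use. The certificate body is a placeholder that merely starts
# like DER; it is not a real certificate, and the tenant ID is an all-zero placeholder.
FAKE_CERT = base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 16).decode()
SAMPLE_METADATA = f'''<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{FAKE_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>'''.encode()

if __name__ == "__main__":
    import json
    # Replace SAMPLE_METADATA with fetch_idp_metadata("<your App Federation Metadata URL>") for a live check.
    print(json.dumps(summarise_idp_metadata(SAMPLE_METADATA), indent=2))
```

This only checks structure; it does not validate the certificate's chain or expiry. The signing certificate in Entra metadata is self-issued and rotates, so note its expiry in the portal and plan to resend metadata to Chemwatch IT before it lapses.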
We recommend using the direct SSO Sign-on URL provided by Chemwatch IT. With the direct link, users can seamlessly log in to the Chemwatch web application via the IDP login page. The Chemwatch SSO Sign-on URL usually looks like this: https://jr.chemwatch.net/chemwatch.web/sso/login?domain=<YOUR_CHEMWATCH_DOMAIN_NAME>.
The above procedure was a typical scenario example with the following assumptions for the User Attributes and claims. It may be different for your organisation:
user.employeeid is the unique identifier of your user, e.g. john.doe.101 - this value goes into the User Login field inside the Chemwatch application.
user.mail is the user’s email address, e.g. john.doe@yourdomain.com - this value goes into the Email field inside the Chemwatch application.
user.displayname is the full name of the user, e.g. John Doe - this value goes into the Person Name field inside the Chemwatch application.
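Once Chemwatch IT has enabled SSO, the quickest way to confirm the claims configured in the steps above are what Entra really sends is to capture a SAMLResponse (for example with a browser SAML tracer extension) and inspect it. The following is an added example written for this guide, not Chemwatch's or Microsoft's code. It assumes the claim names are Entra's default claim URIs under http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ (emailaddress for user.mail, givenname carrying user.displayname after the remap, and surname / name for the two claims the procedure deletes) and that the Name ID format was set to Unspecified. The two responses at the bottom are constructed, unsigned test data; the check does not verify the XML signature and is a configuration diagnostic, not an authentication check.

```python
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # assumed Entra default prefix
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Claim URI -> Chemwatch field it populates (assumed default claim names).
EXPECTED = {
    CLAIMS + "emailaddress": "email",       # user.mail -> Email field
    CLAIMS + "givenname": "person_name",    # user.displayname (remapped) -> Person Name field
}
# Claims the procedure deletes; seeing them means the edit did not stick.
REMOVED = {CLAIMS + "surname", CLAIMS + "name"}


def check_saml_response(saml_response_b64):
    """Inspect a base64 SAMLResponse and report how Chemwatch's fields would be populated.

    Returns {'login', 'email', 'person_name', 'claims', 'findings'}; an empty findings
    list means the Name ID and claims match the configuration in this guide.
    NOTE: the signature is NOT verified here; use this only on responses you captured yourself.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    result = {"login": None, "email": None, "person_name": None, "claims": [], "findings": []}
    findings = result["findings"]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext <Assertion>: response is encrypted or malformed")
        return result
    # Name ID feeds the User Login field; it must be present and in Unspecified format.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID missing or empty: User Login would be blank")
    else:
        result["login"] = name_id.text.strip()
        fmt = name_id.get("Format", "")
        if fmt != NAMEID_UNSPECIFIED:
            findings.append(f"NameID Format is {fmt or '(none)'}, expected Unspecified")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    result["claims"] = sorted(n.rsplit("/", 1)[-1] for n in attrs)
    for name, field in EXPECTED.items():
        values = [v for v in attrs.get(name, []) if v.strip()]
        if not values:
            findings.append(f"claim {name.rsplit('/', 1)[-1]} missing or empty: {field} would be blank")
        else:
            result[field] = values[0]
    for name in attrs:
        if name in REMOVED:
            findings.append(f"leftover claim {name.rsplit('/', 1)[-1]} still emitted; delete it")
    return result


def build_response(name_id, name_id_format, attributes):
    """Build an UNSIGNED, constructed SAML Response for local testing of the checker only."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{escape(n)}"><saml:AttributeValue>{escape(v)}</saml:AttributeValue></saml:Attribute>'
        for n, v in attributes.items()
    )
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">'
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        f'<saml:NameID Format="{name_id_format}">{escape(name_id)}</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


# Constructed test data: a response matching this guide, and one where the Name ID was left on
# the email-address format and the surname claim was never deleted.
GOOD_RESPONSE = build_response("john.doe.101", NAMEID_UNSPECIFIED, {
    CLAIMS + "emailaddress": "john.doe@yourdomain.com",
    CLAIMS + "givenname": "John Doe",
})
BAD_RESPONSE = build_response(
    "john.doe@yourdomain.com", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", {
        CLAIMS + "emailaddress": "john.doe@yourdomain.com",
        CLAIMS + "givenname": "John",
        CLAIMS + "surname": "Doe",
    })

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_saml_response(resp))
```

To use it on a real capture, paste the base64 SAMLResponse form field (not the URL-decoded XML) into check_saml_response. If the response contains an EncryptedAssertion the checker reports it rather than decrypting, since Chemwatch's metadata, not this script, determines whether assertion encryption is in use.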