Warning
Potential for Data Loss: The steps detailed in the resolution of this article may result in a loss of critical data if not performed properly. Before beginning these steps, make sure all important data is backed up in the event of data loss. If you are unsure or unfamiliar with any complex steps detailed in this article, please contact Product Support for assistance.
Issue
Need to set up SAML SSO with Azure Entra ID
Product Line
EcoStruxure Building Operation
Environment
- Building Operation Workstation
- Azure
Cause
The SAML configuration requires a detailed setup on both the EBO side and the Azure side.
Resolution
Part 1: EBO configuration
Creating and Configuring the SAML Configuration Object
To create and configure a SAML configuration object.
- In WorkStation, in the System Tree pane, expand the System folder.
- Expand the Federated Authentication folder.
- Select the SAML Authenticator object.
- On the File menu, click New object.
- Select SAML Configuration.
- Enter a name, path, and description for the object you want to create.
- Click Create.
- Configure the settings.
Enabling Federated Authentication
To enable federated authentication
- In WorkStation, in the System Tree pane, select the EcoStruxure BMS server you want to configure.
- Click the Control Panel tab.
- Click Security Settings.
- Select Enable federated authentication.
- Click the Save button.
Configure SAML Configuration object
Service Provider
To configure the service provider.
- In WorkStation, in the System Tree pane, click the SAML Configuration object.
- Click the Service Provider Settings tab.
- Configure the settings.
Identity Provider
To configure the identity provider.
- In WorkStation, in the System Tree pane, click the SAML Configuration object.
- Click the Identity Provider Settings tab.
- Configure the settings.
Configuring the Security
To configure the security.
- In WorkStation, in the System Tree pane, click the SAML Configuration object.
- Click the Security Settings tab.
- Configure the settings.
Create and configure domains
Create and configure a domain to be used for Federated Authentication.
- Create a Domain
- Create a group
- Configure the permission for the group
Part 2: Azure Configuration
Log in to https://azure.microsoft.com/
Create SAML application under Entra ID
- Click Microsoft Entra ID
- Click Enterprise Application
- Select Create your own application
Enter the name of the App
Select “Integrate any other application you don’t find in the gallery (Non-gallery)”. An Enterprise Application is created with that name.
Create a group
- Select Groups
- Click New Group
- Select “Microsoft 365” for the Group type
Enter the name of the group. The “Group name” must match the name of the Domain's group in EBO.
- Add Owners and Members to the group
Configure Entra ID
- Select Assign users and groups in the Enterprise Application Overview
- Select Add user/group then click Assign
- The selected group is under the application
- Select Set up single sign on in the Enterprise Application Overview
- Under Basic SAML configuration, enter the information from the EBO SAML Authenticator Basic tab:
The Sign on URL is the Base URL.
The Identifier is the Entity ID.
The Reply URL is the Assertion Consumer Service URL.
- Click on Edit from Attributes & Claims
- Click on “Add a group claim”
Select Groups assigned to the application.
Select Cloud-only group display names under Source attribute.
Update the “Unique User Identifier” value to user.displayname.
- Download the “Federation Metadata XML” certificate
- Open the XML file and find the line with the certificate; it will start with <XXXXCertificate>
- Copy the string between the opening and closing tags and paste it into Public key certificate under Identity Provider Settings
- Copy the Entity id and Single Sign On Service URL from Azure to EBO.
The Entity Id is Microsoft Entra Identifier.
The Single Sign On Service URL is Login URL.
Part 3: Testing
Test Single Sign On
- Go to Webstation by entering the SmartX Server network address.
- Click on Log on with SSO
- Select the account within the Azure Group
- The successful login screen is displayed.