How To Configure Azure AD SSO

To configure SSO in your NowSignage account, please follow the steps below:


1 - Enter Azure AD and go to “Enterprise Applications”.


2 - Create a new application using the top bar → “+ New application” → “Create your own application”



3 - Create the app as a “Non Gallery” app and give it a name




4 - Go to “Single Sign On” on the left-hand side of the site



5 - Select “SAML”


6 - Fill in each of the steps by editing it




7 - Once filled in, Azure will create some URLs and the certificate needed for SSO into NowSignage


8 - In point 2: Attributes & Claims

  • Change Unique User Identifier (Name ID) from user.principalname to user.mail


9 - Make sure you add the users you want to grant the ability to SSO into the app


Please note - You must first invite this user into your NowSignage account in order for them to have access.

10 - Go into your NowSignage account and click on your initials in the top right of the platform, then select 'My Account'. Now click 'Users and Roles' on the top menu bar and then select 'SSO Configuration':

 

11 - To enable SSO for all users of your account, tick the 'use SSO for customer login' box, then copy & paste in the information required (located within your Azure AD portal). Once you have filled in the required fields, click 'Save' to enable SSO within your account.

Within Azure, the Identity Provider Id is called 'Microsoft Entra Identifier' and is located within step/section 4.


The certificate can be downloaded from the Certificate (Base64) section in Azure.


The 'Authn Context' is:

urn:oasis:names:tc:SAML:2.0:ac:classes:Password


12 - SSO is now enabled for all users in your account. They will now be required to sign into NowSignage only through SSO and will no longer be able to log in using their NowSignage password.
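
If a login fails after step 12, the three values set in steps 8 to 11 can be checked against a decoded SAML response. The following is an added example, not NowSignage or Microsoft code: the function name, the sample response and its tenant ID and addresses are constructed, and it assumes NowSignage matches the Name ID against the invited user's email address.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
SAMPLE_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

# Constructed sample response: the tenant ID and address are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(xml_text, expected_issuer, invited_emails):
    """List configuration problems in a decoded SAML response.
    This is a settings check only: it does not validate the XML signature."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element (encrypted or malformed response)"]

    def text(path):
        return (assertion.findtext(path, default="", namespaces=NS) or "").strip()

    issuer = text("saml:Issuer")
    name_id = text("saml:Subject/saml:NameID")
    ctx = text("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef")

    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} != configured Identity Provider Id")
    if "@" not in name_id:
        problems.append(f"NameID {name_id!r} is not an email; map it to user.mail")
    elif name_id.lower() not in {e.lower() for e in invited_emails}:
        problems.append(f"{name_id} has not been invited to the account")
    if ctx != EXPECTED_AUTHN_CONTEXT:
        problems.append(f"AuthnContextClassRef {ctx!r} != {EXPECTED_AUTHN_CONTEXT}")
    return problems
```

Run it only on responses from your own tenant; for XML from any other source, parse with a hardened parser such as defusedxml.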

How to exclude users from SSO:

After setting up SSO, you can exclude specific users from the SSO requirement to allow them to also log in with their NowSignage user account. To do this, within the SSO configuration page, scroll to the bottom of the page and you will see a user exception list:

You can now search for and select specific users you wish to add to the exception list. Users can be removed from this list at any stage.


It is recommended to exclude at least one user with Account Owner permissions. In the event your identity provider is down, they can log in and untick the 'Use SSO for customer login' checkbox to allow all users to log in with their NowSignage accounts.

User Management Configuration (Optional):

This section is optional and contains various additional advanced options for your SSO setup:

  • Create new users (checkbox on/off): If this option is enabled, new users will be able to register for a NowSignage account. When they are registering, we will check if the user is registered. If not, the system will register the user into the account (identified by the IDP credentials from the basic configuration) and assign it to the role you have selected in the Role for new users dropdown.

  • The newly registered users will be granted access to the Projects for users selected. You can select either a singular project or multiple projects for your users to have access to when they register.

  • If the Update users checkbox is selected, then every time a user logs in using SSO, the system will perform a user update. It will check and update the Role of the user, the access to the projects and the access tags to match the ones set up in this section. So if you amend your settings at any stage, this will update any user's access to reflect your new settings when they log back into NowSignage.

  • IDP attributes mapping: This section is used to create custom mappings between the IDP and our CMS. These mappings can be used to replace the email and name from the default ones, as well as assign the values from the selected fields as Access Tags to customers.


 

Please Note: To ensure the successful creation of new users, it is essential to first add them to the NowSignage SSO user group within Azure.

 

After adding the user to the Azure SSO user group, they need to complete their first login to NowSignage via the Azure portal by selecting the NowSignage SSO app, which can be found at https://myapplications.microsoft.com/.

This action will redirect them to NowSignage and automatically create their user profile.

Once this initial login process is complete, the user can access the NowSignage SSO login portal at https://secure.nowsignage.com/customers/sso_login for future logins.

 

Verification Certificate (Optional):

It is possible to enable a verification certificate within the NowSignage SSO app. To do this within Azure, please edit the area shown below:




The NowSignage verification certificate for uploading can be downloaded from the link below:

https://drive.google.com/file/d/18LSJ-93aEwhvULVRPe8addwQnLJUn_xC/view?usp=sharing