How to Integrate with Azure AD using SCIM user provisioning and SAML single sign-on.
This integration allows single sign-on and automatic user provisioning of trainees from your Azure Active Directory (AD) instance.
To do this you'll need to:
- Add the Velpic Application to your Azure AD Portal
- Assign users to Velpic
- Enable User Provisioning (SCIM)
- Enable Single Sign-on (SAML)
Step 1 - Add the Velpic Application to your Azure AD Portal
Adding the Velpic application to your Azure portal will enable the configuration options for syncing information from Azure AD to Velpic.
1. Log in to the Azure portal.
2. Select the Azure Active Directory menu item.
3. Select Enterprise applications.
4. Select New application.
5. Search for Velpic, select it in the list and then select Add at the bottom of the form.
Now that the Velpic app is enabled in your Azure AD portal, you can configure it!
Step 2 - Assign users to Velpic
This step defines the set of users that will be synced to Velpic. These users are also the ones that will have single sign-on access to the platform. If there are users in Velpic that do not exist in Azure AD, they will not be deleted or inactivated. If a user in Azure AD has the same username as a user in Velpic, the existing Velpic user will be linked to their Azure account and their information will be updated with information from Azure. Their Azure AD login and their current username and password login will both work for the same account.
We recommend starting with this option first, even if you plan on syncing everything.
1. In the Velpic App settings, select Users and groups.
2. Select Add user.
3. Select Users and groups. Note: If you are on the basic plan, you will only be able to select your assignment by users.
4. Search for the users (and groups if you have this feature), then select the checkbox next to each one. Click the Select button when you're done.
5. Select Assign.
6. You should now see the Users (and Groups) assigned to the Velpic app on the Users and Groups page.
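A pre-flight check for the linking behaviour described in Step 2, as an added example that is not part of the original article or of Velpic's tooling: given the usernames you plan to assign in Azure AD and the usernames already in Velpic, it reports which accounts would be linked, created or left untouched. The username lists are constructed sample data, and how Velpic compares usernames (case sensitivity) is an assumption exposed as a parameter.

```python
# Added example: pre-flight report for Step 2. All names and data are constructed.

# Constructed sample input: usernames assigned in Azure AD / already in Velpic.
AZURE_ASSIGNED = ["alice@contoso.example", "bob@contoso.example", "Dana@contoso.example"]
VELPIC_EXISTING = ["alice@contoso.example", "dana@contoso.example", "legacy.admin"]


def plan_sync(azure_usernames, velpic_usernames, case_sensitive=True):
    """Classify accounts by what the first sync is expected to do to them.

    case_sensitive is an ASSUMPTION knob: the article does not say how Velpic
    compares usernames, so run the report both ways and review the difference.
    """
    key = (lambda u: u.strip()) if case_sensitive else (lambda u: u.strip().lower())
    azure = {key(u): u.strip() for u in azure_usernames}
    velpic = {key(u): u.strip() for u in velpic_usernames}
    return {
        # Existing Velpic account is linked and updated with Azure AD data.
        "linked": sorted(velpic[k] for k in azure.keys() & velpic.keys()),
        # No matching Velpic username: a new user is provisioned.
        "created": sorted(azure[k] for k in azure.keys() - velpic.keys()),
        # Velpic-only accounts are not deleted or inactivated by the sync.
        "velpic_only": sorted(velpic[k] for k in velpic.keys() - azure.keys()),
    }


def ambiguous_matches(azure_usernames, velpic_usernames):
    """Velpic usernames that match an Azure AD user only when case is ignored."""
    strict = set(plan_sync(azure_usernames, velpic_usernames, True)["linked"])
    loose = set(plan_sync(azure_usernames, velpic_usernames, False)["linked"])
    return sorted(loose - strict)


if __name__ == "__main__":
    for bucket, names in plan_sync(AZURE_ASSIGNED, VELPIC_EXISTING).items():
        print(f"{bucket}: {names}")
    print("resolve before syncing:", ambiguous_matches(AZURE_ASSIGNED, VELPIC_EXISTING))
```

Review the `linked` and `velpic_only` buckets before enabling provisioning: per the text above, those are the accounts that keep a working Velpic username and password login after the sync.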
Step 3 - Enable User Provisioning (SCIM)
User provisioning from Azure AD to Velpic is done using the SCIM protocol. This will update user details, active status and group information from Azure AD in real time. It is important to note that it can sometimes take up to 30 minutes for changes to be sent from Azure AD to Velpic.
1. First, select Provisioning in the Velpic app menu in Azure AD.
2. Change the Provisioning Mode to Automatic.
3. In a new browser window, log in to Velpic as an Administrator.
4. Navigate to Admin > Integrations > Plugins.
5. Select Add Plugin.
6. Select SCIM 2.0.
7. Name the plugin then select the Add button.
8. If you want to stop welcome emails for newly synced users from Azure AD, you can click Edit, enable the "Suppress welcome emails" option, then click Save. We recommend you do this.
9. Copy the Provisioning Endpoint URL and Authentication Token fields from Velpic into the Tenant URL and Secret Token fields in Azure AD respectively, and leave the Velpic tab open.
10. Select Test Connection in Azure AD to ensure the credentials are correct. If they are, click Save at the top. If not, verify that the credentials are correct and try again.
11. Turn on Provisioning and select Save.
After a few minutes you should be able to refresh the page and see a successful sync status.
You should now be able to see the users and groups you assigned in Velpic.
If you want to sync everything then you can change the Scope option to sync all users and groups.
Step 4 - Enable Single Sign-on (SAML)
Enabling the Single sign-on option in the Velpic application in Azure AD will allow your users to access Velpic with their Azure AD credentials.
1. In the Velpic app menu in Azure AD, select the Single sign-on menu item.
2. Change the Single Sign-on Mode to SAML-based Sign-on.
3. Configure Plugin in Velpic
At the bottom of the page, select the Configure Velpic button.
This will open Azure's documentation for setting up the AzureAD SAML/SSO plugin in Velpic. It includes links to the AzureAD Metadata config file and the Issuer URL required to configure Velpic.
Important: When you get to the step in the documentation that has the option to create the SAML plugin in the Velpic Platform, make sure to leave the "Auto create new users" option unchecked, as SCIM is responsible for user provisioning.
Click on the X on the top right to close the documentation when you are done.
5. Configure Velpic SSO in AzureAD
In AzureAD you need to configure the following settings:
6. Configure Single Sign-on URL - This is the Velpic web address your organisation uses to access Velpic (e.g. https://yourorganisation.velpic.net)
7. Configure Identifier - Go back to the browser where you're logged into Velpic, go to Manage > Integrations > Plugins > SAML SSO and copy the Single sign on URL.
8. Paste the Single sign on URL from Velpic into the Identifier field in the Azure AD configuration form.
9. Select the Show advanced URL settings checkbox.
10. Paste the Single sign on URL from Velpic into the Reply URL.
11. Paste the Single sign on URL from Velpic into the Relay State.
12. Select Save at the top of the form.
13. Important: Log out from Velpic.
14. Click Test SAML Settings.
15. Select the "Login with..." button and you should be automatically logged in using your Azure AD login.
Once you've completed these 4 steps with the Velpic Azure App your users will be automatically provisioned and have the ability to access Velpic using their AzureAD credentials.
If you have any questions about this integration reach out to us at firstname.lastname@example.org.