How to Integrate with Azure AD using SCIM user provisioning and SAML single sign-on.
Using this integration will allow for single sign-on and automatic user provisioning of trainees from your Azure Active Directory (AD) instance.
To do this you'll need to:
- Add the Velpic Application to your Azure AD Portal
- Assign users to Damstra Learning
- Enable User Provisioning (SCIM)
- Enable Single Sign-on (SAML)
Step 1 - Add the Damstra Learning Application to your Azure AD Portal
Adding the Velpic application to your Azure portal will enable the configuration options for syncing information from Azure AD to Velpic.
1. Log in to the Azure portal.
2. Select the Azure Active Directory menu item.
3. Select Enterprise applications.
4. Select New application.
5. Search for Damstra Learning, select it in the list and then select Add at the bottom of the form.
Now that the Damstra Learning app is enabled in your Azure AD portal, you can configure it.
Step 2 - Assign users to Damstra Learning
This step will define the user set that will be synced to Damstra Learning. These users are also the ones that will have single sign-on access to the platform. If there are users in Damstra Learning that do not exist in Azure AD they will not be deleted or inactivated. If a user in Azure AD has the same username as a user in Damstra Learning then the existing Damstra Learning user will be linked to their Azure account and their information will be updated with information from Azure. Their Azure AD login and their current username and password login will both work for the same account.
We recommend starting with this option first, even if you plan on syncing everything.
1. In the Damstra Learning App settings, select Users and groups.
2. Select Add user.
3. Select Users and groups. Note: If you are on the basic plan, you will only be able to select your assignment by users.
4. Search for the users (and groups if you have this feature) then click the checkbox on them. Click the Select button when you're done.
5. Select Assign.
6. You should now see the Users (and Groups) assigned to the Velpic app on the Users and Groups page.
Step 3 - Enable User Provisioning (SCIM)
User provisioning from Azure AD to Damstra Learning is done using the SCIM protocol. Azure AD pushes users' details, active status, and group membership to Damstra Learning as they change, so the two stay in sync without manual imports. It is important to note that it can sometimes take up to 30 minutes for a change to be sent from Azure AD to Damstra Learning.
1. First, select Provisioning in the Damstra Learning app menu in Azure AD.
2. Change the Provisioning Mode to Automatic.
3. In a new browser window, log in to Damstra Learning as an Administrator.
4. Navigate to Admin > Integrations > Plugins.
5. Select Add Plugin.
6. Select SCIM 2.0.
7. Name the plugin then select the Add button.
8. If you want to stop welcome emails being sent to users newly synced from Azure AD, click Edit, enable the "Suppress welcome emails" option, then click Save. We recommend you do this.
9. Copy the Provisioning Endpoint URL and Authentication Token from Damstra Learning into the Tenant URL and Secret Token fields in Azure AD respectively, and leave the Damstra Learning tab open.
10. Select Test Connection in Azure AD to ensure the credentials are correct. If they are, click Save at the top. If not, verify the credentials were copied correctly and try again.
11. Turn on Provisioning and select Save.
After a few minutes, you should be able to refresh the page and see a successful sync status.
You should now be able to see the users and groups you assigned in Damstra Learning.
If you want to sync everything then you can change the Scope option to sync all users and groups.
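As an added illustration of what the SCIM side of this integration has to do (this is example code written for this article, not Damstra Learning's plugin or anything Microsoft ships), the toy Python handler below models the rules described above: every call must carry the Secret Token as a bearer token, Azure AD first looks a user up by userName and then either creates the user or updates the existing one (which is how an existing Damstra Learning account with the same username gets linked rather than duplicated), deactivation arrives as a PATCH of `active`, and the "Suppress welcome emails" setting decides whether a newly created trainee is mailed. The endpoint paths and attribute names follow RFC 7643/7644; the lookup-then-create-or-update sequence, the string-valued booleans ("True"/"False") that Azure AD has sent in PATCH operations, and all users and tokens are assumptions or constructed sample data, not values from the page.

```python
import hmac
import re
from dataclasses import dataclass

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
# The (URL-decoded) filter Azure AD uses to look a user up by its matching attribute.
FILTER_RE = re.compile(r'^userName\s+eq\s+"([^"]*)"$', re.IGNORECASE)


@dataclass
class User:
    id: str
    user_name: str
    display_name: str = ""
    active: bool = True
    external_id: str = ""           # Azure AD object id, set once the account is linked
    welcome_email_sent: bool = False


def _as_bool(value):
    """Accept JSON true/false as well as the strings 'True'/'False' (assumed Azure AD behaviour)."""
    return value if isinstance(value, bool) else str(value).lower() == "true"


class ScimService:
    """Hypothetical minimal SCIM 2.0 /Users endpoint: bearer auth, lookup, create, PATCH."""

    def __init__(self, secret_token, suppress_welcome_emails=True, existing=()):
        self.secret_token = secret_token
        self.suppress_welcome_emails = suppress_welcome_emails
        self.users = {u.user_name.lower(): u for u in existing}   # userName is the match key
        self.next_id = len(self.users) + 1

    def handle(self, method, path, headers, body=None, query=""):
        presented = headers.get("Authorization", "").removeprefix("Bearer ")
        # Constant-time comparison of the Secret Token that Azure AD presents on every call.
        if not hmac.compare_digest(presented.encode(), self.secret_token.encode()):
            return 401, self._error(401, "invalid bearer token")
        if method == "GET" and path == "/Users":
            return self._search(query)
        if method == "POST" and path == "/Users":
            return self._create(body or {})
        if method == "PATCH" and path.startswith("/Users/"):
            return self._patch(path.removeprefix("/Users/"), body or {})
        return 404, self._error(404, "no such resource")

    def _search(self, query):
        # Azure AD queries by userName before deciding whether to create or update.
        m = FILTER_RE.match(query)
        hits = []
        if m and m.group(1).lower() in self.users:
            hits.append(self._resource(self.users[m.group(1).lower()]))
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}

    def _create(self, body):
        key = body.get("userName", "").lower()
        if not key:
            return 400, self._error(400, "userName is required")
        if key in self.users:
            return 409, self._error(409, "userName already exists")   # RFC 7644 uniqueness
        user = User(id=str(self.next_id), user_name=body["userName"],
                    display_name=body.get("displayName", ""),
                    active=_as_bool(body.get("active", True)),
                    external_id=body.get("externalId", ""))
        self.next_id += 1
        self.users[key] = user
        # Step 8's "Suppress welcome emails" option decides whether a new trainee is mailed.
        user.welcome_email_sent = not self.suppress_welcome_emails
        return 201, self._resource(user)

    def _patch(self, user_id, body):
        user = next((u for u in self.users.values() if u.id == user_id), None)
        if user is None:
            return 404, self._error(404, f"user {user_id} not found")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() not in ("replace", "add"):
                continue
            path, value = op.get("path", ""), op.get("value")
            if path == "externalId":
                user.external_id = value        # links the existing account to Azure AD
            elif path == "displayName":
                user.display_name = value
            elif path == "active":
                user.active = _as_bool(value)   # deactivation in Azure AD flows through here
        return 200, self._resource(user)

    def _resource(self, u):
        return {"schemas": [USER_SCHEMA], "id": u.id, "userName": u.user_name,
                "externalId": u.external_id, "displayName": u.display_name, "active": u.active}

    @staticmethod
    def _error(status, detail):
        return {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
```

A wrong Secret Token is rejected before any path is looked at, which is what the Test Connection step in Azure AD exercises; a user who already exists locally is found by the filter query and then patched, so their `externalId` gets set and their details refreshed instead of a second account being created.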
Step 4 - Enable Single Sign-on (SAML)
Enabling the Single sign-on option in the Damstra Learning application in Azure AD will allow your users to access Damstra Learning with their Azure AD credentials.
1. In the Damstra Learning app menu in Azure AD, select the Single sign-on menu item.
2. Change the Single Sign-on Mode to SAML-based Sign-on.
3. Configure Plugin in Damstra Learning
At the bottom of the page, select the Configure Damstra Learning button.
This will open Azure's documentation for setting up the plugin for Azure AD SAML/SSO in Damstra Learning. It includes links to the Azure AD metadata config file and the Issuer URL required to configure Damstra Learning.
Important: When you get to the step in the documentation that has the option to create the SAML plugin in the Damstra Learning platform, make sure to leave the "Auto-create new users" option unchecked, as SCIM is responsible for user provisioning.
4. Click the X in the top right to close the documentation when you are done.
5. Configure Damstra Learning SSO in Azure AD
In Azure AD you need to configure the following settings:
6. Configure Single Sign-on URL - This is the Damstra Learning web address your organisation uses to access Damstra Learning (e.g. https://yourorganisation.velpic.net)
7. Configure Identifier - Go back to the browser where you're logged in to Damstra Learning, go to Manage > Integrations > Plugins > SAML SSO and copy the Single sign-on URL.
8. Paste the Single sign-on URL from Damstra Learning into the Identifier field in the Azure AD configuration form.
9. Select the Show advanced URL settings checkbox.
10. Paste the Single sign-on URL from Damstra Learning into the Reply URL field.
11. Paste the Single sign-on URL from Damstra Learning into the Relay State field.
12. Select Save at the top of the form.
13. Important: Log out from Damstra Learning.
14. Click Test SAML Settings.
15. Select the "Login with..." button and you should be automatically logged in using your Azure AD login.
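Two things in this step are worth checking mechanically before you click Test SAML Settings: the values you take from the Azure AD metadata file (Issuer URL, sign-on endpoint, signing certificate) and the rule that Identifier, Reply URL and Relay State all carry the same Single sign-on URL from the plugin. The Python below is an added example written for this article, not Damstra Learning's or Microsoft's code. It parses an identity-provider metadata document of the shape Azure AD publishes and reports the mismatches in the service-provider settings. The metadata sample is constructed: the tenant GUID is all zeros, the certificate body is placeholder bytes rather than a real certificate, and the plugin URL path under yourorganisation.velpic.net is invented.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of an Azure AD federation metadata document.
# The tenant id is a zero GUID and the certificate is placeholder bytes, not a real cert.
SAMPLE_CERT_B64 = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="{POST}"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract Issuer URL (entityID), sign-on endpoints and the signing cert fingerprint.

    The metadata comes from Azure AD, a source you trust; parse untrusted XML with defusedxml.
    """
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:  # a KeyDescriptor without a use attribute serves both signing and encryption
        cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode("".join(cert.text.split()))   # real metadata wraps the base64 over lines
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    return {
        "issuer": root.get("entityID"),
        "sso_redirect_url": sso.get(REDIRECT),
        "sso_post_url": sso.get(POST),
        # Pin this fingerprint in the plugin so a swapped certificate is noticed, not silently accepted.
        "signing_cert_sha256": hashlib.sha256(der).hexdigest(),
    }


def check_sp_settings(plugin_sso_url, identifier, reply_url, relay_state):
    """Return the problems in the Azure AD form; an empty list means the three fields match step 8-11."""
    problems = []
    if urlsplit(plugin_sso_url).scheme != "https":
        problems.append("Single sign-on URL is not https")
    for name, value in (("Identifier", identifier), ("Reply URL", reply_url), ("Relay State", relay_state)):
        if value != plugin_sso_url:
            problems.append(f"{name} does not match the plugin Single sign-on URL")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("Issuer URL:", info["issuer"])
    print("Signing cert SHA-256:", info["signing_cert_sha256"])
    sso = "https://yourorganisation.velpic.net/plugins/saml/sso"   # invented plugin URL path
    print("Problems:", check_sp_settings(sso, sso, sso, sso) or "none")
```

The Reply URL check matters most: a response posted to a Reply URL that does not match the plugin's Single sign-on URL is rejected by Azure AD, and a mismatch typically shows up only as a failed Test SAML Settings with no useful message in the browser.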
Once you've completed these 4 steps with the Damstra Learning Azure app, your users will be automatically provisioned and able to access Damstra Learning using their Azure AD credentials.
If you have any questions about this integration reach out to us at firstname.lastname@example.org.