Enabling Single Sign-On with Azure Active Directory

Important: When referencing this page outside of Knowledge Base, use this link: http://knowledge.domo.com?cid=azuread

Microsoft's Azure Active Directory Application Gallery is an "app store" where users can search for and deploy apps that are tested and certified by Microsoft. Both Premium and Standard users can integrate with Domo for Single Sign-On (SSO).

Users are responsible for properly setting up their Azure AD instance. This includes creating a directory, adding users to the directory and entering all user information such as name and email address. For more information, see https://azure.microsoft.com/en-us/do...single-sign-on

To implement SSO with Azure AD:

  1. Within Azure, from the manage.windowsazure.com portal, navigate to Active Directory and select the directory that you will use with Domo.

  2. After selecting your directory, click the APPLICATIONS link.

  3. At the bottom of the screen, click ADD.

  4. Select An application from the gallery.

  5. Locate the Domo application in the Azure AD Application Gallery.
    The application will be called "Domo" and can be found within the Application Gallery under the Business Management, Data Services, or Collaboration categories. Or you can simply search for "Domo" in the Microsoft Azure Marketplace.

    After installing the application, you will need to configure Single Sign-on. This requires steps in both Azure and Domo. 

  6. Within Azure, select Configure Single Sign-On.

  7. In the new window, select Microsoft Azure AD Single Sign-On then click the arrow in the bottom right corner.

  8. In a separate browser tab, log into Domo as an "Admin" user and navigate to  > Major Domo Center.

  9. Select Security.
    This tab is visible only if you are logged in as an "Admin" user. For more information about security roles, see Security Role Reference.

  10. Select Single Sign-On.

  11. Click Enable Single Sign-On.

  12. At the bottom of the Single Sign-On tab, copy the URL in the SAML Assertion Endpoint URL field up to ".com" as shown below. This will be used as both the Azure "Sign On URL" and "Identifier."

  13. Return to the Azure browser tab.

  14. In the Azure AD Configure App Settings screen, paste the copied URL into the Identifier field. Do NOT proceed to the next screen at this time.

    Note: You may also select Show advanced settings in the Configure App Settings screen and enter the "Sign-On URL" as the Domo instance URL, but this is not necessary.  



  15. Return to Domo.

  16. At the bottom of the Single Sign-On tab, copy the entire URL from the SAML Assertion Endpoint URL field.

  17. Return to Azure.

  18. In the Azure AD Configure App Settings screen, paste the copied URL into the Reply URL field.

     
  19. Click the arrow in the bottom right corner to proceed.

  20. Copy the URL from the Single Sign-on Service URL field. (Note that this URL is the same as the one in the Single Sign-Out Service URL.)



    You may ignore the Issuer URL as this is not used.
    Do not click the Next arrow at this time.

  21. In the Single Sign-On tab in Domo, paste the URL from the previous step into the Identity Provider Endpoint URL field.

     

  22. Enter the Domo instance URL from step 12 into the Entity ID field.
    Note this must match the value you entered in the Azure AD Identifier field in step 14.

  23. Return to the Azure configuration screen.

  24. Download the "Base 64" version of the certificate.

  25. Return to Domo.

  26. Click the up arrow in the X.509 Certificate field and enter the Base 64 certificate you downloaded in step 24.

  27. Select the checkbox next to Import groups from identity provider if you wish to copy your groups from Azure to Domo. Please note that Azure does not currently support groups that represent company departments, so Domo does not recommend enabling this option.

  28. Select the checkbox next to Only invited people can access Domo if you wish to prevent users from logging into Domo until they are invited to Domo. (By default, when SSO is enabled in Domo, any user in your Azure AD directory will be able to log into Domo.)

  29. Return to the Azure AD configuration screen.

  30. In the Azure AD configuration wizard, check the box that asks you to confirm that you configured the settings correctly.
    You must check this box before you can proceed to test your SSO configuration within Domo.

  31. To complete the configuration in Azure, click the check icon in the bottom right corner.
    When you return to your Domo application page in Azure, you should see a gray check mark next to the green configuration button indicating that SSO is enabled.



    Before continuing, it is necessary to configure your Domo SAML token attributes. If you do not, then the Azure AD default settings will be used and usernames within Domo will be overwritten with email addresses.

  32. To configure your SAML token attributes, click ATTRIBUTES.


     

  33. Configure what user information is sent to Domo.

    Domo accepts the following attribute names and Azure allows you to assign values.

    | Attribute | Description |
    |---|---|
    | name | The full name of the user |
    | name.personal | The user's first name |
    | name.family | The user's last name |
    | email | The email address of the user |
    | email.secondary | A secondary email address for the user |
    | title | The job title of the user |
    | user.phone | The primary phone number of the user, usually a mobile phone number |
    | desk.phone | The number for the user's desk phone |
    | group | The group that the user belongs to, usually a department name |
    | role | The user's role in the company |
    | employee.id | The user's employee ID |
    | hire.date | The user's hire date |
    | title | The user's job title |
    | department | The user's department in the company |
    | location | The company location for the user |
    | locale | The user's locale, which determines settings such as number formats, measurements, etc. |
    | timezone | The user's time zone |

    All attributes are optional except "email" (though "name" is strongly recommended). The email can actually appear in two places in the SAML assertion—as the subject and as the email attribute. Either will be accepted. 

    Due to the way that Azure AD supports groups, Domo does not recommend sending a “group” attribute.

    The next few steps explain how to set the “name” and “email” attribute within Azure AD.

    Below are the default Azure AD attributes. All rows should be deleted (except for the first row, which cannot be removed). To delete a row, mouse over it and click the "x" icon. Delete rows with names ending in “claims/givenname,” “claims/surname,” “claims/emailaddress,” and “claims/name.”



    If you make a mistake, Azure allows you to "reset to default" and start over.

    After you delete the unnecessary rows, your list should look like the list below. It only contains a row with a name ending in “claims/nameidentifier.”

  34. Add two new rows for “name” and “email” with values that Domo expects.

    1. To add “name,” do the following:

      1. Click the green button called add user attribute.
        This brings up the window shown below.


         

      2. Type "name" in the ATTRIBUTE NAME field. 

      3. Select user.displayname in the ATTRIBUTE VALUE field. 

      4. Click the check button at the bottom right of the screen.

        Note: Display Name is the default field that contains the user's full name. If you customized this field or do not use it, you may need to contact the Azure team for help in identifying which field to use to get the user's full name.
    2. To add "email," do the following:

      1. Click the green button called add user attribute.

      2. Enter "email" in the ATTRIBUTE NAME field.

      3. Select "user.mail" in the ATTRIBUTE VALUE field.

      4. Click the check button on the bottom right of the window.



        Your final attributes should look like the screenshot below:

    3. (Optional) If you want to add title, phone, and/or group, do so now using the same workflow that you did for "name" and "email."

  35. Click the Apply Changes button at the bottom of the screen.
    This concludes the SSO setup within Azure.

  36. Test your connection in Domo by clicking the Test Connection button at the bottom of the Single Sign-On tab. 
    Note that Azure may take up to five minutes to apply your settings, so the connection test may not immediately work. 

    If you followed the preceding steps correctly you should see a success message. If not, review the above steps or contact Domo Support if necessary.

  37. Save your SSO configuration by clicking the orange Save Changes button.
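
The following Python check is an added example, not part of the original article or of Domo's or Microsoft's tooling. It verifies the URL relationships from steps 12-22 and inspects a captured test assertion against the attribute rules in steps 33-34. The sample assertion and its user are constructed, the function names are hypothetical, and "up to .com" is assumed to mean scheme plus host.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Default Azure AD rows the article says to delete, matched by name suffix.
DEFAULTS = ("claims/givenname", "claims/surname", "claims/emailaddress", "claims/name")

# Constructed, unsigned sample assertion; the user and values are hypothetical.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
   <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="group"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def check_urls(endpoint_url, identifier, reply_url, entity_id):
    """Steps 12-22: Identifier and Entity ID are the instance URL; Reply URL is the full endpoint."""
    parts = urlsplit(endpoint_url)
    instance = f"{parts.scheme}://{parts.netloc}"  # assumption: "up to .com" = scheme + host
    problems = []
    if identifier.rstrip("/") != instance:
        problems.append("Identifier is not the instance URL")
    if entity_id != identifier:
        problems.append("Entity ID does not match Identifier")
    if reply_url != endpoint_url:
        problems.append("Reply URL is not the full assertion endpoint URL")
    return problems

def check_assertion(xml_text):
    """Steps 33-34: inspect a captured test assertion; does not verify the signature."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name", ""): (a.findtext("saml:AttributeValue", "", NS) or "").strip()
             for a in root.iterfind(".//saml:Attribute", NS)}
    name_id = (root.findtext(".//saml:Subject/saml:NameID", "", NS) or "").strip()
    findings = []
    if not attrs.get("email") and "@" not in name_id:
        findings.append("error: no email in subject or 'email' attribute")
    if not attrs.get("name"):
        findings.append("warning: 'name' attribute missing (strongly recommended)")
    if "group" in attrs:
        findings.append("warning: 'group' attribute sent (not recommended with Azure AD)")
    findings += [f"warning: default Azure AD row still present: {n}"
                 for n in attrs if n.endswith(DEFAULTS)]
    return findings
```

Run check_assertion only on an assertion captured from your own test sign-in; it reads attribute names and values and is not a substitute for the signature validation Domo performs with the uploaded X.509 certificate.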