1. Sign in to Azure portal via https://portal.azure.com -> Azure Active Directory -> Enterprise applications -> +New application:
2. Within the ‘Enterprise applications’ select ‘+Create your own application’:
3. Enter the name for ClickView application, and select the option of ‘Integrate any other application you don't find in the gallery (Non-gallery)’ and click on the ‘Create’ button:
Within 'Single sign-on' option on the left-hand-side pane, click on 'SAML' tile on the right-hand-side:
4. In step 1 : Basic SAML Configuration - Enter the 'Reply URL (Assertion Consumer Service URL)' and 'Identifier (Entity ID)' as follows:
A:Identifier (Entity ID)
B: Reply URL (Assertion Consumer Service URL)
C: Sign on URL
Leave blank as it is optional, this will be provided once the onboarding process is completed.
Sign on URL will be used to authenticate to ClickView directly.
D: Logout URL (Default across all regions)
Upon completion, the field will look like as depicted in the example below:
5. Moving on to the 'User Attributes & Claims' section:
The standard four attributes will be displayed by default:
An attribute to identify the level of access of users, i.e. staff and the year level of students, we need to add a Group Claim, click on '+ Add a group claim', select 'Groups assigned to the application'. In 'Source attribute' section, select 'Group ID' then 'Save':
6. Assign groups
Security groups of students and staff members can be assigned from the 'Overview' page of the ClickView Enterprise application: https://portal.azure.com/ -> Home -> Enterprise Applications -> ClickView -> Assign users and groups
Once in the 'Users and Groups' section, add the desired group via the '+Add user/group' button to the ClickView application:
7. SSO Onboarding
This is the final step of the setup process, for the completion of this setup, please provide us with:
A.App Federation Metadata URL which can be retrieved as follows:
Single sign-on -> SAML Signing Certificate -> App Federation Metadata Url
B. A list of all staff and student Security groups. This will allow us to map users to relevant year group in ClickView. This can be found in: Home -> Groups -> All Groups -> Search for relevant groups
Below is an example shown for staff group and its corresponding 'objectId':
C. Synchronising Security Groups from your Active Directory (Azure Active Directory Connect)
In case that you would like to use the security group from your local AD instead, Azure AD Connect can be used to synchronize these values, as described in the official Microsoft knowledge-based article: Azure AD Connect sync.
D. Adding Group Claims in Azure AD
For synchronizing group claims and avoiding the use of 'ObjectIDs' as described in 6B, group claims can be configured in Azure as per the steps in Add group claims to tokens for SAML applications using SSO configuration.
NOTE:The number of user groups that Azure Active Directory adds to a SAML token is limited to 150. If this limit is exceeded, a link to the Graph API endpoint is returned instead of a group list. ClickView doesn’t support retrieving user groups this way, because it would require additional authentication between ClickView and Azure AD.
If you exceed the 150 limit, consider one of the following options:
- Limit the number of groups that users are assigned to.
- Configure Azure AD to send only security groups.
E.Test student and test staff account credentials that have all attributes (including group membership) correctly populated so that we can test the single sign-on integration and confirm claims are exposed.
8. Submitting your information
To start a new onboarding please click on the flag of your region below, otherwise please continue with the form if you are already in the process of completing according to your region: