Using Azure AD as identity provider
SAML IdP instructions
- Open Chemaxon prod / Customer tenant Okta Admin dashboard
- Select Directory → Groups → Add group
- Create a group that will store all users created via this IdP. Suggested naming convention: `CXNC_PROD_<TENANT_ID>_IDP_USERS`
- Select Security → Identity Providers → Add Identity Provider
- Select SAML 2.0 IdP and click Next
- General settings
- Name: select an appropriate name - this will be seen by the Customers. Suggested: `<client company> Okta`
- Authentication settings
- IdP usage: SSO Only
- IdP Username: `idpuser.email`
- Match against: Okta Username
- Filter: leave blank. (A regular expression here could be used to limit access via this IdP to a given email address pattern if required.)
- Account Link Policy: Automatic (required)
- If no match is found: Create new user (JIT)
- JIT settings
- Profile source: tick the "Update attributes for existing users" checkbox
- Group Assignments: Assign to Specific Groups
- Specific Groups: the group created above, `CXNC_PROD_<TENANT_ID>_IDP_USERS`
- SAML Protocol Settings (leave defaults apart from the three fields below)
- IdP Issuer URI: use a dummy value initially and replace it with the "Azure AD Identifier" the Customer sends back
- IdP Single Sign-On URL: use a dummy value initially and replace it with the "Login URL" the Customer sends back
- IdP Signature Certificate: use a dummy value initially and replace it with the "Certificate (Base64)" the Customer sends back. This certificate is the trust anchor Okta uses to verify the signature on the Customer's SAML assertions, so install only the certificate the Customer actually provided.
- The file received from the Customer might have a `.cer` or `.cert` extension; the Base64 download is already PEM-encoded, so simply rename it to `.pem` and the upload should work.
- Click Finish
- Forward the URLs below to the Customer
- Assertion Consumer Service URL (Hub ACS URL)
- Audience URI
SAML application instructions
- Open Azure AD directory
- On the left pane click "Enterprise applications"
- On the top bar click "New application"
- On the next screen:
- Click "Create your own application"
- Set name for the application (for this example, this will be "CXN_Product")
- Select "Integrate any other application you don't find in the gallery (Non-gallery)"
- Click "Create"
- On the overview screen of the newly created application:
- Click "Single sign-on" on the left pane
- Select "SAML"
- On the "SAML-based Sign-on" screen:
- On "Basic SAML Configuration" panel, click "edit"
- For "Identifier (Entity ID)" set the value of "Audience URI" as provided by Chemaxon
- For "Reply URL" set the value of "Assertion Consumer Service URL" as provided by Chemaxon
- Click "Save"
- On the "SAML Certificates" panel:
- Click "Download" link for "Certificate (Base64)" and send back to Chemaxon
- On the "Set up your application name" panel (for this example it's "Set up CXN_Product"):
- Record the values below and send them back to Chemaxon:
- Login URL
- Azure AD Identifier
- On the overview screen of the "CXN_Product" application:
- Click "Users and groups" on the left pane
- On the top bar click "Add user/group"
- Assign the users who need access to the application
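The values exchanged in the two sections above are what Okta later compares against every SAML Response Azure AD sends. The following is an added example, not Chemaxon's or Okta's code, that applies those checks offline: the Issuer against the IdP Issuer URI (the Customer's "Azure AD Identifier"), the Destination against the ACS URL the Customer set as Reply URL, the Audience against the Audience URI set as Identifier (Entity ID), the validity window, an e-mail-shaped NameID for "IdP Username: idpuser.email", and the firstName/lastName attributes Okta requires, matched by their exact attribute Name. Every URL, the tenant ID and the sample response are constructed placeholders; XML signature verification, which Okta performs with the uploaded certificate, needs an XML-DSig library and is deliberately left out.

```python
# Added illustration, not Chemaxon's or Okta's code. Every URL, the tenant ID and
# the sample response are constructed placeholders. XML signature verification,
# which Okta performs with the uploaded IdP Signature Certificate, is omitted.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# What Chemaxon enters in the Okta IdP once the Customer has returned the
# "Azure AD Identifier" (IdP Issuer URI) and configured the forwarded ACS URL
# and Audience URI on the Azure side. Constructed values.
OKTA_IDP_CONFIG = {
    "idp_issuer_uri": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "acs_url": "https://chemaxon-example.okta.com/sso/saml2/0oaEXAMPLEidp",
    "audience_uri": "https://www.okta.com/saml2/service-provider/spEXAMPLE",
    "required_attributes": ("firstName", "lastName"),  # Okta needs both for JIT
}

# Constructed SAML Response of the shape Azure AD issues (Signature element omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://chemaxon-example.okta.com/sso/saml2/0oaEXAMPLEidp">
  <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@customer.example</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://www.okta.com/saml2/service-provider/spEXAMPLE</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>alice@customer.example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # inside the validity window


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(xml_text, config, now):
    """Return the profile Okta would JIT-provision, or raise ValueError
    listing every mismatch between the response and the configured IdP."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    problems = []
    # Both Issuer elements must equal the configured IdP Issuer URI.
    issuers = {n.text.strip() for n in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS))
               if n is not None and n.text}
    if issuers != {config["idp_issuer_uri"]}:
        problems.append("Issuer does not match IdP Issuer URI")
    # Destination must be the ACS URL the Customer entered as Reply URL.
    if root.get("Destination") != config["acs_url"]:
        problems.append("Destination does not match ACS URL")
    # The Audience must contain the Audience URI entered as Identifier (Entity ID).
    audiences = [a.text.strip() for a in assertion.findall(".//saml:Audience", NS) if a.text]
    if config["audience_uri"] not in audiences:
        problems.append("Audience URI not in AudienceRestriction")
    # Validity window: rejects stale or not-yet-valid assertions.
    cond = assertion.find("saml:Conditions", NS)
    window = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if None in window or not (_ts(window[0]) <= now < _ts(window[1])):
        problems.append("assertion outside NotBefore/NotOnOrAfter window")
    # Attributes keyed by their exact Name: this is the "external name" Okta
    # matches, so a namespaced claim does not satisfy a plain "firstName".
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", default="", namespaces=NS) or "").strip()
             for a in assertion.findall(".//saml:Attribute", NS)}
    for name in config["required_attributes"]:
        if not attrs.get(name):
            problems.append(f"required attribute {name!r} missing")
    # IdP Username is idpuser.email, so the NameID must carry an e-mail address.
    name_id = (assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    if "@" not in name_id:
        problems.append("NameID is not an e-mail address")
    if problems:
        raise ValueError("; ".join(problems))
    profile = {"login": name_id, "email": name_id}
    profile.update({name: attrs[name] for name in config["required_attributes"]})
    return profile


def rejection_reason(xml_text, config, now=SAMPLE_NOW):
    """None if Okta would accept the response, otherwise the combined reason."""
    try:
        check_saml_response(xml_text, config, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, OKTA_IDP_CONFIG, SAMPLE_NOW))
    # The same response against an IdP whose Audience URI was mistyped:
    print(rejection_reason(SAMPLE_RESPONSE, dict(OKTA_IDP_CONFIG, audience_uri="https://www.okta.com/saml2/service-provider/spOTHER")))
```

The rejection cases are the ones that show up in practice when a dummy value from the initial IdP setup was never replaced: a stale IdP Issuer URI fails the Issuer check, and an Audience URI or ACS URL that differs from what the Customer pasted into Azure AD fails the Audience or Destination check even though the assertion itself is perfectly valid.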
Chemaxon adds IdP routing rule
This is the final action on Chemaxon's side for configuring the IdP. In order for Okta to offer the Customer's identity provider as a login option, a Routing Rule needs to be configured.
This routing rule states that if the user is trying to access the specific Okta application created above, i.e. the Terminus tenant, then the usable IdPs are "Okta" (self, Chemaxon's Customer Okta) and the Customer IdP created in step 1.
This leads to both Chemaxon's Okta and the Customer's identity provider being available on the login screen.
Routing rule instructions
Note / risk: routing rules are ordered and evaluated top-down, and the first matching rule wins. A broad rule placed above our tenant-specific rules therefore takes precedence and overrides them, and adding such an "early catch-all" rule can break many existing routing rules at once. Conversely, a new rule added below a catch-all rule (for example as the last one) will never be triggered. The general recommendation is to add routing rules for external IdPs at the top of the list.
- Open Chemaxon prod / Customer tenant Okta Admin dashboard
- Select Security → Identity Providers → Routing Rules
- Add Routing Rule
- Rule name: `CXNC_PROD_<TENANT_ID>_IDP`
- User is accessing: Any of the following applications
- Select the `CXNC_PROD_<TENANT_ID>` application
- Use this identity provider:
- Leave Okta (to allow Chemaxon Okta to still be used)
- Add `<client company> Okta`
Configuration is now complete. If the configuration has also been completed on Chemaxon's side (likely), the integration should work. It can be tested by logging in to one of the Chemaxon products in your Chemaxon Cloud tenant.
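The ordering risk described in the note above, as an added example that is not Okta's code: a first-match evaluator over an ordered list of routing rules, plus a small linter that reports rules which can never be selected because an earlier rule already catches every application they cover. Rule and IdP names follow this page's conventions; the application names and the "Everything else" catch-all rule are constructed for the illustration.

```python
# Added example, not Okta's code. Okta evaluates routing rules top-down and
# applies the first rule that matches; this models that and flags rules that
# can never be reached. Rule/IdP names follow this page's conventions; the
# application names and the catch-all rule are constructed placeholders.
ANY_APP = "*"  # models "User is accessing: Any application"


def make_rule(name, apps, idps):
    """apps is ANY_APP or an iterable of application names; idps are the IdPs offered."""
    return {"name": name,
            "apps": ANY_APP if apps == ANY_APP else frozenset(apps),
            "idps": tuple(idps)}


def idps_offered(rules, app):
    """(rule name, IdPs shown on the login screen) for a user opening `app`.
    First match wins; with no match Okta's built-in default rule offers Okta only."""
    for rule in rules:
        if rule["apps"] == ANY_APP or app in rule["apps"]:
            return rule["name"], rule["idps"]
    return "Default Rule", ("Okta",)


def shadowed_rules(rules):
    """Names of rules that can never fire: everything below a catch-all, and any
    rule whose applications are all already covered by earlier rules. Rules that
    are only partially covered are not reported."""
    dead, covered, catch_all_seen = [], set(), False
    for rule in rules:
        if catch_all_seen:
            dead.append(rule["name"])
        elif rule["apps"] == ANY_APP:
            catch_all_seen = True
        elif rule["apps"] <= covered:
            dead.append(rule["name"])
        else:
            covered |= rule["apps"]
    return dead


# The recommended order: tenant-specific external-IdP rules at the top.
GOOD_ORDER = [
    make_rule("CXNC_PROD_T1_IDP", ["CXNC_PROD_T1"], ["Okta", "Customer T1 Okta"]),
    make_rule("CXNC_PROD_T2_IDP", ["CXNC_PROD_T2"], ["Okta", "Customer T2 Azure AD"]),
    make_rule("Everything else", ANY_APP, ["Okta"]),
]
# The failure mode from the note: an early catch-all hides both tenant rules,
# so users of those tenants are only ever offered Chemaxon's Okta.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, idps_offered(rules, "CXNC_PROD_T1"), "dead:", shadowed_rules(rules))
```

Running `shadowed_rules` over the intended rule list before saving it in the Okta Admin dashboard is a cheap way to catch the "rule added below the catch-all" mistake; a non-empty result means at least one tenant will not see its external IdP on the login screen.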
Important notes
- After changing the single sign-on attributes in Azure AD, a new certificate needs to be downloaded and transferred to Okta.
- Okta mapping
- The external name of an attribute is its path (the attribute Name) in the SAML assertion, for example "login.login".
- Required properties for Okta:
- firstName
- lastName
- The flow of user profile attributes is:
- Azure AD > Attributes & Claims: set the claim name and source attribute, and do not set a namespace.
- Okta: create a custom attribute in the IdP profile for the field (with a different external name if the source attribute has a namespace, because the namespace becomes part of the attribute Name in the assertion).
- Okta: set a mapping from that IdP attribute to the Okta user profile value.
- When creating the Identity Provider:
- The Authentication Settings field "IdP Username" is very important: this expression (here `idpuser.email`) selects where Okta looks for the unique ID of the user in the SAML response.