Using this guide, will help you integrate MontyCloud DAY2™ platform with Azure Active Directory.

When you integrate DAY2™ platform with Azure AD, you can:

  1. Control which users have access to MontyCloud DAY2™ through Azure AD

  2. Enable your users to be automatically signed-in to DAY2™ with their Azure AD accounts

  3. You can manage your accounts in one central location - the Azure portal

To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with Azure Active Directory.


Prerequisites

To get started, you will need the following items:

  1. An active Azure AD subscription.
    If you don't have a subscription, you can create a free Azure account here.
    SAML is automatically bundled into your Azure AD subscription as of April 2020.

  2. An active MontyCloud DAY2™ account (paid or trial) with the Full Admin role.
    If you don't have an active account, you can sign-up a free account here.


Before you begin

Configuring Single Sign-On between what is known in SAML terminology as a Identity Provider and a Service Provider requires sharing information in order to authorize both systems to securely talk to each other.   (Your Azure Active Directory is the Identity Provider, and MontyCloud's DAY2 platform is the Service Provider.)


We recommend opening two browser tabs, one for Azure AD, and another for DAY2™, to make this task an easier experience.


We will start the process from the Azure AD portal.


Add the MontyCloud DAY2 app to Azure AD

To configure the integration of DAY2™ into Azure AD, you need to add DAY2™ to your list of managed SaaS apps

  1. Sign in to the Microsoft Azure portal

  2. In the left pane, select the Azure Active Directory service.

  3. Go to Enterprise Applications, and then select All Applications.

  4. To add a new application, select New application.

  5. Select Non-gallery application 

  6. Enter MontyCloud DAY2™ under Name and then click Add.


Wait a few moments while the app is added to your tenant before proceeding.

Configuring and validate Azure AD single sign-on for DAY2

Once the application has been added, we can now add the configuration to the Azure AD application to create the relationship between Azure AD and DAY2™.


The next steps need to be completed in sequence:

  1. Configure Azure AD SSO - to configure the Single Sign-On settings on the identity provider side

  2. Configure DAY2™ SSO - to configure the single sign-on settings on application side (service provider).

  3. Enable SSO in DAY2™

  4. Assign Users to DAY2™ app

  5. Test SSO - to verify whether the configuration works.


Configure Azure AD SSO

Switch over to the MontyCloud DAY2 interface, but do not close your Azure AD browser window/tab.

  1. Login to MontyCloud DAY2 

  2. Select the Admin Menu, then click on Users & Roles 

  3. Click on the Single Sign-On tab

  4. Select the Configure SSO action

  5. Specify a friendly name and description for your SSO configuration, then click Next

  6. Download the DAY2™ SAML metadata file.

    This file is needed in the next step to configure your Azure AD MontyCloud DAY2™ application SAML Configuration.


Now that we have the metadata file:

  1. Switch back to your Azure portal, and on the MontyCloud DAY2 application integration page, find the Manage section and select Single sign-on.

  2. On the Select a Single sign-on method page, select SAML.

  3. On the Set up Single Sign-On with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.


4. On the Basic SAML Configuration section, enter in the URLs and Entity IDs as contained within the downloaded metadata file, or copy and paste from the DAY2 interface directly into the matching fields.


Only the Entity ID, Reply URL and Sign-On URL fields are required.  Other fields, such as Relay State can be left blank.



5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section.

Click Download for the Federation Metadata XML file and save the file to your local computer.


Keep the downloaded XML file for an upcoming step - we will need this to instruct DAY2 how to talk to Azure AD.




6. We will now configure the SAML claims.

These "Claims" are essential to take key pieces of metadata from Azure AD to be sent to DAY2 during the sign-in process, without DAY2 knowing the internals or configuration of your identity directory structure.

Let's start configuring claims by clicking on Edit under User Attributes & Claims, then we will add each required claim.




a) For the name claim, click on the claim “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name” and the update Window will open.

From the drop-down for Source attribute, set it to ‘user.displayname’ (to support users without First name /last name)



b) For the email claim, click on the claim, and the update Window will open. From the drop-down for Source attribute field, set the field to ‘user.userprincipalname’



c) Configure the roleid claim by clicking on "+Add new claim", then enter “roleid” in the name field, and select user.assignedRoles from the Source attribute drop-down selector.




Configure DAY2™ SSO

Now, we will switch back to the DAY2™portal, but please don't close your Azure AD browser tab, we will still need to perform a task there shortly!

  1. You should still have your DAY2 browser window/tab open at Step 2 of the Configure SSO wizard.

  2. Click Next to proceed to the next step.

  3. Upload the Identity Provider (Azure AD) Metadata file by dragging and dropping the metadata file, or click on "click to select files" to open the file browser, locate and select the metadata file.

    Click Save & Continue to progress to the next step.


Companion support article
How to retrieve your Identity Provider metadata


7. To verify that you are the owner of your domain, MontyCloud requires a DNS "TXT" record to be created within your domain's zone records.  We can then independently query this record and complete the ownership verification process.


For each domain that you want to enable SSO, add the domain using the Enter your domain text field and Add Domain button, then proceed to add the DNS TXT entry as displayed on the screen.


Use the Verify action once you have finished adding and propagating the TXT record.


Companion support article
Verifying your domain with DAY2


8. We now need to configure role mapping.  DAY2™ authorization is based on Role Based Access Control, and by integrating the application roles with the DAY2 Azure AD application manifest, we can ensure users logged in via Single Sign-on are mapped to the right RBAC role.


Download the DAY2™ Roles JSON file.



7. Switch back to the Microsoft Azure console, and we can load the JSON file you have just downloaded.  In the Azure Active Directory pane, select App registrations to view a list of all your applications.

8. Select the MontyCloud DAY2 application, then select Manifest.

9. In the Manifest Editor, you will need to add the contents of the DAY2 Roles JSON file after the "appRoles" array.  Under "appRoles" (after the default Azure AD roles), add a comma and append the copied DAY2™ Roles JSON content.

10. Click OK to save the changes.


Companion support article
How to download DAY2 Roles and map to your identity provider

11. Go back to the DAY2 console, select the default role and department for all users.


In lieu of missing roles configuration for a given user attempting to sign-in to DAY2, we provide the option to define the default Role and Scope (DAY2™ departments) for all the federated users.


Click Save & Continue once you are satisfied with your selection.


Integrating DAY2™ Roles to your Azure AD application manifest is the recommended option


12. Review the configuration on the Review page, then click Save to finish the SSO configuration process.


Enable SSO in DAY2™

Once you have completed all the above steps, Single Sign-On Configuration has been completed in both DAY2™ (SP) and the Identity Provider (Azure AD). 


When you are ready to accept Single-Sign On users, you can enable the newly created SSO configuration by clicking on the toggle button under Enabled, then click Enable on the pop window




Assign a User to DAY2™ app

Before you can login via Single Sign-On, you need to assign a user to DAY2 app.

1. Go back to the Azure portal.

2. In the Azure portal, select Enterprise Applications, and then select All applications.

3. In the applications list, select MontyCloud DAY2 app.

4. In the app's overview page, find the Manage section and select Users and groups.



5. Select Add user, then select Users and groups in the Add Assignment dialog



6. On the Users and groups tab, select your test user from the user list, and click Select. Then, click Assign.



7. Now you have users and groups assigned to the relevant Roles for DAY2™ application access



Test SSO

After the preceding configurations are completed, test the SSO configuration by following these steps:

  1. In the Azure portal, go to the MontyCloud DAY2 page, select Single sign-on, and click Test.


Once the test is successful, you should now be able to use Single Sign-On for your Azure AD users to gain access to the DAY2™ platform.



Congratulations!!!  You are all set with Single Sign-On access to MontyCloud DAY2™ platform.