Note! This set-up guide is for customers that are using a custom domain name to log into Cloudmore.
Cloudmore supports single sign-on (SSO) via SAML.
SSO will enable you to manage your users and their level of access to Cloudmore in one central location. Advanced password rules or multifactor authentication (MFA) will be required.
This guide will help you to set up SSO with Microsoft Azure Active Directory (Azure AD).
To get started, you need the following items:
- An Azure AD subscription
- An account in Azure that allows you to create Azure Enterprise Applications
Cloud Service Brokers are required to set up their Azure Enterprise application in their Azure AD. Each Azure Enterprise application requires the completion of a manual step so that the Azure AD Federation Metadata can be sent to Cloudmore.
An Azure user account needs to have a corresponding account in Cloudmore to be able to use SSO. Access levels and permissions are all handled in Cloudmore.
The Cloudmore user account must also have a username that matches the mail claim sent in the SAML assertion. You can either use the Azure AD user's user.mail property or configure another attribute to be sent as the mail claim, as long as the value is formatted as an email address and matches the user's username in Cloudmore.
If you want to prevent your users from logging into Cloudmore directly, please create long, complex passwords that you don’t share with your users.
Setting Up an Azure Enterprise Application
Before you begin, you need to get a SAML Metadata XML file from Cloudmore. You can get the SAML Metadata XML file by emailing: firstname.lastname@example.org.
1. Sign into the Azure portal (https://portal.azure.com).
2. On the left navigation pane, select Azure Active Directory.
3. Navigate to Enterprise Applications.
4. Click the New application button at the top.
5. Select the Non-gallery application option under Add your own app.
6. Enter a name for the Enterprise application, for instance 'Cloudmore', and click the Add button at the bottom.
7. Wait for the success message that tells you that your Enterprise application has been created.
8. Click the Users and groups option under Manage from the navigation pane.
9. Here you add the users who should have access to this Enterprise application and be able to use single sign-on. Add at least one user for testing by clicking the Add user button at the top.
10. Click on the Users and groups option to select users.
11. Use the search tab to find the user you are looking for and add them by clicking on them. They will now show up under Selected members.
12. Click on the Select button at the bottom when you have finished selecting members.
13. Click on the Assign button at the bottom to assign the selected users to the Enterprise application.
14. Click the Single sign-on option under Manage from the navigation panel.
15. Click the SAML option.
16. Click Upload metadata file.
17. Select the Cloudmore Metadata XML file that you received from email@example.com and click on the Add button.
18. As this is a branded URL, you need to change some properties to reflect this. In the Basic SAML Configuration, edit both the Identifier (Entity ID) field and the Reply URL (Assertion Consumer Service URL) field, replacing the text “cloudmore.com” with your branded domain. Keep everything else as it is.
19. In the Basic SAML Configuration click on Save at the top.
20. Click on the X in the top right corner to close the Basic SAML Configuration.
21. If you get a message to Test single sign-on, click on No, I’ll test later as we have a few steps left.
22. Scroll down to section 2 (called User Attributes & Claims) and click on the pen.
23. Click the Add new claim button at the top.
24. In the Name field enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail and select user.mail from the Source attribute dropdown.
If your users are not using Microsoft O365 Exchange, you can map the claim to user.userprincipalname instead by selecting it from the Source attribute dropdown. This maps the claim to the user's username (UPN).
25. Click the Save button at the bottom.
26. Click the X in the top right corner to close User Attributes & Claims. Click No, I’ll test later again.
27. Scroll down to section 4 called 'Set up Cloudmore' (if you selected another name for your Enterprise application in Step 6 it will say that instead) and click the copy button next to the Azure AD Identifier. We need to copy this value to Cloudmore.
28. Now use a separate tab to log into Cloudmore.
29. Navigate to the Cloud Service Broker or organization that should be enabled for SSO and go to the Security center.
30. Scroll down to the SSO section and click the checkbox called Enable saml sso.
31. In the Identity Provider entityID field, enter the Azure AD Identifier value you copied from the Azure portal.
32. Click on the Update button to save your changes.
33. Go back to the Azure portal tab.
34. In section 3, called SAML Signing Certificate, click Download next to Federation Metadata XML.
35. Your federation metadata XML will start to download. This file needs to be sent to firstname.lastname@example.org to get you set up in Cloudmore.
36. Once we have confirmed that your Federation Metadata XML has been set up you can proceed to testing.
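The steps above hinge on two values lining up: the Azure AD Identifier you entered in Cloudmore must equal the Issuer of the SAML assertions Azure AD sends, and the mail claim (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail) must be an email-formatted value that matches the user's Cloudmore username. The following script is an added example, not Cloudmore's code or part of this guide; it parses a constructed sample assertion (signature omitted, placeholder tenant ID of all zeros) and reports exactly which of those conditions fails, which is useful when a test login is rejected. It assumes usernames are compared case-insensitively, which this guide does not state.

```python
"""Check an Azure AD SAML assertion against the Cloudmore SSO requirements.

Added example: verifies (1) the assertion Issuer equals the Azure AD Identifier
entered in Cloudmore, (2) a mail claim is present and email-formatted, and
(3) the mail claim matches a Cloudmore username. All inputs are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Iterable, Optional, Tuple

MAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed: the value copied from "Azure AD Identifier" (placeholder tenant ID).
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

# Constructed: Cloudmore usernames, which must be email addresses.
CLOUDMORE_USERS = {"alice@example.com", "bob@example.com"}

# Constructed sample assertion, trimmed to the elements relevant here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail">
      <saml:AttributeValue>Alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed: same assertion but the mail claim was never configured (step 24 skipped).
SAMPLE_ASSERTION_NO_MAIL = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_2" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>bob@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement/>
</saml:Assertion>"""


def extract_claim(assertion_xml: str, claim_name: str) -> Optional[str]:
    """Return the first AttributeValue for the named claim, or None if absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == claim_name:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return value.text.strip()
    return None


def extract_issuer(assertion_xml: str) -> Optional[str]:
    """Return the assertion Issuer (the Azure AD Identifier) or None."""
    issuer = ET.fromstring(assertion_xml).find("saml:Issuer", NS)
    return issuer.text.strip() if issuer is not None and issuer.text else None


def check_assertion(assertion_xml: str, users: Iterable[str],
                    expected_issuer: str) -> Tuple[bool, str, Optional[str]]:
    """Return (ok, reason, matched_username) for one assertion.

    Each failure reason corresponds to a setup step in the guide, so the
    message points at what to re-check in the Azure portal or Cloudmore.
    """
    issuer = extract_issuer(assertion_xml)
    if issuer != expected_issuer:
        return False, f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r}", None

    mail = extract_claim(assertion_xml, MAIL_CLAIM)
    if mail is None:
        return False, "mail claim missing: add the claim under User Attributes & Claims", None
    if not EMAIL_RE.match(mail):
        return False, f"mail claim {mail!r} is not formatted as an email address", None

    # Assumption: Cloudmore usernames are matched case-insensitively.
    known = {u.lower() for u in users}
    if mail.lower() not in known:
        return False, f"no Cloudmore user with username {mail!r}", None
    return True, "ok", mail.lower()


if __name__ == "__main__":
    for label, xml in (("with mail claim", SAMPLE_ASSERTION),
                       ("without mail claim", SAMPLE_ASSERTION_NO_MAIL)):
        ok, reason, user = check_assertion(xml, CLOUDMORE_USERS, EXPECTED_ISSUER)
        print(f"{label}: ok={ok} user={user} reason={reason}")
```

Run it against the two constructed samples: the first passes and resolves to alice@example.com, the second fails with a message pointing back at the User Attributes & Claims step. A wrong Azure AD Identifier in Cloudmore shows up as an issuer mismatch before the claim is even looked at.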
Now everything should be set up and working. You have several options to test your SSO setup. You can navigate back to the Azure portal and click on the test button at the bottom.
Or, you can go to the Cloudmore login page and click on the Log in via your home company and enter your username.
Microsoft has a browser extension which allows you to quickly sign into Enterprise applications. Useful links and information on Microsoft’s browser add-ons can be found here.