SAML Setup with Microsoft Entra

Introduction

If you would like to use a Microsoft Entra (formerly known as Microsoft Azure AD) Enterprise Application for Single Sign On with PerformYard, please contact your Customer Success Manager to ensure the capability is enabled for your organization. Once that is done, follow these instructions. Note that user email addresses in Azure must match the email address in the corresponding PerformYard account. Before getting started, we recommend opening PerformYard in one tab of your browser and Microsoft Entra Admin Center in another.

Starting in PerformYard

Step 1: Sign into PerformYard and navigate to the Administration page.

Step 2: Navigate to Authentication and select SAML Settings.

Step 3: Click Add SAML Object. You should now see a pop-up on your screen with PerformYard URLs and an empty form. We’ll be using the URLs (PerformYard Entity ID, PerformYard Single Sign On URL, and PerformYard Single Logout URL) and filling out the form in the following steps.

In Microsoft Entra

Step 4: Sign into the Microsoft Entra Admin Center.

Step 5: On the left-hand side of the Microsoft Entra Admin Center homepage, under Identity, click the Applications dropdown and then select Enterprise Applications.

Step 6: At the top of the Enterprise Applications page, click + New Application.

Step 7: At the top of the Browse Microsoft Entra Gallery page, click + Create your own application.

Step 8: Input a name for your application, make sure “Integrate any other application you don’t find in the gallery (Non-gallery)” is selected, and then click Create.

Step 9: On the next screen, under Manage, click Single sign-on and then SAML.

Step 10: In the Attributes & Claims section, click Edit.

Step 11: Under Required Claim, click the row for Unique User Identifier (Name ID).

Step 12: Change the Source Attribute to user.mail then click Save.

In PerformYard & Microsoft Entra 

Step 13: In Microsoft Entra, in the Basic SAML Configuration section, click Edit.

Step 14: Navigate back to PerformYard and copy PerformYard Entity ID. Then, in Microsoft Entra, under Identifier (Entity ID), click Add identifier and then paste in the PerformYard Entity ID.

Step 15: Navigate back to PerformYard and copy PerformYard Single Sign On URL. Then, in Microsoft Entra, under Reply URL (Assertion Consumer Service URL), click Add reply URL and then paste in the PerformYard Single Sign On URL.

Step 16: In Microsoft Entra, once both steps 11 and 12 are completed, click Save. You can leave the optional fields in this pop-up empty.

Step 17: In Microsoft Entra, in the SAML Certificates section, click Download next to Certificate (Base64). Open the downloaded file on your computer and copy the text of the certificate.

Step 18: In PerformYard, paste the copied certificate text in step 14 inside the x509cert field. Ensure that you copy the entire certificate, including the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines.

Step 19: In Microsoft Entra, in the Set up name of your application section, copy the Microsoft Entra Identifier. Then, back in PerformYard, paste the Microsoft Entra Identifier into the Entity ID field.

Step 20: In Microsoft Entra, in the Set up name of your application section, copy the Logout URL. Then, back in PerformYard, paste the Logout URL into the Single Logout URL field.

Step 21: In Microsoft Entra, under Manage, click Properties and locate the User access URL and copy it. Then, in PerformYard, paste the User access URL into the Single Sign On URL field.

Step 22: In Microsoft Entra, verify that the employees who need to access PerformYard are given the appropriate permissions to use the single sign on capability. In the same Properties section, you may choose to set “Assignment required?” to No, which lets all users in your tenant sign in to the application without being individually assigned. Alternatively, select the Users and groups section in the Manage menu to assign access to PerformYard using SAML to specific users and groups.

In PerformYard

Step 23: In PerformYard, add an appropriate Label that describes your SAML provider. This label will appear on your login pages as “Sign in with Label.” For example, if your label is Microsoft Entra, then your button on the PerformYard login page will say “Sign in with Microsoft Entra.”

Step 24: In PerformYard, once you have completed the Label, Entity ID, Single Sign On URL, Single Logout URL and x509cert, click Add SAML Object. A custom attribute is not required.

Step 25: In PerformYard, enable the SAML object you just created by toggling the slider to on. This will allow the Entra Application to be used by your staff.
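
A check for Steps 17 and 18, added here as an example and not part of PerformYard's or Microsoft's tooling: it confirms that the text destined for the x509cert field is exactly one complete certificate and returns its SHA-1 thumbprint for comparison with the Thumbprint shown in the SAML Certificates section. The function names and the sample input are constructed for illustration, and it assumes the portal's Thumbprint is the SHA-1 hash of the DER-encoded certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def check_pasted_cert(text):
    """Return the SHA-1 thumbprint (upper-case hex); raise ValueError if incomplete."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected one BEGIN/END block, found {len(blocks)}")
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"certificate body is not valid Base64: {exc}") from None
    # A certificate is one DER SEQUENCE: tag 0x30, a length field, then content.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    if der[1] < 0x80:  # short form: the length fits in this one byte
        header, length = 2, der[1]
    else:  # long form: the next n bytes hold the length
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError(
            f"DER declares {header + length} bytes but {len(der)} were pasted; "
            "lines are missing or extra text was included")
    return hashlib.sha1(der).hexdigest().upper()


def matches_entra_thumbprint(text, shown):
    """Compare with the thumbprint copied from the portal, ignoring case and separators."""
    shown_hex = re.sub(r"[^0-9A-Fa-f]", "", shown).upper()
    return check_pasted_cert(text) == shown_hex


# Constructed sample: DER-framed filler bytes, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x02\xbc" + bytes(i % 251 for i in range(700))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("SHA-1 thumbprint:", check_pasted_cert(SAMPLE_PEM))
```

A paste that lost a whole line still decodes as Base64, so the DER length comparison is what catches it.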