
SAML SSO with Microsoft Azure AD (Office 365)

Please Note: TASS Support cannot set this up for you. Your IT environment requirements are separate from TASS Product Support. These guides are designed to assist your qualified IT team or consultants with these setups.

This guide is intended for IT administrators who want to configure SAML SSO with TASS using Microsoft Azure AD (Office 365).

Please Note: SAML needs to be configured individually for each product or portal in each company. For example, if you want to enable SAML SSO for both TASS.web and Staff Kiosk, you would need to follow these steps for each of those so that they are registered independently with your identity provider. 

Requirements

  • Azure AD P1 or P2 licensing for your school (this is required so you can create a custom application).

  • An account with admin rights to Azure AD.

Setup Instructions

  1. Go to the Azure AD Portal (https://portal.azure.com/) and sign in with your Azure AD admin credentials. 

  2. Click on 'Azure Active Directory' (you may need to search the list of services if it is not visible), then under Manage, click on 'Enterprise Applications'.

  3. Click 'New Application', then click 'Create Your Own Application'.

  4. In the 'Create Your Own Application' blade:

    1. Enter a name of your choice. This will be shown to users if they browse to the App Gallery, so make sure the name is friendly.

    2. Select 'Integrate any other application you don't find in the gallery'.

    3. Click 'Create'.

  5. In your newly created application, under Manage, click 'Single Sign-On'.

  6. Click 'SAML'.

  7. In Section 1: Enter your 'Identifier (Entity ID)' and 'Reply URL (Assertion Consumer Service URL)'.
    These can be found in program System Admin > Users > LDAP/SAML Maintenance > SAML tab in each portal product. Copy the 'SP Entity ID' and 'SP Endpoint ID' entries from TASS into the corresponding Azure fields.

        SP Entity ID  →  Identifier (Entity ID)
        SP Endpoint ID → Reply URL (Assertion Consumer Service URL)

  8. In Section 2: User Attributes & Claims, click 'Edit'. Set the Unique User Identifier (Name ID) to the attribute you want to use as the LDAP/SAML Username in TASS. Whatever you choose here must match, character for character, the value stored against each user's mapping in TASS.

    Are you currently using LDAP with Active Directory On-Premises?

    If you are using Azure AD Connect to synchronise your on-premises Active Directory with Azure AD, and you wish to preserve your existing user mappings, which are usually the Pre-Windows 2000 Usernames (also known as SAM Account Names), select user.onpremisessamaccountname. 

    Have you set up your mappings yet?

    If you are unfamiliar with mappings or how to set these up, please review the LDAP/SAML Maintenance article before proceeding further. 

  9. In Section 3: SAML Signing Certificate, create a certificate for this registration. Set the notification email address to a mailbox that is actively monitored, so that the expiry notice is seen and the certificate can be rolled over (and re-fetched into TASS) before it expires; once it lapses, every SSO login to that product fails. 

    It is possible to inadvertently create multiple certificates. TASS only requires one, so it is best to delete any additional certificates. 

  10. In Section 3: SAML Signing Certificate, copy the App Federation Metadata URL to your clipboard, as you will need it in a following step. 

  11. Keep your Azure AD session open, but in another browser window or tab, log in to TASS.web.

  12. Switch into the relevant company (if you haven't already), then go to TASS.web program System Admin > Users > LDAP/SAML Maintenance.

  13. Next to the product you are configuring, click 'View'. 

  14. Click on the 'SAML' tab, then click 'Edit SAML'. 

  15. Click Refresh to ensure the SP Metadata URL is correct. 

  16. Paste the App Federation Metadata URL that you copied to your clipboard into the IDP Metadata XML field.

  17. Click on 'Fetch IDP Metadata XML'. You'll be prompted to accept some updates on other fields, which you should click 'OK' to accept.

  18. Click on 'Save'.

  19. Click on 'Download SP Metadata XML'. Save this as you'll need it in a following step. 

  20. Go back to Azure AD.

  21. Click on 'Upload Metadata File', select the SP Metadata XML file you downloaded from TASS in a prior step, then click 'Add'.

  22. Click 'Save' to accept the changes that the SP Metadata XML file will make to your configuration.

    What to do if the Reply URL is missing

    If the Reply URL is missing, this usually indicates an issue with the configuration of the product/portal URL. To investigate and resolve:

    1. Go to TASS.web > System Admin > Utilities > Product Activation Maintenance
    2. Confirm that the URL for each product/portal has a trailing forward-slash character. For example: https://tass.school.edu.au/kiosk/ 
      If this is missing, edit the URL and add it in.
    3. Return to Step 11 in this guide and proceed from there (the SP metadata will need to be regenerated and downloaded). 

  23. Configure user access to the TASS product or portal from Azure AD. You have two options. Note that access granted here only determines which users Azure AD will attempt to authenticate and hand over; TASS makes the final determination about whether the user can log in, and what they have access to.

    1. Under Manage, click on 'Properties', then set User Assignment Required to 'No'.
      or

    2. Under Manage, click on 'Users and Groups', and add the users or groups that will need access. We suggest adding an 'all staff' group for TASS.web, Staff Kiosk, or webBook; or an 'all students' group for Student Café. You will also need to add the TASS support account to ensure that the root user can log in. 

  24. Go back to TASS.web.

  25. Click 'Edit SAML'.

  26. Set Enabled to 'Yes', then click 'Save'.

  27. Open a private browsing session to test that your SAML SSO works as expected. If it does not, your existing session will be preserved, and you can reconfigure or disable as required. 
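Before uploading the SP metadata to Azure AD (Step 21) or trusting the federation metadata fetched into TASS (Step 17), it is worth checking both files for the two problems this guide calls out: a missing Reply URL (the HTTP-POST AssertionConsumerService) and more than one signing certificate. The script below is an added example written for this page, not TASS or Microsoft code. The two metadata documents, the host name, the tenant ID and the certificate bytes in it are constructed placeholders, and the ACS path beneath the product URL is an assumption; run the functions against the real files you downloaded instead.

```python
"""Pre-flight checks on SAML metadata exchanged between TASS and Azure AD.

Added example, not TASS or Microsoft code. All metadata below is constructed;
host names, tenant ID and certificate bodies are placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata in standard SAML 2.0 shape; the ACS path is an assumption.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://tass.example.edu/kiosk/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tass.example.edu/kiosk/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Azure AD federation metadata with TWO signing certificates, the
# situation the guide says to clean up. Certificate bodies are placeholder bytes.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>cGxhY2Vob2xkZXItY2VydC1kZXI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>c2Vjb25kLWNlcnQ=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_sp_metadata(xml_text):
    """Return (entity_id, acs_url, issues) for the SP metadata TASS produced."""
    root = ET.fromstring(xml_text)
    issues = []
    entity_id = root.get("entityID")
    if not entity_id:
        issues.append("missing entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        issues.append("no SPSSODescriptor: this is not SP metadata")
        return entity_id, None, issues
    # Azure AD takes its Reply URL from the HTTP-POST ACS in the uploaded file.
    acs = [a for a in sp.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == POST_BINDING]
    if not acs:
        issues.append("no HTTP-POST AssertionConsumerService, so the upload gives Azure AD no Reply URL")
        return entity_id, None, issues
    acs_url = acs[0].get("Location") or ""
    parsed = urlparse(acs_url)
    if parsed.scheme != "https" or not parsed.netloc:
        issues.append(f"ACS URL is not an https URL with a host: {acs_url!r}")
    return entity_id, acs_url, issues


def check_idp_metadata(xml_text):
    """Return (entity_id, sso_url, cert_fingerprints, issues) for Azure AD metadata."""
    root = ET.fromstring(xml_text)
    issues = []
    entity_id = root.get("entityID") or ""
    # Azure AD SAML issuers are https://sts.windows.net/<tenant-id>/
    if not entity_id.startswith("https://sts.windows.net/"):
        issues.append(f"unexpected issuer for Azure AD: {entity_id!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        issues.append("no IDPSSODescriptor: this is not IdP metadata")
        return entity_id, None, [], issues
    sso_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT_BINDING:
            sso_url = sso.get("Location")
    if sso_url is None:
        issues.append("no HTTP-Redirect SingleSignOnService")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys do not verify assertions
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        issues.append("no signing certificate: TASS could not verify assertions")
    elif len(fingerprints) > 1:
        issues.append(f"{len(fingerprints)} signing certificates published; TASS needs one")
    return entity_id, sso_url, fingerprints, issues


if __name__ == "__main__":
    print(check_sp_metadata(SP_METADATA))
    print(check_idp_metadata(IDP_METADATA))
```

Run `check_sp_metadata` on the file from 'Download SP Metadata XML' and `check_idp_metadata` on the body of the App Federation Metadata URL. The SHA-256 fingerprints it prints are a convenient way to confirm that the certificate TASS stored after 'Fetch IDP Metadata XML' is the one you left active in Azure AD.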

TASS Support Access

Once SAML is enabled, TASS requires an account to use to provide remote support and services. This account should be:

  • Enabled for use with your identity provider. Ensure it is synchronised to Azure AD; if you use Azure AD Connect to synchronise Windows Server Active Directory into Azure, check that the account previously used for support has a UPN suffix that matches a domain registered with Azure, as a mismatch can prevent it from synchronising.

  • Mapped to the TASS applications registered with your identity provider (see Step 23). 

  • Mapped to the TASS.web root user (see LDAP/SAML Maintenance for guidance on configuring mappings, and ensure that the identifier format matches the Unique User Identifier chosen in Step 8).  

  • Its details stored with TASS so they can be used for support and services as required. 

If MFA is enforced for this account, it can only use the TOTP method (a time-based one-time code). Other methods, such as mobile app push approvals and SMS messages, are not supported. 
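The mapping format pitfall above (a Name ID that does not match what TASS holds as the LDAP/SAML Username) is easiest to diagnose by looking at what Azure AD actually sends. The following is an added example, not TASS or Microsoft code: it pulls the NameID and the UPN claim out of a constructed, unsigned SAML Response and checks the identifier style against the mapping style chosen in Step 8, plus the UPN suffix against your verified tenant domains. The response, user names and domains are placeholders. In a real deployment the Response must be signature-verified before any of it is trusted; this only inspects the identifier.

```python
"""Inspect the identifier an IdP sent and compare it with the TASS mapping style.

Added example, not TASS or Microsoft code. The SAML Response is a constructed,
unsigned fragment; names, domains and claim values are placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Claim Azure AD uses by default for the user principal name.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed response: Unique User Identifier set to user.onpremisessamaccountname.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>jsmith@school.example.edu</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_saml_response(form_value):
    """The SAMLResponse form field posted to the ACS is base64 of the XML."""
    return base64.b64decode(form_value).decode("utf-8")


def extract_identity(response_xml):
    """Return (name_id, name_id_format, attributes) from a decoded Response."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    if name_id is None:
        return None, None, attrs
    return name_id.text, name_id.get("Format"), attrs


def identifier_style(value):
    """Classify an identifier: 'sam' (pre-Windows 2000 name), 'domain\\sam', 'upn'."""
    if not value:
        return "unknown"
    if "\\" in value:
        return "domain\\sam"
    if "@" in value:
        return "upn"
    return "sam"


def mapping_problems(value, expected_style, verified_domains=()):
    """List why this identifier would not match the mappings TASS holds."""
    problems = []
    style = identifier_style(value)
    if style != expected_style:
        problems.append(f"IdP sent a {style} identifier but TASS mappings use {expected_style}")
    if style == "upn" and verified_domains:
        suffix = value.rsplit("@", 1)[1].lower()
        if suffix not in {d.lower() for d in verified_domains}:
            problems.append(f"UPN suffix {suffix!r} is not a domain verified in the tenant")
    return problems


if __name__ == "__main__":
    nid, fmt, attrs = extract_identity(SAMPLE_RESPONSE)
    print(nid, fmt, attrs.get(UPN_CLAIM))
    print(mapping_problems(nid, "sam"))
    print(mapping_problems(attrs[UPN_CLAIM][0], "upn", ["school.example.edu"]))
```

Capture the SAMLResponse value from the browser's network tools during a failed login in the private session from Step 27, pass it through `decode_saml_response`, and compare the printed NameID with the LDAP/SAML Username stored for that user in TASS; an empty problem list means the two sides agree on format, which is the usual cause of an authenticated user still being refused by TASS.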
