SSO with Azure AD using SAML

Overview

This guide provides step-by-step instructions for configuring SAML 2.0 Single Sign-On (SSO) between Microsoft Azure Active Directory and Bambuser Virtual Commerce. This integration allows your organization to manage user authentication through your existing Azure AD infrastructure.

Recommendation

For a more seamless experience with automated user provisioning, we recommend using our native Microsoft Azure AD OIDC integration.

Prerequisites

• Administrative access to Microsoft Azure AD
• A verified domain for user email addresses
• Manage Users permission in Bambuser dashboard

Step 1: Register a New Application in Azure

1. Sign in to the Azure Portal
2. Navigate to Azure Active Directory > Enterprise applications
3. Click New application
4. Select Create your own application
5. Enter a name (e.g., "Bambuser SAML") and select Integrate any other application you don't find in the gallery (Non-gallery)
6. Click Create

Step 2: Configure Single Sign-On

1. In your new application, go to Manage > Single sign-on
2. Select SAML as the single sign-on method

Step 3: Configure Basic SAML Settings

1. In the Basic SAML Configuration section, click Edit
2. Enter the following values:
   • Identifier (Entity ID): bambuser_saml_service_provider
   • Reply URL (Assertion Consumer Service URL):
     • US: https://svc-prod-us.liveshopping.bambuser.com/functions/auth/sso/saml/callback
     • EU: https://svc-prod-eu.liveshopping.bambuser.com/functions/auth/sso/saml/callback
3. Click Save

Step 4: Configure Claims

1. In the Attributes & Claims section, click Edit
2. Make sure you have the following claims:

   Claim name	Type	Value	Require?
   email	SAML	user.mail	Yes
   firstName	SAML	user.givenName	Optional
   lastName	SAML	user.surname	Optional
   nameID	SAML	user.userPrincipalName	Optional
   groups	SAML	user.groups	Optional

3. Click Save

Step 5: Configure User Assignment

1. In the application's Properties section, set User assignment required? to Yes
2. Go to Users and groups to assign users or groups to the application

Step 5: Share Configuration with Bambuser

Contact your Bambuser representative and provide the following information:

Required Information

• Domain: Your organization's email domain (e.g., yourcompany.com)
• SAML Certificate: Download the Base64 certificate from the **SAML Certificates ** section
• Login URL: Found in the Set up [Application Name] section
• Azure AD Identifier: Found in the Set up [Application Name] section
• Logout URL: (Optional) If you want to enable single sign-out

Metadata XML file

Alternatively, you can share the federation metadata XML file from the **SAML Certificates ** section. This file will include all information needed to configure SAML SSO.

Step 6: Configure User Access

Option A: Manual User Management (Default)

Manage users/roles manually in the Bambuser dashboard.

For each new user:

• Add them to your Azure AD
• Manually create their account in the Bambuser dashboard
• Assign appropriate roles and permissions on the Bambuser dashboard

Option B: Group-based Management (Recommended)

Manage users/roles through groups in Azure AD:

1. In Azure AD, create groups for different permission levels (e.g., bambuser-owner, bambuser-moderator)
2. Share the group names with your Bambuser representative
3. Bambuser team will map these groups to existing roles in Bambuser ecosystem

Step 6: Test and Verify Your Integration

Once the SAML configuration is completed by Bambuser on your workspace, test the integration:

1. Test authentication flow

   • Navigate to Bambuser dashboard
   • Enter a test user's email
   • Verify redirection to Azure AD login
   • Complete authentication
   • Confirm successful login to Bambuser

2. Verify user attributes

   • Check that user details (name, email) are correctly passed
   • Verify role assignments

Test on Staging

If you have a separate Bambuser workspace for testing, you can ask us to set up a separate SAML integration for testing.

• Use a test domain (e.g., test.yourcompany.com) to avoid impacting production users
• Create test users in Azure AD

Support

For assistance, contact:

• Your dedicated Bambuser representative
• Or our support team at support@bambuser.com (Subject: "Azure SAML Integration")

Optional: Automated User Provisioning (SCIM)

For organizations requiring automated user provisioning and deprovisioning, you can implement a custom SCIM (System for Cross-domain Identity Management) integration using our public API. This allows for:

• Automatic user creation when added to your Azure AD
• Role and permission synchronization
• Immediate access revocation when users are deprovisioned

To implement SCIM integration:

1. Review our API documentation for user management endpoints
2. Develop a SCIM service that interfaces with Azure AD
3. Contact support to enable the necessary API access

note

SCIM implementation requires development resources and is recommended for organizations with significant user management needs.