Configure SAML2 with Azure AD

Steps required for enabling SAML2 sign on for PlaceOS on Azure AD

Last updated 3 years ago

This page will help you if you are using Azure Active Directory for SSO. You will need to configure a new or existing "App Registration" to be the SAML2 identity provider for PlaceOS.

Step 1 - New or Existing App Registration

  1. Log in to portal.azure.com and browse to Azure AD > App Registrations.

  2. Locate the existing app created for o365 Graph API access. If there isn't one yet, create a new app registration now. You can use this app for both SSO and o365 Graph API access.

    • To create a new app registration:

      • Name it and select the appropriate "Supported account types" (typically "Single tenant").

      • Paste the PlaceOS Assertion URL (generated in Step 1 of Configuring PlaceOS for SAML2) into the Reply URL field. Leave the type as "Web". Click Register to finish.

    • To configure an existing app registration:

      • Navigate to Overview -> Redirect URIs.

      • Paste the PlaceOS Assertion URL (generated in Step 1 of Configuring PlaceOS for SAML2) into the Redirect URI field. Leave the type as "Web". Click Save to finish.

  3. Confirm that you have access to the SAML2 Federation Metadata URL for your Azure tenant. You will need data from this XML file later in Step 3, or if you configure advanced custom claims. The file URL is generally in the format: https://login.microsoftonline.com/<Tenant_ID_or_Domain_Name>/FederationMetadata/2007-06/FederationMetadata.xml

Step 2 - Edit the App Manifest

In the app Manifest, you need to edit groupMembershipClaims and optionalClaims.

  1. Select the app from Step 1 from the list of App Registrations. Then select Manifest (near the bottom) from the menu on the left.

  2. In the editor, set groupMembershipClaims to either “All” or “SecurityGroup”. The documentation for this setting may help you decide which is most suitable for your organization. If unsure, select All. For each option the groups claim will contain:

    • “SecurityGroup” - identifiers of all security groups of which the user is a member

    • “All” - identifiers of all security groups and all distribution lists of which the user is a member

  3. Set the value of optionalClaims to include first name, last name, UPN, and email in the saml2Token. The fragment below shows the relevant part of the manifest:

```json
  "optionalClaims": {
      "idToken": [],
      "accessToken": [],
      "saml2Token": [
          {
              "name": "email",
              "essential": true
          },
          {
              "name": "upn",
              "essential": true
          },
          {
              "name": "family_name",
              "essential": true
          },
          {
              "name": "given_name",
              "essential": true
          }
      ]
  },
```

  4. Click Save.

Step 3 - Collect data required by Backoffice

The App Registration is now configured for PlaceOS. You now need to enter two pieces of information into Backoffice (Step 3 of Configuring PlaceOS for SAML2):

Issuer

You will need the "Application (client) ID" found on the Overview page of your App Registration. Adding spn: to the front gives the "Issuer", e.g. spn:00000000-0000-0000-0000-000000000000, where the 0 digits stand for the "Application (client) ID" from Azure AD. Paste this value into the Issuer field of the SAML2 authentication object you created in PlaceOS.

IDP Target URL

Also known as the SAML2 sign-on endpoint. This is the URL that PlaceOS redirects users to so they can log in with your SAML2 identity provider. For Azure AD, the URL is: https://login.microsoftonline.com/<TENANT-ID>/saml2. The "Directory (tenant) ID" is in the Overview tab of your Azure App Registration. Paste this into the IDP Target URL field of the SAML2 authentication object you created in PlaceOS.
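As an added cross-check (example code, not PlaceOS or Microsoft code), the script below derives the Issuer and IDP Target URL from an Application (client) ID and Directory (tenant) ID, parses a trimmed, constructed copy of the tenant's FederationMetadata.xml, and confirms that the HTTP-Redirect sign-on endpoint the tenant publishes is the URL you are about to paste into Backoffice. It also records the SHA-256 fingerprint of the IdP signing certificate so the value can be compared later; the tenant ID, client ID and certificate bytes are placeholders, not real values.

```python
# Added example: derive the Backoffice SAML2 values and check them against the tenant's federation metadata.
import base64, hashlib, re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed tenant/app IDs and a placeholder "certificate" (arbitrary bytes, not a real DER certificate).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

# Constructed, trimmed FederationMetadata.xml containing only the SAML2 IdP role.
METADATA_XML = f"""<EntityDescriptor xmlns="{MD[1:-1]}" entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS[1:-1]}"><X509Data>
      <X509Certificate>{FAKE_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_federation_metadata(xml_text: str) -> dict:
    """Return entityID, the HTTP-Redirect sign-on URL and SHA-256 fingerprints of the signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{MD}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no SAML2 IDPSSODescriptor")
    sso = [s.get("Location") for s in idp.findall(f"{MD}SingleSignOnService") if s.get("Binding") == REDIRECT]
    if len(sso) != 1:
        raise ValueError("expected exactly one HTTP-Redirect SingleSignOnService")
    prints = []
    for kd in idp.findall(f"{MD}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # a KeyDescriptor without 'use' serves both roles
            for cert in kd.iter(f"{DS}X509Certificate"):
                der = base64.b64decode("".join(cert.text.split()))
                prints.append(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"), "sso_redirect_url": sso[0], "signing_fingerprints": prints}

def backoffice_values(client_id: str, tenant_id: str) -> dict:
    """Issuer and IDP Target URL exactly as Step 3 derives them from the App Registration."""
    for v in (client_id, tenant_id):
        if not GUID.match(v):
            raise ValueError(f"not a GUID: {v}")
    return {"issuer": f"spn:{client_id}", "idp_target_url": f"https://login.microsoftonline.com/{tenant_id}/saml2"}

def metadata_matches(client_id: str, tenant_id: str, xml_text: str) -> bool:  # published sign-on URL == Backoffice value
    return parse_federation_metadata(xml_text)["sso_redirect_url"] == backoffice_values(client_id, tenant_id)["idp_target_url"]
```

Against a live tenant, replace METADATA_XML with the body fetched from the Federation Metadata URL in Step 1 and compare the recorded fingerprint with the certificate PlaceOS is configured to trust.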
