Deployment in an Organization


Configuring SAML With Entra ID

If your organization uses Microsoft Entra ID, follow this detailed procedure to set up the SAML protocol. This process has four parts:

A. Preparing the Client Portal

B. Preparing Entra ID

C. Configuring SAML With Entra ID

D. Configuring SAML in the Client Portal

If you have an Antidote Pro subscription, you can configure authentication for the installation of Antidote 12 with the Deployment Manager on Windows:

E. Configuring Authentication for Antidote 12


A. Preparing the Organization Client Portal

  1. Go to the Settings tab in the Organization Client Portal.

  2. Make sure all domain names needed for SAML authentication have been added and verified. If you need to add one, see the instructions provided in the Domain Names section.

  3. Go to the SAML Authentication and Provisioning section.

  4. Begin Step 1 of the configuration process as indicated on the screen. Select Microsoft as your identity provider (ID Provider).

  5. Select the domain name(s) involved in the authentication process.

  6. Click Next.

  7. On the next screen, Step 2: SAML Configuration, download the XML metadata file. Leave this window open and start preparing Entra ID in a new browser window.


B. Preparing Entra ID

  1. In your Azure portal, go to the Enterprise applications section. You can access it quickly by typing the first few characters of the section name in the search bar.

  2. Click New application.

  3. On the next page, click Create your own application.

  4. Name the application (e.g. Client Portal - Druide).

  5. Select Integrate any other application you don’t find in the gallery (Non-gallery).

  6. Click Create. Application creation can take several minutes.

  7. Once the application has loaded, indicate which users can use it: all users (A) or only some (B).

A) For all users

Go to Properties (A1) and set Assignment required to No (A2).


Click Save and close the panel.

B) For certain users only

Go to Users and groups (B1) and click Add user/group (B2).


Click the names of the desired users (B3), then the Select button (B4).


Finally, click Assign (B5).


All preparations in Entra ID are now complete and you can begin SAML configuration.


C. Configuring SAML With Entra ID

  1. In the application you just created in Entra ID, go to the Single sign-on tab.

  2. Select the SAML tile.

  3. Click Upload metadata file.

  4. Select the metadata file you downloaded earlier from the Client Portal (section A, step 7).

  5. Click Add.

  6. Click Save in the next panel, then close it.

Tip — You can also configure the data manually (see detailed instructions).

Note — If Microsoft asks whether you would like to do a test now or later, choose later.

  7. Go to the next block, Attributes & Claims, and click Edit.

Tip — If you do not use Entra ID, you can find the required attributes in the Organization Client Portal User Guide.

  8. Next, click Unique User Identifier (Name ID) to make changes to the claim.

  9. Click Choose name identifier format and change the format to Persistent.

  10. Change the source attribute to user.objectid.

Important — You must do one final verification in Attributes & Claims. Make sure that your configuration of the claim emailaddress (set to the attribute user.mail by default) contains an email address. If this is not the case, use another attribute such as user.userprincipalname, which usually corresponds to the user’s email address.

  11. Click Save and close the panel.

  12. Go to the next block, SAML Certificates, and click Edit.

  13. Select Sign SAML response and assertion in the signing options.

  14. Click Save, then close the panel.

  15. Download the Certificate (Base64) file.

  16. Download the Federation Metadata XML file.

SAML configuration in Entra ID is now complete. Keep this window open in case you need to configure SAML manually in the Client Portal.
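
Before moving on to the Client Portal, it is worth checking the artifacts you just produced against the requirements of this section: both the SAML response and the assertion must be signed, the NameID format must be Persistent, the emailaddress claim must actually carry an email address, and the Certificate (Base64) file must be the signing certificate listed in the Federation Metadata XML. The script below is an added example, not Druide's or Microsoft's code. It uses only the Python standard library and runs on constructed sample data (placeholder bytes stand in for the certificate, and the tenant and object IDs are placeholders); the claim name used for emailaddress is the Entra ID default, and the signature check only confirms that a Signature element is present on each element, since cryptographic verification belongs to the service provider.

```python
"""Added example (not Druide's or Microsoft's code): offline checks on the SAML
artifacts from section C, so a misconfiguration (unsigned assertion, non-persistent
NameID, empty emailaddress claim, metadata/certificate mismatch) is caught before
the 'Try logging in' test fails with an opaque error."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Default claim name Entra ID uses for emailaddress (see the Important note in section C).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def signing_cert_fingerprints(metadata_xml: str) -> list[str]:
    """SHA-256 fingerprints of the signing certificates in a Federation Metadata XML file."""
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def pem_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the Certificate (Base64) file downloaded in step 15."""
    body = "".join(line for line in pem.splitlines() if line and not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def metadata_matches_certificate(metadata_xml: str, pem: str) -> bool:
    """True when the downloaded certificate is one of the metadata's signing certificates."""
    return pem_fingerprint(pem) in signing_cert_fingerprints(metadata_xml)


def check_assertion(response_xml: str) -> list[str]:
    """Return the requirements from section C that a SAML Response violates (empty = OK)."""
    problems = []
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["Response carries no Assertion"]
    # Step 13 ('Sign SAML response and assertion'): both elements must carry a Signature.
    # Presence only; cryptographic verification is the service provider's job.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    # Steps 9 and 10: NameID format must be persistent (source attribute user.objectid).
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    # Important note: the emailaddress claim must actually contain an email address.
    email = None
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            value = attr.find("saml:AttributeValue", NS)
            email = (value.text or "").strip() if value is not None else ""
    if email is None:
        problems.append("emailaddress claim is missing")
    elif not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        problems.append("emailaddress claim is empty or not an email address")
    return problems


# --- Constructed sample data: placeholders, not a real certificate, tenant or user ---
FAKE_DER = b"constructed placeholder bytes standing in for a DER certificate"
CERT_B64 = base64.b64encode(FAKE_DER).decode()
CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{CERT_B64}\n-----END CERTIFICATE-----\n"
METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def build_response(assertion_signed: bool, name_id_format: str, email: str) -> str:
    """Build a minimal constructed SAML Response (the Response itself is always signed)."""
    sig = "<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  {sig}
  <saml:Assertion>
    {sig if assertion_signed else ''}
    <saml:Subject><saml:NameID Format="{name_id_format}">OBJECT-ID-PLACEHOLDER</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


GOOD_RESPONSE = build_response(True, PERSISTENT, "jane.doe@example.com")
# Typical misconfiguration: assertion left unsigned, NameID still emailAddress, user.mail empty.
BAD_RESPONSE = build_response(False, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "")

if __name__ == "__main__":
    print("metadata matches certificate:", metadata_matches_certificate(METADATA, CERT_PEM))
    print("good response problems:", check_assertion(GOOD_RESPONSE))
    print("bad response problems:", check_assertion(BAD_RESPONSE))
```

To use it on your own files, replace METADATA with the contents of the Federation Metadata XML file, CERT_PEM with the Certificate (Base64) file, and the constructed responses with a SAML Response captured from a test login (for example the base64-decoded SAMLResponse form field from the browser's network tools). An empty list from check_assertion means the three requirements of this section are met.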


D. Configuring SAML in the Client Portal

  1. Return to the Client Portal window and go to Step 2: SAML Configuration. Click Upload a file and select the XML metadata file you just downloaded from Entra ID.

Tip — You can also configure the data manually (see detailed instructions).

  2. It is recommended that you assign a resource person to receive technical details in case of login or configuration issues.

  3. Click Next.

  4. If your organization has one or more active subscriptions to Antidote, choose how you would like to manage Antidote access. You have three options:

  • Manual management
    Choose this option to activate SAML authentication without automatically granting access to Antidote. You can grant users access to Antidote from the Users tab in the Client Portal.

  • Impose access to Antidote upon login
    Choose this option to automatically grant access to Antidote to all users who log in with SAML authentication. If your organization has multiple subscriptions, specify which one should be used. If a user already has access to another subscription, their subscription will be changed the next time they log in.

  • Grant Antidote access to users who do not have access upon logging in
    Choose this option to grant Antidote access to users who do not already have it. For example, this option is useful if your organization already has a subscription, and you want new users to have access to a different subscription than those who already hold one.

Note — If you intend to set up SCIM automated provisioning later, please note that the Antidote access management settings defined by that configuration will override the options described here.

  5. Click Next once you have made your choice.

  6. On the next screen, click Try logging in. The result of the test will appear in a new window, confirming a successful connection or providing an error report if the connection fails.

  7. Finally, click Activate SAML authentication.

You do not need to send out invitations from the Client Portal for users to activate their Antidote access. You can simply send users an email explaining how they can connect.


E. Configuring Authentication for Antidote 12

This optional procedure allows you to automatically fill in the user account field or display the account selector when first logging in to Antidote 12. For the configuration to take effect, you must enable one of these two options in the Deployment Manager configuration. This procedure is only available on Windows and with an Antidote Pro subscription.

  1. In the Azure portal, switch to the App registrations section. You can access it quickly by typing the first few characters of the section name in the search bar.

  2. Click All applications.

  3. Select the application you created for Druide’s Client Portal.

  4. Copy the Application (client) ID.

  5. Go to the Authentication section.

  6. Click Add a platform.

  7. Click Mobile and desktop applications.

  8. Check the box next to https://login.microsoftonline.com/common/oauth2/nativeclient.

  9. In the Custom redirect URIs field, enter ms-appx-web://Microsoft.AAD.BrokerPlugin/{ClientId} and replace {ClientId} with the Application (client) ID you copied in step 4.

  10. Scroll down the page to the Advanced settings section. Click Yes to Enable mobile and desktop flows.

  11. Click Save to complete the configuration.

Note — If you get an error message when you enable this option, follow the steps below, then complete steps 10 and 11.

A) Go to the Expose an API section.

B) Click Edit.

C) Edit the Application ID URI field to remove the slash “/” at the end of the URI.

D) Click Save.