To configure SSO in your NowSignage account, please follow the steps below:
1 - Enter Azure AD and go to “Enterprise Applications”.
2 - Create a new application with the top bar → “+ New application” → “Create your own application”
3- Create the app as “Non Gallery” app and give it a name
4 - Go to “Single Sign On” on the lefthand side of the site
5 - Select “SAML”
6 - Fill the steps by editing them
- On ”Identifier (Entity ID)” → “https://secure.nowsignage.com/saml/metadata” and make default
- On “Reply URL (Assertion Consumer Service URL)” → https://secure.nowsignage.com/customers/saml/auth and make default
- Save the settings
7 - Once filled in, Azure will create some URLs and the certificate needed for SSO into NS
8 - In point 2: Attributes & Claims
Change Unique User Identifier (Name ID) from
user.principalnametouser.mail
9 - Make sure you add the users you want to grant the ability to SSO into the app
(Please note - You must firstly invite this user into your NowSignage account in order for them to have access. Guidance on inviting users can be found below:
https://nowsignage.freshdesk.com/a/solutions/articles/44002458397)
10 - Go into your NowSignage account and click into your name in the top right of the platform then select 'My Account'. Now click 'Users' on the top menu bar and then select 'SSO Configuration':
11 - To enable SSO for all users of your account, tick the 'use SSO for customer login' box, then copy & paste in the information required (located within your Azure AD portal). Once you have filled in the required fields, click 'Save' to enable SSO within your account.
Within Azure, the Identity Provider Id is called 'Microsoft Entra Identifier' located within step/section 4.
Also for Azure, the 'Authn Context' is :
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
12 - SSO is now enabled for all users in your account, they will now be required to only sign into NowSignage through SSO and will no longer be able to log in using their NowSignage password.
How to exclude users from SSO:
After setting up SSO, you can exclude specific users from the SSO requirement to allow them to also log in with their NowSignage user account. To do this, within the SSO configuration page, scroll to the bottom of the page and you will see an user exception list:
You can now search for and select specific users you wish to add to the exception list. Users can be removed from this list at any stage.
It is recommended to exclude at least one user with Account Owner permissions. In the event your identity provider is down, they can log in and untick the 'Use SSO for customer login' checkbox to allow all users to log in with their NowSignage accounts.
User Management Configuration (Optional):
This section is optional and contains various additional advanced options for your SSO setup:
Create new users (checkbox on/off): If this option is enabled, new users will be able to register for a NowSignage account. When they are registering, we will check if the user is registered, if not, the system will register the user into the account (identified by the IDP credentials from the basic configuration) and assign it to the role you have selected in the Role for new users dropdown.
The new registered users, will be granted access to the Projects for users selected. You can select either a singular project or multiple projects for your users to have access to when they register.
If the Update users checkbox is selected, then every time a user logs in using SSO, the system will perform a user update. It will check and update the Role of the user, the access to the projects and the access tags, for the ones set up in this section. So if you amend your settings at any stage, this will update any users access to reflect your new settings when they log back into NowSignage.
IDP attributes mapping: This section is used to create custom mappings between the IDP and our CMS. These mappings can be used to replace the email and name from the default ones, as well as assign the values from the selected fields as Access Tags to customers.
Verification Certificate (Optional):
It is possible to enable a verification certificate within the NowSignage SSO app, to do this within Azure, please edit the area shown below:
The NowSignage verification certificate for uploading can be downloaded from the link below:
https://drive.google.com/file/d/18LSJ-93aEwhvULVRPe8addwQnLJUn_xC/view?usp=sharing