This guide walks you through everything that has to be set up in Software Asset and Service Management (SASM) so that your end users can log in to Self-Service with an Azure Active Directory (AAD) user.
Supported Authentication Protocols for Identity Providers:
After setting up the SAML2 integration, note that every user still has to be introduced from your Azure tenant into the Software Asset & Service Management User Management; only then can employees log in to Software Asset & Service Management (e.g. the Self-Service Portal) with their existing AAD user. Matrix42 MyWorkspace lets you import all AAD users into your Software Asset & Service Management instance. The documentation for connecting Matrix42 MyWorkspace to Azure can be found here.
To import the AAD users from Matrix42 MyWorkspace into Software Asset & Service Management, please follow this documentation.
- Azure Active Directory Tenant with Admin Access
- Software Asset & Service Management Instance with Admin Access
- Matrix42 MyWorkspace Tenant with Admin Access
Setup SAML2 Configuration in AAD
Log in to the Azure Portal with an admin user (https://portal.azure.com)
Create a new Enterprise Application
1. Go to Azure Active Directory > Enterprise Applications
2. Click on “New Application” to create a new Enterprise Application for Single-Sign On
3. Choose “Non-gallery application” and give the app a meaningful unique name before you click on “add”
4. Once the app is created, go to its “Single-Sign On” page and choose “SAML”
5. Click “Switch to the old experience” to get the more detailed settings view
6. As “Identifier”, add your Software Asset & Service Management URL
7. Add as “Reply URL” the following: https://[yourdomain].m42cloud.com/m42services/authorize/login (make sure to insert your domain into the URL).
8. Set the checkbox to “Show advanced URL settings” and add as “Sign in URL” https://[yourdomain].m42cloud.com/wm (make sure to insert your domain into the URL).
9. Scroll down and set the “User Identifier” as “user.mail”
10. Scroll down to Certificates and download the Metadata XML
11. Click "Save"
User management and the entitlement to log in to Software Asset & Service Management are handled by Software Asset & Service Management roles. Enterprise Applications in AAD restrict access to assigned users by default, so this needs to be changed.
1. In Properties set the “User assignment required” to “No”
2. You can decide whether the application is visible to end users in their Office 365 Portal. We recommend setting “Visible to users” to “No”
3. Click "Save".
SAML2 Single-Sign On is now correctly set up in your Azure tenant!
Configure Software Asset & Service Management
To configure SAML2 in your Software Asset & Service Management, first make sure that the Secure Token Service (STS) is enabled at all. You can find the documentation for this here. The following steps assume that STS is correctly enabled.
Configure SAML2 Settings in STS (Software Asset & Service Management)
1. Open your Software Asset & Service Management instance and log in with an admin user
2. Go to Administration > Settings and click “Edit” in “Global System Settings”
3. Go to “Secure Token Service” and start editing it
4. Set “SAML2 enabled” to let users log in with an AAD user
5. If “Browser Credentials enabled” is checked, users will also be able to log in with a local user. This may be relevant for local admin and system users
6. If you have “Browser Credentials enabled” checked, give the login button on the login page a meaningful name (e.g. “Sign-In with your Azure AD User”)
7. Open the Metadata XML downloaded in the previous section
8. Copy the “Address” of the “ApplicationServiceEndpoint” Tag in the XML to “SAML2 Identity Provider ID” in Global System Settings
9. Set the “Service Provider Issuer Name” to your Software Asset & Service Management URL
10. Copy the “Location” of the “SingleSignOnService” Tag in the XML to “Single Sign-on URI Endpoint” in Global System Settings
11. Copy the “Location” of the “SingleLogoutService” Tag in the XML to “Single Sign-out URI Endpoint” in Global System Settings
12. Copy the Value of the “X509Certificate” Tag in the XML to “Identity Provider Certificate” in Global System Settings
13. Make sure “SAML2 Name Id Policy” is set to “Persistent” and “SAML2 Name Id Allow Create” is set to “None”
14. Click “Done” to save the configuration
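As an added example (not part of the Matrix42 documentation), the following Python helper pulls the four values of steps 8 and 10 to 12 out of the downloaded metadata XML and checks that the certificate is a single base64 string that decodes to DER before it is pasted into the STS fields. The embedded metadata is a constructed sample in the shape of Azure AD federation metadata; the tenant values and the certificate are placeholders.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Azure AD federation metadata; every value is a placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ApplicationServiceEndpoint><wsa:EndpointReference>
      <wsa:Address>https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/wsfed</wsa:Address>
    </wsa:EndpointReference></fed:ApplicationServiceEndpoint>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MAMC
      AQE=
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def _first(root, name):  # first element with this local name, ignoring namespace prefixes
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return el
    raise ValueError(f"<{name}> not found in metadata")

def extract_sts_settings(metadata_xml):
    """Map the IdP metadata to the four STS fields filled in steps 8, 10, 11 and 12."""
    root = ET.fromstring(metadata_xml)
    # Azure wraps the certificate over several lines; the STS field wants one base64 string.
    cert = "".join(_first(root, "X509Certificate").text.split())
    if base64.b64decode(cert, validate=True)[:1] != b"\x30":  # DER starts with a SEQUENCE tag
        raise ValueError("Identity Provider Certificate is not a DER-encoded certificate")
    address = _first(_first(root, "ApplicationServiceEndpoint"), "Address").text.strip()
    return {
        "SAML2 Identity Provider ID": address,
        "Single Sign-on URI Endpoint": _first(root, "SingleSignOnService").get("Location"),
        "Single Sign-out URI Endpoint": _first(root, "SingleLogoutService").get("Location"),
        "Identity Provider Certificate": cert,
    }

if __name__ == "__main__":
    for field, value in extract_sts_settings(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

Run it against the real metadata file you downloaded in step 7 instead of SAMPLE_METADATA; a mangled or incomplete certificate paste is rejected before it reaches Global System Settings.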
If you want users to log in only with an AAD user, make sure to disable “Browser credentials enabled” but also “Single sign-on enabled”. As a result, local users can no longer log in.
Bypass Automatic Login
It may happen that your SAML2 authentication stops working for some reason. If “Single sign-on enabled” is set, you then have the problem that you can no longer enter the application to change your configuration, for example to update the certificate. In this case you can force the system to show the login page so that you can log in with a non-SAML2 account. Add the predefined parameter "ForceLoginPage" to your URL, like this: https://myhost.mydomain.com/wm?ForceLoginPage
Configure MyWorkspace Data Provider in Software Asset & Service Management
To import all AAD Users to Software Asset & Service Management User Management please follow our guide here. Make sure the data provider imported the user before trying to login.