

This page outlines how to configure Phocas with Microsoft Azure to enable single sign-on (SSO).

  1. Enable SSO in Azure:

    1. Click + New Application > + Create your own application.

    2. In the panel on the right of your screen, enter an application name in the text box and select the option Integrate any other application you don't find in the gallery (Non-gallery).

    3. In the application, click 2. Set up single sign on.

    4. Click SAML.

    5. Click the Edit button for Basic SAML Configuration.

    6. In the side panel that displays, click Enable SAML and enter a name. Keep this screen open.

  2. In Phocas, click Administration > Configuration, then scroll down to the Single sign-on (SSO) section.

  3. In Azure, enter the Phocas Service Provider (SP) details:

    1. Copy the Service Provider Entity ID from Phocas and paste it into the Identifier (Entity ID) box in Azure.

    2. Copy the Service Provider ACS URL from Phocas and paste it into the Reply URL box in Azure.

  4. Save the application to complete the creation process.

  5. Open the application in Entra and, in the left-hand menu, select Single sign-on.

  6. Scroll down to section 3 and download the Certificate (Base64).

  7. Open the downloaded certificate file in Notepad and paste its contents into the X509 Certificate field in Phocas.

  8. Copy the Login URL field from Entra and paste it into the Single Sign On Service URL field in Phocas.

  9. Copy the Azure AD Identifier field from Entra and paste it into the Entity ID field in Phocas.

  10. With that information saved in both Phocas and Microsoft Azure, add the users to the Phocas application in Microsoft Azure under Users and Groups in the left-hand menu.

  11. On the Phocas side, create or edit the users in Phocas so that each username is the username used to log into Azure, e.g. the email address or UPN.

The username to use for the user account in Phocas depends on the source attribute sent from Azure; this can be found in the application's User Attributes & Claims section.

Note: If the user logs into Phocas using SSO and is returned to the Phocas login page, the issue is most likely a user authentication problem, so check whether the username is correct in Phocas.

To check this, go to Logs > Security and look at the Login failed via 'SAML' entry: note the value of the 'user' field and the error message, e.g.:

Login failed via 'SAML' for user 'john@example.com' with ID '' 
from IP address 'xx.xx.xx.xx' with User Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.31' 
due to reason 'InvalidUser'

The user shown here must match a Username in Phocas - just a matching email address will not work.

If the SSO is not working and the Logs > Security shows the line:

Login information is incorrect. SAML configuration may be incorrect.

Then the configuration in Phocas is likely wrong, and the best next step is to copy the two URLs and the certificate again from Entra.
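As an added example (not part of the Phocas documentation and not Phocas code), the following Python script applies the two checks above to constructed Logs > Security lines: it extracts the user and reason from each Login failed via 'SAML' entry, separates a 'user' value that matches only a Phocas user's email address from one that matches no user at all, and flags the SAML configuration message. The Phocas user list, IP addresses and user agent are constructed values.

```python
import re

# Constructed sample Logs > Security lines (IP addresses and user agent are made up);
# the format follows the 'Login failed via SAML' entry quoted in the text above.
SAMPLE_LOG = """\
Login failed via 'SAML' for user 'john@example.com' with ID '' from IP address '203.0.113.10' with User Agent 'Mozilla/5.0' due to reason 'InvalidUser'
Login failed via 'SAML' for user 'bob@example.com' with ID '' from IP address '203.0.113.11' with User Agent 'Mozilla/5.0' due to reason 'InvalidUser'
Login information is incorrect. SAML configuration may be incorrect.
"""

# Constructed Phocas user list (username -> email). SSO matches the username, never the email.
PHOCAS_USERS = {
    "john.smith": "john@example.com",
    "jane.doe": "jane.doe@example.com",
}

LOGIN_FAILED_RE = re.compile(
    r"Login failed via 'SAML' for user '(?P<user>[^']*)'.*?due to reason '(?P<reason>[^']*)'"
)
CONFIG_ERROR = "SAML configuration may be incorrect"


def parse_saml_failures(log_text):
    """Return (user, reason) for every 'Login failed via SAML' entry in the log text."""
    return [
        (m.group("user"), m.group("reason"))
        for m in (LOGIN_FAILED_RE.search(line) for line in log_text.splitlines())
        if m
    ]


def diagnose(user, reason, users=PHOCAS_USERS):
    """Classify one failure as the troubleshooting notes describe; returns (status, detail)."""
    if reason != "InvalidUser":
        return ("other_reason", reason)
    if user in users:
        return ("username_present", user)  # not a missing-user problem; look elsewhere
    owners = [name for name, email in users.items() if email.lower() == user.lower()]
    if owners:
        # The value sent by Azure is a Phocas user's email but not their username:
        # the mismatch the page warns about. Fix the Phocas username or the Azure claim.
        return ("email_not_username", owners[0])
    return ("missing_user", user)


def has_config_error(log_text):
    """True if the log carries the message that points at the Phocas SAML configuration."""
    return CONFIG_ERROR in log_text
```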

If the customer is having issues after setup, the following page can be used for troubleshooting:
Troubleshooting SAML
