[Re the title, are Azure AD / Entra the same thing? Or different apps? We switch between both names in the steps]
This page outlines how to configure Phocas with Microsoft Azure to enable single sign-on (SSO). The steps involve moving between the two applications (Azure and Phocas).
Enable SSO in Azure:
Click + New Application > + Create your own application.
On the right of your screen, enter an application name in the text box and select the Integrate any other application you don't find in the gallery (Non-gallery) option.
In the application, click 2. Set up single sign on.
Click SAML.
Click the Edit button for Basic SAML Configuration. [where?]
In the side panel that displays, click Enable SAML and enter a name. Keep this screen open.
In Phocas, click Administration > Configuration, then scroll down to the Single sign-on (SSO) section.
In Azure, enter the Phocas Service Provider (SP) details:
Copy the Service Provider Entity ID from Phocas and paste it into the Identifier (Entity ID) box in Entra.
Copy the Service Provider ACS URL from Phocas and paste it into the Reply URL box in Entra.
Save the application to complete the creation process. [how/where?]
Open the application in Entra and on the left-hand side, select the section Single Sign On.
Scroll down to section 3 SAML Signing Certificate and download the Certificate (Base64) file.
Open the downloaded certificate file in Notepad and copy the contents.
Back in Phocas, paste the copied certificate contents into the X509 Certificate box.
Enter the Entra details into the Phocas Identity Provider (IP) section:
Copy the Login URL from Entra and paste it into the Single Sign On Service URL box in Phocas.
Copy the Azure AD Identifier from Entra and paste it into the Entity ID box in Phocas.
Complete the SSO setup on the Phocas Configuration page, then click Save. [new, need more? add link]
In Azure, add the Phocas users in Users and Groups in the left-hand menu. [more how or screenshot? you gave more steps in other steps above]
In Phocas, edit the user accounts (or create new user accounts if required) to use the Azure usernames. For example, use the email address or User Principal Name (UPN) [like one in screenshot below?]. [denise to add link]
The usernames depend on the source attribute sent from Azure; this can be found in the User Attributes & Claims section. [correct name? how do I get there?]
Example of edited usernames in Phocas:
Troubleshooting
If the user signs in to Phocas using SSO and returns to the sign-in page, the issue is most likely a user authentication issue. The username in Azure must match the username in Phocas; just a matching email address will not work.
If you have the Logs user permission, you can check whether the username is correct in Phocas.
Go to Logs > Security and see what the Login failed via 'SAML' entry shows for the user and what the error message is. Here is an example of such a log:
Login failed via 'SAML' for user 'john@example.com' with ID ''
from IP address 'xx.xx.xx.xx' with User Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.31'
due to reason 'InvalidUser'
If SSO is not working and Logs > Security displays the following message, the configuration in Phocas is likely wrong. The best step is to get the two URLs and the Certificate again from Entra. [repeat steps above?]
Login information is incorrect. SAML configuration may be incorrect.
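The two troubleshooting cases above can be told apart from the Logs > Security entries. The following script is an added example (not Phocas or Microsoft code): it parses the "Login failed via 'SAML'" entry in the format shown on this page, compares the rejected username against a list of Phocas usernames you supply, and points to the matching fix. The log-entry pattern and the sample entries are constructed from the page's example; the IP address is a documentation placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Pattern for the "Login failed via 'SAML'" entry in Phocas Logs > Security.
# It follows the single example on this page; any other entry layout is
# not assumed and falls through as "unknown".
SAML_FAILURE_RE = re.compile(
    r"Login failed via 'SAML' for user '(?P<user>[^']*)' with ID '(?P<id>[^']*)'\s+"
    r"from IP address '(?P<ip>[^']*)' with User Agent '(?P<ua>.*?)'\s+"
    r"due to reason '(?P<reason>[^']*)'",
    re.DOTALL,
)
CONFIG_ERROR_TEXT = "Login information is incorrect. SAML configuration may be incorrect."

@dataclass
class Diagnosis:
    category: str            # "user", "config" or "unknown"
    user: Optional[str]
    reason: Optional[str]
    advice: str

def diagnose(entry: str, phocas_usernames: set) -> Diagnosis:
    """Map one security-log entry to the troubleshooting step this page describes."""
    if CONFIG_ERROR_TEXT in entry:
        return Diagnosis("config", None, None,
            "Phocas-side SAML settings are suspect: re-copy the Login URL, Azure AD "
            "Identifier and Base64 certificate from Entra into Phocas.")
    m = SAML_FAILURE_RE.search(entry)
    if not m:
        return Diagnosis("unknown", None, None, "Unrecognised entry; contact Support.")
    user, reason = m.group("user"), m.group("reason")
    if reason != "InvalidUser":
        return Diagnosis("unknown", user, reason, f"Unhandled reason '{reason}'; contact Support.")
    if user in phocas_usernames:
        advice = f"'{user}' is in your list but Phocas rejected it; check the stored Phocas username."
    else:
        near = [u for u in phocas_usernames if u.lower() == user.lower()]
        advice = (f"'{user}' differs only in case from Phocas account '{near[0]}'; the two must be identical."
                  if near else f"No Phocas account is named '{user}'; edit or create it with the Azure username.")
    return Diagnosis("user", user, reason, advice)

# Constructed sample entry (not real log data) modelled on the example above.
INVALID_USER_ENTRY = (
    "Login failed via 'SAML' for user 'john@example.com' with ID '' "
    "from IP address '203.0.113.10' with User Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' "
    "due to reason 'InvalidUser'"
)

if __name__ == "__main__":
    print(diagnose(INVALID_USER_ENTRY, {"John@example.com"}))
    print(diagnose(CONFIG_ERROR_TEXT, set()))
```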
If you continue to have issues after setup, please contact our Support team. [denise add link]