Microsoft 365

Setting up SAML authentication in Microsoft 365 requires use of Azure Active Directory.

Azure Active Directory Set Up

1. Go to the Microsoft 365 Admin console and log in with an admin account.
2. Click on 'Show all' in the sidebar, and then on 'Azure Active Directory'.
   
   
3. The Azure Active Directory admin center will show. Click on your company name in the dashboard.
   
4. Click on 'Enterprise applications' in the sidebar.
   
5. Click 'New application', type 'SAML toolkit' in the search, and select 'Azure AD SAML Toolkit'.
   
   
6. Set the name to 'SupportPro SAML' and click 'Create'. Wait until the page reloads and the application has been created.
   
7. Click on the 'Set up single sign on' and choose the 'SAML' option.
   
   
8. Click 'Edit' in the Basic SAML Configuration area. Set the text boxes like shown and set the relevant options as default, replacing the start of the URL with your help desk URL. To use this on the frontend (for users), replace 'operator' with 'frontend'. Click 'Save' once all the fields have been set.
   
   
   If you have more than one brand in SupportPro, and users access the helpdesk using different URLs, you will have to set the relevant URLs for each brand individually.
9. Next click 'Edit' in the User Attributes & Claims area. Delete the existing claims and create new claims like shown. The 'role' claim can be ignored if using on the frontend, and additional claims can be configured as per our documentation.
   
   
10. Once all that is done, your configuration should look like this:
    
11. Finally, click 'Users and groups' in the sidebar, then click 'Add user/group'. Select all users that you would like to be able to login using SAML, leaving the role as 'Default Access', and click 'Assign'.
    
    

SupportPro Configuration

1. Create the file /config/production/saml.php in your SupportPro installation as below.
   config/production/saml.php Expand
   If you wish to use it on the frontend, you can change the file as per our documentation.
2. Update the 'idp' configuration in config/production/saml.php using the details from the 'Set up Azure AD SAML Toolkit' section:
   
   • For the entityID value, use the Azure AD Identifier value.
   • For the singleSignOnService value, use the Login URL value.
   • For the singleLogoutService value, use the Logout URL value.
   
   For the x509cert value, download the Federation Metadata XML and copy the value of the X509Certificate from this file.
3. Create a signing certificate for SupportPro using openssl:

   openssl req -x509 -nodes -sha256 -days 730 -newkey rsa:2048 -keyout samlcert.key -out samlcert.pem

4. Update config/production/saml.php:
   • Replace X_PASTE_SUPPORTPro_SIGNING_CERT_HERE with the contents of samlcert.pem
   • Replace X_PASTE_SUPPORTPro_SIGNING_CERT_PKEY_HERE with the contents of samlcert.key
5. The configuration is complete - verify by logging in with the 'Microsoft 365' button as a user that you assigned earlier to the application.
6. To force use of SAML over the normal login, change the dualLogin value to false.