This article describes how to integrate with Azure AD (AAD) and enable SSO from AAD to TMCM/Apex Central™. It applies to on-premise TMCM, Apex Central™ and Apex One™ as a Service.
To enable Azure AD (AAD) to SSO to Apex Central, complete the following tasks:
- Integrate AAD with on-premise AD using Azure AD Connect. For reference, see the Microsoft article "Custom installation of Azure AD Connect".
- In the Azure AD portal, go to Enterprise applications.
- Create a new application for the Apex Central instance.
- Configure Single sign-on for the Apex Central application:
  - Go to the Single sign-on page.
  - Select SAML-based Sign-on as the Sign on mode.
  - Edit Basic SAML Configuration and configure the SAML settings.
  - Edit User Attributes & Claims to add a custom attribute with the following settings:
    - Click Add new claim.
    - Configure the custom claim settings:
      - Name: windowsaccountname_TM
      - Namespace: http://schemas.microsoft.com/ws/2008/06/identity/claims
    - Change Source type to Transformation and configure the following parameters:
      - Transformation: Join()
      - Parameter 1: user.netbiosname
      - Separator: \
      - Parameter 2: user.onpremisessamaccountname
    - Confirm the settings.
- Assign the users who are allowed to log in to the Apex Central application.
- Integrate AD with Apex One as a Service. For detailed instructions, see the "Integrate Active Directory (AD) with Apex One as a Service" support page and go to step 2 of "Synchronize AD information and authenticate AD accounts".
- In Apex Central, go to Administration > Account Management > User Accounts.
  - Click Add.
  - Select Active Directory user or group, specify the User/Group name, and click Next. The Add New User screen appears.
  - Select the desired role, configure folder options and access rights, and then click Save.
- Go to Administration > Settings > Active Directory and Compliance Settings > Active Directory Settings.
- Configure ADFS for Apex Central:
  - Tick Enable Active Directory synchronization and Enable Active Directory authentication.
  - Specify the SSO service URL and Service identifier, and select the Signing certificate. The Apex Central fields map to the Azure AD SSO values as follows:
| Field name on the Apex Central settings page | Azure AD SSO attribute name |
|---|---|
| SSO service URL | Login URL |
| Server identifier | Azure AD Identifier |
| Server certificate | Certificate downloaded from the AAD enterprise application |
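The windowsaccountname_TM claim built by the Join() transformation above is what Apex Central matches against the AD accounts it synchronizes, so it is worth confirming, before assigning users, that the assertion Azure AD issues actually carries that claim in NETBIOS\sAMAccountName form and comes from the identifier entered as the server identifier. The Python example below is added for this article and is not part of the article or of Trend Micro's product; it parses a constructed, unsigned SAML assertion and reports whether the issuer and the custom claim look right. It assumes Azure AD emits the attribute Name as namespace/name (http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname_TM); the issuer URL, domain name and account name are placeholders, and the account-name pattern is a simplified check, not the full set of characters AD permits.

```python
"""Added example: check that a SAML assertion carries the claim Apex Central
expects (NETBIOS\\sAMAccountName). Sample data below is constructed for this
example and was not captured from a real tenant."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

CLAIM_NAMESPACE = "http://schemas.microsoft.com/ws/2008/06/identity/claims"
CLAIM_NAME = "windowsaccountname_TM"
# Assumption: Azure AD emits the attribute Name as "<namespace>/<name>".
CLAIM_FULL_NAME = f"{CLAIM_NAMESPACE}/{CLAIM_NAME}"

# Placeholder for the "Azure AD Identifier" value entered as the Apex Central server identifier.
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

# Simplified NETBIOS\sAMAccountName shape; NetBIOS domain names are at most 15 characters.
WINDOWS_ACCOUNT_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}\\[A-Za-z0-9_.$-]+$")


def join_claim(netbios_name: str, sam_account_name: str) -> str:
    """Reproduce the Join() transformation: Parameter 1, separator "\\", Parameter 2."""
    return f"{netbios_name}\\{sam_account_name}"


def extract_claims(assertion_xml: str) -> dict:
    """Return the issuer and an {attribute name: [values]} map from an Assertion
    (or from a Response element that wraps one)."""
    root = ET.fromstring(assertion_xml)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", SAML_NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    issuer_el = assertion.find("saml:Issuer", SAML_NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attributes[attr.get("Name")] = [
            (v.text or "") for v in attr.findall("saml:AttributeValue", SAML_NS)
        ]
    return {"issuer": issuer, "attributes": attributes}


def check_windows_account_claim(assertion_xml: str, expected_issuer: str = EXPECTED_ISSUER) -> dict:
    """Check the issuer and the windowsaccountname_TM claim; 'ok' is True only if every check passes."""
    claims = extract_claims(assertion_xml)
    problems = []
    if claims["issuer"] != expected_issuer:
        problems.append(f"issuer {claims['issuer']!r} does not match the configured server identifier")
    values = claims["attributes"].get(CLAIM_FULL_NAME, [])
    if len(values) != 1:
        problems.append(f"expected exactly one {CLAIM_NAME} value, found {len(values)}")
    elif not WINDOWS_ACCOUNT_RE.match(values[0]):
        problems.append(f"value {values[0]!r} is not in NETBIOS\\sAMAccountName form")
    return {"ok": not problems, "value": values[0] if len(values) == 1 else None, "problems": problems}


def sample_assertion(account_value: Optional[str]) -> str:
    """Build a constructed, unsigned assertion; account_value None omits the custom claim."""
    claim_xml = ""
    if account_value is not None:
        claim_xml = (
            f'<saml:Attribute Name="{CLAIM_FULL_NAME}">'
            f"<saml:AttributeValue>{account_value}</saml:AttributeValue></saml:Attribute>"
        )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}" ID="_constructed" Version="2.0">'
        f"<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>"
        "<saml:AttributeStatement>"
        '<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">'
        "<saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>"
        f"{claim_xml}"
        "</saml:AttributeStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    print("with claim:", check_windows_account_claim(sample_assertion(join_claim("CORP", "jdoe"))))
    print("claim missing:", check_windows_account_claim(sample_assertion(None)))
    print("UPN instead of account name:", check_windows_account_claim(sample_assertion("jdoe@example.com")))
```

To use it against a real login, paste the decoded SAML assertion captured from a browser's network tools into `check_windows_account_claim` with the tenant's Azure AD Identifier as `expected_issuer`. The check only looks at the claim's shape and the issuer; verification of the assertion's signature is done by Apex Central against the certificate uploaded as the server certificate, so a passing result here means the mapping is configured as the article describes, not that the assertion is authentic.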
Identity Provider (IdP) initiated SSO
- Go to https://account.activedirectory.windowsazure.com/.
- Click the application to initiate single sign-on to Apex Central.