Single Sign-On with Microsoft Entra ID | Azure Active Directory

This is an Enterprise only feature and will incur an extra cost.
If you don’t have an Enterprise license yet but are interested, please contact us at success@mopinion.com.

As of October 1st, 2023 Microsoft has renamed its SSO solution from Azure Active Directory to Entra ID. In this article we still use images of and refer to the Microsoft SSO solution as Azure Active Directory, as according to the Microsoft article “New name for Azure Active Directory - Microsoft Entra” no functional changes took place.

Setting up single sign-on properly takes a bit of work but the added security is worth the trouble! Below we’ll outline the steps to enable single sign-on with Microsoft Entra ID (formerly known as Azure Active Directory) for Mopinion.

Getting the data from Mopinion

To set up Mopinion in your Azure Active Directory, you’ll first need to get the Uuid of your organisation. Find it in the Mopinion app by navigating to your “Organisation” page through the top right menu.

 

Then copy the identifier at the “Uuid” field.

 

Setting up your Azure application for Mopinion

Next up we’ll create the application that will be linked to Mopinion.

First, log in to Azure and go to the Identity category (https://portal.azure.com/#allservices/category/Identity).

 

Then we’ll create the application: select Enterprise Applications → New Application → Create your own application. Fill in a name (“Mopinion” for example) and select “Integrate any other application you don't find in the gallery (Non-gallery)”.

 

Now click “Create”. This will take a while; after the setup is complete you’ll be redirected to the application overview.

If you come back later to Azure, your application and settings can be found under Azure Active Directory https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview.

Configuring the application in Azure

Now we’ll configure the application to be able to interact with Mopinion.

In the menu on the left, select “Single sign-on”, choose SAML as the single sign-on method, and click “Edit” on the “Basic SAML Configuration”.

 

Now add the following:

  • The identifier (Entity ID), this must be in the following format:
    https://<YOUR-CUSTOM-DOMAIN>.mopinion.com/<ORGANISATION-UUID>

  • The reply URL (Assertion Consumer Service URL), this must be in the following format:
    https://<YOUR-CUSTOM-DOMAIN>.mopinion.com/simplesaml/module.php/saml/sp/saml2-acs.php/azure-sp-<ORGANISATION-UUID>

And save the changes!
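A pre-flight check for the two values above, as an added example (not Mopinion's or Microsoft's code). It assumes the Uuid is a standard UUID and the custom domain is a single DNS label; the function names and the sample domain and Uuid are constructed.

```python
import uuid
from urllib.parse import urlsplit

ACS_PREFIX = "/simplesaml/module.php/saml/sp/saml2-acs.php/azure-sp-"

def expected_urls(custom_domain: str, org_uuid: str) -> tuple[str, str]:
    """Build the Entity ID and Reply URL in the formats given above."""
    base = f"https://{custom_domain}.mopinion.com"
    return f"{base}/{org_uuid}", f"{base}{ACS_PREFIX}{org_uuid}"

def _is_uuid(value: str) -> bool:
    # Assumption: the "Uuid" field holds a standard UUID.
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False

def check_saml_config(entity_id: str, reply_url: str) -> list[str]:
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    ent, acs = urlsplit(entity_id.strip()), urlsplit(reply_url.strip())
    for label, url in (("Entity ID", ent), ("Reply URL", acs)):
        labels = (url.hostname or "").split(".")
        if url.scheme != "https":
            problems.append(f"{label}: scheme must be https")
        # Exactly <label>.mopinion.com; rejects lookalikes such as
        # acme.mopinion.com.example.net (assumes a single-label custom domain).
        if len(labels) != 3 or not labels[0] or labels[1:] != ["mopinion", "com"]:
            problems.append(f"{label}: host must be <custom-domain>.mopinion.com")
        if url.query or url.fragment:
            problems.append(f"{label}: no query string or fragment expected")
    ent_uuid = ent.path.lstrip("/")  # a trailing slash fails the UUID check
    if not _is_uuid(ent_uuid):
        problems.append("Entity ID: path is not a UUID")
    if not acs.path.startswith(ACS_PREFIX):
        problems.append("Reply URL: path does not match the ACS format")
    elif acs.path[len(ACS_PREFIX):] != ent_uuid:
        problems.append("Reply URL: UUID differs from the Entity ID")
    if ent.hostname != acs.hostname:
        problems.append("Entity ID and Reply URL use different hosts")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not a real organisation.
    eid, acs = expected_urls("acme", "123e4567-e89b-12d3-a456-426614174000")
    print(eid, acs, check_saml_config(eid, acs), sep="\n")
```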

 

If you would like to add the department of your users to Mopinion automatically when adding new users in Azure, you may edit Attributes & Claims and add a new claim with the following details:
Name: department
Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
Source attribute: user.department

Linking your Azure application to your Mopinion account

In Azure, on the Single sign-on page, copy the App Federation Metadata Url. It will look something like this: https://login.microsoftonline.com/<ID-HERE>/federationmetadata/2007-06/federationmetadata.xml?appid=<ID-HERE>. Send it over to our support team through support@mopinion.com. We’ll set everything up on our side and we’ll let you know when you’re good to go!

If you require additional help with the setup, our support team is of course ready to assist.

Add users to the application in Azure

(From your application in Azure)

  1. In the menu on the left click on Users and Groups.

  2. Click Add User/group.

  3. Under Users click on the None Selected link.

  4. Select the user or users to add and click Select.

  5. Click on the Assign button at the bottom of the screen.

From now on you can only add users to your Mopinion account by adding them through your Azure application: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview

Making sure single sign-on is enabled in Mopinion

You can easily check if single sign-on is enabled for your organisation in Mopinion by navigating to the “User management” section. An indicator will show next to the page title if single sign-on is enabled.

We can choose which attribute to use as the main identifier; it is possible to use the principal name, etc.