To set up Single Sign On between Carousel and Azure AD you'll need administrator access in both systems and two browser windows open. Ensure you have access to Azure AD Premium, then follow these steps and you'll be all set.
Log into Carousel in one browser window and navigate to Settings > Users > Single Sign On
Click the 'New Identity Provider' button.
Log into Azure AD in the other browser window and navigate to Identity → Azure Active Directory → Enterprise Applications
Click 'New Application'.
Choose a Non-Gallery application, give it a name and click 'add'
Choose Users and Groups and Add Users to the application. You will still need to create users in Carousel using their email address and provide them with the desired access rights for Carousel.
Select 'Single Sign On' and choose 'SAML' as the method.
Use this information from the Carousel window...
...to fill in this information in Azure.
ACS Route → Reply URL (Assertion Consumer Service URL)
Entity ID → Identifier (Entity ID)
https://your_carousel_server/Carousel/login → Sign On Url
Download the Base64 encoded Certificate file, open it in a text editor and copy the contents, then use it and the information found in this section...
...to populate the fields in Carousel seen here.
Name of your choosing
Login URL → Sign On Url
Azure AD Identifier → Identity Issuer Id
Contents of the Base64 encoded certificate file (the X.509 certificate text) → x509 Certificate
Login with SSO only can be turned on or off, based on your own preferences.
Optional logo file (use a png with transparency)
Selecting the SSO ONLY toggle will configure the system so that only site admins will be able to log in using an email/password.
Finally, log out of Carousel and then test the integration to make sure you can log in with Azure. Please note: users' email addresses are not necessarily their AD Principal Name. Using their AD Principal Name may be necessary depending on your setup.
Congratulations! You can now use Azure Single Sign On to log into your Carousel server.
Additional Troubleshooting Information
We extract the username by looking up the principal's http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier claim (this would be your email) and use that value to match against known Carousel users. The nameidentifier claim should match the Carousel user's email. If it does not, you can set the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name claim to user.email.
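Added example (not Carousel's or Microsoft's code) illustrating the claim lookup described above: it parses a constructed SAML response, checks the Audience against the Entity ID configured in Carousel, and matches the nameidentifier claim, then the name claim, against a list of Carousel user emails. The server URL, Entity ID and addresses in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed, unsigned sample (not a real Carousel login): the NameID carries the
# AD Principal Name while the name claim carries the user's mailbox address.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@contoso.onmicrosoft.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://carousel.example.com/Carousel</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def claims(saml_xml):
    """Return {claim_uri: value}; the nameidentifier claim is taken from <NameID>."""
    # Signature verification against the IdP x509 certificate is omitted here;
    # a real service provider must verify it before trusting any claim below.
    root = ET.fromstring(saml_xml)
    out = {NAMEID_CLAIM: root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)}
    for attr in root.iterfind(".//saml:Attribute", NS):
        out[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return out

def audience_ok(saml_xml, entity_id):
    """The Audience must equal the Entity ID shown in Carousel, otherwise reject."""
    root = ET.fromstring(saml_xml)
    return entity_id in [a.text for a in root.iterfind(".//saml:Audience", NS)]

def resolve_user(saml_xml, known_emails):
    """Match nameidentifier against Carousel users, then fall back to the name claim."""
    c = claims(saml_xml)
    known = {e.lower() for e in known_emails}
    for uri in (NAMEID_CLAIM, NAME_CLAIM):
        value = (c.get(uri) or "").lower()
        if value in known:
            return value, uri
    return None, None  # no Carousel user exists for this principal
```

With the sample above, the NameID (a UPN) matches no Carousel user, so the lookup only succeeds through the name claim, which is the situation the troubleshooting note describes.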