To set up Single Sign On using Carousel and Azure AD you'll need administrator access in both systems and two browser windows open. Ensure you have access to Azure AD Premium, then follow these steps.
1. Log into Carousel in one browser window and navigate to Settings > Users > Single Sign On. Click the 'New Identity Provider' button.
2. Log into Azure AD in the other browser window and navigate to Identity → Azure Active Directory → Enterprise Applications. Click 'New Application'.
3. Choose a Non-Gallery application, give it a name and click 'Add'.
4. Choose Users and Groups and add users to the application. You will still need to create users in Carousel using their email address and provide them with the desired access rights for Carousel.
5. Select 'Single Sign On' and choose 'SAML' as the method.
6. Use the information from the Carousel window to fill in the corresponding fields in Azure:
   - ACS Route → Reply URL (Assertion Consumer Service URL)
   - Entity ID → Identifier (Entity ID)
   - https://your_carousel_server/Carousel/login → Sign On URL
7. Download the Base64 encoded certificate file, open it in a text editor and copy the contents, then use it and the information found in the Azure SAML section to populate the fields in Carousel:
   - Name of your choosing
   - Login URL → Sign On URL
   - Azure AD Identifier → Identity Issuer Id
   - Text of the X.509 certificate → x509 Certificate
   - Login with SSO only can be turned on or off, based on your own preferences.
   - Optional logo file (use a PNG with transparency)
8. Finally, log out of Carousel and then test the integration to make sure you can log in with Azure. Please note: users' email addresses are not necessarily their AD Principal Name. Using their AD Principal Name may be necessary depending on your setup.
Congratulations! You can now use Azure Single Sign On to log into your Carousel server.
Additional Troubleshooting Information
- We extract the username by looking up the principal's http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier claim (this would be your email) and use that value to match against known Carousel users. The nameidentifier should match the Carousel user's email. If it does not, you can set the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name claim to user.email.
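As an added illustration (not code from Carousel or Microsoft), the following Python parses a constructed Azure AD style SAML assertion and applies the matching rule described above: the nameidentifier value is checked against known Carousel user emails first, with the name claim as the fallback, and the signing certificate is compared with the text pasted into the x509 Certificate field. The claim URIs are the ones on this page; the tenant id, email addresses and certificate text are constructed placeholders.

```python
# Added example, not Carousel or Microsoft code. It applies the troubleshooting
# rule above to a constructed assertion so an admin can see which claim would match.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed assertion: the NameID is a UPN that differs from the user's email,
# the situation the final setup step warns about. Tenant id and cert are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    MIIC0constructedCertBody==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>jdoe@corp.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>"""


def parse_assertion(xml_text):
    """Return issuer, NameID, signing certificate text and attribute claims."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", namespaces=NS) or "").strip()
             for a in root.findall(".//saml:Attribute", NS)}
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "name_id": (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip(),
            "cert": (root.findtext(".//ds:X509Certificate", namespaces=NS) or "").strip(),
            "attrs": attrs}


def match_carousel_user(parsed, carousel_emails):
    """Return (matched email, claim used) or (None, None); comparison is case-insensitive."""
    known = {e.lower() for e in carousel_emails}
    candidates = ((NAMEID_CLAIM, parsed["attrs"].get(NAMEID_CLAIM) or parsed["name_id"]),
                  (NAME_CLAIM, parsed["attrs"].get(NAME_CLAIM)))
    for claim, value in candidates:
        if value and value.lower() in known:
            return value.lower(), claim
    return None, None


def cert_matches(parsed, pasted_cert_text):
    """Compare the assertion's signing cert with the text pasted into Carousel's x509
    Certificate field, ignoring PEM armour lines and whitespace. This only confirms the
    copied certificate is the one Azure is using; it is not XML signature validation."""
    body = "".join(line for line in pasted_cert_text.splitlines() if not line.startswith("-----"))
    return "".join(body.split()) == "".join(parsed["cert"].split())
```

With the sample above, the NameID (a UPN) finds no Carousel user, so the match falls through to the name claim; that is the case where mapping the name claim to user.email in Azure fixes the login.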