SAML with Azure
- Create Microsoft account, and register to Azure.
- In the left hand navigation pane, click on Azure Active Directory.
- Click on the App registrations tab, and click Add.
- Follow the prompts and create a new web application.
- Name it “Alma”, Application Type “Web app / API”. Provide the Alma Sign-On URL (https://###SERVER_DOMAIN###/mng/login, e.g. https://na01.alma.exlibrisgroup.com/mng/login). This represents the service provider issuer (entity ID of Alma). In Azure the field is called “App ID URI”. Changing it afterwards is possible but we noticed that with some browser it’s problematic. If you are not able to save changes, try with IE.
- Add the Assertion Consumer Service URL (https://###SERVER_DOMAIN###/mng/pdsHandleLogin) in the “Reply URLs” section.
- Azure will generate a metadata document. Under “App registrations” click on the “Endpoints” link at the top of the App registration page. If you have both Primo and Alma note that the metadata and endpoints are the same for all apps registered with this Azure Active Directory.
Copy the FEDERATION METADATA DOCUMENT URL. You will need it in order to define the Alma SAML integration profile (see below).
Configuring the SAML integration profile in Alma
- Define a SAML integration profile in Alma – see OLH for more details.
- In the Alma SAML integration profile, select Metadata upload method: Metadata link. Supply the link to Azure metadata file, as copied in step 6 above:
- Press Populate fields. Alma will automatically populate the following fields:
– IdP issuer
– IdP login URL
– IdP single logout service
- Define the following field as a match point for user details:
– User ID location: User ID in an attribute element
– User ID attribute name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Note that if you make changes in Azure configuration, the integration profile in Alma might need to be updated in order to reflect these changes.