Single sign-on (SSO)
  • 10 Jul 2024
  • 1 Minute to read
  • Contributors
  • PDF

Single sign-on (SSO)

  • PDF

Article summary

Microsoft Entra ID

  1. Communicate your tenant ID to devteam@icfm.ch
  2. We will configure your tenant in Campos accordingly and communicate back the admin consent link, in the form of:
    https://login.microsoftonline.com/{your tenant ID}/adminconsent?client_id={Campos client ID}
    For more information, see https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal#construct-the-url-for-granting-tenant-wide-admin-consent
  3. After granting tenant-wide admin consent (permissions profile and User.Read and claims email, given_name und family_name are requested), the SSO configuration is finished.

OpenID Connect

Contact devteam@icfm.ch to schedule a short Microsoft Teams meeting to setup SSO.
The following claims are required:

  • sub
  • email
  • given_name
  • family_name

It is recommended to use a stable ID for the sub claim that never changes (like a GUID) and avoid unstable attributes like email address (may change on marriage).

ADFS with SAML2

  1. Communicate the entityID (authority-URL) to devteam@icfm.ch
  2. We will add your identity provider and give you the URL for the SAML metadata XML. It will look like https://signin.campos.ch/saml2/{your auth scheme }
  3. Import the metadata XML
  4. Typical claim rules:
  • User-Principal-Name -> email
  • Given-Name -> given_name
  • Surname -> family_name
  • ObjectGUID -> Name ID

What's Next