DNN SAML Single Sign-On (SSO) with Azure AD as IDP

• After successful license activation, the plugin dashboard will open as shown below.

• In the plugin dashboard, click on the Service Provider Metadata button from the top menu. This will open the Service Provider Metadata page.
• Select the required NameID Format from the dropdown (for example, Email Address or Unspecified) based on your Identity Provider configuration, and click on the Save button to update the settings.
• The NameID Format defines which user identifier (such as email or username) will be sent during the SAML login process.

• Scroll down to the Share SAML Metadata section.

You can obtain the SAML SP metadata using either of the two methods described below to configure it on your Identity Provider end.

A] Using SAML metadata URL or metadata file

• On this page, you can find the Metadata URL as well as the option to download the SAML metadata XML file.
• Copy the Metadata URL or download the metadata file to configure the same on your Identity Provider end.
• You may refer to the screenshot below:

B] Uploading Metadata Manually

• On this page, you can manually copy the service provider metadata such as SP Entity ID, ACS URL, SP Logout Url and share it with your Identity Provider for configuration.
• You may refer to the screenshot below:

Steps to Configure Azure AD IdP

• Log in to Azure AD Portal.

• Select Azure Active Directory.

• Select Enterprise Application.

• Click on New Application.

• Click on Create your own Application.

• Enter the name for your app, then select Non-gallery application section and click on Create button.

• Click on Setup Single sign-on.

• Select the SAML tab.

• After clicking on Edit, enter the SP Entity ID for Identifier and the ACS URL for Reply URL from Service Provider Metadata tab of the plugin, which you will get from Step 2B.

• By default, the following Attributes will be sent in the SAML response. You can view or edit the claims sent in the SAML response to the application under the Attributes tab.

• Copy the App Federation Metadata Url to get the Endpoints required for configuring your Service Provider.

• Assign users and groups to your SAML application
  • Navigate to Users and groups tab and click on Add user/group.
  
  
  
  • Click on Users to assign the required user and then click on select.
  
  
  
  • You can also assign a role to your application under Select Role section.

You have successfully configured Microsoft Entra ID (formerly Azure AD) as SAML IDP (Identity Provider) for achieving DNN Single Sign-On (SSO).

• Click on the Add new IDP button to configure a new Identity Provider.

• Under the Plugin Settings tab, select Azure AD as your identity provider from the list shown.

• After selecting your IdP from the list, the Identity Provider Settings page will open. Here, you can either click on the Upload IdP Metadata button to configure the Identity Provider automatically using metadata, or manually enter the required Identity Provider details under the Identity Provider Settings.

There are two ways detailed below with which you can configure your SAML Identity Provider metadata in the plugin.

A] Upload metadata using the Upload IDP Metadata button:

• Click Choose File to upload the metadata XML file using the Upload XML File option, then click Upload. Alternatively, provide the metadata URL in the Enter metadata URL section and click Fetch Metadata to retrieve the Identity Provider configuration automatically.
• You may refer to the screenshot below:

B] Configure the identity provider metadata manually:

• Alternatively, under the Identity Provider Settings tab, you can manually fill in the mandatory fields like IDP Name, IDP Entity ID and Single Sign-On URL and click Save Settings.

• After uploading the metadata details, navigate back to the Dashboard. Hover over the Select Actions dropdown next to the configured Identity Provider and click Test Configuration.

• On successful configuration, you will get attributes name and attribute values in the test configuration window.

Attribute Mapping

• After testing the configuration, Map your application attributes with the Identity Provider (IdP) attributes.

• From the Select Actions dropdown, choose Edit Configuration to open the Attribute Mapping settings.
• Map the required IdP attributes (such as Username, Email, Firstname, and Lastname) received in the SAML Response to their corresponding fields.

• Once the attributes are mapped, click Save to apply changes.

Default Role Mapping

• Navigate to the Default Role Mapping section and select the role you want to assign to users after successful SSO login from the Default Role dropdown.
• Choose the appropriate role (for example, Registered Users, Subscribers, or Administrators) and click on the Save button to apply the changes.

Advance IDP Settings

If you want to configure additional advanced settings, scroll up and click on the Advance IdP Settings button from the top menu.

Custom Attribute Mapping

• If you want to pass additional attributes from your IdP, enter the Attribute Name and corresponding Attribute Value under Custom Attribute Mapping.
• From the Attribute Value dropdown, select one of the attributes received in the Test Configuration results, for example: NameID.
• These attributes correspond to the values sent by your Identity Provider (IdP).

• In the Attribute Name field, enter the name of the DNN user attribute, it will get mapped to IDP attributes value during the SSO login.
• You can add multiple mappings if your application requires multiple attributes by clicking on the + button.
• After defining all the required mappings, click on Save Attribute Mapping to store the configuration.

• The plugin will translate the incoming SAML attributes from your Identity Provider (IdP) into the custom attribute names configured here for your DNN site.

Advance Role Mapping

• In the Advance Role Mapping section , enter the Group Attribute Name exactly as configured in your Identity Provider to fetch the user group information.
• Enter the Role Name received from the Identity Provider and map it to the appropriate Role Vaue field. In the Role Value field, enter the roles defined in your DNN site.
• For example: Map the IdP group Group1 or Group10 received under the UserGroups attribute to the corresponding role configured in your DNN site.
• After adding the required mappings, click on Save Role Mapping to save the configuration successfully.

Domain Restriction

• This feature can be used to restrict user access to the site based on the domain of their mapped “Email“ Attribute.
• In the Email Attribute field, enter the attribute name that contains the user's email address as received from your Identity Provider (IdP).

• In the Domain Name field, enter the domain(s) you want to allow or restrict, separated by commas if adding multiple domains.
• Enable the Restrict toggle based on your requirement to configure blacklist or whitelist access.
• After completing the configuration, click on Save to save the settings successfully.

Redirections After SSO and SLO

• In the Login Redirection section, enter the endpoint URL where users should be redirected after a successful SSO login.
• In the Logout Redirection section, specify the endpoint URL where users should be redirected after a successful logout (SLO), and click Save to update the configuration.

Modify SAML Request

• In the Modify SAML Request section, enter the required Parameter Name and Parameter Value, click the + button to add the parameter, and then click Save to apply the changes.

Additional Settings

• Enable Auto Register User to automatically create a new user account in DNN if the user does not already exist during SSO login.
• Enable Override Email Attribute to update the user’s email address in DNN with the email attribute received from the Identity Provider (IdP).
• Enable Find User By Email to allow the plugin to identify and match existing users in DNN using their email address.
• Enable Multiportal SSO if you want to allow Single Sign-On across multiple DNN portals using the same Identity Provider (IdP), then click Save to update the settings.

• Hover over the Select Actions dropdown next to the configured Identity Provider and click Copy SSO Link.
• Use this SSO link to initiate Single Sign-On (SSO) for users logging into your DNN portal.

• User gets logged in to the DNN site by entering the credentials of Azure AD.