Configuring SAML using Azure Active Directory as SSO



Overview

This article explains how to configure FogBugz SAML to use Azure Active Directory (Azure AD) as the Single Sign-On (SSO) identity provider.

The process can be broken down into four basic steps:

 


Solution

 

Create an Enterprise Application in Azure AD

 

  1. Log in to your Microsoft Azure portal.

  2. Search for and click on “Enterprise Applications”.

  3. Click on New Application


  4. Click on Create Your Own Application


  5. Enter a name for your app, select Integrate any other application you don't find in the gallery, and then click Create.

  6. Wait a few seconds and your application will be created.



Configure the SSO for your Enterprise Application

 

  1. With your newly created Enterprise Application open, click "Single sign-on" in the left menu bar and select SAML.

  2. Edit the Basic SAML Configuration
    • Configure the Identifier (Entity ID):
      • FogBugz On-Premises: https://{site name}.{host}/saml-sp (https if using SSL)
      • FogBugz On-Demand: https://{your-fogbugz-domain}.fogbugz.com/saml-sp
    • Configure the Reply URL (Assertion Consumer Service URL):
      • FogBugz On-Premises: https://{site name}.{host}/auth/SAML2/POST (https if using SSL).
      • FogBugz On-Demand: https://{your-fogbugz-domain}.fogbugz.com/auth/SAML2/POST


  3. Configure the User Attributes & Claims. These are the user attributes that FogBugz expects.
    • FogBugzEmail – which maps to user.mail
    • FogBugzFullName – which maps to user.onpremisesuserprincipalname
    • Unique User Identifier – which maps to user.mail



  4. A SAML Signing Certificate is provided by default.
    • If you want to change it, click on Edit, where you can create a New Certificate with a different Expiration Date or you can Import your own Certificate.
      Note: Make sure the “Notification Email” field is correct. It should be pre-populated with the email address associated with your Azure account.
    • Download the (Base64) version of your certificate and view it with a text editor. This will be the Public x509 Signing Certificate in your FogBugz site configuration.

  5. Copy the “Login URL”. This URL will be the Identity Provider URL in your FogBugz site configuration.



Update your FogBugz Site Configuration

 

  1. Enable SAML SSO for your FogBugz site.
  2. As the Identity Provider URL, use the Login URL of your Azure AD Application.
  3. For the Public x509 Signing Certificate, use the (Base64) certificate that you downloaded from your Azure AD Application's Single Sign-On configuration page.



Add Users to your Azure AD Application

 

If not already added, add users to your Azure AD Application by clicking Users and Groups and then Add user/group.

Note: Make sure that each user's Name and Email address are the same in Azure AD and in FogBugz.

Azure AD provides the first name and last name attributes capitalized, even if you created the user with lower-case names. You will need to adjust your user names in FogBugz accordingly: first name and last name must start with capital letters.


Testing

To test your configuration, log out of your FogBugz instance and log in using Single Sign-On. If your configuration was successful, you should be able to log in with your Azure AD credentials.
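
If the test login fails, the SAML response that Azure AD posts to the Reply URL can be compared with the values configured above. The following Python check is an added example, not part of FogBugz or Azure AD; the function name, the example.fogbugz.com site and the user are hypothetical, and it assumes each claim is emitted with exactly the name entered in step 3 (no namespace prefix). It inspects fields only and does not validate the signature against the signing certificate.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_CLAIMS = ("FogBugzEmail", "FogBugzFullName")  # claim names from step 3


def check_saml_response(b64_response, entity_id, reply_url):
    """Return mismatches between a captured SAMLResponse and the SSO settings."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != reply_url:
        problems.append("Destination is not the Reply URL")
    audiences = [e.text for e in root.iterfind(".//a:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not contain the Identifier (Entity ID)")
    claims = {}
    for attr in root.iterfind(".//a:Attribute", NS):
        claims[attr.get("Name")] = (attr.findtext("a:AttributeValue", "", NS) or "").strip()
    for name in EXPECTED_CLAIMS:
        if not claims.get(name):
            problems.append(f"claim {name} is missing or empty")
    name_id = (root.findtext(".//a:Subject/a:NameID", "", NS) or "").strip()
    if name_id != claims.get("FogBugzEmail", ""):
        problems.append("NameID differs from FogBugzEmail (both map to user.mail)")
    return problems


# Constructed sample (unsigned, hypothetical site and user); FogBugzFullName is omitted on purpose.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://example.fogbugz.com/auth/SAML2/POST">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://example.fogbugz.com/saml-sp</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FogBugzEmail">
        <saml:AttributeValue>jane@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE = base64.b64encode(SAMPLE_XML.encode())

if __name__ == "__main__":
    for p in check_saml_response(SAMPLE, "https://example.fogbugz.com/saml-sp",
                                 "https://example.fogbugz.com/auth/SAML2/POST"):
        print("MISMATCH:", p)
```

An empty list means the Destination, Audience, claims and NameID all line up with the Basic SAML Configuration and the User Attributes & Claims entered in Azure AD.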

 
