Azure AD

The following steps describe how to configure SAML SSO in Azure Active Directory (AD). For more information, see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso

Download the SSO settings for your iManage environment

Before you begin, download the settings in XML format for your iManage environment. These settings are used to configure Azure for your iManage environment.

In iManage Control Center, navigate to Network & Security > Authentication & SSO, then select Download XML.

Figure: Download XML option in iManage Control Center


Configure SSO in Azure

Complete the following steps in Microsoft Azure to configure single sign-on for iManage users:

  1. After signing into Azure, navigate to Azure Active Directory.

  2. In Enterprise Applications, select New Application.

    NOTE:

    When migrating from the Identity Provider (Legacy) SAML SSO to the Service Provider (Recommended) SAML SSO configuration in iManage Control Center, we recommend that you do not modify an existing application in Microsoft Azure. Creating a new application in Azure enables you to preserve your existing SSO application and roll back to it if the need arises.

  3. Select Create your own application. The Create your own application panel appears on the right side of the screen.

  4. In What's the name of your app?, enter a name—for example, iManage.

  5. Select Integrate any other application you don't find in the gallery (Non-gallery).

  6. Select Create at the bottom of the panel.

  7. In the left navigation panel, select Single sign-on.

  8. Select SAML.

  9. Select Upload metadata file.
    Figure: Upload metadata file


    1. Select the XML file you downloaded from iManage Control Center.

    2. Select Open, and then select Add.
      The Basic SAML Configuration panel appears.
      The metadata file you uploaded automatically populates the information from iManage in the panel.

  10. In the Basic SAML Configuration panel, select Save.

  11. In the User Attributes and Claims section, select Edit.

  12. To edit the values, in Unique User identifier (Name ID), select the ellipsis (...) button. The Manage claim page appears.

  13. In Source attribute, select the Azure AD attribute whose value is identical to the user's User ID in iManage.
    The most common choice is user.onpremisessamaccountname, the sAMAccountName synchronized from on-premises Active Directory. Use it when iManage user IDs are the same as the Windows logon names, typically the first initial followed by the full last name: for example, Barbara Cummings would be bcummings. The comparison is exact, so a Name ID that carries a UPN such as bcummings@contoso.com will not match the iManage user bcummings.
    For a description of all options available, see the following Microsoft documentation: Claims mapping policy type.

  14. Select Save.

  15. Configure Azure to sign both the SAML response and the assertion it contains:

    1. In SAML Signing Certificate, select Edit. The SAML Signing Certificate panel appears.

    2. In Signing Option, select Sign SAML response and assertion.
      By default, Azure AD signs only the assertion, not the enclosing response. iManage rejects a response that is not itself signed, so leaving the default in place causes a SAML Login "invalid response" error for users attempting to sign in.

    3. Select Save.

Assign Users

  1. In the left navigation panel, select Users and groups.

  2. Select +Add user/group.

  3. To open the Users panel, under Users, select None Selected. Search for and add each user or group that needs to authenticate with iManage, then click Select.

  4. When you have finished adding users, select Assign. If the application's Properties have Assignment required? set to Yes, only the users and groups assigned here can sign in to iManage through Azure AD; anyone else is refused by Azure AD before a SAML response is ever sent to iManage.

Download and import settings to iManage Control Center

  1. In the left navigation panel, select Single Sign-on.

  2. Download the Federation Metadata XML file: in the SAML Signing Certificate section, locate Federation Metadata XML and select Download. This file carries the Azure AD entity ID, the sign-on endpoints, and the certificate iManage will use to verify Azure AD's signatures, so it must be re-imported whenever the signing certificate in Azure is rotated or replaced.
    Figure: Download Federation Metadata XML


  3. Import the Federation Metadata XML file into iManage Control Center by returning to iManage Control Center and completing the steps in Authentication & SSO.
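Before importing the file, it is worth confirming that it is the IdP metadata for the right tenant and that the certificate in it is the one the portal shows. The following script is an added example, not code from iManage or Microsoft: it reads a Federation Metadata XML file, prints the entity ID, the sign-on endpoints and the SHA-1 thumbprint of each signing certificate (the same thumbprint the Azure portal displays in the SAML Signing Certificate section), and flags a file that is not IdP metadata, belongs to a different tenant, or contains no or more than one signing certificate. The embedded sample is constructed; the tenant ID and certificate bytes are placeholders.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the Federation Metadata XML that Azure AD serves
# for an enterprise application. The tenant ID is a placeholder and the
# certificate is not a real X.509 certificate. A real file also carries an XML
# signature and WS-Federation RoleDescriptor elements, which are ignored here.
TENANT = "11111111-2222-3333-4444-555555555555"
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def summarize_idp_metadata(xml_text):
    """Extract entity ID, sign-on endpoints and signing-certificate thumbprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata "
                         "(the XML downloaded from iManage describes the SP, not the IdP)")
    thumbprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            # The Azure portal shows the SHA-1 thumbprint of the DER-encoded certificate.
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    endpoints = {sso.get("Binding"): sso.get("Location")
                 for sso in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"),
            "signing_thumbprints": thumbprints,
            "sso_endpoints": endpoints}


def check_idp_metadata(summary):
    """Return a list of problems; an empty list means the file looks importable."""
    problems = []
    m = re.fullmatch(r"https://sts\.windows\.net/([0-9a-f-]{36})/", summary["entity_id"] or "")
    if not m:
        problems.append(f"unexpected entity ID {summary['entity_id']!r}; "
                        "Azure AD uses https://sts.windows.net/<tenant-id>/")
    else:
        tenant = m.group(1)
        for binding, location in summary["sso_endpoints"].items():
            if tenant not in location:
                problems.append(f"endpoint for {binding} ({location}) is not in tenant {tenant}")
    if not (summary["sso_endpoints"].keys() & {HTTP_REDIRECT, HTTP_POST}):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    if not summary["signing_thumbprints"]:
        problems.append("no signing certificate: iManage could not verify Azure AD's signatures")
    elif len(summary["signing_thumbprints"]) > 1:
        problems.append("more than one signing certificate (rollover in progress); "
                        "confirm which one is active in the Azure portal")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    summary = summarize_idp_metadata(text)
    print(summary)
    for problem in check_idp_metadata(summary) or ["no problems found"]:
        print("-", problem)
```

Run it with the downloaded file as the only argument; with no argument it runs against the constructed sample. Compare the printed thumbprint with the Thumbprint value shown under SAML Signing Certificate in the portal before importing the file into iManage Control Center.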

Troubleshooting SAML SSO with Azure AD

If users receive the following error when attempting to sign in:

Figure: SAML Login Error


  1. Confirm that the Name ID claim Source Attribute is configured properly in Azure, as described in step 13 above.
    Figure: Unique User Identifier (Name ID) value

    The Name ID value must match the User ID format in iManage in order for Azure to properly match the users in Azure with the users in iManage.

  2. Confirm that Azure is configured to sign both the SAML response and assertion as described in step 15 above.
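Both checks can be made directly against what Azure AD actually sent, which is faster than re-reading the portal. The following script is an added example, not code from iManage or Microsoft: it decodes the SAMLResponse form field (captured from the browser's developer tools as the POST to the iManage sign-in URL, or with a SAML tracer extension), reports whether the Response and the Assertion each carry a Signature element, shows the Name ID value and format, and maps what it finds to steps 13 and 15 above. It checks only that signatures are present, not that they are valid. The embedded sample is constructed to show both failure modes at once: Azure AD left at its defaults signs the assertion only and sends the UPN as Name ID.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a response as Azure AD sends it with the default Signing
# Option (assertion only) and the default Name ID source (the UPN). Signature
# elements are placeholders; presence is checked, validity is not.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2021-08-12T15:00:00Z" Destination="https://imanage.example.com/saml/acs">
  <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-08-12T15:00:00Z">
    <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">bcummings@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-08-12T14:55:00Z" NotOnOrAfter="2021-08-12T16:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://imanage.example.com/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(form_value):
    """Decode the SAMLResponse form field (HTTP-POST binding: base64 only, not deflated)."""
    return ET.fromstring(base64.b64decode(form_value))


def inspect_response(root):
    """Pull out the fields that matter for the two checks on this page."""
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (an EncryptedAssertion is not handled here)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "status": status.get("Value") if status is not None else None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                       default="", namespaces=NS).strip(),
    }


def diagnose(info, expected_user_id):
    """Map what the response shows to the Azure settings described in steps 13 and 15."""
    problems = []
    if not (info["response_signed"] and info["assertion_signed"]):
        if info["assertion_signed"]:
            signed = "the assertion only"
        elif info["response_signed"]:
            signed = "the response only"
        else:
            signed = "nothing"
        problems.append(f"Azure AD signed {signed}: set Signing Option to "
                        "'Sign SAML response and assertion' (step 15)")
    if info["name_id"] != expected_user_id:
        hint = ""
        if info["name_id"] and "@" in info["name_id"] and "@" not in expected_user_id:
            hint = ("; the Name ID looks like a UPN or e-mail address, so the Source attribute "
                    "is probably still the default user.userprincipalname")
        problems.append(f"Name ID {info['name_id']!r} does not equal the iManage user ID "
                        f"{expected_user_id!r}{hint} (step 13)")
    return problems


if __name__ == "__main__":
    import sys
    raw = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_RESPONSE_B64
    expected = sys.argv[2] if len(sys.argv) > 2 else "bcummings"
    info = inspect_response(decode_saml_response(raw))
    for key, value in info.items():
        print(f"{key:17} {value}")
    for problem in diagnose(info, expected) or ["no problems found"]:
        print("-", problem)
```

Pass the captured SAMLResponse value as the first argument and the user's iManage User ID as the second; with no arguments it runs against the constructed sample and reports both problems. Once the Signing Option and the Name ID source attribute are corrected in Azure, a fresh capture should report no problems.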