Microsoft Entra ID
The following steps describe how to configure SAML SSO in Microsoft Entra ID. For more information, refer to Microsoft Entra seamless single sign-on.
Download the SSO settings for your iManage environment
Before you begin, download your iManage environment settings in XML format. These settings are used to configure Microsoft Entra ID using information about your iManage environment.
- In iManage Control Center, browse to Network & Security > Single Sign-On (SSO).
- Select Download XML in the Service Provider Settings section. Save the file for use in Configure SSO in Microsoft Entra ID.
Figure: Download XML option in iManage Control Center
Configure SSO in Microsoft Entra ID
Complete the following steps in Microsoft Entra ID to configure single sign-on for iManage users:
- After signing into Azure, browse to Microsoft Entra ID.
In Enterprise Applications, select New Application.
NOTE:
When migrating from the Identity Provider (Legacy) SAML SSO to the Service Provider (Recommended) SAML SSO configuration in iManage Control Center, we recommend that you create a new application in Microsoft Entra ID. Creating a new application in allows you to preserve your existing SSO application and roll back to it if necessary.
- Select Create your own application. The Create your own application panel appears on the right side of the screen.
- In What's the name of your app?, enter a name—for example, iManage.
- Select Integrate any other application you don't find in the gallery (Non-gallery).
- Select Create at the bottom of the panel.
- In the left navigation panel, select Single sign-on.
- Select SAML.
- Select Upload metadata file.
Figure: Upload metadata file- Select the XML file you downloaded from iManage Control Center in Download the SSO settings for your iManage environment.
- Select Open, and then select Add.
The Basic SAML Configuration panel appears.
The metadata file you uploaded automatically populates the information from iManage in the panel.
- In the Basic SAML Configuration panel, select Save.
- In the User Attributes and Claims section, select Edit.
- To edit the values in Unique User identifier (Name ID), select ... . The Manage claim page appears.
- In Source attribute, ensure the value matches the user ID value in iManage.
The most common option is:user.onpremisessamaccountname.
This should be used if you have your user IDs in iManage configured as the first initial of first name and full last name. For example, "Barbara Cummings" would be "bcummings".
For a description of all options available, visit https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-claims-mapping-policy-type#table-3-valid-id-values-per-source. - Select Save.
- Configure Microsoft Entra ID to sign both the certificate assertion and response:
- In SAML Signing Certificate, select Edit. The SAML Signing Certificate panel appears.
- In Signing Option, select Sign SAML response and assertion.
By default, this is set to sign the assertion only, and not the response. Failure to set this properly will cause a SAML Login error "invalid response" error for users attempting to sign in. - Select Save.
- In SAML Signing Certificate, select Edit. The SAML Signing Certificate panel appears.
Assign Users
- In the left navigation panel, select Users and groups.
- Select +Add user/group.
- To open the Users panel, under Users, select None Selected. Search for, and add each user or group that needs to authenticate with iManage, then select Select.
- When you have completed adding all the users, select Assign.
Download and import settings to iManage Control Center
- In the left navigation panel, select Single Sign-on.
- Download the Federation Metadata XML file. In the SAML Signing Certificate section, locate Federation Metadata XML, and select Download.
Figure: Download Federation Metadata XML - Import the Federation Metadata XML file into iManage Control Center by returning to iManage Control Center and completing the steps in Enable SAML SSO.
Troubleshooting SAML SSO with Microsoft Entra ID
If users receive a "SAML Login Error: invalid_response" error message, perform the following steps to troubleshoot the issue:
- Confirm that the Name ID claim Source Attribute is configured properly in Microsoft Entra ID, as described in Step 13 of Configure SSO in Microsoft Entra ID.
Figure: Unique User Identifier (Name ID) value
The Name ID value must match the User ID format in iManage for Microsoft Entra ID to properly match the users in Microsoft Entra ID with the users in iManage. - Confirm that Microsoft Entra ID is configured to sign both the SAML response and assertion as described in Step 15 of Configure SSO in Microsoft Entra ID.