The following steps describe how to configure SAML SSO in Microsoft Entra ID. For more information, refer to Microsoft Entra seamless single sign-on.
Download the SSO settings for your iManage environment
Before you begin, download your iManage environment settings in XML format. These settings are used to configure Microsoft Entra ID using information about your iManage environment.
In iManage Control Center, browse to Network & Security > Single Sign-On (SSO).
Select Download XML in the SAML Service Provider Settings section. Save the file for use in Configure SSO in Microsoft Entra ID.
Configure SSO in Microsoft Entra ID
Complete the following steps in Microsoft Entra ID to configure SAML single sign-on for iManage users:
After signing into Azure, browse to Microsoft Entra ID.
In Enterprise Applications, select New Application.
NOTE: If switching from OpenID Connect (OIDC) SSO to SAML SSO in iManage Control Center, we recommend that you create a new application in Microsoft Entra ID. Creating a new application allows you to preserve your existing SSO application and roll back to it if necessary.
Select Create your own application. The Create your own application panel appears on the right side of the screen.
In What's the name of your app?, enter a name—for example, iManage.
Select Integrate any other application you don't find in the gallery (Non-gallery).
Select Create at the bottom of the panel.
In the left navigation panel, select Single sign-on.
Select SAML.
Select Upload metadata file.
Figure: Upload metadata file
Select the XML file you downloaded from iManage Control Center in Download the SSO settings for your iManage environment.
Select Open, and then select Add.
The Basic SAML Configuration panel appears.
The metadata file you uploaded automatically populates the information from iManage in the panel.
In the Basic SAML Configuration panel, select Save.
In the User Attributes and Claims section, select Edit.
To edit the values in Unique User identifier (Name ID), select ... . The Manage claim page appears.
In Source attribute, ensure the value matches the email value in iManage. The most common options are:
userprincipalname: The user principal name of the user.
mail: The email address of the user.
For a description of all options available, see the following Microsoft documentation: Claims mapping policy type.
Select Save.
Configure Microsoft Entra ID to sign both the SAML assertion and the response:
In SAML Signing Certificate, select Edit. The SAML Signing Certificate panel appears.
In Signing Option, select Sign SAML response and assertion.
By default, this is set to sign the assertion only, and not the response. Failure to set this properly will cause a SAML Login "invalid response" error for users trying to sign in.
Select Save.
Assign Users
In the left navigation panel, select Users and groups.
Select +Add user/group.
To open the Users panel, under Users, select None Selected. Search for and add each user or group that needs to authenticate with iManage, then select Select.
When you have completed adding all the users, select Assign.
Download and import settings to iManage Control Center
In the left navigation panel, select Single Sign-on.
Download the Federation Metadata XML file. In the SAML Signing Certificate section, locate Federation Metadata XML, and select Download.
Figure: Download Federation Metadata XML
Import the Federation Metadata XML file into iManage Control Center by returning to iManage Control Center and completing the steps in Enable SAML SSO.
Troubleshooting SAML SSO with Microsoft Entra ID
If users receive the following error when attempting to sign in:
Confirm that the Name ID claim Source Attribute is configured properly in Microsoft Entra ID, as described in Step 13 of Configure SSO in Microsoft Entra ID.
Figure: Unique User Identifier (Name ID) value
The Name ID value must match the Email address in iManage for Microsoft Entra ID to properly match the users in Microsoft Entra ID with the users in iManage.
Confirm that Microsoft Entra ID is configured to sign both the SAML response and assertion as described in Step 15 of Configure SSO in Microsoft Entra ID.
If further assistance is needed, contact iManage Cloud Support.