- 28 Nov 2024
- 3 Minutes to read
- Print
- DarkLight
- PDF
Microsoft Entra ID
- Updated on 28 Nov 2024
- 3 Minutes to read
- Print
- DarkLight
- PDF
Step by step guide to configure Microsoft Entra ID (formerly known as Azure AD) as a SAML Identity Provider within Visma
Follow the steps below to configure Entra as a SAML Identity Provider within Visma. Keep Authentication Settings open in your browser while you access Entra in a new window or tab. You will need to return to the Single Sign-On page to complete the configuration steps.
Prerequisites
Microsoft account with Entra Premium activated
Global Admin or Co-admin account in Entra
All of your users under your account in Visma will need a pre-existing account in Azure Active Directory with exactly the same email address.
Configure Visma Single Sign-On app in Entra
On the "Single Sign-On" page go to 1. Upload the Visma file into Azure AD section. Click on Download to download the Visma SAML metadata file. This is the Visma Single Sign-On metadata information you will need to provide to your Entra in order to configure Visma as a service provider.
Log into your Microsoft Entra administrative portal.
Click on the hamburger menu icon in the upper left-hand side of the page. Click All services.
Use the Filter field to search for and select Azure Active Directory.
From the Azure Active Directory, click Enterprise applications.
Click + New application at the top of the screen.
On the Browse Entra Gallery page, type Visma in the Name field.
Select the Visma app and click Create at the very bottom of the page.
On the application Overview page, below Getting Started, click Assign users and groups.
Click + Add users and select the users and groups that should have access to log in with Entra to Visma. Once the users and groups are selected, click Assign at the bottom of the page.
On the left navigation click Single sign-on. Select SAML on the "Select a single sign-on method" page.
On the Basic SAML Configuration heading select Upload metadata file. Upload the XML file that you have downloaded from Authentication Settings Entra setup page, at step 1.
After you have successfully uploaded the XML file, all the fields within Basic SAML Configuration section will be populated. Click Save and close the "Basic SAML Configuration" editor.
Go to the User Attributes & Claims heading and select the Edit icon. Ensure that the values are exactly as below.
When a user authenticates to the application, Entra issues the application a SAML token with information (claims) about the user that uniquely identifies them. By default, this information includes the user's username, email address, first name and last name.Once all five claims have been added, click the X icon at the top right-hand side to close the view.
Configure Visma Single Sign-On to use Entra
In the SAML Signing Certificate section, ensure that the certificate status is Active (it is valid for 3 years after it was added), if not, add a new certificate clicking on the edit (pencil) button. Enter a notification email for the certificate expiry reminders and click Save.
Click the App Federation Metadata Url copy button.
Your Metadata XML link address should look like: https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxxxxxxxxxxxxxxxxxxxxxPaste this Metadata XML link address into the Single Sign-On page within Authentication Settings. It contains all your Entra endpoints and public certificate that Visma needs in order to complete the setup.
Click Save.
After you've successfully saved your Entra integration, you will see your setup details on the Single Sign-On page, below MyDomain.
Depending on your provider, the certificate can expire. In that case, we show an error message on the Entra setup.
Go to Entra and create or upload a new and valid certificate.
Come back to Authentication Settings and click the Edit icon or the Entra link. Then click Refresh certificate button and then click Save.
Testing Single Sign-On after Visma has made its configuration
To make sure SSO is working, perform these steps:
Log out and close the Azure management portal and the Entra access panel.
In a new browser session, navigate directly to the access panel at https://myapps.microsoft.com.
Enter your Entra credentials to log in. After authentication, you will be able to interact with the applications integrated with active directory.
Click on the Visma application you have have created to be redirected and logged into Visma.
Another way to test SSO access is to go to your Visma MyDomain, e.g. https://example.my.connect.visma.com directly, and then click the Entra button.
Once you have verified that both ways are working, you may want to tell Visma to disable the Visma credentials so your users can only sign in with their Entra credentials.
Enable multifactor authentication in Entra ID
Some Visma applications might require your Entra ID users to authenticate with multifactor authentication (two-step authentication). Check Entra ID documentation for how to:
Enable for single users: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates
Enable for multiple users: https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa