# Active Directory

## **Configuration of the application in the Azure portal**

* Go to the Microsoft Azure portal: <https://portal.azure.com/>
* Open Microsoft Entra ID (the service formerly named Azure Active Directory; the rest of this page calls it Active Directory)
* In the left navigation, click on Enterprise applications
* Click on the **New application** button
* Then click on **Create your own application**
* Enter the name of the application; you can simply put "Dastra"
* Select the option "**Integrate any other application you don't find in the gallery (Non-gallery)**" and click on Create
* Your application is created!
* In the application's menu, click on Single sign-on and select SAML
* **You will arrive at this page:**

<figure><img src="https://2697025545-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LvBxs22wUMicv9uWp6C-1972196547%2Fuploads%2FcCYRWEqvoBLd7DIee7eN%2Fad1.png?alt=media&#x26;token=c6305495-bc05-4fc0-a972-cffe6f4707fb" alt=""><figcaption></figcaption></figure>

## **SSO Client Configuration in Dastra**

### **Step 1: Create a SAML SSO login in Dastra**

* Go to the [Dastra SSO configuration page](https://app.dastra.eu/general-settings/sso)
* Click on "**Add an SSO login**"
* Select SAML as the "**SSO Protocol**" type
* Enter a connection label. For example, "Active Directory"

### Step 2: Configure the SSO login in Active Directory

* Return to the SAML-based sign-on page of the Dastra application in Active Directory
* Click on the **"Edit"** button of section 1, **Basic SAML Configuration**.
* Enter the connection information displayed by Dastra's SAML form, the Identifier (Entity ID) and the Reply URL (Assertion Consumer Service URL), in the following way:

<figure><img src="https://2697025545-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LvBxs22wUMicv9uWp6C-1972196547%2Fuploads%2F8NpFQUm2qwcEqtN5Sy1g%2Fad2.png?alt=media&#x26;token=c2066a2d-57f8-484c-918b-d4c75cd3f29d" alt=""><figcaption></figcaption></figure>

* Click on Save
* Go directly to section 3, **SAML Certificates**, and download the certificate in Base64 format (**Certificate (Base64)**). This file holds only the identity provider's public signing certificate, never a private key, so it is safe to paste into Dastra. Note the expiry date shown in the same section: when Active Directory rotates this certificate, the new one must be pasted into Dastra before the old one expires, otherwise sign-ins start failing.

<div align="center"><figure><img src="https://2697025545-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LvBxs22wUMicv9uWp6C-1972196547%2Fuploads%2FI0uNiNATYFk48pdbwkZT%2Fad3.png?alt=media&#x26;token=174c2af8-03b4-450b-86b2-27a7c84ee820" alt=""><figcaption></figcaption></figure></div>

Open the downloaded CER file with your preferred plain-text editor (for example, Notepad) and copy its entire content (CTRL + C).

<figure><img src="https://2697025545-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LvBxs22wUMicv9uWp6C-1972196547%2Fuploads%2FvMh4x37Efm49eNOGscPp%2Fad4.png?alt=media&#x26;token=4a34e7db-dd7c-431c-bd39-a015a4c87809" alt=""><figcaption></figcaption></figure>

### **Step 3: Add the Certificate to the Dastra Client**

* Return to the SAML connection creation screen in Dastra
* Paste the text of the certificate into the "Identity Provider Certificate (RAW)" field (CTRL + V)

### **Step 4: Configure the IdP URLs in Dastra**

* Copy the three values from section 4, **Set up Dastra**, of the SAML page in Active Directory: Login URL, Azure AD Identifier (labelled Microsoft Entra Identifier in newer versions of the portal), and Logout URL

<figure><img src="https://2697025545-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LvBxs22wUMicv9uWp6C-1972196547%2Fuploads%2FTOULSprl3dhvynsRFqO7%2Fad5.png?alt=media&#x26;token=197a593b-e780-4926-945a-71fb642e5d76" alt=""><figcaption></figcaption></figure>

* Enter them in Dastra following this mapping:
* Login URL => Single sign-on url
* Azure AD Identifier => Identity provider's Entity Id
* Logout URL => Identity provider Signout url
* Your SSO configuration form in Dastra should look like this:

<figure><img src="https://2697025545-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LvBxs22wUMicv9uWp6C-1972196547%2Fuploads%2FSUSPv2rjmf4WtTdom91e%2Fad6.png?alt=media&#x26;token=f06dc0e2-5615-4b06-a083-9a69d415f8e0" alt=""><figcaption></figcaption></figure>

* Save your changes in Dastra.
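The three values and the certificate all come from the same source: the application's federation metadata (section 4 of the SAML page also lists an "App Federation Metadata Url"). The following Python script is an added example, not code from Dastra or Microsoft. It pulls the Entity ID, sign-on URL, sign-out URL and signing certificate out of such a document, normalizes the text copied from the .cer file, and checks that what you are about to paste into Dastra is the certificate the identity provider actually advertises. The metadata document, the tenant id and the certificate bytes are constructed placeholders (a real document contains a DER-encoded X.509 certificate and an XML signature).

```python
# Added example (not Dastra's or Microsoft's code): cross-check the values you
# type into Dastra's SAML form against the IdP federation metadata, and
# sanity-check the certificate text before pasting it.
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id

# Constructed sample in the shape of an Entra "App Federation Metadata" document.
# A real one carries a DER X.509 certificate here; "YWJj" (base64 of b"abc")
# stands in for it so the example runs offline.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>
        YWJj
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed sample of the downloaded "Certificate (Base64)" file as Notepad
# shows it (Windows line endings), with the same placeholder body.
SAMPLE_CER_FILE = "-----BEGIN CERTIFICATE-----\r\nYWJj\r\n-----END CERTIFICATE-----\r\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the three values Dastra asks for plus the DER signing certificates."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    def endpoint(tag: str, binding: str):
        for el in idp.findall(f"{{{MD}}}{tag}"):
            if el.get("Binding") == binding:
                return el.get("Location")
        return None

    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without "use" applies to both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iter(f"{{{DS}}}X509Certificate"):
            b64 = "".join((c.text or "").split())  # drop line breaks/indentation
            certs.append(base64.b64decode(b64, validate=True))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {
        "entity_id": root.get("entityID"),  # -> Identity provider's Entity Id
        "sso_url": endpoint("SingleSignOnService", HTTP_REDIRECT)
        or endpoint("SingleSignOnService", HTTP_POST),  # -> Single sign-on url
        "slo_url": endpoint("SingleLogoutService", HTTP_REDIRECT),  # -> Signout url
        "signing_certs": certs,
    }


def normalize_pasted_cert(text: str) -> bytes:
    """Turn the text copied from the .cer file into DER bytes; refuse key material."""
    if "PRIVATE KEY" in text:
        raise ValueError("this is a private key, not the IdP certificate; never paste it")
    lines = [ln.strip() for ln in text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint in the format the SAML Certificates section displays."""
    return hashlib.sha1(der).hexdigest().upper()


def pasted_cert_matches_metadata(pasted: str, metadata_xml: str) -> bool:
    """True if the certificate pasted into Dastra is one the IdP currently advertises."""
    der = normalize_pasted_cert(pasted)
    return any(c == der for c in parse_idp_metadata(metadata_xml)["signing_certs"])


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print("Identity provider's Entity Id :", idp["entity_id"])
    print("Single sign-on url            :", idp["sso_url"])
    print("Identity provider Signout url :", idp["slo_url"])
    for der in idp["signing_certs"]:
        print("Signing cert thumbprint       :", thumbprint(der))
    print("Pasted .cer matches metadata  :",
          pasted_cert_matches_metadata(SAMPLE_CER_FILE, SAMPLE_METADATA))
```

Compare the thumbprint the script prints with the Thumbprint shown in section 3 (SAML Certificates) of the portal; a mismatch means an old or wrong certificate was pasted. Rerun the check whenever the signing certificate is rotated: Dastra keeps validating assertions against the certificate you pasted until you replace it.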

{% hint style="info" %}
Before testing the connection, make sure that the account you will test with is assigned to the new application (Users and groups in the application's menu). Unless you have turned off the "Assignment required" setting on the application's Properties page, Active Directory refuses to sign in a user who is not assigned.
{% endhint %}

### Test your SSO Connection

Then click on the **Test** button in section 5 (**Test single sign-on**) at the bottom of the SAML page in Active Directory and sign in with the assigned account. If everything works correctly, you are redirected to the Dastra application.

{% hint style="info" %}
If you have not activated automatic account provisioning, Dastra denies access to a user whose local account was not created beforehand via an invitation, even though Active Directory authenticated them successfully.
{% endhint %}

### For further information

{% content-ref url="known-problems" %}
[known-problems](https://doc.dastra.eu/en/features/settings/single-sign-on-sso/known-problems)
{% endcontent-ref %}

{% content-ref url="saml-2" %}
[saml-2](https://doc.dastra.eu/en/features/settings/single-sign-on-sso/saml-2)
{% endcontent-ref %}
