Setting up single sign-on with Azure Active Directory.

How to require your users to authenticate to Employee Community with their single sign-on credentials through Azure Active Directory.

Written by Kat Hills
Updated over a week ago

If your team uses single sign-on with Azure Active Directory, you can require that your members use their SSO credentials to create and sign in to their Employee Community accounts, without any extra credentials needed.

Please note this is only for configuring the Azure Active Directory single sign-on to your Employee Community org, not syncing users.

Let's get started...

To configure single sign-on using Azure Active Directory:

1. Begin by going to the Enterprise Applications Tab in Azure Active Directory.

2. Click on + New application in the top toolbar.

3. Click on + Create your own application in the top toolbar.

4. Name your application “Honey” and select Integrate any other application you don’t find in the gallery (Non-gallery) then click Create.

5. Click the Set up single sign-on prompt once the application is available to edit.

6. Select the “create a SAML application” option from the menu.

7. Once you’ve chosen SAML as your single sign-on type, begin by editing the Basic SAML Configuration.

8. Copy the Entity ID from the single sign-on section of the Honey admin page and paste it into the field in Azure Active Directory, then hit Save.

9. Copy the Assertion Consumer URL from the single sign-on section of the Honey admin page and paste it into the field in Azure Active Directory, then hit Save.

10. Download Certificate (Base64) from the SAML Signing Certificate section in Azure Active Directory. Then open this file in Notepad or TextEdit to copy the contents.

11. Then paste the contents into the Identity Provider Certificate field in the single sign-on section of the Employee Community admin page.

12. Next, copy the Login URL, Azure AD Identifier, and Logout URL from the Set up Honey section in Azure Active Directory.

13. Then paste those URLs into Remote Login URL, Issuer URL, and Remote Logout URL (respectively) in the single sign-on section of the Employee Community admin page.

14. Take note of the Attributes in the single sign-on section of Employee Community admin. Each of these can be set up in the User Attributes & Claims section in Azure Active Directory.

15. The Unique User Identifier (Name ID) attribute in User Attributes & Claims is mapped to user.userprincipalname by default.

If for some reason the user.userprincipalname field is mapped to something other than a user’s email address in your Active Directory profiles, then set Unique User Identifier (Name ID) to user.mail instead.

16. Delete all the Additional claims and then add new ones using each of the Attribute names from the single sign-on section of Employee Community admin.

Please note, it is best not to add a claim for Location unless there is a consistent field for this within your Active Directory profiles. In this example, the user.state field has been assigned for Location.

17. After the claims have been updated and saved in Azure Active Directory, set the Enable Single Sign-On toggle in the single sign-on section of Employee Community admin to ON and then click Save Settings.

18. Finally, go to the Domains section of Employee Community admin. Then add and verify the domain that will be associated with Active Directory and SSO.

When the domain has been added, click on the lock icon and click Require SAML as the Domain Security setting and save changes.

Once this setting is toggled, anyone using an email with this domain name will be routed through Azure Active Directory for authentication when signing in to Employee Community.

19. From here, your users should now be able to successfully use their Azure Active Directory credentials to log in to Employee Community.
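A pre-flight check for the values copied in steps 10 to 13, as an added example that is not part of the original article or of either product: it confirms the certificate text survived the copy from Notepad or TextEdit intact and maps the three Azure values onto the Employee Community fields. The function names `cert_thumbprint` and `preflight` are hypothetical, the https requirement is an assumption, and the sample values are constructed. It checks only the PEM envelope and Base64 body, not the certificate's validity period.

```python
import base64, hashlib, re
from urllib.parse import urlsplit

# Azure AD value (step 12) -> Employee Community admin field (step 13)
FIELD_MAP = {"Login URL": "Remote Login URL",
             "Azure AD Identifier": "Issuer URL",
             "Logout URL": "Remote Logout URL"}
PEM_RE = re.compile(r"\A-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)"
                    r"\s*-----END CERTIFICATE-----\Z")

def cert_thumbprint(pem_text):
    """Return the SHA-1 thumbprint of the pasted certificate, or raise ValueError."""
    # Text editors can add a byte-order mark or CRLF line endings; normalise both.
    text = pem_text.lstrip("\ufeff").replace("\r\n", "\n").strip()
    match = PEM_RE.match(text)
    if not match:
        raise ValueError("BEGIN/END CERTIFICATE lines missing or damaged")
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError(f"body is not valid Base64: {exc}") from exc
    if not der.startswith(b"\x30"):  # DER certificates open with a SEQUENCE tag
        raise ValueError("decoded data is not a DER structure")
    return hashlib.sha1(der).hexdigest().upper()

def preflight(azure_values, pem_text):
    """Map Azure values onto Employee Community fields and list any problems."""
    settings, problems = {}, []
    for azure_name, ec_field in FIELD_MAP.items():
        value = azure_values.get(azure_name, "").strip()
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.netloc:  # assumption: all three use https
            problems.append(f"{azure_name}: expected an https URL, got {value!r}")
        settings[ec_field] = value
    try:
        settings["Identity Provider Certificate thumbprint"] = cert_thumbprint(pem_text)
    except ValueError as exc:
        problems.append(f"Identity Provider Certificate: {exc}")
    return settings, problems

if __name__ == "__main__":
    # Constructed sample input: placeholder DER bytes and example.test URLs, not real values.
    sample_pem = ("-----BEGIN CERTIFICATE-----\r\n"
                  + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
                  + "\r\n-----END CERTIFICATE-----\r\n")
    sample = {"Login URL": "https://login.example.test/saml2",
              "Azure AD Identifier": "https://sts.example.test/tenant-placeholder/",
              "Logout URL": "http://login.example.test/saml2"}  # http: flagged
    settings, problems = preflight(sample, sample_pem)
    print(settings, problems, sep="\n")
```

The thumbprint it returns can be compared with the thumbprint Azure Active Directory shows for the SAML signing certificate, which confirms the pasted certificate is the one that was downloaded.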
