Azure Active Directory Authentication


Organizations utilizing Azure Active Directory (Azure AD) can configure ScaleFT to authenticate against it using SAML.

Creating a Team

SAML can only be configured in ScaleFT during signup, so to get started using Azure AD authentication create a new team and choose SAML authentication when prompted.

Azure AD Configuration

Once you reach the SAML configuration step in the ScaleFT signup process you will need to add ScaleFT to Azure AD.

To add ScaleFT to Azure AD, log in to the Azure portal and browse to Azure Active Directory > Enterprise Applications, choose “New Application” then “Non-gallery application”. Assign the application a name (for example “ScaleFT”), then click “Add”.

Once you’ve created the application browse to the “Single sign-on” panel of the application’s settings in Azure and choose “SAML-based Sign-on”.

Domain and URLs

After selecting SAML on the “Single sign-on” panel of the application’s settings you’ll need to provide the following values under “Domain and URLs”:

  • Identifier - use the “Service Provider Entity ID” from the ScaleFT SAML configuration form
  • Reply URL - use the “Assertion Consumer Service URL” from the ScaleFT SAML configuration form

Next, check the Show Advanced URL settings box to expand additional settings, and fill in:

  • Sign on URL - use https://app.scaleft.com/t/<team-name>, replacing <team-name> with the name of the team you chose during ScaleFT signup
  • Relay State - leave this empty

Note: Don’t click “Test SAML Settings”; authentication isn’t yet configured in ScaleFT so it won’t work.

User Attributes

Under “User Attributes” on the “Single sign-on” panel of the application’s settings you’ll need to configure SAML attributes for ScaleFT to consume.

  • User Identifier - use user.userprincipalname

Check View and edit all other user attributes and confirm that the following attributes exist:

  • givenname
  • surname
  • emailaddress
  • name

Each of these should have a namespace of http://schemas.xmlsoap.org/ws/2005/05/identity/claims.

The value of user.userprincipalname is not suitable for use as a ScaleFT user name, so click on the name attribute and change the value to user.mail.

Note: it is typically fine to leave the other attributes unmodified, but it is important that each of them has a value for every user who logs in to ScaleFT. For example, if a user who does not have an email address configured in Azure attempts to log in to ScaleFT, authentication will fail. In some cases it may make sense to choose different attribute values in order to ensure that every user has appropriate values set.

User Assignment

Click on “Users and groups” under the application’s configuration. Click “Add user” and assign any users or groups who should be allowed to log in to ScaleFT. Alternatively, browse to the “Properties” panel and disable the “User assignment required” setting in order to allow anyone with access to your Azure account to log in to ScaleFT.

IMPORTANT: in order to complete ScaleFT signup you will need to perform a SAML login, so it is important that you are either assigned to the application or that user assignment is not required.

ScaleFT Configuration

Once you’ve configured ScaleFT in Azure AD you’ll need to enter the following values into your ongoing ScaleFT signup.

Several of these values must come from Azure AD’s “Configure sign-on” panel, which you can reach within Azure by browsing back to the “Single sign-on” panel, scrolling to the bottom and clicking “Configure ScaleFT” (the exact text may be different if you chose a name other than “ScaleFT” for your application).

Identity Provider SSO URL

Use the “SAML Single Sign-On Service URL” value from the “Configure sign-on” panel in Azure, described above.

Identity Provider Entity ID

Use the “SAML Entity ID” value from the “Configure sign-on” panel in Azure, described above.

Identity Provider x.509 Certificate

On Azure AD’s “Configure sign-on” panel, described above, click “SAML Signing Certificate - Base64 encoded” to download the signing certificate. Open the file in a text editor and copy and paste the contents into ScaleFT.

Attribute Mapping

In this section you will need to input the names of the attributes from Azure:

  • User Name Attribute - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • Email Attribute - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • First Name Attribute - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • Last Name Attribute - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Note: Azure AD passes fully qualified attribute names, so it is important to enter these full URLs exactly as they appear here.
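
To check what an assertion actually carries before completing signup, the following Python script (an added example, not ScaleFT or Azure code) inspects a decoded SAML assertion for the four mapped attributes and reports any that are absent, empty, or sent without the claims namespace. The function names and the two sample assertions are constructed for this example; it reads attributes only and does not verify the assertion signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# ScaleFT attribute-mapping field -> attribute name listed on this page
REQUIRED = {
    "User Name": CLAIMS + "/name",
    "Email": CLAIMS + "/emailaddress",
    "First Name": CLAIMS + "/givenname",
    "Last Name": CLAIMS + "/surname",
}

def read_attributes(assertion_xml):
    """Map each Attribute Name in the assertion to its non-empty values."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        found[attr.get("Name")] = [v for v in values if v]
    return found

def check_mapping(assertion_xml):
    """Return one problem string per mapped attribute that is missing or empty."""
    found = read_attributes(assertion_xml)
    problems = []
    for field, full_name in REQUIRED.items():
        short = full_name.rsplit("/", 1)[1]
        if found.get(full_name):
            continue  # present under the fully qualified name, with a value
        if full_name in found:
            problems.append(f"{field}: {full_name} has no value")
        elif short in found:
            problems.append(f"{field}: sent as '{short}' without the claims namespace")
        else:
            problems.append(f"{field}: {full_name} is absent")
    return problems

def _assertion(attrs):  # builds the constructed samples below
    body = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>' for n, v in attrs)
    return f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>'

# Constructed samples, not captured traffic.
GOOD = _assertion([(CLAIMS + "/name", "alice@example.com"), (CLAIMS + "/emailaddress", "alice@example.com"),
                   (CLAIMS + "/givenname", "Alice"), (CLAIMS + "/surname", "Example")])
BAD = _assertion([(CLAIMS + "/name", ""), ("emailaddress", "bob@example.com"),
                  (CLAIMS + "/givenname", "Bob"), (CLAIMS + "/surname", "Example")])

if __name__ == "__main__":
    print(check_mapping(GOOD) or "ok", check_mapping(BAD), sep="\n")
```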

Completing Signup

Once you’re happy with your configuration click “Authenticate with SAML” in ScaleFT.