The single sign-on (SSO) capability in Device Magic lets you use an identity provider such as Azure Active Directory to handle user authentication, user provisioning, and device provisioning for Device Magic.
Set up in Azure Active Directory
Open Azure Active Directory and add two Active Directory Groups.
The group type should be Security.
The first group is for Device Magic users that may access the Device Magic web application.
The second group is for the devices that will be joined to your organization through the mobile app.
These two newly created groups will be referred to as the Users and Devices security groups throughout this article.
Note: When a device signs in using SSO, it is joined to your organization automatically, without an administrator approving each device first. Membership of the Devices security group is therefore the only gate on device enrollment, so keep that group tightly controlled. Any SSO devices will be billed at your current subscription rate.
Assign any users who will access the website to the Users security group.
Assign users using the iOS or Android mobile apps to the Devices security group.
Also, note the Object IDs of the two newly created Users and Devices security groups, as you will need them to complete the setup in Device Magic later.
Create the application in Azure Active Directory
Please visit https://portal.azure.com and log in.
When logged in, select Azure Active Directory.
Select Enterprise applications and then + New Application.
Select Non-gallery application and type a name for the application, ideally something like Device Magic Single Sign On. Then, click Add at the bottom.
Again, click Azure Active Directory in the left menu bar, then choose App Registrations and change the selection drop down from Owned applications to All applications.
Click the application you created, then click Manifest. In the appRoles array of the application manifest, add a role for each Device Magic user role that you want to assign to your users.
Later, when we assign users or groups to the application, we will assign one of these roles to them. When the user signs in to Device Magic, they will be given the matching role and permissions in Device Magic.
Note: The value of each role you create must match the exact name of an existing user role in your Device Magic organization, including case, spacing and punctuation. The examples in this article use a role named Forms-Read-Only.
The id of each role must be a freshly generated random UUID; use an online UUID generator or a tool such as uuidgen, and do not reuse an id between roles.
Also in the manifest, find the key groupMembershipClaims and set it to SecurityGroup, so that the Object IDs of the user's security groups are included in the SAML assertion.
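The following is an added example (not Device Magic's or Microsoft's code) that builds appRoles entries the way the manifest step above requires and checks a manifest for the mistakes that step warns about: a role value that does not exactly match a Device Magic role name, a reused or malformed id, and a wrong groupMembershipClaims value. The manifest fragment and the list of Device Magic role names are constructed for the example.

```python
"""Check the appRoles section of an Azure AD application manifest against the
user roles that exist in a Device Magic organization.

Added example, not Device Magic's own code. SAMPLE_MANIFEST is a constructed
fragment and DEVICE_MAGIC_ROLES is a hypothetical organization's role list.
"""
import json
import uuid

# Constructed manifest fragment. The second role deliberately reuses the first
# role's id and mistypes the value, to show what the checker reports.
SAMPLE_MANIFEST = """{
  "appRoles": [
    {
      "allowedMemberTypes": ["User"],
      "description": "Read-only access to forms",
      "displayName": "Forms-Read-Only",
      "id": "3f0b8a0e-6e3c-4c8e-9b2b-5d1f1c2d4a7e",
      "isEnabled": true,
      "value": "Forms-Read-Only"
    },
    {
      "allowedMemberTypes": ["User"],
      "description": "Value does not match the Device Magic role exactly",
      "displayName": "Forms Admin",
      "id": "3f0b8a0e-6e3c-4c8e-9b2b-5d1f1c2d4a7e",
      "isEnabled": true,
      "value": "forms admin"
    }
  ],
  "groupMembershipClaims": "SecurityGroup"
}"""

# Hypothetical role names exactly as they appear in the Device Magic organization.
DEVICE_MAGIC_ROLES = ["Administrator", "Forms-Read-Only", "Forms Admin"]


def new_app_role(value, description, enabled=True):
    """Build one appRoles entry. The id is a fresh random UUID, as the manifest
    requires; value must equal the Device Magic role name character for character."""
    return {
        "allowedMemberTypes": ["User"],
        "description": description,
        "displayName": value,
        "id": str(uuid.uuid4()),
        "isEnabled": enabled,
        "value": value,
    }


def check_manifest(manifest, device_magic_roles):
    """Return a list of problems; an empty list means the manifest is consistent.
    manifest may be the JSON text or an already-parsed dict."""
    if isinstance(manifest, str):
        manifest = json.loads(manifest)
    problems = []
    if manifest.get("groupMembershipClaims") != "SecurityGroup":
        problems.append('groupMembershipClaims must be "SecurityGroup" so the group '
                        "Object IDs are sent in the assertion")
    seen_ids = set()
    for role in manifest.get("appRoles", []):
        value = role.get("value", "")
        # uuid.UUID raises ValueError on anything that is not a well-formed UUID.
        try:
            uuid.UUID(role["id"])
        except (KeyError, ValueError):
            problems.append(f"role {value!r}: id is not a valid UUID")
        if role.get("id") in seen_ids:
            problems.append(f"role {value!r}: id is reused; every role needs its own UUID")
        seen_ids.add(role.get("id"))
        if value not in device_magic_roles:
            # Exact match is required; point out the common case/whitespace near-miss.
            near = [r for r in device_magic_roles
                    if r.strip().lower() == value.strip().lower()]
            hint = f" (did you mean {near[0]!r}?)" if near else ""
            problems.append(f"role {value!r}: no Device Magic role with exactly this name{hint}")
        if not role.get("isEnabled", False):
            problems.append(f"role {value!r}: isEnabled is false, so it cannot be assigned")
    return problems


if __name__ == "__main__":
    for problem in check_manifest(SAMPLE_MANIFEST, DEVICE_MAGIC_ROLES):
        print(problem)
```

Run the checker against the manifest JSON before saving it in the portal; a value that differs from the Device Magic role only in case or spacing is the mismatch the troubleshooting note at the end of this article describes.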
Click Save. Open the left menu bar and click Azure Active Directory.
Next, select Enterprise Applications, then All Applications, then the application you created, then Users and groups. Now click + Add User. Any users or groups who are allowed to access Device Magic using single sign on will be added here. We will also assign a Device Magic user role to the users or groups.
In the example below, we will select all users or groups that will belong to the Device Magic Forms-Read-Only role we created earlier.
First select any users or groups. Then click the Select button.
Now select the Device Magic user role which will be assigned to the users or groups. Click Select and then click the Assign button.
Now you will configure the Single Sign On settings. Below Users and groups, click Single sign-on. Then, click Edit in the Basic SAML Configuration section.
Set the following values:
Identifier (Entity ID):
Reply URL (Assertion Consumer Service URL):
Sign on URL:
Now click the Save button.
Next, click Edit in the User Attributes & Claims section. In the section that opens, click on Add new claim.
In the Manage claim section that opens, type the following values (do not paste) and click Save.
Roles attribute (Required)
Make sure the new attribute shows up and click Save.
Telephone attribute (Optional)
To set the Device Magic user telephone number, another claim can be added. Add a new claim and use the following values, making sure to save once set.
Once done, close the section. Make a note of your thumbprint value as well as the 3 configuration URLs.
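Azure AD also offers the same values as a federation metadata XML download. The following added example (not Device Magic's or Microsoft's code) pulls the identifier, the single sign-on and logout URLs and the signing certificate thumbprint out of such a document, so you can cross-check what you copied from the portal. The metadata below is a constructed, abbreviated fragment: the tenant ID is a placeholder and the certificate element contains the base64 of the bytes "abc" rather than a real certificate, so the resulting thumbprint has a known value.

```python
"""Extract the SAML settings Device Magic asks for from Azure AD federation
metadata and compute the signing-certificate thumbprint.

Added example, not Device Magic's or Microsoft's code. SAMPLE_METADATA is a
constructed fragment: placeholder tenant ID, no Signature block, and a
placeholder certificate ("YWJj" is base64 of "abc").
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TENANT = "11111111-2222-3333-4444-555555555555"  # placeholder tenant ID

SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>YWJj</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def thumbprint(cert_b64):
    """SHA-1 over the DER bytes, upper-case hex: the value the portal shows as Thumbprint."""
    der = base64.b64decode("".join(cert_b64.split()))  # PEM-style line breaks are fine
    return hashlib.sha1(der).hexdigest().upper()


def saml_settings(metadata_xml):
    """Return identifier, login URL, logout URL and signing thumbprints from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: this is not identity provider metadata")

    def redirect_location(tag):
        # Pick the HTTP-Redirect endpoint; Azure AD lists HTTP-POST as well.
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return None

    thumbs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no use attribute means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            thumbs.append(thumbprint(cert.text))
    return {
        "identifier": root.get("entityID"),
        "login_url": redirect_location("SingleSignOnService"),
        "logout_url": redirect_location("SingleLogoutService"),
        "thumbprints": thumbs,
    }


if __name__ == "__main__":
    for key, value in saml_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

If the metadata lists more than one signing certificate, Azure AD is rotating certificates; the thumbprint entered in Device Magic must be the one marked active in the portal, and it has to be updated again when the rollover completes.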
Setting up SSO in your Device Magic organization
Click Organization Settings when logged in and then SAML Settings.
Enter the 3 configuration URLs and the thumbprint that you noted in the earlier steps. Also set your Azure Active Directory SSO email domain; only users with email addresses ending in this domain will be able to sign in.
The Group Object IDs we noted earlier must be entered in the User Group identifier and Device Group identifier fields.
To test that your setup was successful - save and then log out. Visit https://app.devicemagic.com/users/login and select Log in with SSO.
Note: The user does not have to exist in the Device Magic Management console prior to setting up SSO. Logging in with SSO will automatically create them.
Enter the email address of an existing Azure AD user that belongs to the Users security group you configured earlier.
If everything is configured correctly, you will get the Microsoft Sign in page where you can enter your AD user's password to complete the sign in process.
If you see a "Device Magic Internal Error" when saving your SAML settings or when logging in:
This error can occur when no role is associated with the account. Check that the role value in the Azure Active Directory manifest and the user role name in Device Magic are exactly the same, including case and spacing, and that the user or group was assigned that role under Users and groups.
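To narrow down a failed sign-in, the following added example (an illustration of the rules described in this article, not Device Magic's own code) runs the checks the SAML Settings fields imply over the attributes of a decoded assertion: the SSO email domain, membership of the Users or Devices group by Object ID, and a role claim that exactly matches a Device Magic role. The claim URIs are Azure AD's default email, groups and role claim names; the settings, group Object IDs and attribute sets are constructed for the example.

```python
"""Checklist for a failed SSO sign-in, run over a decoded SAML assertion's
attributes (claim name -> list of values, as a SAML library returns them).

Added illustration of this article's rules, not Device Magic's own code.
SETTINGS, the group Object IDs and the attribute sets are constructed.
"""
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Hypothetical values as entered under Organization Settings > SAML Settings.
SETTINGS = {
    "sso_email_domain": "example.com",
    "user_group_id": "aaaaaaaa-1111-4aaa-8aaa-aaaaaaaaaaaa",    # Users group Object ID
    "device_group_id": "bbbbbbbb-2222-4bbb-8bbb-bbbbbbbbbbbb",  # Devices group Object ID
    "roles": ["Administrator", "Forms-Read-Only"],             # roles defined in Device Magic
}

# Constructed attribute sets.
GOOD_USER = {
    EMAIL_CLAIM: ["alice@example.com"],
    GROUPS_CLAIM: [SETTINGS["user_group_id"], "cccccccc-3333-4ccc-8ccc-cccccccccccc"],
    ROLE_CLAIM: ["Forms-Read-Only"],
}
BAD_DEVICE = {
    EMAIL_CLAIM: ["tech@contractor.example"],    # wrong domain
    GROUPS_CLAIM: [SETTINGS["user_group_id"]],   # in the Users group, not the Devices group
    ROLE_CLAIM: ["forms-read-only"],             # case differs from the Device Magic role
}


def check_assertion(attributes, settings, client):
    """client is "web" (needs the Users group) or "mobile" (needs the Devices group).
    Returns a list of problems; an empty list means every documented requirement is met."""
    problems = []

    email = (attributes.get(EMAIL_CLAIM) or [""])[0]
    domain = email.rpartition("@")[2].lower()
    if domain != settings["sso_email_domain"].lower():
        problems.append(f"email domain {domain!r} is not the configured SSO email domain")

    needed = settings["user_group_id"] if client == "web" else settings["device_group_id"]
    if needed not in attributes.get(GROUPS_CLAIM, []):
        problems.append(f"{client} sign-in requires membership of group {needed}; "
                        "check the group assignment and groupMembershipClaims")

    # The role must be an exact, case-sensitive match for a Device Magic role name.
    roles = attributes.get(ROLE_CLAIM, [])
    if not any(r in settings["roles"] for r in roles):
        problems.append(f"no role claim in {roles!r} exactly matches a Device Magic role "
                        '(the usual cause of "Device Magic Internal Error")')
    return problems


if __name__ == "__main__":
    print("good user, web:", check_assertion(GOOD_USER, SETTINGS, "web"))
    print("bad device, mobile:", check_assertion(BAD_DEVICE, SETTINGS, "mobile"))
```

If the groups claim is missing entirely for a user who is in the right group, check that groupMembershipClaims is still set to SecurityGroup in the manifest; also note that Azure AD omits the groups claim and emits a groups overage claim instead for users who belong to more than 150 groups, so such users fail the group check even though their membership is correct.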
If you have any questions or comments feel free to send us a message at firstname.lastname@example.org.