Set up Azure Active Directory Security Groups

Open Azure Active Directory and add two Active Directory Groups. The group type should be Security.

The first group is for Device Magic users that may access the Device Magic web application and the second is for the devices that will be joined to your organization through the mobile app. These two newly created groups will be referred to as the Users and Devices security groups throughout this article.

Note: When a device signs in using SSO, they will automatically be joined to your organization without an administrator first approving each device. Any SSO devices will be billed at your current subscription rate.

Assign any users who will access the website to the Users security group.

Assign users using the iOS or Android mobile apps to the Devices security group.

Also, note the Object ID of the two newly created Users and Devices security groups as you will need it to complete the setup in Device Magic later.

Create application in Azure Active Directory

Set up the application in Azure Active Directory

Please visit https://portal.azure.com and log in.

When logged in, select Azure Active Directory.

Select Enterprise applications and then + New Application.

Select Non-gallery application and type a name for the application, ideally something like Device Magic Single Sign On. Then, click Add at the bottom.

Again, click Azure Active Directory in the left menu bar, then choose App Registrations and change the selection drop down from Owned applications to All applications.

Click the application you created, then click Manifest. In the application manifest, add a role for any Device Magic user roles that you want to assign to your users.

Later, when we assign users or groups to access the application, we will assign one of these roles to them. When the user signs into Device Magic they will be assigned the matching role and permissions in Device Magic.

The value of the roles you create should match the exact name of an existing user role in your Device Magic organization. See the Forms-Read-Only role example in the images below.

Also, in the manifest, find the key groupMemberShipClaims and set it to SecurityGroup

Click Save. Open the left menu bar and click Azure Active Directory.

Next, select Enterprise Applications, then All Applications, then the application you created, then Users and groups. Now click + Add User. Any users or groups who are allowed to access Device Magic using single sign on will be added here. We will also assign a Device Magic user role to the users or groups.

In the example below, we will select all users or groups that will belong to the Device Magic Forms-Read-Only role we created earlier.

First select any users or groups. Then click the Select button.

Now select the Device Magic user role which will be assigned to the users or groups. Click Select and then click the Assign button.

Now you will configure the Single Sign On settings. Below Users and groups, click Single sign-on. Then, click Edit in the Basic SAML Configuration section.

Set the following values:

Identifier (Entity ID):

https://www.devicemagic.com/users/saml/metadata

Reply URL (Assertion Consumer Service URL)

https://www.devicemagic.com/users/saml/auth

https://mobileforms.devicemagic.com/users/saml/device_auth

Sign on URL

https://www.devicemagic.com/users/saml/login

Relay State

https://www.devicemagic.com

Logout URL

https://www.devicemagic.com/users/saml/idp_sign_out

Now click the Save button.

Next, click Edit in the User Attributes & Claims section. In the section that opens, click on Add new claim.

In the Manage claim section that opens, type the following values (do not paste) and click Save.

Roles attribute (Required)

Name: roles

Value: user.assignedroles

Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims

Make sure the new attribute shows up and click Save.

Telephone attribute (Optional)

To set the Device Magic user telephone number, another claim can be added. Add a new claim and use the following values, making sure to save once set.

Name: phone

Value: user.telephonenumber

Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims

Once done, close the section. Make a note of your thumbprint value as well as the 3 configuration URLs.

Setting up SSO in your Device Magic organization

Click Organization Settings when logged in and then SAML Settings.

Enter the 3 configuration URL's and thumbprint that you made a note of in the earlier steps. Also set your Azure Active Directory SSO email domain. Only users with emails ending in this domain will be able to sign in.
The Group Object ID's we noted earlier must be configured in the User Group identifier and Device Group identifier fields.

To test that your setup was successful - save and then log out. Visit https://www.devicemagic.com/users/login and select Log in with SSO.

Enter the email address of an existing AD user that belongs to the Device Magic AD User Group that you configured earlier.

If everything is configured correctly, you will get the Microsoft Sign in page where you can enter your AD user's password to complete the sign in process.


If you have any questions or comments feel free to send us a message at support@devicemagic.com.

Did this answer your question?