Single Sign-On Guide for Internal Staff for Azure/Entra ID

Setup Guide for Internal Staff

The customer is going to need to get us some information on the setup you should be able to provide them the following link

https://helpdesk.growthzone.com/staff/kb/articles/2185-multi-factor-authentication-setup
 

And they would need 3 pieces of information from us:
 

1. Identifier (Entity ID),
This normally uses the following format
normally uses spGrowthZone*****

Replace the ******with something based off the name of the database or organization

2. Reply URL
     https://growthzoneapp.com/auth/saml/assertion

This will always be this

3. Sign on URL
     https://cioassociationofcanada.growthzoneapp.com/auth

This is the customers database URL with /auth at the end

1. Get the required information from the customer
   1. Should need the App Federation Metadata URL from AZURE/ENTRA ID SAML setup
   2. 
   3. The paths and what they match up to in GrowthZone
   4. The Identifier (Entity ID) (You probably told them what this is but they might have done something different)
2. Sign into T1 > Setup > SAML Service Providers
   1. Click the Add Button
   2. 
   3. Name is whatever you want
   4. Service Provider Name should be the Identifier (Entity ID)
   5. 
   6. Click Done
3. Sign into T1 > Setup > SAML Identity Providers
   1. Import (this is currently broken -- you will need to add the certificate data manually)
   2. 
   3. Name is whatever you want
   4. MetaData URL would be the App Federation Metadata URL that the customer provided
   5. 
   6. Click Done
   7. Find the Identity Provider you just found in the list and click on it
   8. In the Contact Matching area you need to Add whatever Paths you need using the + icon using the Attributes and Claims and what fields they let you know they matched with
   1. 

You now need to sign into the Customers Database.
 

MFA Settings 

***IMPORTANT***

If the customer does NOT already have "Enable Single Sign On" checked in their database account in SETUP > SINGLE SIGN ON > GENERAL TAB (as in the screenshot below):


 

The following steps must be completed first before configuring the setup, otherwise the MFA settings that are enabled for that customer may cause login issues or errors.

If the customer already DOES have "Enable Single Sign On" checked, the below steps are not necessary and can be skipped.

1. Put a message in Invictus Office hours – Disable “Use Fusion Auth” for X tenant ID. Also note that this integration is for staff only, as there is an extra setting for this option.

Please confirm that step is completed before you continue to next step.

2. Let Janine Jamieson know that the following steps need to be completed (include ticket link).  If Janine is currently out, move ticket status = Escalated/'Urgent' status and change the category to GrowthZone.

3. L2 will do the following:

Find all the users that are set to IsConverted (in the Logins table) in that Tenant.
Set them to ISConverted=False
UPDATE Logins SET IsConverted = 0 WHERE LoginId IN (<list of login ids>)
Create a Jira for Platform Engineering team.
Ask PE to purge the identified users from Fusion Auth and MFA settings.
Share the Login Key and UserName off the Logins table
This does not need to be completed by PE before moving on. This step is for when/if they switch back to FA so there is no old login info that messes them up in the future.

After L2 has completed the above, you can then proceed to the steps below.
 

Setup > Single Sign On > Enable Single Sign On.

Check Enable Passive Sign On (Hub)?
Pick a Label for the Button Text on the login page
Check Enable Passive Sign On (Public)?  *** IMPORTANT -- if this is checked, public Event Registration links will require Azure log in, so only check this option if they want to force an Azure log in when registering for events (non-staff members such as members will have to log in via Azure rather than via GrowthZone) ***

In the SAML Service Provider and SAML Identity Provider pick the options you created above.

The members should now have a button for Login in on their info hub login page and you should be completed




If some staff members are able to log in successfully, while some are not, you may need to have the Organization check to make sure that the exact same first name, last name and email address for the staff members in the CONTACTS area of the database match with what they have configured in Entra ID/Azure.

Also, if there are multiple contact records for staff members that have a status of 'Non Member' with the same contact information, it may cause error messages and fail to login. There should be only a single Contact record for each staff member with their correct contact into (first name, last name, email address) for successful SSO logins (extraneous staff member contact records may need to be deleted from the CONTACTS area).