Microsoft Azure Active Directory SSO Integration
Adding Microsoft Azure Active Directory Single Sign On to a Periscope Data account is done in two steps. First, create a registered application from the Microsoft Azure Portal that points to Periscope Data. Second, configure Periscope Data to direct users to the custom app.
Adding a registered application in Microsoft Azure
The administrator of the Microsoft Azure account is required to set up a registered application for Active Directory in Azure. From the Azure portal, select Active Directory and then "Enterprise Applications".
Click the "New application" plus sign icon in the upper left-hand corner to add a new registered application. This will bring up a Create form.
Select "Non-gallery application" from the "Add your own app" window:
Enter Periscope Data's Service Provider Details:
- Display Name: PeriscopeData
- Application Type: Web app/API
- Sign-on URL: https://app.periscopedata.com/auth/saml/callback
Click "Create". Once the app is created, click on it and then choose the "Manifest" tab with the pencil icon. This will open up an XML file for editing.
In this XML file, find the attribute "identifierUris" and add "https://www.periscopedata.com/sso" to the list. There might be other URIs in the list. The Periscope Data URI can be added with a comma separator.
Finally, make sure that the app has permissions to access Azure Active Directory. Click on the app and navigate to the "Settings" tab. Here, choose "Required Permissions" and then "Microsoft Azure Active Directory".
Check the 'Access the directory as the signed-in user' permission if it's not checked already. Then click "Save".
In Periscope Data, open the gear menu in the bottom left and open the Billing & Security menu. Only admins have access to these settings.
In the "Single Sign-On" section, select "Azure Active Directory". Fill in the SSO fields 'SSO URL', 'SLO URL', 'Issuer', and 'Certificate'. To find these values in the Azure Portal, select the app and choose 'Endpoints' on the App Registrations page.
Copy the URL for 'Federation Metadata Document' and open it in a browser. This will open up an XML document.
In the first tag of the XML file, note down the value for 'entityID'. This is the 'Issuer' in the Periscope Data Form.
Find the tag 'IDPSSODescriptor' with SAML protocol. Within that section, find the tag 'KeyDescriptor' with use=signing. The value of X509Certificate is the 'Certificate' in the Periscope Data Form.
Next, find the tag 'SingleSignOnService'. The value for 'Location' is the 'SSO URL' in the Periscope Data Form.
Last, find the tag 'SingleLogoutService'. The value for 'Location' is the 'SLO URL' in the Periscope Data Form.
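The four lookups above can be scripted so the values are copied exactly rather than picked out by eye. The following Python sketch is an added example, not code from Periscope Data or Microsoft: the function name `extract_sso_fields` is hypothetical and the sample metadata, tenant URLs and certificate bytes are constructed. It also records a SHA-256 fingerprint of the signing certificate, which makes a later change to the pasted value easy to spot.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample metadata (placeholder tenant, dummy certificate bytes).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.example.test/tenant-placeholder/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>Y29uc3RydWN0ZWQtc2FtcGxl</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.test/tenant-placeholder/saml2/logout"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.test/tenant-placeholder/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def extract_sso_fields(metadata_xml):
    """Return the four Periscope Data form values, keyed by form field name."""
    root = ET.fromstring(metadata_xml)  # parse only metadata saved from your own tenant
    idp = next(
        (d for d in root.findall("md:IDPSSODescriptor", NS)
         if SAML2 in d.get("protocolSupportEnumeration", "").split()),
        None)
    if idp is None:
        raise ValueError("no IDPSSODescriptor for the SAML protocol")
    cert = idp.find("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    if cert is None or sso is None or slo is None:
        raise ValueError("metadata is missing a signing key or an endpoint")
    cert_b64 = "".join(cert.text.split())  # drop line breaks inside the base64
    der = base64.b64decode(cert_b64)
    return {
        "Issuer": root.get("entityID"),
        "Certificate": cert_b64,
        "SSO URL": sso.get("Location"),
        "SLO URL": slo.get("Location"),
        "Certificate SHA-256": hashlib.sha256(der).hexdigest(),
    }
```

Save the 'Federation Metadata Document' to a file and pass its contents to the function in place of `SAMPLE_METADATA`.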
Sites with multiple spaces can choose the default space from the "Default Space" drop down. This will be the space new users get added to when they log in to Periscope Data for the first time and are provisioned through the Active Directory Single Sign On.
Finally, click "Save" and confirm the SSO settings change by typing "Logout".
With that complete, Microsoft Azure Active Directory Single Sign On can be used to log in to Periscope.