MoveinSync SSO Process

Created by Moveinsync Help, Modified on Tue, 3 Dec, 2024 at 5:32 AM by Moveinsync Help

Scope:


This document aims to guide administrators through the process of configuring Single Sign-On (SSO) for the Moveinsync application using Azure Active Directory (Azure AD). It provides step-by-step instructions for configuring the application within Azure AD and downloading the necessary Federation Metadata file.


Single Sign-On (SSO) is an authentication method that enables users to securely authenticate with Moveinsync ETS web applications using just one set of credentials. SSO integration also requires the two parties, the Service Provider (SP) and the Identity Provider (IDP), to exchange a set of items for set-up. The document also gives an overview of the SSO workflow and covers SSO integration for both UAT and Production server environments.


Objectives:


  1. To enable seamless authentication for users accessing the Moveinsync application by integrating it with Azure AD's Single Sign-On functionality.

  2. To ensure secure access to Moveinsync while reducing the need for multiple login credentials.

  3. To facilitate administrative setup and management of SSO configuration within the Azure AD environment.


Procedure to Configure the SSO on Azure AD



Step 1: Configure the Moveinsync App on Azure Active Directory


  1. Sign in to Azure Portal: Go to portal.azure.com and sign in with your Azure AD administrator account.

  2. Navigate to Azure Active Directory: In the left-hand navigation pane, select "Azure Active Directory".

  3. Select Enterprise Applications: Under "Manage", select "Enterprise Applications".


  4. Add New Application: Click on "New Application" and select "Create your own application".

  5. Name the Application: Enter a name for the application (e.g., "MoveInsync SSO").

  6. Configure Single Sign-On: Select "Setup single sign-on".



Select SAML: Choose SAML as the single sign-on method.



Upload Metadata File:

Select the 'Upload metadata file' option.

Upload the metadata file provided by Moveinsync (e.g., 'moveinsync-sp.xml').






Basic SAML Configuration:

Ensure that the fields in the 'Basic SAML Configuration' dialog are pre-populated.

Fill in the reply URL and relay state fields (relay state should be your tenantID in MoveInSync).

Save and close the dialog.





Step 2: Download Federation Metadata


    1. Access Azure Active Directory: Navigate to Azure Active Directory on the Azure portal.

    2. Select Enterprise Applications: In the left-hand menu, select "Enterprise applications".

    3. Choose Configured Application:

        Select the application you configured to grant SSO access to MoveInSync.

    4. Access Single Sign-On Settings:

        Navigate to "Single sign-on" to access the 'SAML Signing Certificate' section.

    5. Download Federation Metadata:

  •   Download the file from the 'Download' button next to 'Federation Metadata xml'.

  •   Alternatively, copy and share the link corresponding to 'App Federation Metadata Url'.





Process & Details to be Exchanged between Client & MoveInSync team:


Moveinsync Single Sign-On for Production:


What software (OpenSAML/Ping Identity/ADFS/Okta)?

  • MoveInSync ETS application supports SSO OpenSAML 2.0 with POST SAML profile and can be integrated with any Identity Provider (IDP) that uses this protocol for communication.

What does Moveinsync provide to the client?

  • If the client IDP supports uploading of SP metadata, an SP metadata XML file for production would be provided.

  • Production Connection Id / Entity Id would be moveinsync.


Moveinsync Single Sign-On for UAT: 

What does Moveinsync provide to the client?

  • If the client IDP supports uploading of SP metadata, an SP metadata XML file for UAT would be provided.

  • UAT Connection Id / Entity Id would be moveinsync-uat.


What details does Moveinsync expect from the client?

  1. IDP metadata: file/link to download the file.

  2. UserName Type: which they use for SSO.

     Note: MoveInSync currently supports 3 username types:

       1. Email ID

       2. Employee ID

       3. Email ID without domain name.

  3. Downtime: 15-30 minutes for server restart (services will be interrupted during the restart activity).

  4. Test User Profiles: A user with a profile available in the Moveinsync ETS application, to confirm whether the SSO login succeeds.

  5. SSO_SHA256: to be enabled or not.
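
Before the SP and IDP metadata files described above change hands, each side can check that the file it received carries the expected Entity Id, an HTTPS endpoint on the HTTP-POST binding, and (for the IDP file) a signing certificate whose SHA-256 fingerprint can be confirmed over a second channel. This is an added example, not MoveInSync or Microsoft code; the function names, hosts and certificate bytes in the samples are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def summarize(xml_text):
    """Extract the fields both teams should agree on before go-live."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        role, endpoints = "IDP", idp.findall("md:SingleSignOnService", NS)
    else:
        role = "SP"
        endpoints = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    # Fingerprint every certificate that is not marked encryption-only.
    keys = [k for k in root.iter("{%s}KeyDescriptor" % NS["md"]) if k.get("use") != "encryption"]
    prints = [hashlib.sha256(base64.b64decode("".join(c.text.split()))).hexdigest()
              for k in keys for c in k.iter("{%s}X509Certificate" % NS["ds"])]
    return {"role": role, "entity_id": root.get("entityID"), "cert_sha256": prints,
            "post_urls": [e.get("Location") for e in endpoints if e.get("Binding") == POST]}

def problems(info, expected_entity_id=None):
    """List reasons not to exchange or load this metadata yet."""
    found = []
    if expected_entity_id and info["entity_id"] != expected_entity_id:
        found.append("unexpected entityID: %r" % info["entity_id"])
    if not info["post_urls"]:
        found.append("no HTTP-POST endpoint")
    if any(not u.startswith("https://") for u in info["post_urls"]):
        found.append("POST endpoint is not HTTPS")
    if info["role"] == "IDP" and not info["cert_sha256"]:
        found.append("IdP metadata has no signing certificate")
    return found

# Constructed samples: placeholder hosts and certificate bytes, not real metadata.
_MD = '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="%s">%s</EntityDescriptor>'
IDP_SAMPLE = _MD % ("https://idp.example.invalid/metadata",
    '<IDPSSODescriptor><KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
    '<X509Data><X509Certificate>Y29uc3RydWN0ZWQ=</X509Certificate></X509Data></KeyInfo></KeyDescriptor>'
    '<SingleSignOnService Binding="%s" Location="https://idp.example.invalid/saml2"/></IDPSSODescriptor>' % POST)
SP_SAMPLE = _MD % ("moveinsync-uat",
    '<SPSSODescriptor><AssertionConsumerService index="0" Binding="%s" '
    'Location="https://sp.example.invalid/acs"/></SPSSODescriptor>' % POST)

if __name__ == "__main__":
    for text, want in ((IDP_SAMPLE, None), (SP_SAMPLE, "moveinsync-uat")):
        print(problems(summarize(text), want) or "OK")
```

For real files, pass the file contents to `summarize` and set `expected_entity_id` to `moveinsync` or `moveinsync-uat` for the SP file of the matching environment.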




