Azure SAML
Use this guide to set up Azure SSO SAML for your organization on Popl Teams
Last updated
Use this guide to set up Azure SSO SAML for your organization on Popl Teams
Last updated
Azure SAML 2.0 is a widely-used authentication protocol that allows users to log in to multiple applications using a single set of credentials. By using this protocol, companies can centralize their user authentication and authorization, reducing the need for multiple login credentials and streamlining the user experience. Additionally, Azure SAML 2.0 provides a secure way to authenticate users, ensuring that only authorized individuals can access company resources.
Using Popl Teams Azure SAML 2.0 capabilities, companies can save time, improve security, and enhance their team's experience, making this integration a popular choice for many organizations using Popl Teams.
Start by going to Enterprise Applications on the Azure Admin Portal. Once there, click on "New Application", which will take you to browse the Azure AD Gallery.
Click on "Create your own application", which will open a side menu as shown below. Input "Popl" for the first option titled "What's the name of your app?" and check "Integrate any other application you don't find in the gallery (Non-gallery)". Then click "Create" at the bottom of the screen.
Click the option that shows "Set up single sign on", then on the next page click "SAML".
On the next page titled Set up Single Sign-On with SAML, click Edit on the "Basic SAML Configuration" pane.
For "Identifier (Entity ID)", click Add identifier and input:
For "Reply URL (Assertion Consumer Service URL)", click Add reply URL and input:
Once those two items are added, make sure that the "Attributes & Claims" pane looks like below. All values shown are set by default, but always good to double check.
Once step 5 is confirmed, you are all set to begin adding Users or groups to the SAML integration to begin testing SAML login. A user must be added to the integration either individually or via a group in order for the SAML login to work successfully. Users or groups can be provisioned to the integration for SAML via the "Users and groups" tab as shown below.
Note: Provisioning users via Azure won't actually create Popl digital business cards for each user. To create digital business cards for each user so they can log in with SAML SSO to an already set up digital card, please follow the steps for setting up our Azure AD integration here:
Syncing Members from Azure Active Directory
For the final step, please send the "App Federation Metadata Url" to teams@popl.co and we will complete the SAML setup on our end. Our team will send a confirmation email response once this process is complete. As shown below, simply copy the Url and send via email to us!
There are two types of logins available via a Desktop:
Logging in via the Azure "Application Dashboard" Screen (SAML)
This type of login starts from Microsoft on the "Application Dashboard" page (https://myapplications.microsoft.com/). When a user logs in via the Microsoft Azure dashboard, the SAML Azure app that was created using the instructions above will be used to log the user in. This SAML login method is referred to as IDP-initiated login.
Logging in via the Popl Dashboard (SAML or 0Auth)
This type of login starts from our dashboard: dash.popl.co. When a user wants to log in via dash.popl.co, they can either use the "Continue with SSO" button or the "Continue with Microsoft" button to log in.
The "Continue with SSO" button will use the Azure SAML app to log the user in, while the "Continue with Microsoft" button will use an 0Auth method. Both SAML and 0Auth are fully secure login methods and usually the company admin decides how they'd like their users to log into certain platforms.
Note: If when clicking on "Continue with SSO" a user is notified to log in using another method like email/pass, this means that Popl does not have a valid Azure SAML XML file from their particular company domain. For example, if a member is trying to log in using "Continue with SSO" with the email john@popl.co, if we don't have a valid SAML XML file from your company for @popl.co, then a popup will appear telling the user to log in using another method instead. See step 7 above for how to provide us with valid SAML information.
There are two types of logins available via mobile:
Logging in via the Azure "Application Dashboard" Screen (SAML)
This type of login starts from Microsoft on the "Application Dashboard" page in the Microsoft mobile app. When a user logs in via the Microsoft app, the SAML Azure app that was created using the instructions above will be used to log the user in. This SAML login method is referred to as IDP-initiated login.
Logging in via Popl Mobile App (SAML or 0Auth)
This type of login starts from the Popl app. When a user wants to log in via our app, they can either use the "Sign in with SSO" button (SAML) or the "Sign in with Microsoft" button (0Auth) on the app's login page. This SAML login method is referred to as SP-initiated login.
The "Sign in with SSO" button will use the Azure SAML app to log the user in, while the "Sign in with Microsoft" button will use an 0Auth method. Both SAML and 0Auth are fully secure login methods and usually the company admin decides how they'd like their users to log into certain enterprise platforms.
Note: If when clicking on "Sign in with SSO" a user is notified to log in using another method like email/pass, this means that Popl does not have a valid Azure SAML XML file from their particular company domain. For example, if a member is trying to log in using "Sign in with SSO" with the email john@popl.co, if we don't have a valid SAML XML file from your company for @popl.co, then a popup will appear telling the user to log in using another method instead. See step 7 above for how to provide us with valid SAML information.
If you run into this error, please follow the instructions on this documentation to fix: https://intercom.help/eventtemple/en/articles/5152672-need-admin-approval-approval-required-when-connecting-outlook-office365
See below, most likely the "Users can consent to apps accessing company data on their behalf" simply needs to be switched from "No" to "Yes". Once this is done, all users will be able to use Login with Microsoft to log in using SP initiated log in.
If any issues or questions, please contact us at teams@popl.co, we are available nearly 24/7 and will get back to you within 6-8 hours or less.
With 🤍 from Popl.