Microsoft Azure single sign-on with Mercell

Contents
1 Configure single sign-on Azure
1.1 Configure Azure users
1.2 Note to PowerShell on Azure
2 Configure single sign-on Mercell website
3 For the customer's IT-department. Map own users
4 New Users
5 Change History Record

Configure single sign-on Azure


  1. To configure single sign-on with Azure, you need to have an Azure AD subscription and a Mercell SSO product.
  2. In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.
  3. Navigate to Enterprise applications. Then go to All applications.
  4. To add a new application, click the New application button at the top of the dialog.
  5. In the search box, type Mercell, select Mercell from the result panel, then click the Add button to add the application.
  6. In the Azure portal, on the Mercell application integration page, click Single sign-on.
  7. On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable single sign-on.
  8. On the Mercell Domain and URLs section, perform the following steps:
     In the Identifier textbox, type the URL: https://my.mercell.com
  9. On the SAML Signing Certificate section, click the copy button to copy the App Federation Metadata URL and paste it into Notepad.
  10. Click the Save button.

Configure Azure users


  1. Select the Mercell application in Azure and select Users and groups.
  2. Click the Add button. Then select Users and groups on the Add Assignment dialog.
  3. On the Users and groups dialog, select the wanted user in the Users list.
  4. Click the Select button on the Users and groups dialog.
  5. Click the Assign button on the Add Assignment dialog.

Guide from Microsoft https://docs.microsoft.com/da-dk/azure/active-directory/saas-apps/media/mercell-tutorial/tutorial_general_203.png

Note to PowerShell on Azure

If you need to extract AD user information, you can do it with PowerShell. The methods are described in the Microsoft Azure documentation:
https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureaduser?view=azureadps-2.0

Configure single sign-on Mercell website


  1. Log in to the Mercell website as customer admin.
  2. Click on the company name.
  3. Click on the Single sign-on icon.
  4. Click add new.
  5. Type name, use company and set domain to company domain, then save.
  6. If you have several email domains that should be linked with different customers in Mercell, set "Email domain" to the users' primary mail (SMTP) and check "Match e-mail to domain". This enables a shared SSO connection that directs users from a shared AD to several customers in Mercell.
  7. Click Update to insert the SAML Entity ID URL from Azure. Insert the value (see section 1, number 9) and press "Update".
  8. The result should look something like this: [screenshot]
  9. Click save.
  10. Your SSO setup is now completed. (SSO enforcement is optional, but recommended.)
  11. SSO - The SSO Enforcement consequence

SSO Enforcement notice!
Please make sure that all your users have been informed of the «SSO-Only» switchover, or they will see the screen below when they try to log in manually, without any success. (That is why there should be a planned date for going into production for all.) The same alert also appears if you remove them from your local MS ADFS server.
[screenshot]

  12. SSO: How to login?

If you usually use your corporate intranet for SSO login, then do as before. If you use a URL from Mercell, or connect directly to https://my.mercell.com, then you only need to click on the button called «SSO login».
You will then have to enter your e-mail address as used in your company and click «Login». You will then be redirected to your own local SSO server for a password. The "Remember me" checkbox can be used to ensure that, when accessing Mercell.com, the user is redirected directly to your own local SSO server. If login fails at the local SSO server, the user can access this page again and make changes.
After you have entered your password on your local corporate SSO server, you will be redirected back to Mercell, and you are now automatically logged in to our portal.
You arrive either at your usual starting homepage, or at the specific Mercell URL you originally clicked on the first time.

For the customer's IT-department. Map own users

Script for extracting users that need to be mapped to Mercell (the output can preferably be written to a CSV file instead):
Get-ADUser -Filter * | ft Name,UserPrincipalName > c:\test\test.txt
The result should look like this:
Rabattavtale NO    rabattavtale@mercell.com
IUSR_web1          IUSR_web1@mercell.com
PdfADev            pdfadev@mercell.com
Test VPN           tv@mercell.com
This script is used to do an AD BIND, which ensures that your existing users inside our portal are not asked to register as new users in our portal when they start using the SSO. As Customer administrator, you can import this by first using "Export users". This will export an Excel file where only "User ID" is editable. Note that it is not allowed to rename this file, as you will then not be able to import it. Fill in "UserPrincipalName" in "User ID", save the file, and use "Import users". This will map the users already in Mercell to their AD user.
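An added example (not part of the original guide and not Mercell's own script) that extends the extraction above: it writes only enabled accounts in one UPN domain to a CSV file and marks rows where mail and UPN differ, so the list can be reviewed for service accounts before "User ID" is filled in. The domain `example.com` and the output path are placeholders.

```powershell
# Added example: narrower extraction for the Mercell user mapping.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$Domain  = 'example.com'                  # placeholder: your primary UPN/e-mail domain
$OutFile = 'C:\test\mercell-users.csv'    # placeholder: output path

# Only enabled accounts; disabled accounts should not be mapped to portal users.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail |
    Where-Object { $_.UserPrincipalName -like "*@$Domain" }

# Name and UserPrincipalName are the two columns the original script lists.
# MailMatchesUpn is an extra review column: users type their e-mail address
# on the SSO login page, so rows marked False deserve a manual check.
$users |
    Sort-Object UserPrincipalName |
    Select-Object Name, UserPrincipalName, mail,
        @{ Name = 'MailMatchesUpn'; Expression = { $_.mail -eq $_.UserPrincipalName } } |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

Write-Host ("Exported {0} accounts to {1}" -f @($users).Count, $OutFile)
```

Service accounts such as `IUSR_web1` in the sample output above are still enabled accounts, so they pass this filter and have to be removed by hand before the mapping is imported.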
This can be repeated if new users need to be added. It can also be done on the contact (my.mercell.com/m/crm/customer.aspx – Contacts), where the Customer Admin will have a new field "External User ID".
Note that if you have a user for restricted access named "(company name) SemiAnonymous users", it is important that this user has UserID SemiAnonymous, and it should not be deleted, as this will remove access for the semi anonymous users.
Before starting the implementation, it is advisable to first hold a startup meeting with Mercell, as there is some planning involved and some steps to understand in order to avoid problems with duplicates or with users.
There is also a large impact on the processes for creating new users, both before, during and after the production. The success of the implementation will depend on good control of the monitoring of this, as well as good communication with all relevant users involved.

New Users


When an unknown user (in the Mercell portal) logs in using SSO, there are 3 possible settings. The chosen setting applies to all users that access through this connection as unknown users.

  1. The default action is to create a new contact. The user will be created and can then be found in customer contacts. Note that the user does not have an order, so uncheck "Only users on order" to find the user in the contacts list.
  2. The second option is to decline unknown (in Mercell portal) users. If you want to add users, an administrator can create the user manually and map them manually as described in section 4.
  3. The third option is to let unknown (in Mercell portal) users in as semi anonymous users (this is an alternative to IP restricted access). This allows these users to see agreements that are marked with: Show to intern IP/SSO restricted users.

One of the above options must be chosen and will apply to all unknown users.

Change History Record

| Ver.no | Date | Changed by (Doc.owner) | Page | Change | Status | Approved by | Approved date |
|---|---|---|---|---|---|---|---|
| V4 | 22.06.2018 | KE | All | Updated with option for several customers on one connection, option to map user on contact. Updated screenshots and description for better user understanding. | Approved | CTO | 26.06.2018 |
| V 4.1 | 02.11.2018 | KE | | Enhanced sections 2 and 4 | Approved | CTO | 02.11.2018 |
| V 4.2 | 17.06.2019 | KE | 10 | Added section about semi anon user | | | |