Configuring Tenfold SSO to use Azure AD as an identity provider
Overview: This article provides a walkthrough of configuring Azure AD as an identity provider for Tenfold’s Single Sign-On solution.
1. In the Azure AD Admin console, navigate to Azure Active Directory and then Enterprise Applications.
2. Select All Applications and then New Application
3. Select Non-Gallery Application. Type in the name of the application (e.g. Tenfold) and press Add.
4. Click on Single Sign-On and then select SAML.
5. In the Basic SAML Configuration section click on the edit (Pencil) icon.
6. Enter the Reply URL and Entity ID then click Save.
Reply (Assertion Consumer URL):
Identifier (Entity ID):
7. In the User Attribute & Claims section click on the edit (Pencil) icon.
8. Click on the edit (Pencil) icon next to Name Identifier Value. In Source Attribute select user.mail from the drop-down and press Save.
9. In the SAML Signing Certificate section, click on Download next to Federation Metadata XML.
10. Go back to the Add an Application section, select Users & Groups and press Add.
11. Click on Users & Groups, click on the users that are to use Azure SSO with Tenfold, then press Select and then Assign.
12. In the Tenfold dashboard, navigate to the Single Sign-On feature configuration page. Set the Domain to the value which you want your users to enter when logging in to Tenfold (e.g. acme-org), click on Upload file and select the Federation Metadata XML file which was downloaded in step #9. Click Save at the bottom of the page.
13. You are ready to use Azure AD to authenticate to Tenfold. The GIF below demonstrates the login flow with Azure after using Microsoft multi-factor authentication:
If you have multiple Tenfold organizations connected to a single Identity Provider you will need to enable the ‘Multi-Tenant’ preference in order for Tenfold to properly identify which organization a user belongs to during login. Tenfold accomplishes this by pairing a specific Attribute from the SAML payload, and directing users to the applicable Tenfold environment based on the Value of the associated user.
- Identify an Attribute within Azure AD, or create a new one, that can be used to group users based on the related Tenfold environment.
- Enable the ‘Multi-tenant’ setting on the ‘Single Sign-On’ feature. Select ‘Custom Field’ in the dropdown.
- Configure the Attribute and Value to relate users to the associated Tenfold environment you are updating. The Attribute is set first, and should follow the same syntax as Azure AD. This same Attribute can, and often should, be used for any additional Tenfold environments you have. Value is set later, and should be unique to this Tenfold environment.
- Follow steps 2-3 in any additional Tenfold environments you may have, bearing in mind that although ‘Attribute’ can be shared across multiple Tenfold environments the ‘Value’ must always be unique to that Tenfold environment.
If you encounter any issues with authenticating users into the proper Tenfold environments after configuring the ‘Multi-Tenant’ settings, use a SAML decoding tool to inspect the SAML payload that Azure AD sends to Tenfold during a login attempt. The payload will indicate both the ‘Attribute’ being pushed to Tenfold, as well as the ‘Value’ such as:
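One way to do this inspection offline rather than pasting a live assertion into a web-based decoder (an added example, not Tenfold's or Microsoft's code): the script below decodes a base64 `SAMLResponse` form value and reports whether the configured Attribute and Value are present. The sample assertion is constructed, and the attribute name `tenfoldOrg`, the value `acme-org` and both function names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample; "tenfoldOrg" / "acme-org" are hypothetical
# Attribute and Value names, not values taken from Tenfold or Azure AD.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="tenfoldOrg">
        <saml:AttributeValue>acme-org</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="displayname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()


def decode_saml_response(b64_response):
    """Decode an HTTP-POST SAMLResponse value into (NameID, {attribute: [values]})."""
    xml_bytes = base64.b64decode(b64_response, validate=True)
    # Refuse DTDs: SAML never needs one, and stdlib XML parsers expand entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration found in SAML payload")
    root = ET.fromstring(xml_bytes)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return name_id, attributes


def check_tenant_mapping(b64_response, attribute, value):
    """Exact, case-sensitive match (an assumption about how the values are compared)."""
    _, attributes = decode_saml_response(b64_response)
    if attribute not in attributes:
        return "attribute missing"
    return "ok" if value in attributes[attribute] else "value mismatch"


if __name__ == "__main__":
    print(check_tenant_mapping(SAMPLE_RESPONSE, "tenfoldOrg", "acme-org"))
```

The script only reads the payload and does not verify the assertion's signature, so it is a troubleshooting aid and not a validation step. A `SAMLResponse` copied from browser developer tools may be URL-encoded and must be URL-decoded before it is passed in.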