Log in to the Azure admin portal for your organization.

For most companies, the portal will be https://portal.azure.com/.

Click the View button on the Manage Azure Active Directory tile.

Click on Enterprise applications in the Manage menu.

Click on New application at the top of the window.

Type "Dozuki" into the search bar.

Type a display name for your Dozuki site into the name field.

For customers with a single Dozuki site, we recommend using Dozuki as the display name.

Click the Add button at the bottom of the window.

Click on the Assign users and groups tile in the Getting Started section.

Click the Add user button to add users and groups.

You can read more about assigning users and groups in Azure here.

Click on the Set up single sign on tile in the Getting Started section.

Click on the SAML tile under Select a single sign-on method.

Click the edit icon on the Basic SAML Configuration tile.

Open the management console of your Dozuki site in another browser window.

From the Configuration section in the sidebar menu, select Security.

Download the SAML `metadata.xml` file.

Open this file with text editor.

Enter the Basic SAML Configuration settings.

Refer to the values in the SAML `metadata.xml` file.

Alternatively, you can use the Upload metadata file tab to upload these values directly into Azure.

Click the Save icon to save your changes.

Click the 'X' at the top of the window to leave the Basic SAML Configuration settings.

Click the edit icon on the User Attributes and Claims tile.

Click on Add a new claim under User Attributes & Claims.

Enter userid into the Name field.

Enter user.objectid into the Source attribute field.

If your company uses additional unique identifiers for your users, you can use those attributes instead of user.objectid, but it should be a constant and unique value.

Click the Save button to save your changes.

Click the 'X' at the top of the window to return to the User Attributes & Claims section.

Click on Add a new claim under User Attributes & Claims.

Enter username into the Name field.

Enter user.displayname into the Source attribute field.

Click the Save button to save your changes.

Click the 'X' at the top of the window to return to the User Attributes & Claims section.

Click on Add a new claim under User Attributes & Claims.

Enter email into the Name field.

Enter user.mail into the Source attribute field.

Click the Save button to save your changes.

Click the 'X' at the top of the window to return to the User Attributes & Claims section.

Click the 'X' at the top of the window to leave the User Attributes & Claims settings.

Click on Add a new claim under User Attributes & Claims.

Enter role into the Name field.

Enter user.assignedrole into the Source attribute field.

Click the Save button to save your changes.

Click the 'X' at the top of the window to return to the User Attributes & Claims section.

Click the 'X' at the top of the window to leave the User Attributes & Claims settings.

In the SAML Signing Certificate section, click the Download link for Certificate (Base64).

Save the certificate file when prompted.

Open the certificate in a text editor.

Open the management console of your Dozuki site in another browser window.

From the Configuration section in the sidebar menu, select Security.

Under the Authentication heading section of the Security page, click on SAML: Identity Provider X.509 Certificate.

Copy the body of certificate from your text editor.

The certificate should be formatted similar to the example shown under the Authentication section.

Paste the certificate into the text field.

Click the Save button to save your changes.

Copy the Azure AD Identifier

Paste the Azure AD Identifier into the SAML 2.0: Identity Provider ID text field in your Dozuki site.

Click the Save button to save your changes.

Click on the SAML: Identity provider URL heading under Authentication.

Under the Set up section in the Azure portal, click on the Copy icon next to Login URL.

Paste the Login URL into the Test a SAML identity provider URL text field in your Dozuki site to test the SSO connection.

We recommend testing the SAML connection through your Dozuki site before enabling SAML 2.0 as the authentication mechanism. Testing the connection from within Dozuki will prevent disruption to your active site and current users.

After testing the connection, paste the Login URL into the SAML: Identity provider URL field.

Click the Save button to save your changes.

Click on the SAML: Logout URL heading under Authentication.

Under the Set up section in the Azure portal, click on the Copy icon next to Logout URL.

Paste the Logout URL into the SAML: Logout URL text field in your Dozuki site.

Click the Save button to save your changes.

Click on the Single sign on heading under Authentication.

Click on the Single Sign On type dropdown menu.

Select SAML 2 from the dropdown menu.

Click the Save button to save your changes.

Once SSO is enabled on your Dozuki site, you have the option to add a role attribute prefix. This helps when syncing to third-party IdPs and will allow roles to be passed as `dozuki-<role>` (`dozuki-admin`, `dozuki-author`, etc.)

Dozuki defined roles (admin, author, user, etc.) cannot be customized.

Click Edit.

Add your desired role attribute prefix.

Click Save.

Your role attribute prefix will be displayed.

Once Single Sign On is enabled, SSO auth for signoffs & approvals will appear in the Authentication section of the Security settings.

This feature allows users to enter their SSO authentication for Signoffs and Approvals instead of a separate Dozuki password.

SSO auth for signoffs & approvals is enabled by default when you enable SSO authentication.

Only disable SSO authentication for signoffs & approvals if you want your users to enter a separate Dozuki password for signoffs and approvals.