Single Sign-On — Azure AD

SearchStax Site Search offers Azure AD Single Sign-On (SSO). This lets your users log in with a single ID and password across multiple software systems.

We use the open standard Security Assertion Markup Language (SAML) to allow identity providers (IdP) to pass authorization credentials to service providers (SP). This page shows you how to use Azure AD to set up SSO for SearchStax.

Note: This is an optional feature that you can add to your SearchStax account. Contact SearchStax for details.

Instructions

Once SearchStax enables SSO for your account and sets up a domain, the options to configure SSO appear in the My Profile screen of the My Account menu:

Account settings panel with Two-Factor Authentication and Single Sign-On options, including setup and management controls.

The Set Up Single Sign-On button opens a screen with configuration URLs and feature options. You'll need to refer to this screen while you set up the SSO profile with the Identity Provider.

SAML configuration form showing authentication URLs, user creation settings, and assertion options for Single Sign-On setup.

This screen contains the following fields and options:

  • Assertion Consumer Service (ACS) URL: Note that the URL includes your SSO domain (called mydomain in the following discussion).
  • Metadata URL: SearchStax metadata endpoint.
  • Enable Checkbox: If checked, SSO is enabled for this account.
  • Assertion Responses Signed: Use the dropdown to indicate whether assertions and/or responses should be signed.
  • Allow Email Password Login Checkbox: If checked, you can log in by email and password in addition to SSO.
  • Auto Create Users Checkbox: Should the system create a new user account the first time a user logs in?
  • IDP Entry URL: Identity provider URL.
  • Metadata URL: The SAML 2 Metadata URL.
  • Sign-In URL: The URL used for signing into the SAML Identity Provider.
  • Sign-Out URL (Optional): The URL shown after a successful sign-out.

Azure AD Setup

  1. Go to Azure Active Directory. Select Enterprise Applications, then click on "New Application."
  2. Click on "Create your own application."
  3. Enter a name for the SearchStax application, such as "SearchStaxManagedSolr." Select the last dropdown: "Integrate any application you don't find in the gallery." Then click the "Create" button.
  4. The system creates a new Enterprise Application. In the screen that appears, click the link for Step 1 > Assign Users and Groups. Here you can assign which users and groups have permission to access the SearchStaxManagedSolr Enterprise Application.
  5. Click on "Add user/group" and then add all the users and groups you want to grant access to.
  6. When you're done with Step 1, click the "Get started" link for Step 2 > Set up single sign on.
  7. Select the single sign-on method as "SAML."
  8. The screen displays options to configure the SAML endpoints.
  9. Click Edit on Step 3 and change the Signing Option to "Sign SAML assertion." Then click "Save." You can choose another option, but if you do, select the same setting under Assertion Responses Signed in the Managed Search Dashboard SSO settings.
  10. Click the Edit button for Step 1 > Basic SAML Configuration.
    1. Enter the "Metadata URL" shown on your https://app.searchstax.com/admin/sso/configure/saml2/ page as Identifier (Entity ID). Remove any extra entries and make sure the "default" checkbox is checked.
    2. Enter the Assertion Consumer Service URL as the "Reply URL" as shown below.
    3. Click "Save."
  11. Set up Step 2 > User Attributes & Claims. Click on Edit.
  12. Managed Search has defined roles. If your active directory has a field with role mappings, click on "Add new claim" and assign "role." If you don't have a mapping for Managed Search roles, leave it as is. Users will get created with Team Member as the default role. You can change these roles later from the Managed Search Dashboard.

    For example, we're mapping the user.jobtitle field as the "role" as shown below.

    Map the Unique User Identifier (Name ID) to your active directory field that contains the email for users who will use Managed Search. In this example, the default user.userprincipalname contained that information.
  13. Now go back to the Managed Search dashboard and do the following:
    1. Set the "Metadata url" to the "App Federation Metadata Url" shown in Step 3.
    2. Set the "Login Url" to the "Login URL" shown in Step 4.
    3. Set the "Logout Url" to the "Logout URL" shown in Step 4.
    4. Set the "Idp Entity Url" to the "Azure AD Identifier" shown in Step 4.
Single Sign-On configuration panel with authentication URLs, assertion settings, and user creation options for Azure AD integration.
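
To confirm that the two sides of the setup above agree, you can inspect a SAML response captured from your own test login and base64-decoded. The following is an added example, not SearchStax or Microsoft code: it compares the response with the signing option from step 9, the Reply URL and Identifier from step 10, and the Name ID and "role" claim from step 12. The sp.example.test URLs are placeholders for the values on your SSO screen, and the claim is assumed to be named exactly "role" with no namespace.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of a decoded SAMLResponse; sp.example.test URLs are placeholders.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://sp.example.test/acs/">
  <saml:Assertion>
    <ds:Signature><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/metadata/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="role">
      <saml:AttributeValue>Admin</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, acs_url, entity_id, expect_signed):
    """List mismatches between a decoded SAML response and the SP settings.
    expect_signed is a subset of {"response", "assertion"} (step 9). Only the
    presence of signatures is checked; the service provider validates them."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element found"]
    findings = []
    signed = set()
    if root.find("ds:Signature", NS) is not None:
        signed.add("response")
    if assertion.find("ds:Signature", NS) is not None:
        signed.add("assertion")
    if signed != set(expect_signed):
        findings.append(f"signed parts {sorted(signed)} != expected {sorted(expect_signed)}")
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match the ACS (Reply) URL")
    audiences = [a.text for a in assertion.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        findings.append("Audience does not contain the Identifier (Entity ID)")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if "@" not in name_id:
        findings.append("NameID is not an email address")
    if not assertion.findall(".//saml:Attribute[@Name='role']/saml:AttributeValue", NS):
        findings.append("no 'role' claim: new users get the default Team Member role")
    return findings
```

An empty list means the response matches the settings you passed in; each string names one setting to recheck in Azure AD or in the dashboard.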

Login Using SSO

The Site Search sign-in screen has a button at the bottom for SSO: "Sign-In With your ID Provider." Click this button.

Login form for Site Search with email and password fields, plus option to sign in using an ID provider.

Enter the domain that was set up for your account.

SearchStax Site Search sign-in form with subdomain field highlighted in red and Continue button.

Click Continue. This takes you to the Azure AD Sign-in page. After you authenticate, you'll return to your Site Search Dashboard.

Alternatively, you can go directly to https://.searchstax.com to log in. Clicking "Sign-In With your ID Provider" takes you directly to Azure AD.

SSO + Two-Factor Authentication

A user can have both SSO and Two-Factor Authentication set up. The 2FA settings for a user apply to all accounts that user can access.

However, for accounts with SSO enabled, SearchStax 2FA settings won't apply. In that case, set up 2FA at the SSO Provider instead.
