Skip to main content
OpenEye Knowledge Base

Azure AD Integration Instructions

Enable Azure AD Integration
Add Identity Management Integration

As a web services Administrator,

  1. Go to Management > Integrations.
  2. Click Add New Integration.

Add New Integration Button.png

  1. Select Azure AD.

Azure AD Add New Integration.png

  1. Click Next.
  2. Ensure Enable Azure AD integration is checked in General Settings.
  3. Select Identity Management.
  4. Check Enable Third Party Authentication.

NOTE: Keep this page open on a browser tab while you perform the next step.

Azure AD Identity Management.png

Configure Azure AD for WS Access (Azure AD)

NOTE: You'll be alternating between OWS and Azure AD in order to perform this integration.

From Azure Active Directory:

  1. Go to Enterprise applications.
  2. Choose New application if you see this option (otherwise, go to the next step).

Azure AD Enterprise application.png

  1. Choose Create your own application.

Azure AD Create Application.png

  1. Choose Integrate any other application you don't find in the gallery and pick a name (e.g. OWS).

Azure AD Name Your Application.png

  1. Click Create.
  2. Go to Manage > Single sign-on.
  3. Choose SAML.
Basic SAML Configuration

Under BASIC SAML Configuration:

  1. Click Edit.

Azure AD SAML Configuration.JPG

  1. On the WS side, grab the Audience URI (SP Entity ID) URL and copy it to the Identifier (Entity ID) field in Azure AD.
  2. On the WS side, grab the Single sign on URL (ACS URL) URL and copy it to the Reply URL (Assertion Consumer Service URL) field in Azure AD.

Azure AD Identity Provider Metadata.png

  1. Click Save.
User Attributes and Claims Configuration

This may be left as-is with this consideration:

  • User Unique Identifier (Name ID) must be the intended unique user email address that will be utilized in OWS. This may be user.userpincipalname or user.mail depending on how your Azure AD is administered.
  • If JITP is enabled then groups must also be added (in addition to Name ID, Surname, and Given Name) by Edit:
  1. Click Add a group claim.

Azure AD Add Group Claim.JPG

  1. Check Security groups.
  2. Leave Group ID as the default for Source Attribute.
  3. Click Save.
SAML Signing Certificate Configuration

Download the Federation Metadata XML file here and copy the contents into the Identity Provider Metadata field in OWS and click Save on the OWS side.

Single Sign-On (SSO) Complete

Single sign-on setup is now complete minus provisioning. Some form of provisioning will likely be required. Both JITP and Automatic Azure AD Provisioning (recommended, see below) are supported.

Azure AD Automatic Provisioning Configuration

To configure provisioning via Azure AD, remain on the same setup page in OWS as per the SSO setup instructions and do the following:

  1. In Azure AD, go to Manage > Provisioning.
  2. Click Get started.
  3. Choose Automatic for Provisioning mode.

Azure AD Provisioning Setup.JPG

  1. For Tenant URL put in the URL found in OWS under Base URL (SCIM v2 API) (e.g.
  2. For Secret Token put in the value found in OWS under API Token (SCIM v2 API). Generate this token if necessary via SCIM API Token button.


  1. Click Save.
  2. Go back to the main page of the Enterprise Application that you are managing and go to Manage > Provisioning.
  3. Click Start provisioning to initiate the provisioning process. There may be a delay of up to 40 minutes for provisioning updates but the initial provisioning cycle usually begins in less than 5 minutes.

Azure AD Start Provisioning.JPG

Enable Azure AD Integration

Follow these instructions to Enable an Identity Management Integration.

Using Just in Time Provisioning (JITP) 

Follow these instructions to Enable Just-in-Time Provisioning (JITP).

  • Was this article helpful?