Configure SSO Authentication With Microsoft Azure

Here are the steps to configure Azure with Devolutions Hub Business for SSO authentication and user provisioning.

An Azure AD account with the appropriate rights is required.

Configure Single Sign-On (SSO)

In Devolutions Hub Business

  1. Go to Administration – Authentication.
  2. In Single Sign-On (SSO), click on Configure Single Sign-On (SSO).
    Administration – Authentication – Single Sign-On (SSO) – Configure Single Sign-On (SSO)

A configuration window will open.

Configure Single Sign-On (SSO)

Do not close this setup window, as the following steps will show you where to find the information to enter in these fields.

In Azure AD Portal

  1. In a new web browser page, open your Microsoft Azure AD Portal and sign in to your account.
  2. Select Azure Active Directory in the Azure services section. If you do not see it, click on More services to make other services appear.
    Azure Active Directory Service
  3. In Overview, click Add, then select Enterprise application.
    Add an Enterprise application
  4. Click on Create your own application.
    Create your own application
  5. Enter the name of this new application, then click on Create.

We recommend including either “Devolutions” or “Hub” in the name.

Application Name

  6. In the Properties, set the Assignment required? setting as needed. To learn more about this setting, hover over the information icon next to it with your cursor.
    Properties – Assignment required
  7. Save your changes if applicable using the Save button at the top.
  8. Staying in Properties, click on application registration in the text at the top.
    Properties – application registration
  9. Select Authentication in the left side menu, then click on Add a platform.
    Authentication – Add a platform
  10. In Configure platforms, select Web.
    Configure platforms – Web

In Devolutions Hub Business

  1. Back in the Configure Single Sign-On (SSO) window, copy the Callback URL at the bottom by clicking on the Copy to Clipboard icon next to it.
    Copy the Callback URL

In Azure AD Portal

  1. Back in Azure, paste the Callback URL in the Redirect URIs field, then click Configure at the bottom.
    Redirect URIs
  2. Select Token configuration in the left side menu, then click on Add optional claim.
    Token configuration – Add optional claim
  3. Under Token type, select ID. Then, in the list, select the following claims:
    • email
    • family_name
    • given_name
    • upn
    • xms_pl
    • xms_tpl
    Add optional claim
  4. Click Add.
  5. When prompted, enable Turn on the Microsoft Graph email, then click Add.
    Turn on the Microsoft Graph email
  6. Select Overview in the left side menu, then copy the Application (client) ID by clicking on the Copy to clipboard icon next to it.
    Copy the Application (client) ID

In Devolutions Hub Business

  1. Back in the Configure Single Sign-On (SSO) window, paste the Application (client) ID from the last step in the Client ID field.
    Client ID

In Azure AD Portal

  1. Back in Azure, select Certificates & secrets in the left side menu, then, in the Client secrets tab, click on New client secret.
    Certificates & secrets – Client secrets – New client secret
  2. In the Add a client secret window, enter a Description (for example, the name of your Enterprise app) and select an expiration date for this client secret, as per your best internal security practices.

Note that when the client secret expires, no one will be able to connect to the associated Hub. You will then need to create a new client secret. We recommend that you set yourself a task reminder before the expiration date.

Add a client secret

  3. Click Add.
  4. Copy the Value of this new client secret by clicking on the Copy to clipboard icon next to it.
    Copy the client secret value

In Devolutions Hub Business

  1. Back in the Configure Single Sign-On (SSO) window, paste the client secret Value from the last step in the Client secret field.
    Client secret

In Azure AD Portal

  1. Back in Azure, select Overview in the left side menu, then click on the Endpoints tab.
    Overview – Endpoints
  2. In the Endpoints window, copy the OpenID Connect metadata document URL by clicking on the Copy to clipboard icon next to it.
    Copy the OpenID Connect metadata document URL

In Devolutions Hub Business

  1. Back in the Configure Single Sign-On (SSO) window, paste the URL from the last step in the Discovery URL field.
    Discovery URL
  2. In the User Scopes field, enter “User.Read”.
    User Scopes
  3. Test the connection to make sure this configuration is done correctly. If it is, your account will connect with Azure AD.
  4. Click Save at the bottom.
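
To check a test sign-in against the values entered above, the following added example (not part of the original guide, and not Devolutions or Microsoft code) decodes an ID token and compares its audience with the Client ID, its issuer with the issuer field of the metadata document behind the Discovery URL, and its claims with the optional claims selected in Token configuration. The tenant ID, client ID, user and token are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json

# Optional ID-token claims selected under "Token configuration" in the steps above.
EXPECTED_CLAIMS = ("email", "family_name", "given_name", "upn", "xms_pl", "xms_tpl")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with the '=' padding stripped; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(id_token: str) -> dict:
    """Decode a compact JWT payload WITHOUT verifying it (troubleshooting only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def review_id_token(id_token: str, client_id: str, metadata: dict) -> dict:
    """Compare a test sign-in's ID token with the values entered in the SSO window."""
    claims = unverified_claims(id_token)
    return {
        "audience_matches_client_id": claims.get("aud") == client_id,
        "issuer_matches_discovery": claims.get("iss") == metadata.get("issuer"),
        # A claim may also be absent because the account has no value for it.
        "missing_claims": [c for c in EXPECTED_CLAIMS if c not in claims],
    }


def _segment(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample data (placeholder tenant, client ID and user; not real values).
TENANT = "11111111-1111-1111-1111-111111111111"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
METADATA = {"issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0"}
SAMPLE_TOKEN = ".".join([
    _segment({"alg": "RS256", "typ": "JWT"}),
    _segment({"iss": METADATA["issuer"], "aud": CLIENT_ID,
              "email": "sam@example.com", "given_name": "Sam",
              "family_name": "Example", "upn": "sam@example.com"}),
    "constructed-signature",
])

if __name__ == "__main__":
    print(json.dumps(review_id_token(SAMPLE_TOKEN, CLIENT_ID, METADATA), indent=2))
```

The decoder does not validate the signature, so its output is only a configuration aid and must not be used to decide whether a sign-in is trusted.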

Provisioning Configuration

To synchronize your users and user groups from your providers to the Devolutions Hub Business, follow the next steps.

In Devolutions Hub Business

  1. Go to Administration – Authentication.
  2. In Provisioning, click on Generate SCIM Token.
    Administration – Authentication – Provisioning – Generate SCIM Token

Note that this SCIM Token will expire in 365 days following its generation. When it expires, the provisioning will stop working. You will then need to regenerate a new SCIM Token. We recommend that you set yourself a task reminder before the expiration date.

  3. In the Generate a SCIM Secret Token window, copy the Tenant URL by clicking on the Copy to Clipboard icon next to it.
    Copy the Tenant URL

In Azure AD Portal

  1. In the management of your Enterprise app, go to Provisioning and click on Get started.
    Provisioning – Get started
  2. In the Provisioning Mode drop-down list, select Automatic. Then, paste the Tenant URL from step 3 in the Secret Token field.
    Provisioning Mode and Tenant URL

In Devolutions Hub Business

  1. Copy the Secret Token by clicking on the Copy to Clipboard icon next to it.
    Copy the Secret Token

In Azure AD Portal

  1. Paste the token from the previous step in the Secret Token field.
    Secret Token
  2. Test the connection to make sure that it works, then click Save.

Add a user/group

In this section, you will add your users and user groups to your Enterprise app.

You need to have an Azure Enterprise license to be able to synchronize user groups.

Nested groups are not supported, meaning that Azure provisioning will not synchronize users who are members of a nested group.
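
The nested-group limitation can be checked before provisioning starts. The following added example (not from the original guide) walks a group membership listing and reports users who are reachable only through a nested group and would therefore not be synchronized; the group names, users and data layout are constructed assumptions, and the function name is hypothetical.

```python
def users_missed_by_provisioning(assigned_groups, members):
    """Return {user: nesting path} for users reachable only through nested groups.

    members maps a group name to a list of (kind, name) pairs, where kind is
    "user" or "group" (an assumed export layout, not an Azure API format).
    """
    # Direct members of an assigned group are the ones that get synchronized.
    synced = {
        name
        for group in assigned_groups
        for kind, name in members.get(group, [])
        if kind == "user"
    }
    missed = {}
    for root in assigned_groups:
        seen = {root}  # guards against circular nesting
        stack = [(n, [root, n]) for k, n in members.get(root, []) if k == "group"]
        while stack:
            group, path = stack.pop()
            if group in seen:
                continue
            seen.add(group)
            for kind, name in members.get(group, []):
                if kind == "group":
                    stack.append((name, path + [name]))
                elif name not in synced:
                    missed.setdefault(name, " > ".join(path))
    return missed


# Constructed sample directory: IT-Ops is nested in Hub-Admins, and
# Contractors and IT-Ops reference each other (a cycle).
MEMBERS = {
    "Hub-Admins": [("user", "alice"), ("group", "IT-Ops")],
    "IT-Ops": [("user", "bob"), ("user", "alice"), ("group", "Contractors")],
    "Contractors": [("user", "carol"), ("group", "IT-Ops")],
    "Hub-Users": [("user", "carol")],
}

if __name__ == "__main__":
    report = users_missed_by_provisioning(["Hub-Admins"], MEMBERS)
    for user, path in sorted(report.items()):
        print(f"{user}: only reachable via {path}")
```

Users listed in the report need to be added to an assigned group directly, or their nested group assigned to the Enterprise app itself.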

In Azure AD Portal

  1. Select Users and groups in the left side menu, then click Add user/group.
    Users and groups – Add user/group
  2. Under Add Assignment, click on None selected.
    Add Assignment
  3. Manually search for users and groups or use the Search bar. Click on Select when you have finished your selection.
    Users and groups selection
  4. Click Assign when your selection is complete.
    Assign users and groups
  5. Select Provisioning in the left side menu, then click Start provisioning.
    Start provisioning

Synchronization between Azure and Hub

In Devolutions Hub Business

  1. Go to Administration – Authentication.
  2. In Provisioning, Enable the synchronization.
    Administration – Authentication – Provisioning – Enable the synchronization

Azure's provisioning frequency is at most 40 minutes. The user groups, including their members, will synchronize within this Azure provisioning time. We recommend that you verify the first provisioning results.

In Administration – User Groups, the Azure user groups will be added. They are recognizable by the Is sync group icon next to the group name.

Synced User Groups

In Administration – Users, all users in the Azure user group who are already part of your Devolutions Hub will be flagged as synced with the Is sync icon next to their name. All new users who are part of the synchronized Azure user group but are not part of the Devolutions Hub will be suggested as new invitations in Invitations required.

Invitations required & Synced Users

All users who already had a Devolutions Account will see both login options: the Devolutions Account method and the Microsoft method.

Sign in with your Devolutions Account or with Microsoft