Users with the Manage District Settings user permission can set up single sign-on with Azure. The SAML Azure integration is the recommended SSO option for Microsoft users.
This integration creates user accounts as users log in for the first time. It gives users the option to 'Login with Microsoft'.
This is a three-step process:
- Step 1: In Azure, add a new SAML application.
- Step 2: In Facilities Schedules, set up your Identity Provider.
- Step 3: Set default roles for Facilities Schedules users who log in via SAML.
| Important: Because of the technical knowledge required, your district's IT administrator will most likely need to perform this procedure. |
Step 1: In Azure, add a new SSO Connection.
In Azure (https://portal.azure.com/), you will add a new SSO Connection. A few things to take note of while setting up Azure:
- Fields are case sensitive.
- In Microsoft Entra ID, you need to create your own application (under Add > Enterprise application):
  - Enter a name that identifies it as Facilities Schedules.
  - You must select Integrate any other application you don't find in the gallery (Non-gallery).
- Set up single sign-on for SAML.
- Edit the Basic SAML Configuration. Add an Identifier (Entity ID) and Reply URL.
  Note: The Identifier and Reply URL should be https://XXXXX.mlschedules.com/MLSAMLConnect.aspx. Replace “XXXXX” with your custom Schedules subdomain.
- Edit the Attributes & Claims. You need to map four new attributes. Add a new claim, and enter the text exactly as follows:
  - Name: FirstName, Source attribute: user.givenname
  - Name: LastName, Source attribute: user.surname
  - Name: Email, Source attribute: user.mail
  - Add a group claim. Either add all groups or groups assigned to the application.
    Note: These are the groups you will pass to Schedules. This will then allow you to automatically assign users role(s) in Schedules.
    - Ensure the Source attribute is Group ID.
    - In Advanced options, click Customize the name of the group claim, and enter the Name as Group. Select either all or a specific group to pass through to Roles in Schedules.
- Edit the SAML Certificate for Schedules. Next to the active certificate, download the Base64 certificate.
- Assign users and groups that you want to have access to Schedules.
| Note: Azure’s interface and field names may have changed since this was written. Use these steps as a general guide, and select the closest matching options in your Azure portal. |
Step 2: In Facilities Schedules, set up your Identity Provider
1. In Facilities Schedules, select Admin > Single Sign On > SAML Configuration. The SAML Integration Admin page appears.
2. Next to Azure, click the icon. A pop-up appears.
3. Do the following:
   - Under Issuer, enter the Microsoft Entra Identifier.
   - Enter the Login Link, if desired. Enter the User Access URL from the Azure Properties.
   - Under Certificate, enter the IDP Certificate.
     Notes:
     - You download this certificate from Azure. Enter it here.
     - On the certificate, remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
   - Select the Classification for Users Group.
   - Click Generate Metadata XML file.
     Note: You will enter this in Azure.
4. Click Save.
Step 3: Set default roles for Facilities Schedules users who log in via Azure
| Note: You can create as many SAML groups as you want. When a user first logs in, they are assigned the role based on the group they belong to. You can also manage additional roles in Schedules, but cannot remove these default roles. |
1. Select Admin > Single Sign On > SAML Group Settings. The Manage SAML Groups page appears.
2. Click +Add SAML Group. A pop-up appears.
3. Do any of the following:
   - Enter a Group Name.
     Note: This is the Object ID specific to the Azure group you are setting up.
   - Select the desired Roles.
   - Select the desired Sites.
     Note: To select All Sites, select the checkbox.
4. Click Save.
5. Repeat steps 2-4 for each group you want to add.
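As an added example (not part of this article or of the Schedules product), the following Python script shows what the four claims configured in Step 1 look like inside a SAML assertion, checks that the assertion names the expected Issuer and Entity ID, and applies the Step 3 group settings to derive a user's default roles. The issuer value, group Object IDs, e-mail and role names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholders standing in for the Microsoft Entra Identifier and the Entity ID from Step 1.
ENTRA_IDENTIFIER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
ENTITY_ID = "https://XXXXX.mlschedules.com/MLSAMLConnect.aspx"

# Constructed sample assertion using the exact claim names the article has you configure.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Issuer>{ENTRA_IDENTIFIER}</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>ada@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>11111111-aaaa-bbbb-cccc-222222222222</saml:AttributeValue>
      <saml:AttributeValue>33333333-dddd-eeee-ffff-444444444444</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# SAML Group Settings from Step 3: Azure group Object ID -> default roles (constructed values).
SAML_GROUPS = {"11111111-aaaa-bbbb-cccc-222222222222": ["Site Administrator"]}


def extract_claims(xml_text, expected_issuer, expected_audience):
    """Check Issuer and Audience, then return the claims keyed by their exact Name.
    Signature verification belongs to the SP's SAML library and is not shown here."""
    root = ET.fromstring(xml_text)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion is not addressed to our Entity ID")
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        # Claim names are case sensitive: "firstname" would not match "FirstName".
        claims[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return claims


def default_roles(claims, group_settings):
    """Union of roles for every Group Object ID with a SAML Group entry; unknown groups add nothing."""
    roles = set()
    for group_id in claims.get("Group", []):
        roles.update(group_settings.get(group_id, []))
    return sorted(roles)
```

The second group in the sample has no SAML Group entry, so it contributes no role; only groups you add in Step 3 affect the default roles.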