Audience: System Administrators
Before Choosing SSO
Contract Eagle supports Microsoft Azure Active Directory for its identity infrastructure. No other providers are supported at this time.
SSO is a licensed feature. To check whether this feature is enabled, navigate to the Admin > System Preferences screen and select the Integrations tab. If enabled, the Single Sign On – Azure Active Directory section will display “Single Sign On via Microsoft Azure Active Directory is available for your subscription.”
If this feature is not enabled, please contact Contract Eagle support (support@contracteagle.com).
If SSO authentication is enabled, all users must log in to Contract Eagle using SSO.
If you are switching an existing installation of Contract Eagle to SSO, all active users must have a UPN populated in Contract Eagle (refer to Enabling SSO for an existing installation below).
Changes to the User Login Experience
When you have completed integration with Azure AD SSO, you will notice the following changes to the Contract Eagle user interface:
When navigating to the Contract Eagle URL, users will no longer be prompted to enter a username and password. They will instead be presented with a sign-on screen with a single button which states:
Sign On via Microsoft
If the user has not previously logged in, this button will redirect the user to Microsoft’s Azure sign on interface to authenticate using your organization-wide credentials.
The Sign Out button will end the user’s Contract Eagle session and redirect them through to Microsoft Azure to log out.
When creating a user within Contract Eagle, the Email Address is used as the primary login identifier. If a user’s UPN does not match their Email Address, the UPN must be recorded in the Additional Login ID field.
Pre-Requisites
Before commencing SSO configuration, please verify the following:
Know the Microsoft Azure Portal access details for an account within your organization which has “Global Administrator” permissions.
Know the Microsoft Azure sign-on details for an account within your organization (preferably the same as the account above) which:
uses the same email address as your Contract Eagle account email address.
Know the Contract Eagle sign on details for the administrator account that you will use to enable SSO. You will need these credentials to recover access to Contract Eagle if you ever elect to disable SSO integration.
You can successfully log in to Contract Eagle with Forms (username and password) Authentication.
Enabling SSO for an existing installation
Under SSO, a user’s login ID is matched to the Email Address field or to the (Additional) Login ID field recorded for the user.
If users’ email addresses at your organization are always the same as their UPNs:
The Login ID field can remain set to their existing login ID.
You should ensure that the Email Address field (i.e. the user's UPN format account name) is populated for all active users prior to enabling SSO.
If users’ email addresses differ from their UPNs:
We recommend running and saving a User Data Export before updating users so that a snapshot of login details is readily available.
Once SSO has been successfully enabled, the user’s Login ID must be updated by replacing their login account name in the Additional Login ID field with their UPN.
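A pre-flight check for the matching rule in this section, added here as an example (it is not Contract Eagle code): it reads a User Data Export and a list of Azure AD UPNs, then reports which active users would fail to match on both Email Address and Additional Login ID. The CSV column names, the `Active` values, the case-insensitive comparison and all sample data are assumptions.

```python
import csv
import io

# Constructed sample of a User Data Export. Column names and the
# Yes/No "Active" values are assumptions; adjust to the real export.
SAMPLE_EXPORT = """Name,Email Address,Additional Login ID,Active
Ana Ruiz,ana.ruiz@example.com,,Yes
Ben Cole,ben@example.com,bcole@corp.example.com,Yes
Cy Dunn,,cdunn,Yes
Di Eng,di.eng@example.com,,Yes
Ed Fox,ed.fox@example.com,,No
"""

# Constructed list of UPNs as exported from Azure AD.
SAMPLE_UPNS = ["Ana.Ruiz@example.com", "bcole@corp.example.com",
               "cdunn@corp.example.com"]


def norm(value):
    """Trim and lower-case an identifier (assumes case-insensitive matching)."""
    return (value or "").strip().lower()


def preflight(export_csv, directory_upns):
    """Classify active users by whether SSO could match them to a UPN."""
    upns = {norm(u) for u in directory_upns}
    report = {"ok": [], "no_identifier": [], "no_match": []}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if norm(row["Active"]) != "yes":
            continue  # inactive users do not need to sign in
        ids = [norm(row["Email Address"]), norm(row["Additional Login ID"])]
        ids = [i for i in ids if i]
        if not any("@" in i for i in ids):
            # Neither field holds a UPN-format value (e.g. a legacy login name).
            report["no_identifier"].append(row["Name"])
        elif any(i in upns for i in ids):
            report["ok"].append(row["Name"])
        else:
            # UPN-format value present, but unknown to the directory.
            report["no_match"].append(row["Name"])
    return report


if __name__ == "__main__":
    for status, names in preflight(SAMPLE_EXPORT, SAMPLE_UPNS).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Users listed under `no_identifier` or `no_match` are the ones whose Email Address or Additional Login ID needs correcting so that they are not locked out.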
Contract Eagle Connection
To connect Contract Eagle to Azure AD, the logged-in user’s Contract Eagle email address must be that of the account with Azure AD “Global Administrator” permissions identified in the Pre-Requisites section.
In Contract Eagle, navigate to the Admin > System Preferences screen and select the Integrations tab. Scroll down to the Single Sign On - Azure Active Directory section and click on the Activate SSO via Azure AD button.
In the pop-up, ensure that the correct email address / UPN is displayed.
Click the Confirm button.
You will be redirected to the Microsoft login page.
On completing the sign-in, you will be redirected back to the System Preferences page.
If successful, the Status field should now display “Active”.
Test SSO
In a new browser session, navigate to the Contract Eagle Web URL (e.g. http://acme.contracteagle.com). You should now see the SSO login screen.
Click the Sign-On button and log in via the Microsoft login window using your organization credentials. If successful, you will be redirected back to Contract Eagle and logged in.