Related Links

Single Sign-On with Azure AD


Administrators can use Single Sign-On (SSO) to access their accounts by choosing a SAML 2.0 identity provider (IdP). SSO eliminates the need to remember additional passwords, simplifying the sign-in experience.

To setup Single Sign-On (SSO) with Azure AD, the admin needs to:



Create an app on Azure AD console

If the IDrive360 application was previously downloaded in your Azure directory for SSO, you must delete the existing app and create a new application.

To use Azure AD as an identity provider for SSO, you need to create an app on Azure AD console.

To create the app,

  1. Login to the Azure AD console using your Azure AD account credentials and click on 'Enterprise applications'.
  2. Select the 'Overview' tab from the LHS menu, and click 'New application'.
  3. Click 'Create your own application'.
  4. Enter the application name under 'What's the name of your app?'.
  5. Select 'Integrate any other application you don't find in the gallery (Non-gallery)' and click 'Create'.
  6. Now, your IDrive 360 app is added to the Microsoft Azure Active Directory.

Configure roles

App roles are defined in the Microsoft Entra admin center during the app registration process. When a user signs in to the application, Microsoft Entra ID emits a roles claim for each assigned role, enabling claim-based authorization.

Note: The default roles created by Azure must be deleted. To remove unsupported roles, first assign a value, disable the role, and then delete it.

To create an app role,

  1. Navigate to Home.
  2. Go to 'Microsoft Entra ID' > 'Manage' > 'App registrations'.
  3. Search for your recently added app in the 'All applications' tab and click 'App roles'.
  4. Click 'Create app role' and fill in the following information:
    • Display name: Account Owner
    • Allowed member types: Users/Groups
    • Value: 1
    • Description: MSP Admin
  5. Click 'Apply' to save your changes.

Repeat the above steps to create roles for Company Administrator, Backup Administrator, Restore User, Backup User, Backup and Restore User.

User RolesValues
Account Owner1
Company Administrator2
Backup Administrator3
Restore User4
Backup User5
Backup and Restore User6

Note: The role values must exactly match the corresponding roles defined in the application's code.


Configure SSO

To configure SSO,

  1. Go back to the 'Microsoft Entra ID' > 'Enterprise application'.
  2. Search for the recently added application and click on it.
  3. Navigate to 'Manage' > 'Single-sign on'.
  4. Choose 'SAML' as the preferred single sign-on method.
  5. Under the 'Setup Single Sign-On with SAML' screen that appears,
    1. Click 'Edit' corresponding to the 'Basic SAML Configuration' and enter the URLs as given below:
      • Identifier (Entity ID): https://webapp.idrive360.com/api/sso/metadata
      • Reply URL (Assertion Consumer Service URL): https://webapp.idrive360.com/api/sso/process
      • Logout URL: https://webapp.idrive360.com/api/v1/logout
    2. From the 'SAML Certificate' section, click 'Download' and save the x509 certificate (Base64).
    3. Copy the 'Login URL' and '‘Microsoft Entra Identifier URL', and configure it with your cloud backup account.

Configure the cloud backup account for Single Sign-On (SSO)

Admin needs to provide the received SAML 2.0 URLs and Certificate from Azure AD in the Single Sign-On configuration form in the Management Console.

To configure SSO,

  1. Sign in to the cloud backup account and click 'Go To Management Console'.
  2. Navigate to 'Settings' > 'Single Sign-On (SSO)'.
  3. Enter the 'IDP Issuer URL', 'Single Sign-On Login URL' and upload the 'X.509 Certificate (Base64)' received from your newly created app on Azure AD console.
    1. Issuer URL - Microsoft Entra Identifier
    2. SSO Endpoint - Login URL
  4. Click 'Configure Single Sign-On'.

Configure Provisioning in Microsoft Azure AD

To enable provisioning, follow the steps below,

  1. Go to 'Provisioning' from the left navigation panel.
  2. Navigate to 'Manage > Provisioning'.
  3. Select the 'Provisioning Mode' to Automatic.
  4. Provide the following information:
    Tenant URL: https://webapp.idrive360.com/api/scim/v2/?aadOptscim062020
    Secret Token: Token generated in the IDrive360 app.
  5. Click 'Test Connection' to ensure connection between the Azure AD and the IDrive 360 app.
  6. In the 'Settings' section,
  7. In the 'Notification Email' field,
    1. Enter the email address of the person who should receive provisioning error notifications.
    2. Tick the checkbox for 'Send an email notification when a failure occurs'.
    3. Enter the value for 'Accidental deletion threshold' according to your company policy.
    4. Select 'Sync only assigned users and groups' for the 'Scope' field.
  8. In the 'Mappings' section,
    1. Select 'Provision Azure Active Directory Groups', toggle enabled checkbox as No and Click 'Save'.
    2. Select 'Provision Azure Active Directory Users'.

      Note: IDrive 360 currently does not support groups.

    3. Keep the fields unchanged.
    4. Click 'Show advanced options'.
    5. Under 'Supported Attributes', select 'Edit attribute list for customappsso'.
    6. In the attribute list, add an attribute named 'roles', select the type as string, and check the box for required.
    7. Click 'Save'.
    8. Click 'Yes' in the confirmation popup.
    9. Go back to the 'Attribute Mapping' section.
    10. Click 'Add new mapping'.
    11. Select 'Expression' as the mapping type.
    12. Specify the expression value as,
      'AppRoleAssignmentsComplex([appRoleAssignments])'.
    13. Select 'Roles' as the target attribute.
    14. Select 'No' for 'Match object using the attribute'.
    15. Choose when to apply this mapping, and then select 'Always'.
    16. Click 'Ok'.
    17. You can find the recently added attribute mapping under 'Attribute mappings'.

    After configuring the provisioning settings, you can assign any user that you want to provision into IDrive 360.


    Assign users to your application

    To enable SSO for user accounts, admin needs to assign users to the app created on Azure AD console.

    To assign users to the Azure AD app,

    1. From the newly created app in the Azure AD admin console, navigate to the 'Users and groups' and click 'Add user'.
    2. Select the users you want to assign to the app.
    3. Choose a role from the dropdown menu and click 'Select'.

      Note: Admins can assign any role to the selected users.

    4. Click 'Assign' to complete the process.

      Note: In Azure, the automatic provisioning cycle happens every 40 minutes.