KB Article #191960
Amplify Fusion Single Sign On using Microsoft Entra ID
This guide describes how to configure Amplify Fusion to enable log on via Single Sign-On (SSO) using Microsoft Entra ID. The guide was created using Amplify Fusion 1.11.2.
The basic steps are:
- Configure a new SAML 2.0 application
- Configure Single Sign On in the Amplify Fusion Manager module by importing the SAML Metadata XML file
- Test the SSO integration
Configure an Enterprise Application in Microsoft Entra
- Navigate to the Microsoft Entra admin center at entra.microsoft.com
- Select Enterprise apps and then click New application

- Click Create your own, fill in the name, for example Amplify Fusion, choose Integrate any other application you don't find in the gallery (Non-gallery) and click Create

- Click on 2. Set up single sign on

- Choose SAML as the sign-on method

- Click on Edit in the Basic SAML Configuration section to fill in the required information

- Click Add identifier and fill in
https://tenant.domain/api/saml2/service-provider-metadata/default, then click Add reply URL and fill in
- After clicking Save, your configuration should look like the example below

- Download the Federation Metadata XML; we'll import it into Fusion later

- Go back to the Overview page and click Assign users and groups and select the users or groups you wish to grant access to the application

Configure Amplify Fusion Single Sign On
- Click on Manager -> Single Sign On

- Enter a name and optionally a description, then click Choose File and select the federation metadata XML file you downloaded earlier. This will populate several of the form fields

- Scroll down to the Attribute Mapping section and enter the following in the Attribute Name part of the fields
  - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress for Email Address
  - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname for First Name
  - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname for Last Name
- Enable Provision New Users and set the Default Roles and Teams

Sign on to Amplify Integration using SSO
- At this point single sign on may be tested. Sign out of Amplify Fusion and click on the Login SSO button

- You will be redirected to the Microsoft Sign in page to enter your credentials

- Complete the authentication by fulfilling the MFA criteria. In the example below you must enter the number in Microsoft Authenticator

- You will now be logged in to Amplify Fusion. If the user does not already exist, it will be created with the default roles and teams from the Single Sign On page as previously configured

- You can check the roles and teams by clicking the account name in the top right corner and clicking settings

- The user account should also be visible to super administrators
