Using Single Sign-on Authentication
IMPORTANT! You must have administrator permissions to set up single sign-on authentication.
There are two methods of using single sign-on authentication to log into the My Transoft account:
- SAML (Security Assertion Markup Language) 2.0 single sign-on (preferred method)
- Azure AD (Active Directory) single sign-on
Using SAML (Security Assertion Markup Language) 2.0 Single Sign-on Authentication
The procedure below uses Microsoft Azure AD (Active Directory) as the identity provider, but the same settings (Entity ID, Reply URL, signing certificate and Login URL) should work with most other SAML 2.0 identity providers.
Setting up SAML single sign-on authentication involves three stages:
- Creating the enterprise application
- Setting up SAML 2.0 single sign-on authentication
- Setting up user provisioning
To Create the Enterprise Application:
- In Azure AD, under Manage, click Enterprise applications.
- Click New application. The Browse Azure AD Gallery page displays.
- Click Create your own application.
- In the What's the name of your app box, type a name for your application (MyTransoft), and then select Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create.
To Set Up SAML 2.0 Single Sign-on Authentication:
- In Azure AD, under Manage, click Enterprise Applications, and then select your enterprise application (MyTransoft).
- Click Assign Users and Groups, then click Add user/group, and then add the user who will be associated with the enterprise application and who will administer the licenses in the My Transoft portal (https://my.transoftsolutions.com/login). Note: A user with the same email address must already be registered in the My Transoft portal with administrator privileges. This is necessary because the user who enables single sign-on in the My Transoft portal must be able to log in through single sign-on before it is applied to the entire account.
- Return to the enterprise application page, and then, under Set up single sign on, click Get Started.
- Under Select a single sign-on method, click SAML.
- Under Set up Single Sign-On with SAML, next to Basic SAML Configuration, click Edit.
- Under Identifier (Entity ID), click Add identifier, then type a unique identifier for the SAML settings (MyTransoft), and then, in the My Transoft portal, in the SAML Entity ID / Issuer ID box, type exactly the same identifier (the value is compared character for character).
- In the My Transoft portal, in the SAML Reply (Assertion Consumer Service) URL box, click the Copy button, and then, in Azure AD, paste the address into the Reply URL (Assertion Consumer Service URL) box. Ignore the Sign on URL (Optional), Relay State (Optional), and Logout URL (Optional) options.
- To save the settings, in Azure AD and My Transoft portal, click Save.
- In Azure AD, under SAML Signing Certificate, next to Certificate (Base64), click Download. Open the downloaded file in a text editor (e.g. Microsoft® Notepad), and then select and copy the body of the certificate (the text between the BEGIN CERTIFICATE and END CERTIFICATE lines). This is the identity provider's public signing certificate; the My Transoft portal uses it to verify the signature on the SAML assertions it receives.
- Paste the copied text into the SAML Certificate (Base64) box in the My Transoft portal, and then click Save. If the signing certificate is later replaced in Azure AD (it has an expiry date, shown in the same section), paste the new certificate here as well; otherwise single sign-on fails once Azure AD starts signing with the new certificate.
- In Azure AD, under Set up MyTransoft, in the Login URL box, click the Copy button, then, in the My Transoft portal, paste the address into the Identity Provider Login URL box, and then click Save.
- In the My Transoft portal, click Enable SAML SSO to turn on SAML single sign-on. You will be prompted to log in through the identity provider. If that login succeeds, single sign-on is enabled for the entire account.
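The following Python script is an added example, not code from Transoft or Microsoft. It shows what the values exchanged in the steps above bind to inside an actual SAML Response, so that the Entity ID, Reply URL and signing certificate are not just opaque strings: the assertion's Audience must equal the Entity ID exactly, its Destination and Recipient must equal the Reply URL, and its Issuer must be the identity provider behind the Login URL. It also extracts the Base64 body of a downloaded certificate the way the certificate step describes. The ACS path, the tenant ID in the issuer, the sample response and the sample PEM (which decodes to a five-byte DER placeholder, not a real certificate) are all constructed for this example.

```python
# Added example, not Transoft's or Microsoft's code. Assumed/constructed: the ACS path,
# the tenant ID in the issuer, the sample response and the sample PEM (not a real cert).
import base64
import re
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

ENTITY_ID = "MyTransoft"                               # the identifier typed on both sides
ACS_URL = "https://my.transoftsolutions.com/saml/acs"  # assumed Reply URL
IDP_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # assumed tenant
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
SAMPLE_LATE = datetime(2024, 5, 1, 12, 10, 0, tzinfo=timezone.utc)

# Constructed PEM whose body decodes to a 5-byte DER SEQUENCE; not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

# Constructed, unsigned response; a real Azure AD response also carries a ds:Signature.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def pem_body(pem_text):
    """Return the Base64 between the BEGIN/END CERTIFICATE lines as a single line (the
    text the certificate step says to copy), after checking that it decodes to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:          # an X.509 certificate is a DER SEQUENCE
        raise ValueError("certificate body is not DER")
    return body


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _within(now, not_before, not_on_or_after):
    """True when not_before <= now < not_on_or_after; a missing bound is unrestricted."""
    if not_before and now < _ts(not_before):
        return False
    if not_on_or_after and now >= _ts(not_on_or_after):
        return False
    return True


def check_response(xml_text, *, expected_issuer, expected_audience, expected_acs, now):
    """Check the bindings the setup creates and return (problems, name_id):
    Issuer = the IdP, Audience = Entity ID, Destination/Recipient = Reply URL, plus the
    validity windows. Signature verification against the pasted certificate is
    mandatory in a real service provider and is deliberately not done here."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response"], None
    problems = []
    if root.get("Destination") != expected_acs:
        problems.append("Destination is not the Reply URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion"], None
    if a.findtext("saml:Issuer", default="", namespaces=NS) != expected_issuer:
        problems.append("Issuer is not the configured identity provider")
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                     default="", namespaces=NS)
    if aud != expected_audience:                     # exact, case-sensitive comparison
        problems.append("Audience is not our Entity ID")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not _within(now, cond.get("NotBefore"), cond.get("NotOnOrAfter")):
        problems.append("outside the Conditions validity window")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs \
            or not _within(now, scd.get("NotBefore"), scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData Recipient/NotOnOrAfter check failed")
    return problems, a.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
```

The checks are deliberately limited to the fields the setup binds. A real service provider must first verify the XML signature against the pasted certificate and reject unsigned or mis-signed responses, because without that step every other field in the response is under the sender's control. Note also that the bearer SubjectConfirmationData window (five minutes here) is tighter than the Conditions window, and both have to pass.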
To Set Up User Provisioning:
Note: User provisioning makes it possible to add users through your Azure AD and have them automatically synchronized to the My Transoft portal.
- In Azure AD, in your enterprise application, under Provision User Accounts, click Get Started.
- In the Provisioning Mode list, click Automatic.
- In the My Transoft portal, under Admin, click Settings, then, in the SCIM Tenant URL box, click the Copy button, and then, in Azure AD, on the Provisioning page, paste the address into the Tenant URL box.
- In the My Transoft portal, under Admin, click Settings, then, in the SCIM Secret Token box, click the Copy button, and then, in Azure AD, on the Provisioning page, paste the value into the Secret Token box. Treat this token as a credential: anyone who holds it can create, update and deactivate users in your account through the SCIM endpoint.
- In the My Transoft portal, click Enable SCIM 2.0 User Provisioning to turn on user provisioning.
- In Azure AD, click Test Connection, and, if the test ends successfully, click Save.
- In Azure AD, click Mappings, and then click Provision Azure Active Directory Users.
- In the customappsso Attribute column, delete all the attribute mappings except the following:
- userName
- active
- displayName
- emails[type eq "work"].value
- name.givenName
- name.familyName
- Click Save, and then close the page to return to the main Provisioning page.
- Under Provisioning Status, click On, and then click Save.
The user provisioning setup is now complete. Users assigned to the enterprise application in Azure AD are now synchronized to the My Transoft portal.
Note:
- The users that are automatically synchronized with the My Transoft portal are assigned the Software User role.
- Users that were registered in the My Transoft portal before provisioning was enabled are not synchronized back to Azure AD. Once such a user is added to the enterprise application in Azure AD and a provisioning cycle runs, that user's My Transoft portal information is updated from Azure AD.
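The following Python code is an added example, not Transoft's or Microsoft's code. It shows what the provisioning setup above produces on the wire: the SCIM 2.0 User resource built from exactly the six attributes kept in the mapping, the lookup, create and deactivate calls that the Azure AD provisioning service makes against the Tenant URL, each carrying the Secret Token as a bearer token, and the constant-time token check the receiving endpoint has to perform. The Tenant URL, the token and the user are constructed placeholders, and the JSON shapes follow RFC 7643/7644 rather than any captured Azure AD traffic.

```python
# Added example, not Transoft's or Microsoft's code. The Tenant URL, token and user are
# constructed placeholders; message shapes follow RFC 7643/7644 (SCIM 2.0).
import hmac
import urllib.parse

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
TENANT_URL = "https://my.transoftsolutions.com/scim/v2"   # assumed; use the copied value
SECRET_TOKEN = "example-secret-token-do-not-reuse"         # assumed placeholder


def scim_request(method, path, token, body=None):
    """Build one provisioning call as (method, url, headers, body). The Secret Token is
    sent as a bearer token on every call, which is why it must be handled as a credential."""
    headers = {"Authorization": "Bearer " + token, "Accept": "application/scim+json"}
    if body is not None:
        headers["Content-Type"] = "application/scim+json"
    return method, TENANT_URL.rstrip("/") + path, headers, body


def user_resource(user_name, display_name, given, family, work_email, active=True):
    """A User carrying exactly the attributes left in the mapping: userName, active,
    displayName, emails[type eq "work"].value, name.givenName, name.familyName."""
    return {
        "schemas": [SCIM_USER],
        "userName": user_name,
        "active": active,
        "displayName": display_name,
        "emails": [{"type": "work", "value": work_email, "primary": True}],
        "name": {"givenName": given, "familyName": family},
    }


def lookup_request(token, user_name):
    """GET /Users?filter=userName eq "...": how a provisioning client finds out whether
    the user already exists before deciding between create and update."""
    flt = 'userName eq "%s"' % user_name
    return scim_request("GET", "/Users?filter=" + urllib.parse.quote(flt), token)


def create_request(token, user):
    """POST /Users with the resource built by user_resource()."""
    return scim_request("POST", "/Users", token, user)


def deactivate_request(token, scim_id):
    """PATCH active=false: the soft-delete form a provisioning client typically sends when
    a user is unassigned; the portal keeps the record but must stop accepting logins."""
    body = {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return scim_request("PATCH", "/Users/" + urllib.parse.quote(scim_id, safe=""), token, body)


def bearer_is_valid(authorization_header, expected_token):
    """Endpoint-side check on every SCIM call; constant-time compare so the token cannot
    be recovered byte by byte from response timing."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False
    presented = authorization_header[len("Bearer "):]
    return hmac.compare_digest(presented.encode(), expected_token.encode())


if __name__ == "__main__":
    alice = user_resource("alice@example.com", "Alice Example", "Alice", "Example",
                          "alice@example.com")
    print(lookup_request(SECRET_TOKEN, "alice@example.com")[1])
    print(create_request(SECRET_TOKEN, alice)[3])
    print(bearer_is_valid("Bearer " + SECRET_TOKEN, SECRET_TOKEN))
```

Because every call is authorized solely by that bearer token, the Secret Token should be treated like a password: copied once into the Azure AD provisioning configuration and not stored anywhere else. The userName and work email are the values the portal matches against its existing accounts, which is why the mapping keeps both.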
Using Azure AD (Active Directory) Single Sign-on Authentication
Note: This method requires that all users within the My Transoft portal account (including you) authenticate with a Work or School account from Microsoft. This includes businesses that use Microsoft Office 365.
To Enable Azure AD Single Sign-on:
- In the My Transoft portal, under Admin, click Settings, and, in the Account Settings pane, under Single Sign On (Quick Method for Azure AD), click Enable Azure AD SSO to turn on Azure AD single sign-on.
- Before Azure AD single sign-on is enabled, you must validate your own Azure AD account; this confirms that you will still be able to log in after Azure AD single sign-on is enforced.
Authenticating with Azure AD Single Sign-on
Once Azure AD single sign-on has been enabled for your My Transoft portal account, users are redirected into the Azure AD sign-in flow as soon as they enter their user name on the My Transoft portal login page. If the user is already signed in to their Azure AD organizational (Office 365) account in the browser, they are redirected back to the My Transoft portal and logged in; otherwise they are prompted to sign in.
As long as the Microsoft session in the browser stays active, users do not have to re-authenticate to the MyTransoft application. On first access only, users are asked to consent to the MyTransoft Azure AD application signing them in and reading their user profile. This is the minimum access required: the sign-in permission lets the portal validate the user's token with Azure AD, and the profile provides the account email used to determine which portal user is being authenticated.
IMPORTANT! The Azure AD user name must match the email address used for the My Transoft portal, or the user cannot be authenticated. If the browser holds an active Microsoft session for a different organizational (Work or School) account, the user is returned to the login screen and notified that the Azure AD account used for authentication does not match the My Transoft portal user. In this case, the user must sign out of that Microsoft session and sign in again with the appropriate Azure AD account.
Using the Share Via Link Feature for Registration and Assignment of User Subscriptions
The Share via Link feature is the preferred way to register and assign user subscriptions for a large organization. This method will create a unique link for a user subscription license that can be distributed to an organization's users via email or on a company intranet site.
The administrator can generate a link from the license page in the My Transoft portal and choose whether each user should be approved individually, or all users that access the link should be approved automatically. Each user that accesses the link will be registered for a Transoft account and assigned the related subscription.
The software installation can be deployed on as many workstations as required through Active Directory. Only the users that have been assigned a subscription will be able to use the software.
Share Via Link Registration Procedure:
- The user is required to authenticate with Azure AD.
- The user should confirm their account details to ensure that they are using the correct Microsoft organization (Work or School) account.
- The My Transoft portal user profile is created based on the user data from Azure AD.
- The My Transoft portal user is assigned the license.
- Depending on the settings configured by the administrator in the My Transoft portal, the user is auto-approved or assigned an awaiting approval status.