Managed Search Single Sign-On (SSO) Azure AD


The SearchStax Managed Search service now offers the ability for customers to set up Single Sign-On (SSO) to let their users log into SearchStax apps with a single ID and password that works across multiple software systems.

We use the open standard Security Assertion Markup Language (SAML) to allow identity providers (IdP) to pass authorization credentials to service providers (SP). We use Microsoft Azure Active Directory to implement SSO for SearchStax.

SSO is an add-on SearchStax feature that is purchased separately as part of the Security Pack. If you are interested in the Security Pack, please contact Sales.

The following steps explain how it can be set up for Microsoft Azure Active Directory.

Instructions

Once SSO is enabled by SearchStax for your account, the owner and/or admin can see options to set it up. The options to set up SSO are in the User Preferences screen of the Managed Search Dashboard:

The first option is the Single Sign-On subdomain. This is a label like mycompany, which the system will use to build a URL such as mycompany.searchstax.com.

Click Next to view the next page of SSO parameters.

The “direct Sign-In URL” is the URL that your team can use for signing into Managed Search. The other two URLs are discussed below.

  1. Go to Azure Active Directory. Select Enterprise Applications, and then click on “New Application.”
  2. Now click on “Create your own application.”
  3. Enter a name for the SearchStax application, say “SearchStaxManagedSolr”, select the last dropdown option “Integrate any application you don’t find in the gallery”, and then click on the “Create” button.
  4. This creates a new Enterprise Application. In the screen that appears, click on the link for Step 1 > Assign Users and Groups. Here you can assign which Users/Groups have permission to use the SearchStaxManagedSolr Enterprise Application.
  5. Click on “Add user/group” and then follow the prompts to add all the users or groups that you would like to grant access to.
  6. Once you are done with Step 1, click on the “Get started” link for Step 2, Set up single sign on.
  7. Now select “SAML” as the single sign-on method.
  8. It now shows the screen to configure the SAML endpoints.
  9. Click on Edit on Step 3, change the Signing Option to “Sign SAML assertion” and click “Save.” A different option can be chosen, but the same setting must then also be chosen in the SSO settings of the Managed Search Dashboard.
  10. Click on the Edit button for Step 1 > Basic SAML Configuration.
    1. Enter the “Metadata URL” that shows on your https://app.searchstax.com/admin/sso/configure/saml2/ page as Identifier (Entity ID). Remove any extra entries and make sure the “default” checkbox is checked.
    2. Enter the Assertion Consumer Service URL as the “Reply URL” as shown below.
    3. Click “Save.”
  11. Set up Step 2 > User Attributes & Claims. Click on Edit.
  12. Managed Search has roles defined. If your active directory has a field containing a mapping for those roles, click on “Add new claim” and assign “role”. If you do not have a mapping for Managed Search roles, you can leave it as is, and the users will get created with Team Member as the role by default. Those can always be changed later from the Managed Search Dashboard.

    As just an example, we are mapping user.jobtitle field as the “role” as shown below.

    The Unique User Identifier (Name ID) should be mapped to your active directory field that is the email for the users that will use Managed Search. In our case, the default user.userprincipalname contained the information.
  13. Now back on the Managed Search dashboard…
    1. Set the “Metadata url” as the “App Federation Metadata Url” shown in Step 3.
    2. Set the “Login Url” as the “Login URL” shown in Step 4.
    3. Set the “Logout Url” as the “Logout URL” shown in Step 4.
    4. Set the “Idp Entity Url” as the “Azure AD Identifier” shown in Step 4.
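
A structural sanity check for the configuration above, as an added example that is not SearchStax or Microsoft code: it inspects a decoded SAML response from a test login and reports which of steps 9, 10, 12 and 13 it contradicts. The entity IDs, user and role value are constructed placeholders, and the check does not verify the signature cryptographically.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed placeholders, not real SearchStax or tenant identifiers.
SP_ENTITY_ID = "https://sp.example.invalid/saml2/metadata/"
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

# Constructed sample; the signature body is elided because this check is
# structural only and does not verify the signature cryptographically.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <saml:Assertion>
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}"/>
  <saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="role"><saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, sp_entity_id, idp_entity_id):
    """Return a list of configuration problems found in a decoded SAML response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element found"]
    problems = []
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed (step 9: Sign SAML assertion)")
    if assertion.findtext("saml:Issuer", "", NS).strip() != idp_entity_id:
        problems.append("Issuer differs from the Idp Entity Url (step 13)")
    audiences = [a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append("Audience differs from the Identifier (Entity ID) (step 10)")
    name_id = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id):
        problems.append("NameID is not an email address (step 12)")
    roles = assertion.findall(".//saml:Attribute[@Name='role']/saml:AttributeValue", NS)
    if not roles:
        problems.append("no 'role' claim; users default to Team Member (step 12)")
    return problems
```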

Login Using SSO

https://app.searchstax.com/ now provides a button at the bottom for SSO – “Sign-In With your ID Provider.” Click this button.

Enter the domain that was set up for the client.

Click Continue. This takes you to the Azure sign-in page. After you authenticate, it brings you back to your Managed Search Dashboard.

Alternately, you can go directly to https://<Subdomain>.searchstax.com to log in; clicking on “Sign-In With your ID Provider” there will take you directly to the Azure sign-in page.

SSO + Two-factor Authentication

A user can have both SSO and two-factor authentication set up. The 2FA settings for a user will apply to all accounts that the user has access to.

However, when logging in to an account that has SSO set up, the SearchStax 2FA settings will not apply. In that case, 2FA should be set up at the SSO provider.

Questions?

Do not hesitate to contact the SearchStax Support Desk.