https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/saml-toolkit-tutorial
Make sure you have a permission such as Application Administrator to add or manage applications in Azure AD.
Configure SAML with the following information; change the server name (www.ryarc.net) to match your own deployment.
For each role returned from Azure AD, create a role with the same name in CMService and assign it the appropriate permissions. For example, a user in the Active Directory group ‘VPN-Users’ is automatically granted the CMService role ‘VPN-Users’.
Download the Metadata XML from the link in the last screenshot and copy it into the folder “C:\Program Files (x86)\Ryarc CampaignManager 7\Ryarc CM Service\CMService\App_Data”.
Rename the XML file to ‘SSO-xxxx.xxx.xml’, where ‘xxxx.xxx’ is the corporate email suffix.
Add a key/value pair under appSettings in the CMService web.config.
The key name should be ‘SSO-xxxx.xxx’, where ‘xxxx.xxx’ is the corporate email suffix, so that it matches the filename of the metadata XML. The value is the Azure AD identifier shown in the last screenshot.
Log in to Realm and configure the domain to use Azure AD with its identifier, i.e. the value of the key just added to web.config.
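The steps above tie three things together by name: the ‘SSO-<email suffix>’ key in web.config, the metadata file ‘SSO-<email suffix>.xml’ in App_Data, and the Azure AD identifier stored as the key's value. The following script is an added example (not Ryarc's code or documentation) that checks those three agree before you try to log in: it reads the SSO keys from web.config, looks for the matching metadata file, and confirms that the key's value equals the entityID declared in the metadata and that the metadata carries a signing certificate. It assumes the Azure AD identifier is the metadata entityID; the web.config and metadata contents, the email suffixes and the tenant ids are constructed placeholders.

```python
"""Consistency check for the CMService SSO settings: web.config key <-> App_Data
metadata file <-> Azure AD identifier (entityID). Added example, not Ryarc's code."""
import os
import tempfile
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def sso_settings(web_config_path):
    """Return {key: value} for every appSettings key beginning with 'SSO-'."""
    root = ET.parse(web_config_path).getroot()
    return {
        add.get("key"): add.get("value", "")
        for add in root.iterfind("./appSettings/add")
        if add.get("key", "").startswith("SSO-")
    }


def inspect_metadata(metadata_path):
    """Return (entityID, number of non-empty signing certificates) from IdP metadata."""
    root = ET.parse(metadata_path).getroot()
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"{metadata_path} is not a SAML EntityDescriptor")
    cert_count = 0
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' means both signing and encryption
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            if (cert.text or "").strip():
                cert_count += 1
    return root.get("entityID"), cert_count


def check_sso_setup(web_config_path, app_data_dir):
    """Return [(key, status)]; status is 'ok' or a description of the problem found."""
    results = []
    for key, value in sso_settings(web_config_path).items():
        md_file = os.path.join(app_data_dir, key + ".xml")  # file name must equal the key
        if not os.path.isfile(md_file):
            results.append((key, f"missing metadata file {key}.xml in App_Data"))
            continue
        entity_id, cert_count = inspect_metadata(md_file)
        if entity_id != value:
            results.append((key, f"identifier mismatch: web.config={value!r} metadata={entity_id!r}"))
        elif cert_count == 0:
            results.append((key, "metadata has no signing certificate"))
        else:
            results.append((key, "ok"))
    return results


# Constructed sample files; tenant ids are placeholders, not real values.
WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="SSO-example.com" value="https://sts.windows.net/PLACEHOLDER-TENANT-ID/" />
    <add key="SSO-contoso.com" value="https://sts.windows.net/PLACEHOLDER-TENANT-ID-2/" />
  </appSettings>
</configuration>
"""

METADATA_EXAMPLE_COM = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/PLACEHOLDER-TENANT-ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...constructed-placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def demo():
    """Write the constructed files into a temporary App_Data layout and check them.
    SSO-example.com is complete; SSO-contoso.com has no metadata file on purpose."""
    with tempfile.TemporaryDirectory() as tmp:
        app_data = os.path.join(tmp, "App_Data")
        os.makedirs(app_data)
        web_config = os.path.join(tmp, "web.config")
        with open(web_config, "w", encoding="utf-8") as f:
            f.write(WEB_CONFIG)
        with open(os.path.join(app_data, "SSO-example.com.xml"), "w", encoding="utf-8") as f:
            f.write(METADATA_EXAMPLE_COM)
        return check_sso_setup(web_config, app_data)


if __name__ == "__main__":
    for key, status in demo():
        print(f"{key}: {status}")
```

Run it against the real web.config and App_Data paths by calling check_sso_setup directly; a mismatch or missing file here shows up later as a failed login with far less context.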
Log in using your company’s email address.
If you are entitled to access CMService, you are signed in with your corresponding user and role in CMService.
If login fails, you can debug the SAML messages with a SAML extension in Chrome; the detailed role information is shown under the SAML tab.
As seen in the following screenshots, the response carries multiple roles under the claim http://schemas.microsoft.com/ws/2008/06/identity/claims/role, such as IDs and ‘Digital Operations Support Team’, and an extra role from the newly added claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/cmsrole with the value ‘Song’. CMService matches these roles returned from Azure AD against the ones in the CMService domain to grant the user the corresponding permissions in the application.
A previously successful login is remembered, so next time the user can log in by clicking the following button without retyping the email.
CMService logs the detailed error from each SSO login attempt. Here are some frequently seen issues.
The latest certificate has to exist in the ‘App_Data’ folder, in the metadata file SSO-xxxx.xxx.xml.
“InvalidSignatureException: The signing algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 is weaker than the minimum accepted http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. If you want to allow this signing algorithm, use the minIncomingSigningAlgorithm configuration attribute.”
CMS - SSO-I: AuthenticateCoreAsync error Sustainsys.Saml2.Exceptions.BadFormatSamlResponseException: The SAML response contains incorrect XML ---> System.Xml.XmlException: ID3061: The given element ('Audience','urn:oasis:names:tc:SAML:2.0:assertion') is empty.
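The Chrome SAML extension shows the decoded response; the script below does the same offline for the two points made above, the role claims CMService matches against its domain roles and the two response defects quoted in the error log (an rsa-sha1 signature below the rsa-sha256 minimum, and an empty Audience element). It is an added example, not Ryarc's or Sustainsys's code: the SAML response, the CMService domain role names and the tenant id are constructed, and the Audience value and the single-algorithm "weak" set are assumptions rather than CMService's actual configuration.

```python
"""Decode a posted SAMLResponse, list Azure AD role claims, match them to CMService
domain roles, and flag the signing-algorithm and empty-Audience problems from the log.
Added example, not Ryarc's code; all sample data is constructed."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
CMSROLE_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/cmsrole"
MIN_SIGNING_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Algorithms treated as weaker than the minimum; rsa-sha1 is the one the log quotes.
WEAK_SIGNING_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1"}


def decode_saml_response(saml_response_b64):
    """The SAMLResponse form field is base64; decode it and parse the XML.
    Use a hardened XML parser (e.g. defusedxml) when the input is untrusted."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def role_claims(root):
    """Map each claim URI in the AttributeStatement to its list of values."""
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def diagnose(root):
    """Return the problems the CMService log would report for this response."""
    issues = []
    sig = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    alg = sig.get("Algorithm") if sig is not None else None
    if alg is None:
        issues.append("no XML signature found on the response or assertion")
    elif alg in WEAK_SIGNING_ALGS:
        issues.append(f"signing algorithm {alg} is weaker than the minimum accepted {MIN_SIGNING_ALG}")
    for aud in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS):
        if not (aud.text or "").strip():
            issues.append("Audience element is empty")
    return issues


def grant_cmservice_roles(claims, cmservice_roles):
    """Roles Azure AD returned (under either claim) that exist by name in CMService."""
    returned = {v for uri in (ROLE_CLAIM, CMSROLE_CLAIM) for v in claims.get(uri, [])}
    return sorted(returned & set(cmservice_roles)), sorted(returned - set(cmservice_roles))


def build_sample_response(signing_alg, audience):
    """Constructed SAML response; tenant id and signature value are placeholders."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/PLACEHOLDER-TENANT-ID/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/PLACEHOLDER-TENANT-ID/</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:SignedInfo><ds:SignatureMethod Algorithm="{signing_alg}"/></ds:SignedInfo>
      <ds:SignatureValue>constructed</ds:SignatureValue>
    </ds:Signature>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_CLAIM}">
        <saml:AttributeValue>IDs</saml:AttributeValue>
        <saml:AttributeValue>Digital Operations Support Team</saml:AttributeValue>
        <saml:AttributeValue>VPN-Users</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{CMSROLE_CLAIM}">
        <saml:AttributeValue>Song</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed CMService domain roles (the names an admin created to mirror Azure AD).
CMSERVICE_DOMAIN_ROLES = {"Administrators", "VPN-Users", "Digital Operations Support Team", "Song"}


def demo():
    """A healthy response and one with both logged defects, as the browser would post them."""
    def post(xml):  # what the SAMLResponse form field looks like
        return base64.b64encode(xml.encode()).decode()
    good = decode_saml_response(post(build_sample_response(MIN_SIGNING_ALG, "https://www.ryarc.net/CMService")))
    bad = decode_saml_response(post(build_sample_response("http://www.w3.org/2000/09/xmldsig#rsa-sha1", "")))
    granted, unmatched = grant_cmservice_roles(role_claims(good), CMSERVICE_DOMAIN_ROLES)
    return {"good_issues": diagnose(good), "bad_issues": diagnose(bad),
            "granted": granted, "unmatched": unmatched}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the constructed run the healthy response yields no issues and grants ‘Digital Operations Support Team’, ‘Song’ and ‘VPN-Users’ while ‘IDs’ stays unmatched because no CMService role of that name exists; the second response reports the rsa-sha1 signature and the empty Audience, which are exactly the two log messages quoted above.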