Configure SSO with Azure AD

This guide is intended for Admins setting up SSO SAML with Azure AD.

When you configure Single Sign-on (SSO) with Azure AD, your users will be able to create and sign in to their Baserow accounts using Azure AD.

If you are looking for information on setting up SSO with other providers:

Instance-wide admin panel, SSO, Payment by invoice, Signup rules, and Audit logs are features only available for Baserow paid plans. Get in touch with us here if you’re interested in learning more about paid pricing.

Here’s how to set up Azure AD to sign in to your Baserow account.

Prerequisites

To set up SSO SAML with Azure AD in Baserow, you need:

  • A Baserow user account. If you don’t already have one, you can create an account.
  • Instance admin access to the entire Baserow self-hosted instance.
  • An Azure AD user account with Global Administrator, Cloud Application Administrator, or Application Administrator role.

Create an Azure application and set up SAML SSO

  1. To add an enterprise application to your Azure AD tenant, sign in to the Azure Active Directory Admin Center.

  2. In the Azure portal, select Azure Active Directory > Enterprise applications and select New application. Then click + Create your own application.

  3. Enter the display name for your new application, select Integrate any other application you don’t find in the gallery, and then select Create to add the application.

  4. In the left menu of the app’s Overview page, select Single sign-on.

  5. Select SAML as the single sign-on method.

  6. The Set Up Single Sign-On with SAML page will then open.

Get your Baserow SSO URLs

  1. In a new tab, visit your Baserow server and log in as an instance-wide admin.
  2. Open the Admin section in the Baserow sidebar.
  3. Click the Authentication page.
  4. Click the Add Provider button in the top right.
  5. Select SSO SAML provider.
  6. In the Add a new SSO SAML provider modal that has opened, copy the Single Sign on URL.

Configure SAML URLs in Azure

  1. Go back to Azure and the Set Up Single Sign-On with SAML page.

  2. In the first section titled Basic SAML Configuration, click the Edit button.

  3. Paste the Single Sign on URL you copied from Baserow into the top three fields:

    1. Identifier (Entity ID)
    2. Reply URL (Assertion Consumer Service URL)
    3. Sign on URL
  4. Go back to Baserow and the previously opened Add a new SSO SAML provider modal and now copy the Default Relay State URL.

  5. Go back to Azure and paste the Default Relay State URL from Baserow into the Relay State field in Azure.

  6. Leave the Logout URL empty as Baserow does not yet support single sign out.

  7. Finally, click Save in Azure. Your end result should look something like the following screenshot:

    Configure SAML URLs in Azure

Set up Azure Attributes & Claims

  1. Go to the second section in Azure titled Attributes & Claims, then click the Edit button.

  2. On the new Attributes & Claims page click Add New Claim.

    1. Type ‘user.email’ in the Name field

    2. In the Source attribute dropdown, select user.mail

    3. Click Save

  3. Click Add New Claim again.

    1. Type ‘user.first_name’ in the Name field

    2. Select user.givenname from the Source attribute dropdown.

    3. Click Save

  4. The end result of your Attributes & Claims page in Azure should now look something like this:

    Attributes & Claims page in Azure

  5. Click the X close button in the top right of the Attributes & Claims page in Azure to get back to the Set Up Single Sign-On with SAML page.

Fix and install Azure SAML metadata in Baserow

  1. Next, in the third section titled SAML Certificates, click Download next to Federation Metadata XML.

  2. Open the downloaded XML file in a text editor.

    1. By default, Microsoft includes both SAML 2.0 and Web Services Federation configuration in this XML file. Baserow only supports SAML 2.0, so you need to delete the redundant Web Services Federation configuration from this file. If you do not, Baserow will not accept the metadata.
    2. To fix this, open the downloaded XML metadata file in a text editor.
    3. Edit the file by deleting the text starting from and including <RoleDescriptor all the way up to and including the very last </RoleDescriptor> in the metadata file.
      1. For example, given the following example metadata file

        <ExampleMetaDataHere><SomeOtherData/><RoleDescriptor...>..</RoleDescriptor><RoleDescriptor...>.</RoleDescriptor></ExampleMetaDataHere>
        
      2. The end result should look like the below, without any RoleDescriptor sections.

        <ExampleMetaDataHere><SomeOtherData/></ExampleMetaDataHere>
        
      3. If you are having trouble with this step, please ask your Baserow sales rep for help.

    4. Copy the resulting metadata which has had the RoleDescriptor sections removed.
  3. Go back to Baserow and the previously opened Add a new SSO SAML provider modal. Paste the contents of the edited file you just copied into the metadata box and click Save.

  4. Go back to Azure and in the left sidebar click User and workspaces.

  5. Click Add user/workspace. On the Add Assignment page that opens, select all users and workspaces you wish to be able to log in to your Baserow server, then click Assign.
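
The metadata clean-up in step 2 above can also be scripted. The following is an added example, not part of Baserow's documentation or code: it removes the top-level RoleDescriptor elements with Python's standard-library XML parser, then checks that the SAML 2.0 IDPSSODescriptor still carries a sign-on endpoint and a signing certificate. The function name, the returned keys and the sample metadata (placeholder values only) are assumptions made for this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", MD)    # serialize SAML metadata as the default namespace
ET.register_namespace("ds", DS)  # readable prefix for the XML-DSig elements

def strip_role_descriptors(xml_text):
    """Drop WS-Federation RoleDescriptor blocks and summarize what is left."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    doomed = root.findall(f"{{{MD}}}RoleDescriptor")
    for node in doomed:
        root.remove(node)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor found; the SAML 2.0 section is missing")
    sso = [e.get("Location") for e in idp.findall(f"{{{MD}}}SingleSignOnService")]
    certs = [  # SHA-256 over the decoded certificate bytes
        hashlib.sha256(base64.b64decode("".join((c.text or "").split()))).hexdigest()
        for c in idp.iter(f"{{{DS}}}X509Certificate")
    ]
    if not sso or not certs:
        raise ValueError("IdP section lacks a sign-on endpoint or signing certificate")
    return {
        "xml": ET.tostring(root, encoding="unicode"),
        "removed": len(doomed),
        "sso_locations": sso,
        "cert_sha256": certs,
    }

# Constructed sample with the same shape as the downloaded file; all values are placeholders.
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example/tenant-placeholder/">
  <RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data><X509Certificate>Y29uc3RydWN0ZWQ=</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    result = strip_role_descriptors(SAMPLE)
    print(result["removed"], result["sso_locations"], result["cert_sha256"])
```

The value under "xml" is the text to paste into the metadata box in Baserow; the certificate hashes give you a record of which signing certificate was installed.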

Testing SSO In Baserow

After completing these steps, you should be able to log in with Azure AD by visiting your Baserow server’s login page. Your users will now be taken to an Azure AD sign-in flow when they attempt to log into Baserow. After logging in with their Azure AD credentials, they will be redirected to the app.

If you’re looking for something else, please feel free to make recommendations or ask us questions in our online community. We’re ready to assist you!