If you're looking for general instructions to link your SAML to Float's SSO feature please refer to the 'Setting up SAML Single Sign-On (SSO)' article.
This feature is available to customers on Float's Professional or Enterprise Plans. View detailed plan information at floatfinancial.com/pricing and contact us via support@floatfinancial.com if you'd like to upgrade!
Float's Azure integration allows companies to onboard their employees through Float's secure SAML-SSO service!
Float - Azure SAML integration guide
1. Log into the Azure AD Admin Center.
2. Navigate to 'Enterprise Applications' > 'New Application' > 'Create your application'.
3. In the sidebar, name the application "Float". Select 'Integrate any other application you don't find in the gallery (Non-gallery)' under the 'What are you looking to do with your application?' section.
   DO NOT select any of the existing options under 'We found the following application that may match your entry.'
4. Click 'Create'. You will now be redirected to the application overview page for the "Float" app you've just created.
5. In the sidebar, go to 'Manage' > 'Properties' and add the image below as the app icon for "Float".
6. Head back to 'Manage' > 'Single Sign-On' and select "SAML" as your single sign-on method.
7. In the sidebar under “Manage” click “Single sign-on”. Then select “SAML” as your single sign-on method.
8. Click “Edit” under “Basic SAML Configuration”. Under “Identifier (Entity ID)” click “Add identifier” and enter the Entity ID that is provided in the “Service Provider Configuration Info” section of the Float SAML page. Under “Reply URL (Assertion Consumer Service URL)” click “Add reply URL” and enter the ACS URL provided in the “Service Provider Configuration Info” section of the Float SAML page.
   Then hit “Save” in the top corner, and close the page.
If you do not use Microsoft as your email provider, skip to step 13. If you use Microsoft as your email provider, continue to step 9.
9. Click “Edit” in the “Attributes & Claims” section.
10. Under additional claims, click the claim with “Claim Name” “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”.
11. Change “Source Attribute” to “user.userprincipalname”.
12. Click “Save” and exit the page.
13. Under “SAML Signing Certificate”, click “Download” next to “Federation Metadata XML”. Please upload this file in the “Identity Provider Configuration Info” section in the Float SAML page using the “XML file” option.
14. Assign users to your application by clicking “Users and groups” in the “Manage” section of the sidebar.
15. Go back to the Float SAML page. Press the “Test” button to test signing in via SAML. This will redirect you to your IdP to sign in. If the sign in is completed successfully, you should see the status change to “Tested”.
If the status does not change, then there is an issue with your configuration in your IdP. Once you have successfully tested, you can then enable the SAML configuration for everyone in your organization.
Note: Float will redirect users to your SAML sign-in page based on the domain of the user’s email. This is why we require your users’ email domain. If you add a user that does not belong to one of the domains you added, then that user will be authenticated via username and password.
Important Notes for SSO Configuration in Multi-Entity Businesses:
If your organization uses multiple entities in Float and all users share the same email domain, there are a few important requirements when configuring SAML/SSO.
Why users must exist in the main SSO entity
When SAML is configured in Float, your email domain is linked to a single SSO configuration. During login:
- Float checks the domain of the email address entered
- That domain automatically redirects the user to your Identity Provider (IdP) (e.g., Okta, Azure AD)
- After authentication, the IdP sends the user back to the Float entity where SSO is configured
Because of this domain-based routing, only one Float entity can be associated with a SAML configuration for a given domain.
If a user exists only in a secondary entity, Float cannot log them in because authentication returns to the primary SSO entity, where their user profile does not exist.
To prevent login errors, users must therefore exist in the main SSO entity first, even if they primarily work in another entity.
Required setup for multi-entity SSO
If your entities share the same email domain:
- Configure SAML/SSO in your primary Float entity
- Provision users in your Identity Provider (IdP) so they can authenticate via SSO
- Ensure each user exists in the primary SSO entity
- Add the user to any additional entities they need to access
This allows users to authenticate successfully through SSO and access the entities they work in.
Please note: Just-in-Time (JIT) provisioning will automatically create users only in the primary entity where SAML is configured.
Setting a default entity after login
Once users have access to multiple entities, they can set their preferred one as their default.
1. Sign in to Float using SSO
2. Click the business name in the top-left corner
3. Select the entity you want to use
4. Click the ⋮ (three dots) beside the entity
5. Select Set as default business