Setting up Single Sign-On (SSO) with Azure

Objective

The purpose of this article is to provide guidance in setting up Single Sign On with Azure for Outreach.

• During this procedure, you will have to navigate between the Azure and Outreach applications several times. It is recommended to have each open in separate browser tabs for convenience.

Applies To

• Outreach Admins
• Azure Admins
• SSO

Before You Begin

Requirements

In order to set up Azure SSO with Outreach, first ensure you:

1. Have Admin privileges in Outreach
2. Have Admin privileges in Microsoft Azure to setup Enterprise Applications

Need to just update expiring or expired certificates?

1. On the existing enterprise application, go to Manage > Single sign-on.
2. On step 3: SAML Certificates > Edit.
3. Create the certificate and set it as active.
4. Download the Certificate (base64).
5. Upload the active certificate on the Outreach side (Step 5: Enable SSO inside Outreach settings in the procedure below).

Procedure

Setting up Azure

1. As a Azure admin, go to https://portal.azure.com.
2. Within Azure Service, select Enterprise Applications. Alternatively, you can search for Enterprise applications within the search bar.
   
3. Click New application.
4. Select Create your own application.
5. Input a name such as Outreach_SSO.
6. Select Integrate any other application you don't find in the gallery (Non-gallery).
7. Click Create.
   
   
8. Once a application is created, you should be directed to the application's page. Select Single sign-On > SAML.
9. Within the Basic SAML Configuration, click Edit. Input the below placeholder values and select Save.
   • For Identifier (Entity ID): _placeholder_ 
     • You will update this later.
   • Reply URL (Assertion Consumer Service URL): https://placeholder.com 
     • You will update this later.
10. Within the Attributes & Claims, select Edit. Click on Unique User Identifier Name (Name ID) and ensure it's formatted as below. If not, then modify and select "Save" under Manage Claim.   
    • Name identifier format: Email address
    • Source: Attribute
    • Source Attribute: user.userprincipalname
11. Within 3. SAML Certificates Download and save the Certificate (Base64) to your computer. You will need to upload this within Outreach settings later.
    
12. Within 4. Set up Outreach_SSO
    • Login URL
      
      • Copy this into a Google Doc or notepad so you may paste this into Outreach settings later.
    • Microsoft Entra Identifier/Azure AD Identifier
      • Copy this into a Google Doc or notepad so you may paste this into Outreach settings later.

Setting up Outreach 

1. Log in to Outreach.
2. Click Administration > User management > Sign-in.
3. Navigate to Sign-in and password options.
4. Click Edit.
5. Click Add Identity Provider.
6. Add the requested identity information that was retrieved from Azure.
   • Name: This can be Azure_SSO.
   • Sign In URL: This is the Login URL from Step 12.
   • Issuer (Identity Provider Entity ID): This is the Microsoft Entra Identifier/Azure AD Identifier from Step 12.
   • Certificate: This is the certificate (Base64) you downloaded from Step 11.
     • Choose File and select the downloaded file.
     • Note: The above screenshot contains two advanced settings: "Use NameId Instead of Email" and "Enable just-in-time new user provision". We do NOT recommend checking these options unless the functions of each are understood and needed by your organization. You can read more on these advanced settings in Advanced Settings For Identity Provider (SSO).
7. You should be redirected back to SSO Settings. Click Edit.
8. Now find the Setup Info section. There are two important fields you will need to copy later in Step 3 (ideally you should have this tab open as you go through to Step 3).
   • Assertion Consumer Service (ACS) URL
     • Copy this into a Google Doc or notepad so you may paste this into Outreach settings later.
   • Service Provider Entity ID / Audience URI
     • Copy this into a Google Doc or notepad so you may paste this into Outreach settings later.  
       

Update Azure Application

1. Go back to the newly created application's settings. If you don't have the application already open in Azure, you can search within Enterprise Applications and select it. 
2. Navigate to Single sign-on again and then select edit on 1. Basic SAML Configuration. Replace placeholder values. 
   • For Identifier (Entity ID): This will be the Service Provider Entity ID / Audience URI retrieve from Step 5.
   • Reply URL (Assertion Consumer Service URL): This will be the Assertion Consumer Service (ACS) URL retrieved from Step 5.
     
     
3. Depending on your organization's security Azure policies, you will likely need to assign users and groups to the application. Select Users and groups and assign users and groups that utilize Outreach. If you are the Outreach Admin who is setting the SSO up, you will need to assign yourself to test out the connection in Step 4. 

Enable SSO inside Outreach Settings 

1. Return to Outreach's SSO settings. 
2. Select Single Sign On  > Edit. Here, double check all your settings are properly configured. Please confirm the below values are matching respectively in Outreach:  
   • Sign In URL: Matches the values from Azure.
   • Issuer (Identity Provider Entity ID): Matches the values from from Azure. 
     • Certificate: Confirm it is the same downloaded certificate from Azure.
   • Assertion Consumer Service (ACS) URL: Pasted and saved within Azure settings
   • Service Provider Entity ID / Audience URI: Pasted and saved within Azure settings 
     
3. Once you have confirmed all values are matching, then go back within Outreach's SSO Settings, and select Enable.
   • Important Note: It is required to enable to test out the setup. 
     • Your users will not be instantly signed out. 
     • You should have already assigned yourself to the application
     • You should receive {"success":true} 
     • In the event of a the failure of go back to this page to uncheck enable.
4. Select Test and a new tab should popup with {"success":true}. This indicates the SSO connection works and the setup was successful. 

Congrats! SSO is now enabled!

Additional Information

• For the Azure Tenant URL, you will want to reach out to Azure support, as Outreach won't be able to provide that on our end.
• For automatic SCIM provisioning, Outreach currently does not support a gallery app for Azure; however, we provide a SCIM API via OAuth. Refer to this article: Outreach SCIM Protocol