What you'll learn in this article: If your company uses Azure as an identity provider under SAML 2.0, you can easily set up SSO on your own.
Setting up a new SSO integration for Azure with SAML
- You need to have admin rights in both TravelPerk and Azure to be able to set this up
- Both TravelPerk and Azure need to be open and accessible to finalize the integration
To configure a new SSO integration, follow these steps:
- Go to Company settings > Integrations > SSO
- Click on Set up
- Click on SAML and create a New integration
Once you've created a New integration, you'll need to configure it:
- Open Azure and go to Active directory → Enterprise Applications → New Application → Search for TravelPerk
- Get TravelPerk from Azure's apps gallery
- Inside the newly installed app there is a Getting Started section. Enable SSO (Single sign-on), Step 2, with SAML.
From TravelPerk to Azure:
- Copy SP entity URL (TravelPerk) and paste it in Reply URL (Assertion Consumer Service URL) (Azure)
- Copy SP entity ID (TravelPerk) and paste it in Identifier (Entity ID) (Azure)
- In Sign on URL, enter your TravelPerk subdomain using the following pattern: https://<COMPANY>.travelperk.com/ where <COMPANY> is the name of your company.
- TravelPerk expects Emailaddress to be mapped to user.userprincipalname. If the mapping is not the correct one, click on the Edit icon and change it. To choose which attribute to change, just click on it (for example, the email address).
Once these steps are completed, the interface from Azure will generate the IdP x509 certificate
From Azure to TravelPerk:
- Copy the Azure AD Identifier (Section 4 in Azure) and paste it in IdP entity ID (TravelPerk)
- Copy the Login URL (Section 4 in Azure) and paste it in the IdP SSO service URL (TravelPerk)
- Copy the URL from App Federation Metadata Url in Step 3. SAML Sign In certificate and paste it in your browser. Look for <X509Certificate></X509Certificate> and copy the text in between. This is your certificate. Once copied, paste it in IdP x509 cert.
In the browser, it will look similar to (we don't need the <X509Certificate></X509Certificate> tags):
You'll finish setting it up once you press Create integration.
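The certificate copy step above can also be scripted instead of done by hand in the browser. This is an added example, not TravelPerk or Microsoft code: it pulls the signing certificate out of a saved federation metadata file, strips line breaks, and computes the SHA-1 thumbprint so you can compare it with the Thumbprint Azure displays for the signing certificate. The sample metadata and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in bytes, NOT a real certificate (a real one is DER-encoded X.509).
SAMPLE_DER = b"constructed-sample-not-a-real-certificate" * 3
_B64 = base64.b64encode(SAMPLE_DER).decode()

# Constructed metadata, trimmed to the relevant elements; the base64 is split
# across lines the way a browser's XML view may wrap it.
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.invalid/constructed/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_B64[:40]}
        {_B64[40:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def signing_certs(metadata_xml):
    """Return [(cert_b64, sha1_thumbprint)] for each IdP signing key in the metadata."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())    # drop wrapping and indentation
            der = base64.b64decode(b64, validate=True)  # fails on stray characters
            found.append((b64, hashlib.sha1(der).hexdigest().upper()))
    return found

if __name__ == "__main__":
    for cert_b64, thumbprint in signing_certs(SAMPLE_METADATA):
        print("Paste into IdP x509 cert:", cert_b64)
        print("SHA-1 thumbprint to compare with Azure:", thumbprint)
```

If the thumbprint does not match what Azure shows, the pasted value is not the certificate Azure signs with, and sign-in will fail signature validation.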
Remember! You need to let users sign in to TravelPerk by adding them to Azure's application.
In the Azure app's overview page, find the Manage section, and select Users and groups.
Select Add user, then select Users and groups in the Add Assignment dialog.
In the Users and groups dialog, select the user you want to give access to TravelPerk from the Users list, then click the Select button at the bottom of the screen.
If you have doubts about how to assign users to TravelPerk from Azure, follow this guide.
Optional next steps
There are other features you can take advantage of when enabling SSO for your company. You will find the configuration screen once you have clicked on Create integration and the integration was created successfully:
- Create users when they sign in. If you ever wonder if all your employees have access to TravelPerk, turn this on and we will create the user on the fly. We won't create a user if the person doesn't have access to the app from Azure.
- Update users when they sign in. We'll match TravelPerk's information to the information received by the IdP.
- Customize your sign in button
- Additionally, you can automate the provisioning and management of the users from Azure: it is possible to create, manage, edit or delete users automatically from Azure. Follow these guidelines for more information!
Test your setup
- Open your browser in an incognito window
- Go to your TravelPerk subdomain: https://<COMPANY>.travelperk.com/ where <COMPANY> is the name of your company.
- If you are able to sign in with SSO through Azure, your application was successfully set up 🎉