This guide is intended for IT technicians requiring further assistance with the initial set up in Microsoft Entra ID (SAML). If you require a Microsoft Entra ID set up, please refer to this guide.
You can refer to the in-platform instructions for setting up single sign-on using SAML in Plexus. This guide will specifically focus on the steps to follow whilst you are logged into Microsoft Entra ID as an administrator.
Creating an application
Log into the Microsoft Entra Admin Centre as at least a Cloud Application Administrator and integrate Plexus as a “Non-gallery” application. Please consult Microsoft’s Entra ID application management documentation for guidance on this step.
Configure your SAML settings
While logged in to your organisation’s Microsoft Entra Admin Centre as at least a Cloud Application Administrator, enable single sign-on for the Plexus application you created in the previous step and select SAML as your SSO method. Please consult Microsoft’s Entra ID Enable single sign-on for an enterprise application documentation for guidance on this step.
Edit Basic SAML configuration
Follow the instructions in this guide to Copy the following fields from the Plexus Single sign-on tab, into the Microsoft Entra ID Basic SAML Configuration section. The relevant fields to copy from Plexus are:
Single sign-on URL → Reply URL (Assertion Consumer Service URL)
Audience URI (SP Entity ID) → Identifier (Entity ID)
As in the previous step, please consult Microsoft’s Entra ID Enable single sign-on for an enterprise application documentation for guidance on this step.
Leave all the other optional fields blank, then click Save.
Mapping the attributes
On the same SAML page, review the settings under Attributes & Claims.
You'll then need to map the app attributes available in Plexus to the Source attributes on this page. These Names are provided in Plexus, and the Source attributes are the Microsoft attributes to match with, as follows:
The Name first_name field will map to the Source attribute user.givenname
The Name last_name field will map to the Source Attribute user.surname
The Name email field will map to the Source Attribute user.mail
The Name name field will map to the Transformation field, Join (user.givenname, “ “, user.surname)
Click to Save your changes. For additional guidance on this step, please consult Microsoft’s Entra ID Customize SAML token claims documentation.
Finalising the configuration
Follow these instructions for filling out the below fields from your Microsoft Entra ID SAML page into the Plexus SAML configuration page to finalise your set up:
On the Microsoft Entra ID SAML page, copy the value from the Login URL field, and paste to the Identity provider single sign-on URL field in the Plexus Single sign-on configuration page.
On the Microsoft Entra ID SAML page, Click on Download Certificate (Base64) to generate your signing certificate as a .cer file. Upload this file into the allocated area to Upload certificate in the Plexus SAML configuration page as highlighted in this guide.
Click Save to finalise your changes.
Enforcing a user's location and permissions
Plexus currently offers user authentication, providing users access to Plexus using their single sign-on credentials. The ability to enforce a user's unit (their location) and role (their permissions) is managed in Plexus and is not facilitated by single sign-on.
Once single sign-on is configured, users can sign straight into the platform and will be given access to the default unit with the default role. This will allow your users to access the platform and use the apps straight away.
The designated platform admins will receive an email notification to assign the new users to their correct units and provision the correct roles. Any documents uploaded during this time will move with the user to their correct unit.
Need further assistance? Reach out to [email protected] for further guidance.