We have added the ability to create a single sign-on system for Bitrix24 enterprise plans.
Now you can quickly add all colleagues to Bitrix24 account and manage their access from Microsoft Azure Active Directory. Employees will log in to Bitrix24 without entering a password.
To connect single sign-on, you need to perform several steps.
First, the administrator needs to run the setup in Bitrix24, register the application with Azure AD, and configure SSO and SCIM.
After that, employees will be able to use their Azure AD accounts to log in to Bitrix24.
What is Microsoft Azure Active Directory, SSO and SCIM:
Microsoft Azure Active Directory (Azure AD) is a system for managing access to applications and services in the cloud. You can set up a single sign-on entry point for users so that they can access multiple applications and services from a single account.
Single sign-on (SSO) is a technology that allows users to log in to several different applications or sites. Employees do not need to remember passwords for each application. They can quickly access services using just one name and one password.
System for Cross-domain Identity Management (SCIM) is a standard protocol that allows you to manage user accounts and their access to resources in applications and systems. With SCIM, administrators can quickly and easily create, modify, and delete user accounts and manage access to resources in applications and systems.
We will consider all the steps to set up single sign-on:
- Configure single sign-on for employees
- Create a SAML application in the Microsoft Azure and configure ACS URL/SP Entity ID
- Enter the service URL and run validation
- Validate employee email domain
- Configure mobile platforms: iOS and Android
- Test single sign-on and enable it for all employees
Configure single sign-on for employees
Open Bitrix24 profile and click the Security tab - SSO and SCIM - Configure now.
Only the Bitrix24 administrator can configure a single sign-on. Ensure your account administrators either are Bitrix24 partners or have a corporate email on Azure Active Directory.
When a user is deactivated, it signifies their dismissal from your account. Activating a user corresponds to hiring them in Bitrix24. If you dismiss an administrator, they will lose their admin rights. You will need to re-grant them if you decide to rehire this user.
Create a SAML application in the Microsoft Azure and configure ACS URL / SP Entity ID
Go to your Microsoft Azure account or create a new one. Open the Azure Active Directory section.
Go to the Enterprise applications and click New Application.
Create your own application, specify a name, select the Integrate any other application you don't find in the gallery (Non-gallery) option and click Create.
When the application is created, go to the Assign users and groups section.
Click Add user/group and specify yourself as a user.
Open your profile and make sure that you have your email address listed in the Contact info section. Otherwise, you may have problems logging in to the account.
Then go to the single sign-on section.
Select the SAML single sign-on method.
Click Edit in the SAML Basic Configuration block.
Then open the Bitrix24 account and copy the ACS URL and SP Entity ID fields.
Go back to Microsoft Azure and add the ACS URL value into the Reply URL (Assertion Consumer Service URL) field and SP Entity ID into the Identifier (Entity ID) field. Then click Save.
Then go back to the Bitrix24 account and click Continue.
Enter the service URL and run validation
Copy the App Federation Metadata URL field on the Microsoft Azure side.
Enter the App Federation Metadata URL for Bitrix24 to synchronize all data for proper SSO operation and click the Check now button.
The Connection established message will appear. If you configure SSO and SCIM in the incognito mode or in a different browser, you will need to re-enter Microsoft Azure.
You cannot log in
If you get this error during the check, make sure that you have added yourself as an application user.
Checking employee email domains
You should configure synchronization of users from Microsoft Azure. Copy the Microsoft Azure service link and the Unique Token.
Open the Provision User Accounts tab in the app.
Select Automatic Provisioning Mode and enter the administrator credentials.
After that, click the Test Connection button and Save the settings.
Select Edit attribute mappings in the Manage provisioning section.
Disable Provision Azure Active Directory Groups and enable Provision Azure Active Directory Users in the Mappings section.
Remove unnecessary fields in the user settings.
Click the Add New Mapping button to add a new objectId field.
Save the changes.
Return to the Provision User Accounts section and click the Start Provisioning button to enable synchronization and automatically add new users to the account.
Go back to the Bitrix24 account, enter domains to check and start checking.
Domains should be corporate, and employees should be linked to them. You can view the primary domain in Microsoft Azure on the main service page. If some emails do not have the corporate domain, such users will not be able to log in to the account when single sign-on is enabled.
You may see a notification that some employees have emails not in the corporate domain. In this case, you need to tell employees in advance about the new single sign-on system and correct emails. To do this, click the View button.
You will see a list of all employees who need to correct their emails. Click Edit to open the profile and edit the email. Click the Allow button, if you are sure that this employee no longer works with you and does not need access to the account.
When you change the email domain, click Next.
Select a department to add new employees to when you create new profiles in Microsoft Azure.
Configure mobile platforms: iOS and Android
At this step, you need to configure the ability to log in to Bitrix24 via the mobile application. First, copy the Bundle ID field.
Then go back to Microsoft Azure, open the App registrations section - All Applications, and open your app.
Go to the Authentication section, click Add a platform, and select iOS or macOS.
Fill in the Bundle ID field and click Configure.
Then copy the Redirect URI.
Go back to the Bitrix24 account, fill in the Redirect URI field and click Continue.
Copy the Package name and Signature hash fields. Open Microsoft Azure and repeat the steps to configure the Android app.
Fill in the Packet name and Signature hash fields with data from Bitrix24 and click Configure.
Copy the MSAL Configuration field.
Go back to the Bitrix24 account and paste the data from AzureAD into the MSAL Configuration field.
Test single sign-on and enable it for all employees
To make sure that the single sign-on works correctly, perform a self-check in your browser according to the instructions.
First, open the link in the incognito mode.
Note that Bitrix24 has been migrated to SSO and log in with the new data. You will see a message that the test was successful.
You can enable single sign-on for all employees or cancel the setting.
Once you enable SSO, you cannot disable it on your own. So if you need to disable SSO, we recommend that you contact technical support for help.