In this tutorial we configure Azure AD for SAML single sign-on to Udemy for Business, using the metadata provided by the Udemy for Business team or the metadata downloaded from PingOne.
If you do not have the metadata from the Udemy for Business team, or you are not sure how to download it, please refer to this article.
Create a New Application in Azure
Log in to the Azure portal and click on Azure Active Directory.
Next, click on Enterprise applications and then on + New application.
Select Non-gallery application.
Set the name for the application and click on Add.
Click on Configure single sign-on.
Under Single Sign-on Mode, select SAML-based Sign-on.
As Identifier (Entity ID) use the value PingConnect. This value is sent as the Audience of the SAML assertion, so it must match exactly.
As Reply URL (Assertion Consumer Service URL) use the value https://sso.connect.pingidentity.com/sso/sp/ACS.saml2. This is the endpoint to which Azure AD posts the signed assertion.
Click on Show advanced URL settings to show the Sign on URL and use the value
In the User Identifier select box, choose user.email.
Click on View and edit all other user attributes to configure the attributes that will be sent in the SAML assertion.
The Udemy for Business instance of PingOne supports the following attributes:
SCIM.email: the unique email address of the user
SCIM.name.givenName: the given (or first) name of the user
SCIM.name.middleName: the middle name (if any) of the user
SCIM.name.familyName: the family (or last) name of the user
SCIM.name.formatted: the fully formatted name of the user
groups: the list of groups to which the user belongs
externalID: the user ID specified by the customer
All attribute names are case sensitive; enter them exactly as written above.
To change an attribute, click on its row.
Enter the name exactly as shown in the table above, select the matching source value and click on Ok.
Do not forget to clear the Namespace value: if a namespace is left in place, Azure AD prefixes it to the claim name, and the attribute will no longer match the name PingOne expects.
To add more attributes to the SAML assertion, click on Add attribute.
Click on Save to finish configuring.
Click on the Metadata XML link to export the metadata XML file; it contains the Azure AD signing certificate and sign-on URLs for this application.
To give users access to the new application, click once more on Azure Active Directory,
then on Enterprise applications,
then on your newly created application,
then on Users and groups,
and finally on + Add user, once for each user.
Only assigned users will be able to sign in through SSO; assignment is the access-control gate for this application.
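Once a user is assigned, the quickest way to confirm the configuration above is to sign in as that user, capture the SAMLResponse form parameter with a browser SAML tracer, and check the decoded assertion against the values entered in the portal. The script below is an added example written for this page, not code from Udemy, PingOne or Microsoft. It checks that the Audience equals the Identifier (PingConnect), that the Recipient equals the Reply URL, that a NameID is present, and that every attribute name matches the supported list exactly, flagging the two common mistakes the tutorial warns about: a leftover namespace prefix and a case mismatch. The two assertions embedded in it are constructed samples, not real captures.

```python
"""Sanity-check a SAML assertion issued by the Azure AD app configured above.

Capture the SAMLResponse POST parameter with a browser SAML tracer after
signing in as an assigned user, then pass it to check_saml_response().
Added example for this page; the sample assertions are constructed.
"""
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values from the tutorial: the Identifier becomes the Audience, the Reply URL the Recipient.
EXPECTED_AUDIENCE = "PingConnect"
EXPECTED_ACS = "https://sso.connect.pingidentity.com/sso/sp/ACS.saml2"

# Attribute names PingOne reads for Udemy for Business (case sensitive).
SUPPORTED_ATTRIBUTES = {
    "SCIM.email", "SCIM.name.givenName", "SCIM.name.middleName",
    "SCIM.name.familyName", "SCIM.name.formatted", "groups", "externalID",
}


def check_saml(xml_text: str) -> list[str]:
    """Return 'CODE: detail' findings; an empty list means the assertion matches the setup."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["ASSERTION: no saml:Assertion element found"]
    findings = []

    if not assertion.findtext("saml:Subject/saml:NameID", namespaces=NS):
        findings.append("NAMEID: no NameID; check the User Identifier (user.email) setting")

    audience = assertion.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != EXPECTED_AUDIENCE:
        findings.append(f"AUDIENCE: got {audience!r}, expected {EXPECTED_AUDIENCE!r} (Identifier field)")

    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != EXPECTED_ACS:
        findings.append(f"RECIPIENT: got {recipient!r}, expected the Reply URL {EXPECTED_ACS!r}")

    by_lowercase = {name.lower(): name for name in SUPPORTED_ATTRIBUTES}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name in SUPPORTED_ATTRIBUTES:
            continue
        short = name.rsplit("/", 1)[-1]
        if "/" in name and short.lower() in by_lowercase:
            # Azure AD prefixes the Namespace field to the claim name; the tutorial says to clear it.
            findings.append(f"NAMESPACE: {name!r} still carries a namespace; clear it so the claim is sent as {by_lowercase[short.lower()]!r}")
        elif name.lower() in by_lowercase:
            findings.append(f"CASE: {name!r} differs only in case from {by_lowercase[name.lower()]!r}")
        else:
            findings.append(f"UNKNOWN: {name!r} is not in the supported attribute list")
    return findings


def check_saml_response(b64_response: str) -> list[str]:
    """Decode a base64 SAMLResponse POST parameter and check the assertion inside it."""
    return check_saml(base64.b64decode(b64_response).decode("utf-8"))


# Constructed sample assertion matching the tutorial's settings (not a real capture).
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sso.connect.pingidentity.com/sso/sp/ACS.saml2"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>PingConnect</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="SCIM.email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="SCIM.name.givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="SCIM.name.familyName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>engineering</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The same assertion with typical mistakes: namespace not cleared, wrong case, unsupported name, wrong Audience.
BAD_ASSERTION = GOOD_ASSERTION.replace(
    'Name="SCIM.email"', 'Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/SCIM.email"'
).replace('Name="SCIM.name.givenName"', 'Name="scim.name.givenname"'
).replace('Name="groups"', 'Name="department"'
).replace("<saml:Audience>PingConnect<", "<saml:Audience>pingconnect<")

if __name__ == "__main__":
    for label, sample in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_saml(sample) or "OK")
```

Run it against a real capture by base64-decoding the SAMLResponse parameter (check_saml_response does this for you); a clean result means the Identifier, Reply URL and attribute names match what was entered in the portal. The script does not validate the XML signature, so it is a configuration check, not a substitute for the signature verification PingOne performs.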