SAML SSO with Azure Active Directory

Microsoft teams, please defer to your process.

Prerequisites

  • An Azure AD Subscription
  • A plan that includes SAML Single Sign-On
  • A UserVoice account and admin login

1. Adding UserVoice from the Gallery

To configure the integration of UserVoice into Azure AD, you need to add UserVoice from the gallery to your list of managed SaaS Apps.

To add UserVoice from the gallery, follow these steps:

  1. In the Azure Portal, on the left navigation panel, click the Azure Active Directory icon.
  2. Navigate to Enterprise applications, then click All applications.
  3. Click the +Add button at the top of the dialog.
  4. Click All to expand the search. In the Add from the gallery box, search for UserVoice.
  5. In the results panel, select UserVoice, and then click Add.

There will be a short wait, and then you will see a confirmation message that the application has been added.

2. Configure Azure AD Single sign-on

In this section, you will enable Azure AD single sign-on in the Azure Portal and configure single sign-on in your UserVoice application.

To configure Azure AD single sign-on with UserVoice, perform these steps:

  1. In the Azure Portal, on the UserVoice application integration page, click Single sign-on.
  2. On the Single sign-on dialog, select Single Sign-On Mode as SAML-based Sign-on to enable single sign-on.
  3. On the UserVoice Domain and URLs section, perform the following steps:
    1. In the Sign-on URL textbox, type the value using the following pattern: https://<subdomain>.uservoice.com (if you copy and paste the URL, remove the trailing ‘/’)
    2. In the Identifier textbox, type the value using the following pattern: .uservoice.com
    3. Click Show advanced URL settings, and in the Reply URL textbox, type the value using the following pattern: https://<subdomain>.uservoice.com/saml/consume
  4. UserVoice expects SAML assertions in a specific format and requires the attributes outlined in the steps below:
    1. Set the User Identifier to user.mail (email).
    2. Check the View and edit all other attributes check box.
    3. UserVoice requires that an email address is sent; a display name and GUID are optional. Complete the following steps to create the preferred configuration:
      1. Delete givenname = user.givenname by clicking the three dots … and then Delete.
      2. Delete surname = user.surname by clicking the three dots … and then Delete.
      3. Confirm emailaddress = user.mail.
      4. Confirm name = user.displayname.
    4. To add or edit an attribute, click the attribute you want to edit:
      1. In the Name textbox, type the attribute name (e.g. name).
      2. From the Value list, select the attribute value (e.g. user.displayname).
      3. Click Ok.
  5. On the SAML Signing Certificate section, in the download column, download the certificate by clicking Certificate (Raw). You will need the UserVoice.cer file.
  6. Check the Make new certificate active box.
  7. On the UserVoice Configuration section, click Configure UserVoice to open the Configure sign-on window. Disregard the instructions and scroll down to the bottom. Here you will find the Quick Reference section. Copy the Azure AD Single Sign-On Service URL, and the Azure AD Sign Out URL. Close that dialog.
  8. Click the Save button at the top (if you’re prompted to confirm ‘rollover’ click Accept). When you see that the configuration has been saved, move on to the next step.
  9. In a new browser tab/window, log in to your UserVoice Admin Portal.
  10. Once logged in, click the Settings Cog in the bottom-left corner.
  11. Click on the Web Portal tab, navigate to User authentication and click Edit…
  12. On the Edit User Authentication dialog page, perform the following steps:
    1. Check the Single Sign-On (SSO) radio box.
    2. Paste the Azure AD Single Sign-On Service URL value into the SSO REMOTE SIGN-IN URL textbox.
    3. (Optional) Paste the Azure AD Sign Out URL value into the SSO REMOTE SIGN-OUT URL textbox.
    4. In the SAML SINGLE SIGN ON section, upload a new token signing certificate file. Click Choose File. Navigate to the UserVoice.cer file you downloaded earlier, and select it. Click Save.
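The three values entered in step 3 (Sign-on URL, Identifier, Reply URL) are the ones most often mistyped, and a trailing ‘/’ on any of them produces the “Invalid resource” error described under Troubleshooting. The following checker is an added example written for this guide, not UserVoice or Microsoft code; it assumes the Identifier takes the same <subdomain>.uservoice.com form as the other two fields, that a subdomain consists of DNS-label characters, and that all three fields should name the same subdomain.

```python
import re

# Patterns from step 3 of the guide. The subdomain character class is an
# assumption (DNS-label characters); the guide only writes "<subdomain>".
SUBDOMAIN = r"[a-z0-9-]+"
EXPECTED = {
    "Sign-on URL": re.compile(rf"^https://({SUBDOMAIN})\.uservoice\.com$"),
    "Identifier": re.compile(rf"^({SUBDOMAIN})\.uservoice\.com$"),
    "Reply URL": re.compile(rf"^https://({SUBDOMAIN})\.uservoice\.com/saml/consume$"),
}


def check_urls(settings):
    """Return a list of problems with the Azure AD 'UserVoice Domain and URLs'
    values; an empty list means all three agree with the guide's patterns."""
    problems = []
    subdomains = set()
    for field, pattern in EXPECTED.items():
        value = settings.get(field, "")
        # A trailing slash is the gotcha called out in Troubleshooting: Azure AD
        # will not find the resource if the identifier does not match exactly.
        if value.endswith("/"):
            problems.append(f"{field}: remove the trailing '/' (see Troubleshooting)")
            value = value.rstrip("/")
        match = pattern.match(value)
        if not match:
            problems.append(f"{field}: '{value}' does not match the expected pattern")
            continue
        subdomains.add(match.group(1))
    # All three fields describe one UserVoice site, so the subdomain must agree.
    if len(subdomains) > 1:
        problems.append(f"subdomain differs between fields: {sorted(subdomains)}")
    return problems


if __name__ == "__main__":
    # Constructed sample configuration; 'acme' stands in for a real subdomain.
    sample = {
        "Sign-on URL": "https://acme.uservoice.com/",
        "Identifier": "acme.uservoice.com",
        "Reply URL": "https://acme.uservoice.com/saml/consume",
    }
    for problem in check_urls(sample):
        print(problem)
```

Run it against the values you are about to paste into the portal; a clean run prints nothing.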

Test

To test your Azure AD UserVoice SSO implementation, you must first have users assigned to the application. See the section How to Assign Users to UserVoice Application below if you have not. Once the above steps have been completed, follow these steps to begin testing your SSO implementation:

  1. Open an Incognito browser window (or sign out of UserVoice and your Azure directory and open a new window).
  2. Go to your UserVoice Forum Portal (e.g. https://<subdomain>.uservoice.com).
  3. If you are not immediately presented with an Azure login page, click Sign in (top-right corner). A popup window should appear. Enter the email address and password of a user that has been assigned to the UserVoice application. Click Sign In.
  4. If successful, you should be granted access and taken to the home page. You have successfully set up Azure AD Single Sign-On for UserVoice.

If you are unsuccessful, reread this guide, verify your configuration and test again. If you are still unsuccessful, see Troubleshooting.

How to Assign Users to UserVoice Application

  1. In the Azure Portal, open the applications view, then navigate to the directory view, go to Enterprise applications and click All applications.
  2. In the applications list, select UserVoice.
  3. In the menu on the left, click Users and groups.
  4. Click the Add button, then select Users and groups on the Add Assignment dialog.
  5. On the Users and groups dialog, select the user(s) you would like to assign to UserVoice, and click the Select button.
  6. Click the Assign button on the Add Assignment dialog.

Troubleshooting

  • If you get the following error when signing in: “Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client’s application registration.”, remove trailing slashes (‘/’) from the URLs in your AAD UserVoice application under Single sign-on > UserVoice Domain and URLs.
  • Check your SSO logs in the UserVoice Admin Portal.
    • Navigate to https://<subdomain>.uservoice.com/admin/settings/portal/logs/failures. Here you will see logs with error information.
    • For more info, click Details…
    • Some common errors and their resolutions are listed in the Common errors section below.
  • If errors persist, you can contact the UserVoice Support Team with the following:
    • Your UserVoice account URL, i.e. xxx.uservoice.com.
    • The error you are seeing.
    • Things you have already tried to resolve the issue.
  • Note: you may need to connect the UserVoice support agent with the AAD team to help resolve the issue; the support agent will let you know if that is required.

Common errors

Error message: Fingerprint mismatch
  Explanation: The certificate used to sign the SAML assertion did not match the uploaded certificate.
  Action: Make sure you uploaded the correct certificate.

Error message: Current time is on or after NotOnOrAfter condition
  Explanation: The SAML assertion has a NotOnOrAfter timestamp that is earlier than the clock of the SP (UserVoice).
  Action: Ensure the time and timezone settings are accurate in your Identity Provider. Also make sure the SAML assertion is fresh and that the NotOnOrAfter timestamp is not set too soon.

Error message: Current time is earlier than NotBefore condition
  Explanation: The SAML assertion has a NotBefore timestamp that is later than the clock of the SP (UserVoice).
  Action: Ensure the time and timezone settings are accurate in your Identity Provider, and make sure the NotBefore timestamp is not set in the future.

Error message: SAML Remote endpoint not set
  Explanation: The SSO Remote Sign-In URL is not configured.
  Action: Set the SAML sign-in URL of your Identity Provider as explained in step 2.

Error message: SAML certificate fingerprint not set
  Explanation: The SAML token signing certificate fingerprint is not set.
  Action: Upload the token signing certificate of your Identity Provider as explained in step 2.
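The first three errors above, together with the attribute requirements from step 4 of the configuration section, are all checks the service provider runs on an incoming assertion. The script below is an added example written for this guide (not UserVoice code) that reproduces those checks on a constructed assertion so you can see which condition each error corresponds to. It assumes a SHA-1-over-DER fingerprint, a three-minute clock-skew allowance, Azure AD's default claim URIs for emailaddress and name, and a placeholder byte string standing in for the DER bytes of UserVoice.cer. It compares fingerprints only; it does not verify the XML signature, which a real SP does with an xmldsig library.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the DER bytes of UserVoice.cer; not a real certificate.
UPLOADED_CERT_DER = b"constructed-placeholder-der-bytes-for-UserVoice.cer"

# What the guide says UserVoice needs from the assertion (step 4.3).
REQUIRED_ATTRIBUTES = ("emailaddress", "name")

# Azure AD's default claim URIs (assumption; the guide shows only the short names).
CLAIM_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"


def fingerprint(der_bytes):
    """Conventional certificate fingerprint: SHA-1 over the DER encoding."""
    return hashlib.sha1(der_bytes).hexdigest()


def parse_saml_time(value):
    """SAML timestamps are UTC xsd:dateTime with a trailing 'Z'; older Pythons'
    fromisoformat does not accept 'Z', so normalise it first."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_assertion(not_before, not_on_or_after, cert_der=UPLOADED_CERT_DER, attributes=None):
    """Constructed minimal assertion: just enough structure for the checks below."""
    if attributes is None:
        attributes = {CLAIM_PREFIX + "emailaddress": "alice@example.com",
                      CLAIM_PREFIX + "name": "Alice Example"}
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attributes.items())
    cert_b64 = base64.b64encode(cert_der).decode()
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0">'
            f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
            f'<saml:Conditions NotBefore="{not_before.strftime(fmt)}" '
            f'NotOnOrAfter="{not_on_or_after.strftime(fmt)}"/>'
            f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
            '</saml:Assertion>')


def check_assertion(xml_text, expected_fp, now, skew=timedelta(minutes=3)):
    """Return the failures, worded like the SSO failure log; [] means accepted."""
    errors = []
    root = ET.fromstring(xml_text)

    # 1. Is the certificate carried in KeyInfo the one uploaded as UserVoice.cer?
    #    Fingerprint comparison only; a real SP also verifies the XML signature.
    cert_el = root.find(".//ds:X509Certificate", NS)
    if cert_el is None or fingerprint(base64.b64decode(cert_el.text.strip())) != expected_fp:
        errors.append("Fingerprint mismatch")

    # 2. Validity window, with a small skew allowance (assumed) for clock drift.
    #    Per SAML Core, NotBefore is inclusive and NotOnOrAfter is exclusive.
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        if "NotOnOrAfter" in cond.attrib and now >= parse_saml_time(cond.attrib["NotOnOrAfter"]) + skew:
            errors.append("Current time is on or after NotOnOrAfter condition")
        if "NotBefore" in cond.attrib and now < parse_saml_time(cond.attrib["NotBefore"]) - skew:
            errors.append("Current time is earlier than NotBefore condition")

    # 3. Required attributes, matched on the last path segment of the claim name
    #    so that both a bare "emailaddress" and the full Azure AD URI satisfy it.
    present = {a.attrib.get("Name", "").rsplit("/", 1)[-1]
               for a in root.findall(".//saml:Attribute", NS)}
    for required in REQUIRED_ATTRIBUTES:
        if required not in present:
            errors.append(f"Missing required attribute: {required}")
    return errors


def run_scenario(start_offset_min, end_offset_min, cert_der=UPLOADED_CERT_DER, attributes=None):
    """Build an assertion whose window is offset from now by the given minutes
    and check it against the uploaded certificate's fingerprint."""
    now = datetime.now(timezone.utc)
    xml_text = build_assertion(now + timedelta(minutes=start_offset_min),
                               now + timedelta(minutes=end_offset_min), cert_der, attributes)
    return check_assertion(xml_text, fingerprint(UPLOADED_CERT_DER), now)


if __name__ == "__main__":
    print("fresh assertion:", run_scenario(-1, 5))
    print("stale assertion:", run_scenario(-120, -60))
    print("IdP clock ahead:", run_scenario(60, 120))
    print("wrong certificate:", run_scenario(-1, 5, cert_der=b"some-other-certificate"))
```

The stale and clock-ahead scenarios are exactly the NotOnOrAfter and NotBefore rows above: the fix is on the Identity Provider side (clock, timezone, assertion lifetime), not in UserVoice.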

Acknowledgements

Microsoft Azure Tutorial - A good starting point with well worded instructions.