Configuring Microsoft Entra ID with SAML Federation

Configuring Microsoft Entra ID federation for SAML overview

This document is intended to help network administrators configure Microsoft Entra ID for Security Assertion Markup Language (SAML) federation with the Lexmark Cloud platform. For more information, contact the Lexmark Professional Services team.

Prerequisites

Before you begin, make sure that you have administrator access to the following portals:

Understanding the user experience for a CIAM organization

After federation with SAML is complete, first-time users must provide their email address in the Lexmark Cloud Services portal. Then they are redirected to their identity provider to complete the login process.

If the user has never signed in to their identity provider, they are prompted for their username and password. On completing that sign-in process, the user is then redirected back to the Lexmark Cloud Services portal.

Configuring Microsoft Entra ID

The screenshots may vary depending on the latest release.

Creating an enterprise application
  1. Log in to the Microsoft Azure portal.

  2. Select Microsoft Azure.

    A screenshot showing the home page of the Microsoft Azure portal.
  3. Select Microsoft Entra ID.

    A screenshot showing the navigation to the Microsoft Entra ID.
  4. In the Manage section, click Enterprise applications > New application.

    A screenshot showing navigation to the Enterprise applications.
    A screenshot showing navigation to the All applications page.
  5. Click Create your own application.

    A screenshot showing the Browse Microsoft Entra ID Gallery page.
  6. On the Create your own application window, in the What’s the name of your app? field, type the name of your new enterprise application.

  7. Select Integrate any other application you don’t find in the gallery (Non-gallery).

  8. Click Create.

    A screenshot showing the Create your own application window.

Setting up basic SAML configuration

The screenshots may vary depending on the latest release.

  1. Select Microsoft Azure.

  2. Select Microsoft Entra ID.

  3. In the Manage section, click Enterprise applications.

  4. Select the application that you have created.

    A screenshot showing the All applications page.
  5. On the application overview page, in the Getting Started section, select Set up single sign on.

    A screenshot showing the Overview page.
  6. Select SAML.

    A screenshot showing the Single sign-on page.
  7. In the Basic SAML Configuration section, click Edit.

    A screenshot showing the Basic SAML Configuration section.
  8. In the Basic SAML Configuration window, do the following:

    A screenshot showing the Basic SAML configuration window.
    1. In the Identifier (Entity ID) section, click Add Identifier.

    2. In the Add identifier field, depending on your location, type either of the following entity IDs:

      • For EU: https://lexmarkb2ceu.b2clogin.com/LexmarkB2CEU.onmicrosoft.com/B2C_1A_TrustFrameworkBase_ciam

      • For US: https://lexmarkb2c.b2clogin.com/LexmarkB2C.onmicrosoft.com/B2C_1A_TrustFrameworkBase_ciam

    3. In the Reply URL (Assertion Consumer Service URL) section, click Add reply URL.

    4. In the Add reply URL field, depending on your location, type either of the following reply URLs:

      • For EU: https://lexmarkb2ceu.b2clogin.com/LexmarkB2CEU.onmicrosoft.com/B2C_1A_TrustFrameworkBase_ciam/samlp/sso/assertionconsumer

      • For US: https://lexmarkb2c.b2clogin.com/LexmarkB2C.onmicrosoft.com/B2C_1A_TrustFrameworkBase_ciam/samlp/sso/assertionconsumer

    5. Click Save.

      A screenshot showing the save option on the Basic SAML Configuration window.
      A screenshot showing the Basic SAML Configuration section with all the required data.

Setting up attributes and claims

The screenshots may vary depending on the latest release.

  1. On the SAML-based Sign-on page, in the Attributes & Claims section, click Edit.

    A screenshot showing the Attributes and Claims section.
  2. Click Add new claim.

    A screenshot showing the Attributes and Claims page.
  3. Configure the following:

    • Unique User Identifier (Name ID)—user.userprincipalname

      Note: This claim is required in Entra ID.
    • Email—user.mail

    • Givenname—user.givenname

    • Surname—user.surname

    Note: These claims are required by Lexmark Cloud Services.

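
As an added example (not code from the Lexmark guide or from Microsoft), the following Python script checks a SAML assertion for the Name ID and the three claims required above. It assumes the enterprise application keeps Entra ID's default claim names (the schemas.xmlsoap.org/ws/2005/05/identity/claims URIs); the assertion it parses is constructed for the example, with the signature and conditions omitted. Running it over a decoded SAMLResponse captured during a test login shows which required claims are missing before users reach the Lexmark portal.

```python
"""Check that a SAML assertion carries the claims the Lexmark guide requires.

Added example, not part of the Lexmark guide or of Microsoft's tooling.
Assumption: the application keeps Entra ID's default claim names.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default Entra ID claim names for the attributes mapped in the guide
# (assumption: the claim names were not renamed in Attributes & Claims).
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_ATTRIBUTES = {
    "Email": CLAIMS + "emailaddress",
    "Givenname": CLAIMS + "givenname",
    "Surname": CLAIMS + "surname",
}

# Constructed sample assertion: signature, issuer and conditions omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Return (name_id, {claim_name: [values]}) from an Assertion or Response."""
    root = ET.fromstring(assertion_xml)
    # ".//" lets the same code work whether the root is the Assertion or a
    # Response wrapping it.
    name_id_el = root.find(".//saml:Subject/saml:NameID", NS)
    name_id = None
    if name_id_el is not None and name_id_el.text:
        name_id = name_id_el.text.strip()
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def missing_claims(assertion_xml):
    """List the guide's required items that are absent or empty in the assertion."""
    name_id, attrs = extract_claims(assertion_xml)
    missing = []
    if not name_id:
        missing.append("Name ID")
    for label, claim_name in REQUIRED_ATTRIBUTES.items():
        if not attrs.get(claim_name):
            missing.append(label)
    return missing


if __name__ == "__main__":
    print("missing:", missing_claims(SAMPLE_ASSERTION) or "none")
```

The script reports claim presence only; it does not verify the assertion signature, which the Lexmark portal does when it processes the response.
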
Setting up optional attributes and claims
  1. On the Attributes & Claims page, click Add new claim.

  2. On the Manage claim page, do the following:

    A screenshot showing the Manage claim page.
    1. In the Name field, type the name of the claim.

      Note: The value does not need to be a strict URI pattern, based on the SAML specification. If you need a URI pattern, then you type it in the Namespace field.
    2. Select the source from where the claim retrieves the value.

      Note: You can either select a user attribute or apply a transformation to the user attribute before setting it as a claim.

Lexmark Cloud Services supports the following optional claims:

Downloading certificates and copying URLs

The screenshots may vary depending on the latest release.

After adding your claims, do the following steps:

  1. On the SAML-based Sign-on page, in the SAML Certificates section, click Download to download the Certificate (Base64).

  2. Copy and retain the App Federation Metadata Url.

  3. In the application setup section, copy and retain the values for Login URL and Logout URL.

    A screenshot showing the SAML-based Sign-on page.
    Note: The App Federation Metadata Url, Login URL, and Logout URL are required for configuring the Lexmark Cloud Services portal.

Assigning groups and users

The screenshots may vary depending on the latest release.

Depending on the Azure configuration, you are required to either assign users to the new enterprise application, or specify that user assignment is not required.

  1. Select Microsoft Azure.

  2. Select Microsoft Entra ID.

  3. In the Manage section, click Enterprise applications.

  4. Select the application that you created.

  5. On the application overview page, in the Getting Started section, select Assign users and groups.

    A screenshot showing the application overview page.
  6. In the Manage menu, select Properties.

    A screenshot showing the Users and groups page.
  7. On the Properties page, in the Assignment required? section, select Yes or No.

    A screenshot showing the Properties page.

Configuring Lexmark Cloud Services

The screenshots may vary depending on the latest release.

  1. Log in to Lexmark Cloud Services.

    A screenshot showing the Lexmark Cloud Services portal login page.
  2. From the navigation menu on the right side of the screen, select Account Management.

    A screenshot showing the navigation menu for the Lexmark Cloud Services portal.
  3. If necessary, select your organization, and then click Next.

    A screenshot showing the Select Organization page.
  4. From the Organization menu, select Authentication Provider.

    A screenshot showing the Organization menu.
  5. Click Configure on Authentication Provider.

    A screenshot showing the Configure on Authentication Provider button.
  6. From the Authentication Provider Type menu, select SAML.

    A screenshot showing the Authentication Provider Type menu.
    Note: The Domains field allows Lexmark Cloud Services to establish a new user account after the user logs in. Listing each organization domain is not required. If no domain is set, then the new users must be manually added to the organization before they log in.
  7. In the SAML Authentication Provider section, select either With Metadata URL or Without Metadata URL.

    Note: We recommend selecting With Metadata URL for a shorter process.
    With Metadata URL
    1. In the SAML Authentication Provider section, select With Metadata URL.

      A screenshot showing the SAML Authentication Provider section with metadata URL.
    2. In the SAML Metadata URL (Required) field, paste the App Federation Metadata Url that you have previously copied and retained.

      Note: For more information on App Federation Metadata Url, see Downloading certificates and copying URLs.
    3. Click Configure Authentication Provider.

    Without Metadata URL
    1. In the SAML Authentication Provider section, select Without Metadata URL.

      A screenshot of the SAML Authentication Provider section without metadata URL.
    2. In the Identity provider entity ID (Required) field, depending on your location, type either of the following:

      • For EU: https://lexmarkb2ceu.b2clogin.com/LexmarkB2CEU.onmicrosoft.com/B2C_1A_TrustFrameworkBase_ciam

      • For US: https://lexmarkb2c.b2clogin.com/LexmarkB2C.onmicrosoft.com/B2C_1A_TrustFrameworkBase_ciam

      Note: The URLs must be the same as the URLs entered in Microsoft Entra ID.
    3. Enter the required information copied from Azure AD:

      • SSO target URL (Required)

      • SSO Logout URL (Required)

      • Certificate (Required)

        Note: Make sure that you include the header and the footer for the certificate.
    4. Click Configure Authentication Provider.

Note: Do not exit the Lexmark Cloud Services portal or allow the portal session to time out. Test your SAML connection now: if you are logged out at this point, you may be unable to log in again to correct any problems discovered during testing. For more information on testing the federation, see Testing a federation.

Testing a federation

The screenshots may vary depending on the latest release.

Note: Do not log out or close the current browser until the federation is successfully set up.

  1. From the same workstation, open a new browser window.

    Note: The browser should be opened in either private or incognito mode.
  2. From a different workstation, open a new browser window.

  3. Log in to Lexmark Cloud Services from either workstation.

    A screenshot of the Lexmark Cloud Services login page from the Azure perspective.
  4. Depending on your location, use either of these URLs:

    • For EU: https://lexmarkb2ceu.b2clogin.com/LexmarkB2CEU.onmicrosoft.com/B2C_1A_TrustFrameworkBase_ciam

    • For US: https://lexmarkb2c.b2clogin.com/LexmarkB2C.onmicrosoft.com/B2C_1A_TrustFrameworkBase_ciam

    Note: The user is prompted to log in to Azure rather than to Lexmark Cloud Services.
  5. Check the user's My Account page to verify the details.