This document is intended to help network administrators configure Microsoft Entra ID for Security Assertion Markup Language (SAML) federation with the Lexmark Cloud platform. For more information, contact the Lexmark Professional Services team.
Before you begin, make sure that you have administrator access to the following portals:
Microsoft Azure portal
Lexmark Cloud Services
After federation with SAML is complete, first-time users must provide their email address in the Lexmark Cloud Services portal. Then they are redirected to their identity provider to complete the login process.
If the user has never signed in to their identity provider, they are prompted for their username and password. On completing that sign-in process, the user is then redirected back to the Lexmark Cloud Services portal.
The screenshots may vary depending on the latest release.
Log in to the Microsoft Azure portal.
Select Microsoft Azure.
Select Microsoft Entra ID.
In the Manage section, click Enterprise applications > New application.
Click Create your own application.
On the Create your own application window, in the What’s the name of your app? field, type the name of your new enterprise application.
Select Integrate any other application you don’t find in the gallery (Non-gallery).
Click Create.
Select Microsoft Azure.
Select Microsoft Entra ID.
In the Manage section, click Enterprise applications.
Select the application that you have created.
On the application overview page, in the Getting Started section, select Set up single sign on.
Select SAML.
In the Basic SAML Configuration section, click Edit.
In the Basic SAML Configuration window, do the following:
In the Identifier (Entity ID) section, click Add Identifier.
In the Add identifier field, depending on your location, type either of the following entity IDs:
For EU:
For US:
In the Reply URL (Assertion Consumer Service URL) section, click Add reply URL.
In the Add reply URL field, depending on your location, type either of the following reply URLs:
For EU:
For US:
Click Save.
On the SAML-based Sign-on page, in the Attributes & Claims section, click Edit.
Click Add new claim.
Configure the following:
Unique User Identifier (Name ID)—user.userprincipalname
Email—user.mail
Givenname—user.givenname
Surname—user.surname
On the Attributes & Claims page, click Add new claim.
On the Manage claim page, do the following:
In the Name field, type the name of the claim.
Select the source from where the claim retrieves the value.
Lexmark Cloud Services supports the following optional claims:
Department
Cost Center
Badge
PIN
After adding your claims, do the following steps:
On the SAML-based Sign-on page, in the SAML Certificates section, click Download to download the Certificate (Base64).
Copy and retain the App Federation Metadata Url.
In the application setup section, copy and retain the values for Login URL and Logout URL.
Depending on the Azure configuration, you are required to either assign users to the new enterprise application, or specify that user assignment is not required.
Select Microsoft Azure.
Select Microsoft Entra ID.
In the Manage section, click Enterprise applications.
Select the application that you created.
On the application overview page, in the Getting Started section, select Assign users and groups.
In the Manage menu, select Properties.
On the Properties page, in the Assignment required? section, select Yes or No.
Log in to Lexmark Cloud Services.
From the navigation menu on the right side of the screen, select Account Management.
If necessary, select your organization, and then click Next.
From the Organization menu, select Authentication Provider.
Click Configure on Authentication Provider.
From the Authentication Provider Type menu, select SAML.
In the SAML Authentication Provider section, select either With Metadata URL or Without Metadata URL.
In the SAML Authentication Provider section, select With Metadata URL.
In the SAML Metadata URL (Required) field, paste the App Federation Metadata Url that you have previously copied and retained.
Click Configure Authentication Provider.
In the SAML Authentication Provider section, select Without Metadata URL.
In the Identity provider entity ID (Required) field, depending on your location, type either of the following:
For EU: https://lexmarkb2ceu.b2clogin.com/LexmarkB2CEU.onmicrosoft.com/B2C_1A_TrustFrameworkBase_ciam
For US: https://lexmarkb2c.b2clogin.com/LexmarkB2C.onmicrosoft.com/B2C_1A_TrustFrameworkBase_ciam
Enter the required information copied from Azure AD:
SSO target URL (Required)
SSO Logout URL (Required)
Certificate (Required)
Click Configure Authentication Provider.
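The Without Metadata URL path depends on three hand-copied values (Login URL, Logout URL and the Base64 certificate), so a check that they agree with the IdP's own federation metadata catches a stale or wrong certificate before users are locked out. The following is an added example, not Lexmark or Microsoft code: it assumes the XML behind the App Federation Metadata Url has been saved locally and uses the standard SAML 2.0 metadata layout; the function names, the idp.example host and the sample bytes are constructed for illustration.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprint(cert_text: str) -> str:
    """SHA-256 of the DER bytes; accepts bare Base64 or a PEM-armored file."""
    body = re.sub(r"-----[A-Z ]+-----|\s+", "", cert_text)
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()

def parse_idp_metadata(xml_text: str) -> dict:
    """Pull the IdP entity ID, endpoints and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)  # administrator-saved file, not untrusted input
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo"
                        "/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso": {e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)},
        "cert_fps": {cert_fingerprint(c.text) for c in certs},
    }

def check_manual_values(meta, login_url, logout_url, cert_text) -> list:
    """Return the mismatches between hand-copied values and the metadata."""
    problems = []
    for label, url, known in (("Login URL", login_url, meta["sso"]),
                              ("Logout URL", logout_url, meta["slo"])):
        if not url.startswith("https://"):
            problems.append(f"{label} is not HTTPS")
        elif url not in known:
            problems.append(f"{label} is not an endpoint in the metadata")
    if cert_fingerprint(cert_text) not in meta["cert_fps"]:
        problems.append("Certificate is not a signing certificate in the metadata")
    return problems

# Constructed sample data: placeholder host and bytes, not a real tenant or certificate.
SAMPLE_B64 = base64.b64encode(b"constructed bytes standing in for a DER cert").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_URL = "https://idp.example/tenant-placeholder/saml2"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example/tenant-placeholder/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>{SAMPLE_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{SAMPLE_URL}"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{SAMPLE_URL}"/></IDPSSODescriptor></EntityDescriptor>"""
print(check_manual_values(parse_idp_metadata(SAMPLE_METADATA), SAMPLE_URL, SAMPLE_URL, SAMPLE_PEM))
```

An empty list means the three values match the metadata; the same fingerprint can be recorded and compared again after the IdP signing certificate is rotated.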
From the same workstation, open a new browser window.
From a different workstation, open a new browser window.
Log in to Lexmark Cloud Services from either workstation.
Depending on your location, use either of these URLs:
For EU:
For US:
Check the user's My Account page to verify the details.