SAML authentication with Azure accounts has proven to work. It requires four phases to get SAML configured. We will call them:
Note: Azure AD is part of the Microsoft Cloud offerings; you will likely need either a Microsoft Cloud license or an Office 365 license associated with your domain. It also works with a "Usage based Microsoft Azure Plan" account, in which Azure AD can be used free of charge.
Please follow the following steps to set up an enterprise application using the SAML toolkit. This documentation is also available in other languages in the Microsoft documentation.
| Setting | Value |
|---|---|
| Identifier (Entity ID) | https://timetracking.example.com/auth/saml/metadata |
| Reply URL (Assertion Consumer Service URL) | https://timetracking.example.com/auth/saml/acs |
| Sign on URL | https://timetracking.example.com/ |
| Logout URL | https://timetracking.example.com/auth/saml/logout |
Please copy & paste the entire SAML configuration into your `local.yaml`:

```yaml
kimai:
    saml:
        activate: true
        title: Login with Azure AD
        mapping:
            - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: username }
            - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
            - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, kimai: alias }
            - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname, kimai: title }
        roles:
            resetOnLogin: true
            attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
            mapping:
                - { saml: xxxxxxxx-yyyy-xxxx-yyyy-xxxxxxxxxxxx, kimai: ROLE_ADMIN }
                - { saml: Azure-Group-Object-Id, kimai: ROLE_TEAMLEAD }
        connection:
            idp:
                entityId: 'https://sts.windows.net/****-****-***/'
                singleSignOnService:
                    url: 'https://login.microsoftonline.com/****-****-***/saml2'
                x509cert: 'ADD YOUR CERTIFICATE HERE'
            sp:
                entityId: 'https://timetracking.example.com/auth/saml/metadata'
                assertionConsumerService:
                    url: 'https://timetracking.example.com/auth/saml/acs'
                singleLogoutService:
                    url: 'https://timetracking.example.com/auth/saml/logout'
            security:
                requestedAuthnContext: false
```

Adjust the following keys with your Azure / App specific settings:

```yaml
title: Login with Azure
connection:
    idp:
        entityId: 'https://sts.windows.net/****-****-***/'   # Azure AD Identifier
        singleSignOnService:
            url: 'https://login.microsoftonline.com/****-****-***/saml2'   # Login URL
        x509cert: 'REALLY LONG SET OF CHARACTERS'   # Azure AD signing certificate (Base64)
    sp:
        entityId: 'https://timetracking.example.com/auth/saml/metadata'
        assertionConsumerService:
            url: 'https://timetracking.example.com/auth/saml/acs'
        singleLogoutService:
            url: 'https://timetracking.example.com/auth/saml/logout'
```
You should now be able to test the login by visiting your Kimai URL and clicking on the title of the SAML method you defined earlier.
The account number is not a standard attribute in Azure AD. But if you want to sync a unique "Employee ID", you could add a field mapping for the account number:

```yaml
- { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid, kimai: accountNumber }
```
The example values for the group mapping from above:

```yaml
- { saml: xxxxxxxx-yyyy-xxxx-yyyy-xxxxxxxxxxxx, kimai: ROLE_ADMIN }
- { saml: Azure-Group-Object-Id, kimai: ROLE_TEAMLEAD }
```

would, with this Azure configuration (the group object IDs from the Azure portal), lead to this configuration:

```yaml
- { saml: 7f9597ed-8b67-45d7-bd5b-70d2659ad429, kimai: ROLE_ADMIN }
- { saml: 998e116b-f8a1-4314-871c-045e92f82ce8, kimai: ROLE_TEAMLEAD }
```

The Kimai System-Admin group is not used in this example, but you would configure it in your `local.yaml`.
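To see what the field mapping and the group-to-role mapping above actually do with an Azure AD assertion, here is an added, stand-alone Python example. It is not Kimai's own code: it models the page's conventions (a `$`-prefixed attribute name is replaced by that attribute's value and surrounding text is kept, `resetOnLogin: true` discards previously held roles, and only group object IDs listed in `roles.mapping` grant a role) against a constructed AttributeStatement with the page's example group IDs. The `config_problems` check is an assumption-free sanity test for two things commonly left behind after copying the snippet: the `x509cert` placeholder and a role mapping whose value is not a group object ID.

```python
"""Added example (not part of Kimai): apply a Kimai-style SAML mapping to an
Azure AD assertion and sanity-check the copied configuration."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mirrors the kimai.saml section from the page (Python dict instead of YAML).
# The two group object IDs are the page's example values.
CONFIG = {
    "mapping": [
        {"saml": "$http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "kimai": "username"},
        {"saml": "$http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "kimai": "email"},
        {"saml": "$http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname "
                 "$http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "kimai": "alias"},
        {"saml": "$http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname", "kimai": "title"},
    ],
    "roles": {
        "resetOnLogin": True,
        "attribute": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
        "mapping": [
            {"saml": "7f9597ed-8b67-45d7-bd5b-70d2659ad429", "kimai": "ROLE_ADMIN"},
            {"saml": "998e116b-f8a1-4314-871c-045e92f82ce8", "kimai": "ROLE_TEAMLEAD"},
        ],
    },
    "idp": {"x509cert": "ADD YOUR CERTIFICATE HERE"},   # placeholder left in on purpose
}

# Constructed AttributeStatement in the shape Azure AD emits; the second group
# ID is a made-up group that has no mapping and must not grant anything.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname">
      <saml:AttributeValue>Jane Doe (Sales)</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>998e116b-f8a1-4314-871c-045e92f82ce8</saml:AttributeValue>
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        out[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return out


TOKEN = re.compile(r"\$(\S+)")


def resolve(template, attrs):
    """Replace each $name token with the attribute's first value; keep other text verbatim."""
    return TOKEN.sub(lambda m: attrs.get(m.group(1), [""])[0], template)


def map_user(config, attrs):
    """Build the Kimai user fields from the field mapping."""
    return {m["kimai"]: resolve(m["saml"], attrs) for m in config["mapping"]}


def map_roles(config, attrs, current_roles=()):
    """Grant roles for mapped group IDs; with resetOnLogin the old roles are dropped."""
    roles = config["roles"]
    granted = set() if roles["resetOnLogin"] else set(current_roles)
    groups = set(attrs.get(roles["attribute"], []))
    granted.update(m["kimai"] for m in roles["mapping"] if m["saml"] in groups)
    return sorted(granted)


GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def config_problems(config):
    """Flag the x509cert placeholder and role mappings that are not group object IDs."""
    problems = []
    cert = config["idp"]["x509cert"].strip()
    if not cert or "CERTIFICATE" in cert.upper():
        problems.append("idp.x509cert still holds the placeholder")
    for m in config["roles"]["mapping"]:
        if not GUID.match(m["saml"]):
            problems.append(f"roles.mapping for {m['kimai']} is not a group object ID: {m['saml']}")
    return problems


if __name__ == "__main__":
    attrs = attributes(ASSERTION)
    print(map_user(CONFIG, attrs))
    print(map_roles(CONFIG, attrs, current_roles=["ROLE_ADMIN"]))
    print(config_problems(CONFIG))
```

Running it shows the alias assembled from givenname and surname, ROLE_TEAMLEAD granted from the mapped group while the unmapped group and the previously held ROLE_ADMIN are dropped, and the leftover certificate placeholder reported.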