Integrating Marq with Azure enables your users to authenticate using SAML single sign-on through Azure. Azure also offers a SCIM connection that allows you to provision users in your IDP.
Configure the SAML Integration for Marq via Azure Portal
- Add the Marq Enterprise application to your Azure instance.
- In Marq, navigate to the Identity Management section of your Admin panel by clicking Admin > Identity Management. Check the box next to Allow SAML authentication, then click Save Changes.
If you would like to set SAML as the default authentication method for users on your account (i.e. what they encounter when they click “next” after typing their email address into the login page), you can do so in the Default authentication dropdown below.
- On the same page, click Configure to navigate to your SAML activation page in Marq.
- Under Marq Sign in URL, enter your Domain name, then click Save Changes.
- In the Azure Marq Enterprise Application, navigate to Single Sign-on > Configure Single sign-on.
- Under Single Sign-on Mode, select SAML-based Sign on.
- Your Basic SAML Configuration settings in Azure should match the values below.
SP identifier/entityID/audience restriction: marq.com
Sign on URL: https://www.marq.com/saml/sso/<yourdomain>
ACS/Reply URL primary (Index = 0): https://marq.com/saml/sso/<yourdomain>
ACS/Reply URL secondary (Index = 1): https://www.marq.com/saml/sso/<yourdomain> (this is only needed for accounts that use federated SAML metadata)
SSO Service Binding: We default to POST, but can work with REDIRECT (please contact us if you are using REDIRECT)
Digest Algorithm: SHA-256
nameID: We prefer working with email, but can work with other values
- Confirm that user.userprincipalname is the User Identifier. All basic attributes and claims should be set up already by default.
- Click Save at the top of the page.
- Select Metadata XML under the SAML Signing Certificate to download the IDP metadata. You will upload this file to Marq in the next step.
- Back in Marq, scroll down on the SAML Activation page and click Add Identity Provider. Upload the .xml file that you downloaded from Azure in the previous step.
- Click Test SAML connection to verify that Marq is properly communicating with Azure. Note: The connection will only work if the Marq app has been assigned to your test user in Azure. You can assign the app to users in the Assignments section of the app page.
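When Test SAML connection fails, a quick way to find the cause is to compare a SAMLResponse captured from your own test sign-in with the Basic SAML Configuration values above. The Python sketch below is an added example, not Marq or Microsoft code; the function names, the example.com domain and the sample response are constructed for illustration, and it compares field values only without validating the XML signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

def check_response(b64_response, domain):
    """List mismatches between a captured SAMLResponse and the Basic SAML
    Configuration values above. It does not validate the XML signature."""
    acs = {f"https://marq.com/saml/sso/{domain}",
           f"https://www.marq.com/saml/sso/{domain}"}
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") not in acs:
        problems.append("Destination is not a configured ACS/Reply URL")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if audiences != ["marq.com"]:
        problems.append("Audience restriction is not marq.com")
    recipients = [c.get("Recipient") for c in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if not recipients or any(r not in acs for r in recipients):
        problems.append("Recipient is not a configured ACS/Reply URL")
    digests = [d.get("Algorithm") for d in root.iterfind(".//ds:DigestMethod", NS)]
    if not digests:
        problems.append("no signature digest found")
    elif any(d != SHA256 for d in digests):
        problems.append("digest algorithm is not SHA-256")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or "@" not in (name_id.text or ""):
        problems.append("NameID is not an email-style value (warning only)")
    return problems

def sample_response(audience="marq.com", digest=SHA256, domain="example.com"):
    """Constructed sample (no real signature value); tenant and user are made up."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
 Destination="https://marq.com/saml/sso/{domain}"><saml:Assertion>
 <ds:Signature><ds:SignedInfo><ds:Reference><ds:DigestMethod Algorithm="{digest}"/>
 </ds:Reference></ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID>user@{domain}</saml:NameID><saml:SubjectConfirmation>
 <saml:SubjectConfirmationData Recipient="https://marq.com/saml/sso/{domain}"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_response(sample_response(), "example.com"))
    print(check_response(sample_response("https://marq.com", "http://www.w3.org/2000/09/xmldsig#sha1"), "example.com"))
```

An empty list means the response matches the configured values; each string names one setting to recheck in the Azure Basic SAML Configuration.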
Adding a Marq Linked Enterprise Application via Azure Portal
While we rely on the Marq Enterprise Application in Azure to authenticate your users into Marq, if you want your users to see a Gallery Enterprise Application, follow the steps below. Please note that all steps take place within Azure AD.
- Open the Enterprise Application section of the AzureAD portal. Click the + Application button at the top of your application list.
- Choose the “Non-gallery application” option, naming it Marq and adding it.
- Select “Set Up Single Sign on.”
- Copy the sign-on URL from your Marq application and paste it into the “sign-on URL” text box.
- Navigate to the Properties tab after downloading the Marq logo here. There you can upload the image as an Application icon.
- Make sure you assign any users you want to see the app in their Gallery. Note, SAML access is determined by the Marq app, so users must have both apps assigned to them even if that user just uses Marq.
Create Users Upon Log-In with SAML
Once you have configured SAML with Azure for your Marq account, you can set up Just-In-Time provisioning so that users assigned Marq access in Azure who do not have a Marq account will have an account created for them upon their first log-in.
To enable new user creation for users assigned to the application, you will need to navigate to the “Properties” tab in your Marq application page within Azure. From there, scroll to the bottom of the page and toggle the “User Assignment request to Access Application” to “Off.” Then, select “Users and groups” from the “Manage” menu. Select and assign users and/or groups to access the Marq application.
You can then set up Just-In-Time provisioning in the Licensing Settings section of your Marq admin panel.
- If you would like all users to come onto your Marq team with full-edit licenses, set the setting for “When a new user joins a team” to “Automatically grant license.”
- If you want all users to come in as view-only users, set the setting for “When a new user joins a team” to “Do not automatically grant.” Your users will then be able to request full-edit licenses. Depending on the “When a user requests a license” setting, you can have licenses automatically granted to users upon their request, or you can have the requests turn into pending requests in your user list.
Note: We strongly recommend that you have a custom request dialog if you have users requesting licenses from an admin.
Configure SCIM for Marq with Azure
You can enable SCIM with Azure by following the steps below. Please note that the Marq app for Azure supports auto-provisioning with SCIM but not auto-licensing. This means that you can use SCIM to create Marq users before their first log-in, but you cannot assign them a specific license type (e.g. full-edit vs. view-only). Please see the Auto-Provisioning and Auto-Licensing article for more information about this distinction.
Before configuring SCIM, you will need to do the following:
- Confirm that you are on an Enterprise account with an up-to-date pricing plan.
- Contact your Marq Customer Success Manager so that they can enable SCIM for your account.
Note: Your CSM would be happy to jump on a call to walk you through the SCIM configuration process, so please don’t hesitate to reach out!
Once you have followed the pre-configuration steps listed above, you can configure SCIM for Marq in Azure by following these steps:
- In Marq, go to Admin > App Integration > SCIM.
- Click “generate token.” Marq will populate the “Bearer Token” text field with a unique code for you to share with Azure.
- In Azure, go to the Provisioning tab and use the Marq Base URL and Bearer token to configure SCIM for the Marq Azure app.
What is the difference between Microsoft SSO and Azure SAML Sign-On?
Microsoft SSO and Azure SAML Sign-On are both managed from the Azure portal. SAML uses the SAML 2.0 protocol, while Microsoft SSO uses OAuth 2.0 with OpenID. Generally, SAML setups are considered more secure because the encryption is on the transport layer (SSL).