Configure SAML authentication

The IAM Authentication page contains read-only fields for Entity ID, Assertion Consumer Service URL, Metadata URL, and Service Provider Initiated Sign-On URL that are unique to your organization's tenant account. These fields are visible if you select the Enable IAM External Authentication Entity (Company Login) check box under Service Provider. It's important that you know the location of these fields if you are configuring an external IdP.

Calabrio ONE integrates with IdPs that support SAML 2.0 authentication (see Set up IAM authentication for the list of supported IdPs). The following general parameters apply when configuring the SAML assertion in an IdP.

Prerequisites

You need to set up an application for Calabrio IAM (identity and access management) in your IdP. The following list contains values required to setup this application.

1. Assertion Consumer Service URL. After you successfully authenticate with your IdP, the user is redirected to this URL with the SAML response. The URL varies depending on your organization. Use the domain for your region in the list below or the Assertion Consumer Service URL value located on the IAM Authentication page if your organization uses a subdomain-based URL after October 14th 2025.
   

   IAM Domain Names
   Australia	https://id-aus.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp
   Canada	https://id-ca.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp
   European Union	https://id-eu.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp
   United Kingdom	https://id-uk.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp
   United States	https://id.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp
   Singapore	https://id-sgp.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp

2. Service Provider Entity ID:
• Your Service Provider Entity ID is a unique value if you are configuring your IdP after September 30th 2025. To locate and copy your Service Provider Entity ID, navigate to Application Management > IAM Authentication > Service Provider Settings > Entity ID.
• Your Service Provider Entity ID is calabriosp if your IdP was configured prior to October 14th 2025.
3. The email address must be passed in an attribute named "mail".

4. If the SAML request needs to be signed, the signing certificate for it can be found in the Calabrio Identity and Access Management (IAM) Service Provider metadata for your region that’s detailed below or in the read-only Metadata URL field on the IAM Authentication page in Application Management if you use a subdomain-based log in URL after October 14th 2025.

   IAM Service Provider Metadata
   Australia	https://id-aus.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo
   Canada	https://id-ca.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo
   European Union	https://id-eu.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo
   United Kingdom	https://id-uk.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo
   United States	https://id.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo
   Singapore	https://id-sgp.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo

5. (Optional) Service Provider initiated Sign-on URL. When a user opens this URL, the service provider, Calabrio, redirects to your IdP to authenticate and sign on the user. This is not required for most IdPs.

   Use the Calabrio IAM Service for your region, or use the read-only Service Provider Initiated Sign-On URL field on the IAM Authentication page in Application Management if you use a subdomain-based log in URL after October 14th 2025.

   IAM Service
   Australia	https://id-aus.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=[IDP_ENTITY_ID_URL_ENCODED]
   Canada	https://id-ca.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=[IDP_ENTITY_ID_URL_ENCODED]
   European Union	https://id-eu.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=[IDP_ENTITY_ID_URL_ENCODED]
   United Kingdom	https://id-uk.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=[IDP_ENTITY_ID_URL_ENCODED]
   United States	https://id.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=[IDP_ENTITY_ID_URL_ENCODED]
   Singapore	https://id-sgp.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=[IDP_ENTITY_ID_URL_ENCODED]

   EXAMPLE   In this example for the United States IAM service, <https://www.example.com/123> is the IDP entity ID that becomes <https%3A%2F%2Fwww.example.com%2F123> when the URL is encoded.
   
   https://id.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=https%3A%2F%2Fwww.example.com%2F123

6. You need to assign users or groups who need access to Calabrio ONE to this application.

The following is an overview of how to configure Okta as your IdP:

1. Create an Okta app.
2. Configure the Okta app.

After you configure Okta, you have to download a metadata file and save the metadata file (see Export SAML Metadata). Afterward, follow the procedure detailed in Set up IAM authentication to connect your IdP to Calabrio ONE.

Create an app in Okta

1. Log in to Okta.

   NOTE   You must be a Super Administrator in Okta to create and configure an app.

2. Navigate to Applications > Applications.
3. Click Add Application.
4. Click Create New App.

5. In the Create New Application Integration dialog box, configure the fields as follows.

   Field	Configuration
   Platform	Select Web.
   Sign on method	Select SAML 2.0.

Configure the Okta app

1. In the General Settings tab, configure the fields as follows.

   Field	Configuration
   App name	Enter a unique name for Calabrio ONE.
   App logo	(Optional) Upload an image to identify Calabrio ONE in Okta.
   App visibility	(Optional) Limit who can see the image in Okta.

2. Click Next.

3. On the Configure SAML tab, configure the fields as follows.

   NOTE   If Advanced Settings is hidden, click Show Advanced Settings.

   Field	Configuration
   General
   Single sign on URL	Copy and paste the Assertion Consumer Service URL that was listed as a prerequisite. Leave the Use this for Recipient URL and Destination URL check box selected (default).
   Audience URI (SP Entity ID)	Copy and paste your Service Provider Entity ID that was listed as a prerequisite.
   Name ID format	Select EmailAddress.
   Application username	Select Email.
   Response	Select Signed.
   Assertion Signature	Select Signed.
   Signature Algorithm	Select either RSA-SHA1 or RSA-SHA256.
   Digest Algorithm	Select either RSA-SHA1 or RSA-SHA256.
   Assertion Encryption	Select Unencrypted.
   Enable Single Logout	Leave the Allow application to initiate Single Logout check box cleared (default).
   Authentication context class	Select PasswordProtectedTransport.
   Honor Force Authentication	Select Yes.
   SAML Issuer ID	Leave blank.
   Attribute Statements
   Name	Enter mail. NOTE   This allows a user’s email address to be properly mapped for SAML assertion.
   Name format	Select Unspecified.
   Value	Select user.email.

   NOTE   You do not need to configure any attributes in the Group Attribute Statements section.

4. Click Next.

5. In the Feedback tab, select the Feedback option that is appropriate to your company’s use of Okta.

   NOTE   Your choice does not affect the ability of Calabrio ONE to use Okta as an IdP.

6. In the Assignments tab, assign the groups and users that will have access to Calabrio ONE.
7. Click Finish.

The following procedure details how to integrate your OneLogin IdP for Calabrio ONE Identity and Access Management (IAM) Service Provider (SP).

Configure OneLogin

1. Log in to OneLogin as an administrator.
2. From the menu bar, go to Applications.
3. Click Add App.
4. In the App Listing search for the Calabrio ONE app.
5. Save your changes.

This section details how to integrate your Active Directory Federation Services (AD FS) IdP for Calabrio ONE Identity and Access Management (IAM) Service Provider (SP).

The following is an overview of how to configure single sign-on for Active Directory Federation Services (AD FS):

1. Configure a Global Authentication Policy.
2. Configure Relying Party Trust for your identity provider.
3. Configure the LDAP email claim rule for the Calabrio ONE trust.
4. Configure the incoming claim transform email address custom rule for the Calabrio ONE trust.
5. Configure the incoming claim add mail attribute custom rule for the Calabrio ONE trust.
6. Extract your Calabrio ONE service provider certificate.
7. Configure the secure hash algorithm and import your Calabrio ONE service provider certificate.
8. Assign users and/or groups to Active Directory for the AD FS.
9. Save your AD FS Federation Metadata XML file.
10. Follow the procedure detailed in Set up IAM authentication to connect your IdP to Calabrio ONE.

Configure Global Authentication Policy

1. Open the Windows Server AD FS Management Console.
2. Select the Authentication Policies folder.
3. Under Global Settings in Primary Authentication, click Edit. The Edit Global Authentication Policy window appears.
4. Under the Intranet section in the Primary tab, select the Forms Authentication check box and the Windows Authentication check box. If the check boxes are already selected, click Cancel.

Configure Relying Party Trust for your identity provider

Configuring Relying Party Trust for your identity provider is a multistep procedure.

First, begin the Add Relying Party Trust Wizard.

1. Open the Windows Server AD FS Management Console.
2. Expand the Trust Relationships folder.
3. Right-click the Relying Party Trusts folder, and then click Add Relying Party Trust. The Add Relying Party Trust Wizard appears.
4. Click Start.

Next, configure Relying Party Trust with the Add Relying Party Trust Wizard.

1. Choose Enter data about the relying party manually, and then click Next.
2. Enter “Calabrio ONE” in the Display name field, and then click Next.
3. Choose AD FS profile, and then click Next.
4. Click Next on the “Configure Certificate” step. You do not need to specify an optional token encryption certificate.
5. On the “Configure URL” step, click the Enable support for the SAML 2.0 WebSSO protocol check box.
6. Under Relying party SAML 2.0 SSO service URL, enter the Assertion Consumer Service URL (listed as a prerequisite) in the text field, and then click Next.
7. On the “Configure Identifiers” step, enter the Entity ID (listed as a prerequisite) in the Relying party trust identifier text field, click Add, and then click Next.
8. On the “Configure Multi-factor Authentication Now?” step, click the I do not want to configure multi-factor authentication settings for this relying party trust at this time check box, and then click Next.
9. On the “Choose Issuance Authorization Rules” step, click Permit all users to access this relying party check box, and then click Next.
10. On the “Ready to Add Trust” step, click Next.
11. On the “Finish” step, click the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box.
12. Click Close. The Edit Claim Rules for Calabrio ONE window appears.

Configure the LDAP email claim rule for the Calabrio ONE trust

1. Click Add Rule... under the Issuance Transform Rules tab in the Edit Claim Rules window.
2. Select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and then click Next.
3. Enter “LDAP Email Address” in the Claim rule name field.
4. Select Active Directory from the Attribute store drop-down list.
5. Select E-Mail Addresses from the LDAP Attribute drop-down list.
6. Select E-Mail Address from the Outgoing Claim Type drop-down list.
7. Click Finish to complete configuration of this claim rule and add the incoming claim transform rule.

Configure the incoming claim transform email address custom rule for the Calabrio ONE trust

1. Click Add Rule... under the Issuance Transform Rules tab in the Edit Claim Rules window.
2. Select Send Claims Using a Custom Rule from the Claim rule template drop-down list, and then click Next.
3. Enter “Transform Email Address” in the Claim rule name field.

4. Enter the following in the Custom rule field.

   NOTE   In the following example, calabriosp is the Entity ID; however, the entity ID value you see may be unique to your organization. Refer to the prerequisites section for details on how to identity your entity ID.

   Copy

   c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
   => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "calabriosp");

5. Click Finish to complete configuration of this claim rule.

Configure the incoming claim add mail attribute custom rule for the Calabrio ONE trust

1. Click Add Rule... under the Issuance Transform Rules tab in the Edit Claim Rules window.
2. Select Send Claims Using a Custom Rule from the Claim rule template drop-down list, and then click Next.
3. Enter “Add mail Attribute” in the Claim rule name field.

4. Enter the following in Custom rule field.

   Copy

   c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
   => issue(Type = "mail", Value = c.Value);

5. Click Finish to complete configuration of this claim rule.
6. Click OK to finish editing claim rules and close the Edit Claim Rules window.

Extract Calabrio ONE service provider certificate

1. In an internet browser, navigate to the IAM Service Provider Metadata URL (listed as a prerequisite).

2. Copy the contents of “X509Certificate” from under SPSSODescriptor > KeyDescriptor use=”signing”> to a file with .cer extension such as EUSigningCert.cer on the AD FS server.

   

Configure the secure hash algorithm and import Calabrio ONE service provider certificate

1. Open the Windows Server AD FS Management Console.
2. Open the Calabrio ONE trust you created in one of the previous procedures to open the Calabrio ONE Properties window.
3. Click the Advanced tab and select SHA-1 from the Secure hash algorithm drop-down list.

4. Click the Signature tab, and then click Add.... Select the Calabrio ONE service provider certificate created in the previous procedure.

   NOTE   If the Calabrio ONE service provider certificate is not listed, you might need to select All files (*.*) in the file-type filter in the lower right corner of the window next to the File name text field.

5. Click OK to finish editing the trust properties and close the Calabrio ONE Properties window.

Assign users and groups to Active Directory used for AD FS

Add desired user(s) and group(s) to the Active Directory used for AD FS to grant them access to Calabrio ONE via AD FS. A user’s email address must match the email address configured for the user in Calabrio ONE exactly.

Save your AD FS Federation Metadata XML file

Where in the below URL, <ADFS Hostname> is your ADFS hostname.

https://<ADFS Hostname>/FederationMetadata/2007-06/FederationMetadata.xml

AD FS Identity Provider-Initiated Single Sign-On

1. Navigate to the following unique URL in an internet browser.

   https://<ADFS Hostname>/adfs/ls/idpinitiatedsignon.aspx
   Where in the above URL, <ADFS Hostname> is your ADFS hostname.

2. Click Sign in to one of the following sites, and select Calabrio ONE from the drop-down list.
3. Enter your user credentials in the text fields, and then click Sign in. You are redirected and logged in to the Calabrio ONE site.

NOTE   You can follow the procedure detailed in Set up IAM authentication to connect your IdP to Calabrio ONE.

Troubleshooting procedures

AD FS event errors

The Event Viewer window displays logs of AD FS authentication issues. You can check past events to investigate errors.

1. Navigate to Event Viewer > Applications and Services Logs > AD FS > Admin.
2. Click the desired event in the Admin list for more details.

NameId Format in SAMLRequest issue

The NameId Format in SAMLRequest is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

If issues occur, update the Name ID Format field on the IAM Authentication page. See Set up IAM authentication for more information.

NOTE   In the following example, calabriosp is the Entity ID; however, the entity ID value you see may be unique to your organization. Refer to the prerequisites section for details on how to identity your entity ID.

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
Saml 

Relying Party: 
calabriosp 

Exception details: 
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: calabriosp. Actual NameID properties: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, NameQualifier:  SPNameQualifier: , SPProvidedId: .
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
Saml 

Relying Party: 
calabriosp 

Exception details: 
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified SPNameQualifier: calabriosp. Actual NameID properties: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, NameQualifier:  SPNameQualifier: , SPProvidedId: .
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Missing SPNameQualifier of your Entity ID

If you see the following error message, attempt the Configure the incoming claim transform email address custom rule for the Calabrio ONE trust procedure again.

NOTE   In the following example, calabriosp is the Entity ID; however, the entity ID value you see may be unique to your organization. Refer to the prerequisites section for details on how to identity your entity ID.

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
Saml 

Relying Party: 
calabriosp 

Exception details: 
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: calabriosp. Actual NameID properties: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, NameQualifier:  SPNameQualifier: , SPProvidedId: .
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Follow these procedures to integrate your Azure AD IdP with Calabrio ONE Identity and Access Management (IAM) Service Provider (SP).

Set up Azure AD IDP

1. Sign into your Azure portal.
2. On the left navigation panel, click on Azure Active Directory.
3. In the Azure Active Directory pane, click on Enterprise applications.
4. In the Enterprise applications pane, click on New application.
5. Click Non-gallery application.
6. Enter a name for the Calabrio ONE application and click Add. The name you enter for Calabrio ONE is referred to as Calabrio ONE <Application Name> in these procedures.
7. After the application is saved and loaded, click Single sign-on in the left-hand menu and then click SAML.
8. In the setup screen, click the pencil icon in the Basic SAML Configuration box.

9. Enter the following values into the fields.

   • Identifier (Entity ID) - listed as a prerequisite.
   • Reply URL (Assertion Consumer Service URL) - listed as a prerequisite.

   Do not enter any data into any other fields.

10. If the Sign on URL is marked as a required field, instead of an optional field, then copy and paste the Service Provider initiated Sign-on URL that was listed as a prerequisite.

    • The Azure AD Identifier for the Calabrio ONE application in Azure AD is in the Set up <Calabrio ONE Application Name> box in the setup screen. You can use a URL encoder to decode it.

      EXAMPLE   In this example for United States IAM, https://www.example.com/123 is the Azure AD Identifier that becomes https%3A%2F%2Fwww.example.com%2F123 when the URL is encoded.

      NOTE   For IdP-Initiated SAML, the Sign on URL field in the app in Azure AD must be empty.

11. Click Save.
12. Navigate to the setup screen.
13. Click the pencil icon in the User Attributes & Claims box.
14. Click ... the (ellipsis symbol) to edit the claim for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress under Additional claims.
15. Enter mail in the Name field.
16. Delete the pre-populated text in the Namespace field.
17. Ensure the Attribute button is selected as the Source (default).
18. Ensure user.mail is selected from the Source attribute drop-down list (default).
19. Click Save.
20. In the left-hand menu click Users and groups.
21. Click Add user.
22. In the Add Assignment pane, click Users and groups.
23. Select the user or group you want to assign to the application for access to Calabrio ONE. Click Select.
24. Click Assign to assign the user or group.
25. In the setup screen, click the pencil icon in the SAML Signing Certificate box.
26. Enter a notification email in Notification Email field for the certificate expiry reminders.
27. Click Save.
28. Click Download for Federation Metadata XML.
29. Save the metadata file. Then follow the procedure detailed in Set up IAM authentication to connect your IdP to Calabrio ONE.

Troubleshoot single sign-on

After Calabrio ONE IAM has been configured to use the application for Calabrio ONE in Azure AD, you can test the settings to see if single sign-on works for your account. This can be done using the Calabrio ONE URL provided by Calabrio Professional Services Account Representative.

You can test single sign-on from Azure AD.

1. Sign into your Azure portal.
2. In the left navigation panel, click Azure Active Directory.
3. In the Azure Active Directory pane, click Enterprise applications.
4. In the Enterprise applications pane, click on the Calabrio ONE application.
5. Click Single sign-on in the left-hand menu.
6. Click the Test button in the Test Single Sign-on with <Calabrio ONE Application Name> box to check if single sign-on is working. You can test using the user who is currently signed in or another user.

Troubleshoot error messages

If an error message appears follow the steps below.

1. Copy and paste the specifics from the error message into the What does the error look like? box.
2. Click Get resolution guidance.
3. Read the guidance to fix the issue.

Related Content

For more information on Microsoft Azure AD see the reference material linked below.

• Single Sign-On SAML protocol
• Application management documentation
• Quickstart: Add an application to your Azure Active Directory (Azure AD) tenant
• Understand SAML-based single sign-on
• Debug SAML-based single sign-on to applications in Azure Active Directory

After SAML authentication is configured for your IdP, the metadata needs to be downloaded and exported. Then follow the procedure detailed in Set up IAM authentication to connect your IdP to Calabrio ONE.

Download Okta SAML Metadata

1. Navigate to Applications > Sign On tab.
2. Click Identity Provider metadata to start the metadata download.

Download SAML Metadata for other IdPs

Most identity providers allow users to download metadata. To do so, follow the steps detailed below.

1. Navigate to your identity provider’s page.

2. Find the button that allows you to download your IdP’s metadata.

   NOTE   The name of the IdP metadata download button may vary depending on your IdP.
   

3. Save the metadata file then follow the procedure detailed in Set up IAM authentication to connect your IdP to Calabrio ONE.

Not all IdPs or IdP configurations require service provider certificates.

If your IdP or IdP configuration requires a service provider certificate to integrate with Calabrio ONE, use the signing certificate listed in the prerequisite.