Configure Azure AD SSO
Add the Azure AD SAML Toolkit application
From Home, click Enterprise applications.
Add a new application, search for Azure AD SAML Toolkit, and create it after giving it an explicit name (Cloudi-Fi Administrators, for instance).
Configure Single Sign-On
Once you have the Azure AD SAML Toolkit application, click on it and go to Single Sign-On. On the Select a single sign-on method page, select SAML.
On Set up Single Sign-On with SAML Page
On the Basic SAML Configuration page, enter the values for the following fields:
- Identifier (Entity ID): https://admin.cloudi-fi.net/ (from Cloudi-Fi: marked A, click the copy icon)
- Reply URL (Assertion Consumer Service URL): copy and paste the linkback URL or type https://admin.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-saml4admin// (from Cloudi-Fi: marked B, click the copy icon)
- Sign-on URL: https://admin.cloudi-fi.net/sso/ (from Cloudi-Fi: marked C, click the copy icon)
The company hash is visible on your Cloudi-Fi account; go to Settings > Company Account > Cloudi-Fi Public Key.

On Cloudi-Fi Side
Go to Settings > Auth modes > SAML for Administrators and enter the values for the following fields:
- Entity Id: Azure AD Identifier (Marked 2)
- Binding Method: Post or Redirect
- Login Endpoint: Login URL (Marked 1)
- Logout Binding Method (Optional): Post or Redirect
- IdP Signing Certificate (x509 format): download the raw certificate and paste it here (without the "Begin Certificate" and "End certificate" markers)
- Email Attribute name: claim name corresponding to the Mail value (Marked 1)

Enable Administrator auto-provisioning (Optional)
Enabling automatic administrator provisioning allows administrators to be assigned a Cloudi-Fi profile based on the Azure AD group to which they belong.
On the Azure AD side, once the groups are created and the members allocated, the next step is the SSO SAML configuration, with the creation and management of the "Attributes & Claims". In addition to the information on the user (the name, the first name, and the email address), we need to assign a profile to this user by creating an additional claim.
The configuration is done as follows:

- Click on Add a new claim
- Give it a name (profile, for instance)
- Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
- In the Claim conditions, create as many profiles as you need to allow on the Cloudi-Fi interface
  - User type: Members or Any
  - Scoped Groups: select the groups allowed to have access to the Cloudi-Fi Admin Console
  - Source: Attribute
  - Value: profile value (Lobby, ReadOnly, or Admin, for instance)
- On the Cloudi-Fi side, configure or finalize the SAML configuration
Go to Settings > Auth modes > SAML for Administrators. Enable Administrator auto-provisioning and type the claim name corresponding to the profile in the SAML Profile Attribute field.

You can also assign a Default profile if no profile is received in the SAML response.
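The following Python sketch is an added example, not Cloudi-Fi or Microsoft code: it reads the attribute statement of a SAML response captured during setup and resolves the profile as the steps above describe, including the default-profile fallback. The sample XML, the function names, the allow-list and the choice to reject unknown values are assumptions; with the namespace above, Azure AD emits the claim under the name namespace + "/" + claim name.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIM_NAMESPACE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
PROFILE_ATTRIBUTE = CLAIM_NAMESPACE + "/profile"   # claim named "profile", as in the steps above
ALLOWED_PROFILES = {"Lobby", "ReadOnly", "Admin"}  # example profile values from this page

# Constructed sample: attribute statement for a member of a group scoped to "ReadOnly".
# Setup aid only: it inspects claims and does not verify the assertion signature.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML}">
  <saml:Attribute Name="{CLAIM_NAMESPACE}/emailaddress">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{CLAIM_NAMESPACE}/profile">
    <saml:AttributeValue>ReadOnly</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def attribute_values(statement_xml):
    """Map each SAML attribute name to the list of values it carries."""
    root = ET.fromstring(statement_xml)
    found = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def resolve_profile(statement_xml, attribute_name=PROFILE_ATTRIBUTE, default_profile=None):
    """Return (profile, reason); the default applies only when the claim is absent."""
    values = attribute_values(statement_xml).get(attribute_name, [])
    if not values:
        return default_profile, "claim absent: default profile applied"
    if len(values) != 1 or values[0] not in ALLOWED_PROFILES:
        return None, "claim present but not exactly one allowed value: rejected"
    return values[0], "claim matched"


if __name__ == "__main__":
    # Correct attribute name: the group-based profile is used.
    print(resolve_profile(SAMPLE, default_profile="Lobby"))
    # Attribute name that does not match what the IdP sends: every
    # administrator silently receives the default profile instead.
    print(resolve_profile(SAMPLE, attribute_name="profile", default_profile="Lobby"))
```

Because a mismatched attribute name falls through to the default, the default profile is best set to the least privileged one.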
Useful Links
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-saml
Troubleshooting