Note on product naming: As of 2022, Bananatag is Staffbase's Employee Email product.
Your organization’s Microsoft Entra ID (previously Azure AD) can be configured to allow Single Sign-On (SSO) with Employee Email, enabling employees to sign in with the same Microsoft credentials that they use to access their main Outlook 365 work email account as well as their other cloud-based Office platforms. Depending on your company and IT requirements, employees may also be using the same credentials to sign into their work laptops or desktop devices.
To help your organization plan for this type of integration, share this support article with your IT team and/or Microsoft Entra administrators.
Prerequisites
- You have access to your organization’s Microsoft Entra ID with the proper permissions to add and configure a new enterprise application.
- You have access to Employee Email with Parent Admin permissions.
Only SP-initiated SSO requests are supported, not IdP-initiated requests. Access needs to take place through one of the following domains:
- North American customers - app.bananatag.com
- European customers - app.de.bananatag.com
Multi-domain configurations are not supported.
Additional domain users will be required to sign in with their username and password.
Create an Enterprise Application
- Open Microsoft Entra ID.
- Navigate to Enterprise applications.
- Click New application.
- Click Create your own application.
- Enter a name under What’s the name of your app?
Make sure that it will be easy to recognize later, for example, "Employee Email".
- Select Integrate any other application you don’t find in the gallery (Non-gallery).
- Click Create.
It takes about a minute to create the application.
Configure SAML for Your Enterprise Application
- From the application details screen, navigate to Single sign-on.
- Click SAML.
- Click Edit and enter the required values for Basic SAML Configuration.
Identifier (Entity ID) = urn:bananatag
Reply URL
US Hosting = https://login-service.bananatag.com/sso/acs/<customerDomain>
EU Hosting = https://login-service.prod-eu-c1.bananatag.com/sso/acs/<customerDomain>
Sign on URL
US Hosting = https://login.bananatag.com
EU Hosting = https://login.de.bananatag.com
Relay State (Optional) = <blank>
Logout URL (Optional) = <blank>
- Confirm the required values for Attributes & Claims.
givenname or firstname = user.givenname or user.firstname
surname or lastname = user.surname or user.lastname
emailaddress = user.mail
name = user.userprincipalname
Unique User Identifier = user.mail
The Unique User Identifier claim may differ if your tenant manages multiple domains. For example, user.userprincipalname instead of user.mail.
Remove namespace from each claim.
- Download the Federation Metadata XML file.
You will need this XML download for the next steps that you complete in Employee Email.
Assign Users to Your Enterprise Application
- From the application details screen, navigate to Users and groups.
- Click Add user/group.
- Search for all users who currently have access to Employee Email, then add and assign them.
Upload Your Federation Metadata XML File
Take the Federation Metadata XML file that you downloaded from Azure Active Directory when configuring SAML and upload it to Employee Email.
SSO Identity Providers (IdPs) other than Azure can produce the same type of file and be integrated with Employee Email using the same process.