...

  1. Start from https://portal.azure.com/ and navigate to Enterprise Applications

    • this can be done by searching for Enterprise Applications in the search box on the top of the screen
    • or by selecting All Services from the top-left corner menu, and then selecting Identity, and then Enterprise Applications
  2. From the Enterprise Applications screen, click New Application.

  3. You will be presented with a list of pre-configured applications.

    • Do not select from the list; instead, click Add, then Create your own Application
    • and then select the 3rd option (Integrate with app you are working on) ... and if asked, select SAML

    When asked, enter:

    • Name: <Your organisation> Tuakiri Login
    • Logo (optionally, may not be shown): upload your organisation's logo as the app icon
    • Identifier (Entity ID): entityID as per above
    • Reply URL (Assertion Consumer Service URL): ACS URL as per above
    • User Attributes and Claims: select all available information - this should at the very least include:
      • givenname
      • surname
      • emailaddress
      • name
    • and if shown, select: Integrate any other application (Non-Gallery)
    • and enter a Name - e.g., Tuakiri Login TEST (for TEST) or Tuakiri Login (for PROD)

  4. At this point, the Application gets created and gets an Application ID and Object ID assigned
  5. Assign Users and Groups (as appropriate)
    • Ideally, you'd assign a group representing all users to the application (allow access to all users)
    • Or it might be a group representing just Staff
    • Or, if Azure AD licensing does not permit use of groups, select individual users
  6. Navigate back to the just-created Application via breadcrumbs at the top
  7. Select Setup Single Sign On, select SAML
  8. On the Set up Single Sign-on with SAML page
    • Edit Basic SAML Configuration: EntityID, Assertion Consumer Service (ACS) as per above
    • Leave Sign on URL, Relay State and Logout URL blank
    • User Attributes and Claims: the attributes selected by default are OK for the minimum viable set of attributes
      • Assuming these include givenname, surname, emailaddress, name
      • If available and desired, include also other attributes that map to Tuakiri Attributes - such as phoneNumber and address.
    • Select principalName (or email address) as Unique User Identifier
    • Once the service is created, download the metadata for your AzureAD instance - the Download link should be under Federation Metadata XML in the SAML Signing Certificate section
    • On the Attribute Mapping page, select all available information, as listed above
  9. You also need to Enable the app for your users.
    • Under the listing of your application, navigate to Users and groups.
    • Add a group representing all users (all users who should have access).

Once the registration is complete, confirm this to Tuakiri support and send through your IdP metadata, along with the other information required on the Tuakiri Hosted IdP page.