How to configure Ooma Enterprise as the Service Provider

Description: The purpose of this article is to guide you through the process of setting up Ooma Enterprise as the Service Provider (SP) for a Single Sign-On (SSO) integration with Azure AD.

As mentioned in this article, configuring SSO requires settings on both the Service Provider (SP) and Identity Provider (IdP) sides. In this specific article, we will provide an overview of how to configure Ooma Enterprise as the SP.

Overview of the "IdP and SSO" tab

After accessing your company account page in the Phone System App of the Ooma Admin Portal, navigate to the "IdP and SSO" tab. You will then be presented with this interface.

When you click on the "Set Up Identity Provider" button, this dialog form will be displayed.

Here you can find a list of nine parameters, which includes both required and optional ones:

• SSO URL: it is the specific endpoint or address that is used for the SSO integration between the IdP and the SP. This URL is provided by the IdP. and you can find the relevant URL for your IdP in one of the corresponding articles available here.
• NameID Format: here you can find the predefined format used for representing the user's identity in the SAML response. The format determines how the user's identifier is structured and presented. 

Please note that this field is automatically set by the system and cannot be modified.

• X509 Certificate: by selecting the "Upload File" button, you have the option to upload the X509 certificate issued by your IdP. 

An X509 certificate is a digital certificate that adheres to the X.509 standard, which specifies the format for public key certificates. It is widely used for securing communication and verifying the identities of entities in various systems and protocols. 

In the SSO integration context, the IdP uses the X509 certificate to sign the SAML assertions or tokens it generates during the authentication process. This X509 certificate serves as a digital signature that can be verified by the SP.

Once you have successfully uploaded the X509 certificate obtained during the IdP configuration, the "Upload File" button will become disabled, and an additional line will appear describing the uploaded file. 

If you wish to delete the uploaded file and upload a different one, you can do so by clicking on the Trash Bin badge located next to the file description.

• Unique ID Claim: in this field, you can specify the name of the claim that will be included in the SAML response, and it will contain the unique ID of the user.
• USE NameID For Email: enabling this parameter instructs Ooma to use the Subject/NameID XML elements from the SAML response for retrieving the user's email address. When this toggle switch is turned on, the "Email claim" field will be hidden, but it's important to note that the "Username Claim" field becomes mandatory and must be filled out.

Caution: when filling out the "Username Claim" field, entering incorrect data and activating the SSO feature may result in the inability to log in to the Admin Portal without the assistance of technical support.

• Email Claim: within this field, you can specify the name of the claim included in the SAML response, which carries the user's email address information.
• Username Claim: here you can define the name of the claim present in the SAML response, which contains the user's username information.
• USE POST Method Sign Requests: by enabling this toggle switch, the authentication request will use the HTTP POST binding with the identity provider, instead of the default Redirect binding that employs the HTTP GET method.
• Sign Requests: by enabling this feature, you can sign the authentication request that is sent to the identity provider. 

By enabling this toggle switch, you will gain access to the option of downloading both the public key and verification certificate on the following page.

Instructions for filling out these fields depend on the specific IdP you are using. You can find a list of corresponding articles below that provide guidance on how to complete these fields based on your IdP.

After completing the configuration of all the provided parameters, make sure to click the "Save" button to save the changes you have made.

Updated "IdP and SSO" tab

After filling out all the mandatory fields and pressing the "Save" button, the interface of the "IdP and SSO" tab will be updated accordingly.

Please take note that our system supports SSO integration with only one IdP for company accounts.

The data present on this web page can be categorized into two sections:

• Set Up Identity Provider: here you can find three URLs and one button.
  • URLs: all of these URLs are system-generated and cannot be modified. You will need these URLs during the IdP configuring process. To easily copy any URL, simply click on the two-sheets badge next to it.

If you have enabled the "Sign Request" feature when configuring the parameters of Ooma as the SP, you will notice the appearance of two additional lines in this section.

If necessary, an IdP might require the upload of a public key and/or a verification certificate. In such cases, you can conveniently download these files from this location.

• The "Edit Identity Provider Information" button: upon clicking this button, you will be redirected back to the dialog form mentioned earlier, where you can modify the previously set parameters for the SP. The interface will include an additional "Delete" button, which enables you to remove the saved configuration if needed.

After clicking the "Delete" button, a pop-up window will appear over the web page, and you will need to confirm your action in this window.

• Single Sign-On: within this section, you can find the toggle switch that enables the SSO feature for this account.

If you have enabled the "USE NameID For Email" switch, double-check the data entered in the "Username Claim". Activating the SSO feature with incorrect data may render you unable to log in to the Admin Portal without the assistance of technical support.

After toggling the "Enable" switch and observing a brief spinner animation, the SSO feature will be successfully activated for your SP through the IdP.

If you wish to deactivate the SSO feature for any reason, simply click on the toggle switch again and confirm your action in a new pop-up window that will be displayed on top of the web page.

Configuring IdPs

Below, you will find a compilation of links to articles that provide detailed instructions on how to configure different third-party IdPs for seamless SSO integration with Ooma.

Azure Active Directory

• Microsoft Azure Registration.
• How to Create and Configure an Azure AD DS managed domain.
• How to add Ooma (SP) to Azure AD.
• Configuring the Ooma / Azure AD SSO Integration.

Okta

• Configuring the Ooma / Okta SSO Integration. 

Auth0

• Configuring the Ooma / Auth0 SSO Integration. 

Google

• Configuring the Ooma / Google SSO Integration. 

Microsoft 365

• How to create a user in Microsoft 365.
• Microsoft Azure Registration.
• How to Create and Configure an Azure AD DS managed domain.
• How to add Ooma (SP) to Azure AD.
• Configuring the Ooma / Microsoft 365 SSO Integration.