Description: The purpose of this article is to guide you through the process of configuring the Ooma / Microsoft 365 SSO integration.
This user guide provided below assumes that you meet certain prerequisites: you should be familiar with the Ooma Enterprise interface, have a Microsoft 365 admin account, created a Microsoft 365 user, created a managed domain in Azure AD, and have already added the Ooma app to Azure AD as a non-gallery application.
To enable SSO integration with third-party apps acting as Service Providers (SPs), Microsoft 365 uses Azure Active Directory (Azure AD) as the Identity Provider (IdP).
Azure AD is a dedicated platform developed by Microsoft specifically for this purpose. It serves as the central identity and access management service within the Microsoft 365 ecosystem, allowing seamless authentication and authorization for users across various applications and services.
To simplify the integration process, which involves navigating between two applications and performing specific actions, the following steps will be provided. Each step will be performed within a specific app, allowing for a clearer and more manageable process.
Step 1
To initiate the configuration process for SSO integration, you need to access two specific pages. You can organize them as two neighboring tabs in your web browser.
Firstly, open the "IdP and SSO" tab on your company account page in the Phone System App of the Ooma Admin Portal.
Secondly, open the SAML parameters page within the SSO section of the managed domain in Azure AD that is designated for Ooma.
Step 2
In this step, you will begin the configuration process in Azure AD by setting up the SAML parameters within the SSO section of the managed domain intended for Ooma. Navigate to the parameter card №4.
In this parameter card, you will need the Login URL of the managed domain. Simply click on the "Copy" badge next to the link to copy it to your clipboard.
Step 3
Go to the Ooma Admin Portal page in your web browser and press the "Set Up Identity Provider" button.
Microsoft 365/Azure operates in a distinct manner compared to other IdPs, characterized by the following:
1. It does not support simultaneous enabling of both PostRequests=true and SignRequests=true. Instead, it functions when either one of these features is enabled.
2. While most IdPs require a public key when SignRequests=true, Microsoft 365/Azure has an additional requirement of a certificate alongside the public key.
We should take both of these points into account when configuring the SSO integration.
This dialog form will appear.
Paste the URL from the clipboard into the SSO URL field on this form.
Step 4
There is a circular dependency issue when setting up an IdP in the Ooma Admin Portal and completing the configuration of the SP. An X.509 certificate is required, but Azure AD generates this certificate only after the SP configuration is finalized.
However, there is a trick to overcome this issue: You can create a "placeholder" X.509 certificate, which will enable you to finalize the SP configuration and input the SP's data into Azure AD. This will generate a real X.509 certificate that can then be uploaded to the IdP configuration in the Ooma Admin Portal.
You have the flexibility to choose the method for creating the "placeholder" X.509 certificate. Here are a few examples of how to do it:
1. Use the console to generate the certificate via OpenSSL (link).
2. Use any suitable online tool (link)
Press the "Upload File" button and upload the "placeholder" X.509 certificate.
Step 5
Find the "Email Claim" field on this dialog form.
This value should be entered into this field:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
After finishing the given actions, make sure to click the "Save" button to save the changes you have made.
After that, the interface of the "IdP and SSO" tab of the Ooma Admin Portal will be updated accordingly.
Step 6
On the updated "IdP and SSO" tab of the Ooma Admin Portal, you will require two URLs: Callback URL (ACS) and Issuer.
Prepare to copy these URLs to the clipboard and paste them in the following steps of this guide.
Step 7
Go to the Azure AD page in your web browser, find the parameter card №1, and press the "Edit" button.
After clicking this button, a side menu will appear.
There are two mandatory fields you need to provide information for:
- Identifier (Entity ID): the default identifier will be the audience of the SAML response for identity provider-initiated single sign-on.
You should input here the Issuer URL, which can be found on the updated "IdP and SSO" tab of the Ooma Admin Portal. Please navigate back to that browser tab and copy and paste the URL into this field.
- Reply URL (Assertion Consumer Service URL): the default reply URL will be the destination in the SAML response for identity provider-initiated single sign-on.
You should input here the Callback URL (ACS), which can be found on the updated "IdP and SSO" tab of the Ooma Admin Portal. Please navigate back to that browser tab and copy and paste the URL into this field.
Once you have entered the required information in both fields, click the "Save" button to save and apply the changes you made.
Step 8
Proceed to parameter card №3 and press the "Download" button to download the Certificate (Base64).
This certificate contains the X.509 certificate that contains a configuration with both the SP and IdP data.
Step 9
Go to the updated "IdP and SSO" tab of the Ooma Admin Portal and press the "Edit Identity Provider Information" button.
In the opened dialog form, delete the existing "placeholder" X.509 certificate by clicking on the Trash Bin badge next to it. Then, upload the correct certificate by clicking the "Upload File" button once it becomes active again.
After finishing the given actions, make sure to click the "Save" button to save the changes you have made.
Step 10
On the updated "IdP and SSO" tab of the Ooma Admin Portal, toggle the "Enable" switch in order to activate the SSO integration between the Ooma (SP) and Azure AD (IdP).
From this point onwards, the SSO integration is considered complete and expected to function properly.
In scenarios where signature verification is necessary, it is advised to enable the "Sign Request" feature and consult the official Microsoft manual provided for guidance.
To further validate the integration, you can click the "Test" button located on parameter card №5 within the Azure AD SSO section of the managed domain designated for Ooma. It is important to note that this user guide does not cover troubleshooting steps.
If you require further assistance with this matter, please contact our customer support team.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article