SSO set up steps for Microsoft Entra ID (Azure)

Microsoft Entra ID is the new name for Azure AD. The names Azure Active Directory, Azure AD, and AAD are replaced with Microsoft Entra ID.

Set up steps

1. Log in to your Entra admin portal.
2. Browse to Identity > Applications > Enterprise applications.
3. Select New application and then Create your own application.
4. Enter the name "StoryBox Hub" and choose "Integrate any other application you don’t find in the gallery" then click Create.
5. In the Overview page, select Set up Single Sign-On and then SAML.
6. Select Edit in Basic SAML Configuration.
7. In a separate browser tab or window, log in to your StoryBox Account Settings as the Account Holder.
8. Still in StoryBox Hub, scroll down to Other Account Actions on the right hand side and click Configure SSO details.
9. For Identity provider choose "Microsoft Entra ID (Azure)".
10. Type some dummy text into the following fields, we'll come back to edit them properly later (we’re looking into changing how this works). For example:
    • IdP Entity ID or Issuer: tbc
    • SAML Login URL: https://storyboxhub.com
    • X.509 Certificate: tbc
    • User name attribute: tbc
11. Click the Update button at the bottom of the page.
12. This will generate a new section called Metadata to configure the IDP. Save these values into the Basic SAML Configuration section back in Entra:
    • Copy the SP-EntityID / Issuer URL and paste it into the Identifier (Entity ID) field in Entra. It usually starts with https://auth.storyboxhub.com/saml2/ and ends with /metadata
    • Copy the ACS (AssertionConsumer Service) URL/Issuer URL and paste it into the Reply URL (Assertion Consumer Service URL) field in Entra. It usually starts with https://auth.storyboxhub.com/saml2/ and ends with /acs
13. Click Save.
14. Still in the Entra admin portal, click Edit in the Attributes & Claims section.
15. If you don't see any Claim name URLs, you might have to add them first. When you've done this, copy the Claim name URLs in Entra into the Attribute Mapping section in your StoryBox Hub SSO settings. The defaults are usually as follows:
    • User name attribute (required): http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name - this is not displayed anywhere but is used as a unique identifier for the sub-account that gets created during an SSO user's first log in. As such it is required, or individual sub-accounts cannot be created.
    • Email attribute (optional): http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    • First name attribute (optional): http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname - if this is mapped it will appear in the top right corner when an SSO user is logged in, in the dropdown menu that takes them to their account settings. If it isn't mapped the organisation name will appear here instead.
    • Last name attribute (optional): http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    • (Role and Group name attributes are optional and not currently utilised but may be used for personalised functionality in the future.)
16. In the Entra admin portal, look for the SAML Certificates section. Download the Certificate (Base64) file, open it, and copy its contents into the X.509 Certificate field in StoryBox Hub.
17. In the Entra admin portal, look for the Set up SAML App section. Copy these values into the Configure Service Provider section in your StoryBox Hub SSO settings:
    • Copy the Login URL and paste it into SAML Login URL field in StoryBox Hub. This usually starts with https://login.microsoftonline.com/ and ends with /saml2 (no slash at the very end).
    • Copy the Microsoft Entra / Azure AD Identifier URL and paste it into the IdP Entity ID or Issuer field in StoryBox Hub. This usually starts with https://sts.windows.net/ and ends with a slash / at the end.
18. In your StoryBox Hub SSO settings, click the Update button. You should now be ready to test the connection.

Testing steps

1. Log out of your StoryBox Hub Account Holder settings.
2. While still on the StoryBox Hub homepage, click the LOG IN button in the top right corner.
3. Click SSO.
4. Find your Organisation Name in the dropdown box. (You can edit the name that shows here in your Account Holder settings.)
5. Click LOG IN.
6. Submit user credentials for your organisation.
7. You should be redirected back to StoryBox Hub and be logged in when the page loads. If you've mapped the attributes correctly and you included a First Name attribute, you should see the first name of the user you logged in as in the top right hand corner.

Direct login page link

If you can log in successfully, you can use this URL format as a direct link to your organisation's StoryBox Hub login page:

https://storyboxhub.com/login?sso_id=XXXX

Replace XXXX with the same number you see in your StoryBox Hub Entity ID and ASC URLs.

If a user visits that page and they’re already logged in to Entra in the same browser session, they should be logged straight in to StoryBox Hub after clicking the LOG IN button.

Troubleshooting

If you follow the steps above and experience any issues, please contact our support team with these details:

• Your identity provider's name
• Screenshots of your SAML configuration from your IdP’s admin portal
• Screenshots of any error messages
• A set of test user credentials