|
| 1 | +--- |
| 2 | +title: 'Tutorial: Azure Active Directory integration with MobileIron | Microsoft Docs' |
| 3 | +description: Learn how to configure single sign-on between Azure Active Directory and MobileIron. |
| 4 | +services: active-directory |
| 5 | +documentationCenter: na |
| 6 | +author: jeevansd |
| 7 | +manager: femila |
| 8 | +ms.reviewer: joflore |
| 9 | + |
| 10 | +ms.assetid: 3e4bbd5b-290e-4951-971b-ec0c1c11aaa2 |
| 11 | +ms.service: active-directory |
| 12 | +ms.workload: identity |
| 13 | +ms.tgt_pltfrm: na |
| 14 | +ms.devlang: na |
| 15 | +ms.topic: article |
| 16 | +ms.date: 10/2/2017 |
| 17 | +ms.author: jeedes |
| 18 | + |
| 19 | +--- |
| 20 | +# Tutorial: Azure Active Directory integration with MobileIron |
| 21 | + |
| 22 | +In this tutorial, you learn how to integrate MobileIron with Azure Active Directory (Azure AD). |
| 23 | + |
| 24 | +Integrating MobileIron with Azure AD provides you with the following benefits: |
| 25 | + |
| 26 | +- You can control in Azure AD who has access to MobileIron. |
| 27 | +- You can enable your users to automatically get signed-on to MobileIron (Single Sign-On) with their Azure AD accounts. |
| 28 | +- You can manage your accounts in one central location - the Azure portal. |
| 29 | + |
| 30 | +If you want to know more details about SaaS app integration with Azure AD, see [what is application access and single sign-on with Azure Active Directory](active-directory-appssoaccess-whatis.md). |
| 31 | + |
| 32 | +## Prerequisites |
| 33 | + |
| 34 | +To configure Azure AD integration with MobileIron, you need the following items: |
| 35 | + |
| 36 | +- An Azure AD subscription |
| 37 | +- A MobileIron single sign-on enabled subscription |
| 38 | + |
| 39 | +> [!NOTE] |
| 40 | +> To test the steps in this tutorial, we do not recommend using a production environment. |
| 41 | +
|
| 42 | +To test the steps in this tutorial, you should follow these recommendations: |
| 43 | + |
| 44 | +- Do not use your production environment, unless it is necessary. |
| 45 | +- If you don't have an Azure AD trial environment, you can [get a one-month trial](https://azure.microsoft.com/pricing/free-trial/). |
| 46 | + |
| 47 | +## Scenario description |
| 48 | +In this tutorial, you test Azure AD single sign-on in a test environment. |
| 49 | +The scenario outlined in this tutorial consists of two main building blocks: |
| 50 | + |
| 51 | +1. Adding MobileIron from the gallery |
| 52 | +2. Configuring and testing Azure AD single sign-on |
| 53 | + |
| 54 | +## Adding MobileIron from the gallery |
| 55 | +To configure the integration of MobileIron into Azure AD, you need to add MobileIron from the gallery to your list of managed SaaS apps. |
| 56 | + |
| 57 | +**To add MobileIron from the gallery, perform the following steps:** |
| 58 | + |
| 59 | +1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon. |
| 60 | + |
| 61 | + ![The Azure Active Directory button][1] |
| 62 | + |
| 63 | +2. Navigate to **Enterprise applications**. Then go to **All applications**. |
| 64 | + |
| 65 | + ![The Enterprise applications blade][2] |
| 66 | + |
| 67 | +3. To add new application, click **New application** button on the top of dialog. |
| 68 | + |
| 69 | + ![The New application button][3] |
| 70 | + |
| 71 | +4. In the search box, type **MobileIron**, select **MobileIron** from result panel then click **Add** button to add the application. |
| 72 | + |
| 73 | +  |
| 74 | + |
| 75 | +## Configure and test Azure AD single sign-on |
| 76 | + |
| 77 | +In this section, you configure and test Azure AD single sign-on with MobileIron based on a test user called "Britta Simon." |
| 78 | + |
| 79 | +For single sign-on to work, Azure AD needs to know what the counterpart user in MobileIron is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in MobileIron needs to be established. |
| 80 | + |
| 81 | +In MobileIron, assign the value of the **user name** in Azure AD as the value of the **Username** to establish the link relationship. |
| 82 | + |
| 83 | +To configure and test Azure AD single sign-on with MobileIron, you need to complete the following building blocks: |
| 84 | + |
| 85 | +1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature. |
| 86 | +2. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. |
| 87 | +3. **[Create a MobileIron test user](#create-a-mobileiron-test-user)** - to have a counterpart of Britta Simon in MobileIron that is linked to the Azure AD representation of user. |
| 88 | +4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on. |
| 89 | +5. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works. |
| 90 | + |
| 91 | +### Configure Azure AD single sign-on |
| 92 | + |
| 93 | +In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your MobileIron application. |
| 94 | + |
| 95 | +**To configure Azure AD single sign-on with MobileIron, perform the following steps:** |
| 96 | + |
| 97 | +1. In the Azure portal, on the **MobileIron** application integration page, click **Single sign-on**. |
| 98 | + |
| 99 | + ![Configure single sign-on link][4] |
| 100 | + |
| 101 | +2. On the **Single sign-on** dialog, select **Mode** as **SAML-based Sign-on** to enable single sign-on. |
| 102 | + |
| 103 | +  |
| 104 | + |
| 105 | +3. On the **MobileIron Domain and URLs** section, perform the following steps if you wish to configure the application in **IDP** initiated mode: |
| 106 | + |
| 107 | +  |
| 108 | + |
| 109 | + a. In the **Identifier** textbox, type a URL using the following pattern: `https://www.mobileiron.com/<key>` |
| 110 | + |
| 111 | + b. In the **Reply URL** textbox, type a URL using the following pattern: `https://<host>.mobileiron.com/saml/SSO/alias/<key>` |
| 112 | + |
| 113 | +4. Check **Show advanced URL settings** and perform the following step if you wish to configure the application in **SP** initiated mode: |
| 114 | + |
| 115 | +  |
| 116 | + |
| 117 | + In the **Sign-on URL** textbox, type a URL using the following pattern: `https://<host>.mobileiron.com/user/login.html` |
| 118 | + |
| 119 | + > [!NOTE] |
| 120 | + > These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. You will get the values of key and host from the administrative portal of MobileIron which is explained later in the tutorial. |
| 121 | + |
| 122 | +5. On the **SAML Signing Certificate** section, click **Metadata XML** and then save the metadata file on your computer. |
| 123 | + |
| 124 | +  |
| 125 | + |
| 126 | +6. Click **Save** button. |
| 127 | + |
| 128 | +  |
| 129 | + |
| 130 | +7. In a different web browser window, log in to your MobileIron company site as an administrator. |
| 131 | + |
| 132 | +8. Go to **Admin** > **Identity**. |
| 133 | + |
| 134 | + a. Select **AAD** option in the **Info on Cloud IDP Setup** field. |
| 135 | + |
| 136 | +  |
| 137 | + |
| 138 | +9. Copy the values of **Key** and **Host** and paste them to complete the URLs in the **MobileIron Domain and URLs** section in Azure portal. |
| 139 | + |
| 140 | +  |
| 141 | + |
| 142 | +10. In the **Export metadata file from AAD and import to MobileIron Cloud Field** click **Choose File** to upload the downloaded metadata from Azure portal. Click **Done** once uploaded. |
| 143 | + |
| 144 | +  |
| 145 | + |
| 146 | +> [!TIP] |
| 147 | +> You can now read a concise version of these instructions inside the [Azure portal](https://portal.azure.com), while you are setting up the app! After adding this app from the **Active Directory > Enterprise Applications** section, simply click the **Single Sign-On** tab and access the embedded documentation through the **Configuration** section at the bottom. You can read more about the embedded documentation feature here: [Azure AD embedded documentation]( https://go.microsoft.com/fwlink/?linkid=845985) |
| 148 | +
|
| 149 | +### Create an Azure AD test user |
| 150 | + |
| 151 | +The objective of this section is to create a test user in the Azure portal called Britta Simon. |
| 152 | + |
| 153 | + ![Create an Azure AD test user][100] |
| 154 | + |
| 155 | +**To create a test user in Azure AD, perform the following steps:** |
| 156 | + |
| 157 | +1. In the Azure portal, in the left pane, click the **Azure Active Directory** button. |
| 158 | + |
| 159 | +  |
| 160 | + |
| 161 | +2. To display the list of users, go to **Users and groups**, and then click **All users**. |
| 162 | + |
| 163 | +  |
| 164 | + |
| 165 | +3. To open the **User** dialog box, click **Add** at the top of the **All Users** dialog box. |
| 166 | + |
| 167 | +  |
| 168 | + |
| 169 | +4. In the **User** dialog box, perform the following steps: |
| 170 | + |
| 171 | +  |
| 172 | + |
| 173 | + a. In the **Name** box, type **BrittaSimon**. |
| 174 | + |
| 175 | + b. In the **User name** box, type the email address of user Britta Simon. |
| 176 | + |
| 177 | + c. Select the **Show Password** check box, and then write down the value that's displayed in the **Password** box. |
| 178 | + |
| 179 | + d. Click **Create**. |
| 180 | + |
| 181 | +### Create a MobileIron test user |
| 182 | + |
| 183 | +To enable Azure AD users to log in to MobileIron, they must be provisioned into MobileIron. |
| 184 | +In the case of MobileIron, provisioning is a manual task. |
| 185 | + |
| 186 | +**To provision a user account, perform the following steps:** |
| 187 | + |
| 188 | +1. Log in to your MobileIron company site as an administrator. |
| 189 | + |
| 190 | +2. Go to **Users** and Click on **Add** > **Single User**. |
| 191 | + |
| 192 | +  |
| 193 | + |
| 194 | +3. On the **“Single User”** dialog page, perform the following steps: |
| 195 | + |
| 196 | +  |
| 197 | + |
| 198 | + a. In **E-mail Address** text box, enter the email of user like [email protected]. |
| 199 | + |
| 200 | + b. In **First Name** text box, enter the first name of user like Britta. |
| 201 | + |
| 202 | + c. In **Last Name** text box, enter the last name of user like Simon. |
| 203 | + |
| 204 | + e. Click **Done**. |
| 205 | + |
| 206 | +### Assign the Azure AD test user |
| 207 | + |
| 208 | +In this section, you enable Britta Simon to use Azure single sign-on by granting access to MobileIron. |
| 209 | + |
| 210 | +![Assign the user role][200] |
| 211 | + |
| 212 | +**To assign Britta Simon to MobileIron, perform the following steps:** |
| 213 | + |
| 214 | +1. In the Azure portal, open the applications view, and then navigate to the directory view and go to **Enterprise applications** then click **All applications**. |
| 215 | + |
| 216 | + ![Assign User][201] |
| 217 | + |
| 218 | +2. In the applications list, select **MobileIron**. |
| 219 | + |
| 220 | +  |
| 221 | + |
| 222 | +3. In the menu on the left, click **Users and groups**. |
| 223 | + |
| 224 | + ![The "Users and groups" link][202] |
| 225 | + |
| 226 | +4. Click **Add** button. Then select **Users and groups** on **Add Assignment** dialog. |
| 227 | + |
| 228 | + ![The Add Assignment pane][203] |
| 229 | + |
| 230 | +5. On **Users and groups** dialog, select **Britta Simon** in the Users list. |
| 231 | + |
| 232 | +6. Click **Select** button on **Users and groups** dialog. |
| 233 | + |
| 234 | +7. Click **Assign** button on **Add Assignment** dialog. |
| 235 | + |
| 236 | +### Test single sign-on |
| 237 | + |
| 238 | +In this section, you test your Azure AD single sign-on configuration using the Access Panel. |
| 239 | + |
| 240 | +When you click the MobileIron tile in the Access Panel, you should get automatically signed-on to your MobileIron application. |
| 241 | +For more information about the Access Panel, see [Introduction to the Access Panel](active-directory-saas-access-panel-introduction.md). |
| 242 | + |
| 243 | +## Additional resources |
| 244 | + |
| 245 | +* [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](active-directory-saas-tutorial-list.md) |
| 246 | +* [What is application access and single sign-on with Azure Active Directory?](active-directory-appssoaccess-whatis.md) |
| 247 | + |
| 248 | + |
| 249 | +<!--Image references--> |
| 250 | + |
| 251 | +[1]: ./media/active-directory-saas-mobileiron-tutorial/tutorial_general_01.png |
| 252 | +[2]: ./media/active-directory-saas-mobileiron-tutorial/tutorial_general_02.png |
| 253 | +[3]: ./media/active-directory-saas-mobileiron-tutorial/tutorial_general_03.png |
| 254 | +[4]: ./media/active-directory-saas-mobileiron-tutorial/tutorial_general_04.png |
| 255 | + |
| 256 | +[100]: ./media/active-directory-saas-mobileiron-tutorial/tutorial_general_100.png |
| 257 | + |
| 258 | +[200]: ./media/active-directory-saas-mobileiron-tutorial/tutorial_general_200.png |
| 259 | +[201]: ./media/active-directory-saas-mobileiron-tutorial/tutorial_general_201.png |
| 260 | +[202]: ./media/active-directory-saas-mobileiron-tutorial/tutorial_general_202.png |
| 261 | +[203]: ./media/active-directory-saas-mobileiron-tutorial/tutorial_general_203.png |
| 262 | + |
0 commit comments