This guide is only available in English and explains how to create and configure a non-gallery SAML2 enterprise application in Microsoft Entra ID (formerly Azure AD) to enable Single Sign-On (SSO) with iChemistry.
1. Prerequisites
Before you begin, make sure that:
- You have Microsoft Entra admin rights (Global or Application Admin role).
 - You know your organization domain used for user logins (e.g. @company.com).
 - You have the following iChemistry SSO information:
 
| Setting | Value |
| --- | --- |
| Entity ID | iChemistrySSO |
| Login URL (Identifier/Entity) | Your Login link to iChemistry |
| Reply URL (Assertion Consumer Service URL) | https://ichemistry.intersolia.com/SingleSignOn/Login |

2. Create a New Enterprise Application
- Go to https://entra.microsoft.com and log in as an admin.
 - Navigate to Microsoft Entra ID → Enterprise Applications.
 - Click “+ New application”.
 - Select “Create your own application” (top of the page).
 - Enter a name, e.g. iChemistry SSO.
 - Select “Integrate any other application you don’t find in the gallery (Non-gallery)”.
 - Click Create.
 
It will take a few seconds to create the app.
3. Configure Single Sign-On (SAML)
- Open your new app (iChemistry SSO) from the Enterprise Applications list.
 - In the left-hand menu, choose Single Sign-On.
 - Select SAML as the SSO method.
 - You will now see a 4-step wizard — follow the steps below carefully.
 
4. Basic SAML Configuration
Click Edit on the “Basic SAML Configuration” section and fill in as follows:

| Field | Value |
| --- | --- |
| Identifier (Entity ID) | iChemistrySSO |
| Reply URL (Assertion Consumer Service URL) | https://ichemistry.intersolia.com/SingleSignOn/Login |
| Sign-on URL (optional) | Your Login link to iChemistry https://ichemistry.intersolia.com/main/<customer> |

Click Save when done.
5. User Attributes & Claims
Click Edit in the Attributes & Claims section and make sure to add exactly the following claims (case-sensitive):

| Name | Source attribute | Required |
| --- | --- | --- |
| userEmail | user.mail | Yes |
| userFullName | user.displayName | Yes |
| userId | user.employeeId or other employee number | No |
| departmentId | constant value (e.g. “SSO”) or blank | No |
| userRole | constant value (e.g. “Read-only user”) | Yes |

Tip:
- For any attribute your directory does not provide, click “Add new claim” → choose “Source: Constant” and set a value (like "SSO").
 - Make sure Namespace is left blank (not required for iChemistry).
 
6. Download SAML Metadata
- In the SAML Signing Certificate section, find the link “Federation Metadata XML”.
 - Click Download to save the XML file.
 - Send this file to your Intersolia contact (or reply to the SSO onboarding email).
 
This allows iChemistry to complete the setup on their side.
7. Assign Users or Groups
To control who can log in to iChemistry via SSO:
- Go to your app → Users and groups.
 - Click Add user/group.
 - Select the users or Azure AD groups who should have access.
 - Click Assign.
 
8. Test SSO Connection
- Go to the Single Sign-On tab again.
 - Click “Test this application” → “Sign in as current user”.
 - If the login succeeds, you should be redirected to iChemistry and automatically signed in.
 
If not, check:
- That claims are spelled correctly (userEmail, userFullName, userRole, departmentId).
 - That you assigned the user to the app.
 - That the correct Reply URL is used.
 
9. Common Issues & Notes
| Issue | Resolution |
| --- | --- |
| Error ID in iChemistry | One or more of the required attributes are missing |
| Empty attribute values | Some IdPs do not include empty claims. Use a constant value like "SSO" instead. |
| User role not applied | Ensure userRole has a valid constant (e.g. “Read-only user”). |
| Access to specific department | Use a departmentId claim value matching your iChemistry department ID (found under Basic Data → Department Information). |
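
The checks from sections 8 and 9 can also be run against an actual login response. The following is an added example (not Intersolia's or Microsoft's code): it inspects a base64-decoded SAML response for the claim names, Entity ID and Reply URL given in this guide, and flags claims that arrive under a namespace URI or with the wrong case. The sample response, the user in it and the function name `check_assertion` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "iChemistrySSO"  # Identifier (Entity ID) from this guide
ACS_URL = "https://ichemistry.intersolia.com/SingleSignOn/Login"  # Reply URL
REQUIRED = ("userEmail", "userFullName", "userRole")
OPTIONAL = ("userId", "departmentId")

# Constructed sample (not real traffic): a decoded response with claim mistakes.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
   Recipient="https://ichemistry.intersolia.com/SingleSignOn/Login"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>iChemistrySSO</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userEmail">
   <saml:AttributeValue>anna@company.example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="userfullname"><saml:AttributeValue>Anna Berg</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="departmentId"><saml:AttributeValue/></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def check_assertion(xml_text):
    """Return findings for a decoded SAML response. Signature is NOT verified."""
    root, findings = ET.fromstring(xml_text), []
    if ENTITY_ID not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        findings.append(f"Audience is not {ENTITY_ID}")
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        if scd.get("Recipient") != ACS_URL:
            findings.append(f"Recipient {scd.get('Recipient')} is not the Reply URL")
    claims = {a.get("Name"): [(v.text or "").strip()
                              for v in a.iterfind("saml:AttributeValue", NS)]
              for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED + OPTIONAL:
        if name in claims:
            if not any(claims[name]):
                findings.append(f"{name}: present but empty")
            continue
        # Same claim sent under a namespace URI or with different casing?
        near = [n for n in claims if n.rsplit("/", 1)[-1].lower() == name.lower()]
        if near:
            findings.append(f"{name}: sent as '{near[0]}' (namespace or case)")
        elif name in REQUIRED:
            findings.append(f"{name}: required claim missing")
    return findings

if __name__ == "__main__":
    print("\n".join(check_assertion(SAMPLE)))
```
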
10. What Happens Next
Once Intersolia receives your metadata XML, the integration will be completed on our end.
 We’ll confirm when SSO is enabled, after which:
- Local iChemistry login is disabled for your domain.
 - Users will be redirected to your Entra login automatically.