Azure AD SSO & User Provisioning

An overview of the technical implementation of Azure AD SSO and User Provisioning.

Architecture Overview

R1 Discover's Azure AD integration implements the SAML 2.0 protocol for authentication and supports JIT (Just-In-Time) user provisioning. The system architecture consists of:

  • Identity Provider (IdP): Azure Active Directory

  • Service Provider (SP): R1 Discover platform

  • Authentication Protocol: SAML 2.0

  • Provisioning Method: Just-In-Time provisioning via SAML assertions

Authentication Flow

  1. User attempts to access R1 Discover

  2. User is redirected to Azure AD for authentication

  3. Azure AD authenticates user and generates SAML assertion

  4. SAML assertion is sent to R1 Discover's Assertion Consumer Service (ACS) endpoint

  5. R1 Discover validates the SAML assertion and authenticates the user

  6. If the user doesn't exist, the provisioning process is triggered

SAML Configuration Details

Required Azure AD Configuration

  • Authentication Method: SAML-based Sign-on

  • Identifier (Entity ID): Must match R1 Discover Entity ID

  • Reply URL: Must match R1 Discover ACS URL

  • Sign-on URL: URL where users start the login process

  • Sign Out URL: Must match R1 Discover SLO URL

  • User Attributes & Claims:

    • Name identifier format: Email/UPN

    • Additional required attributes: See User Provisioning section

User Provisioning Details

Provisioning Mechanism

R1 Discover supports automated user provisioning through:

  1. Just-In-Time (JIT) Provisioning: Users are automatically created in R1 Discover when they first authenticate via Azure AD

  2. SAML Attribute Mapping: User properties are extracted from SAML assertion attributes

Required SAML Attributes for User Provisioning

  Azure AD Attribute                                                  R1 Discover Field   Required   Description
  ------------------------------------------------------------------  ------------------  ---------  -------------------------------------------------------
                                                                      email               Yes        Unique identifier for the user, typically email address
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname     firstName           Yes        User's first name
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname       lastName            Yes        User's last name
  http://schemas.microsoft.com/identity/claims/displayname            displayName         No         User's full name
  http://schemas.microsoft.com/ws/2008/06/identity/claims/groups      roles               No         Azure AD group memberships
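The following is an added example, not R1 Discover's own code, of what the service provider side of steps 5 and 6 of the authentication flow does with an assertion: check the points the Security Considerations section names (signature present, validity window, audience), pull the claims listed in the table above into the R1 Discover fields, and then create or update the account according to the lifecycle rules. The assertion XML, the `SP_ENTITY_ID` value, the in-memory `store` dict and the "basic" permission marker are constructed placeholders; a real deployment verifies the XML signature cryptographically with a SAML library (the presence check here is only a stand-in) and parses with `defusedxml` rather than the standard-library parser.

```python
"""Added example of SAML-attribute-driven JIT provisioning (not R1 Discover code)."""
import xml.etree.ElementTree as ET  # production code: use defusedxml for untrusted XML
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Claim URI -> R1 Discover field, taken from the attribute table on this page.
ATTRIBUTE_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "firstName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "lastName",
    "http://schemas.microsoft.com/identity/claims/displayname": "displayName",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": "roles",
}
REQUIRED_FIELDS = ("email", "firstName", "lastName")

SP_ENTITY_ID = "https://r1discover.example/saml/metadata"  # assumed placeholder

# Constructed sample assertion; the signature element is a placeholder, not a real signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://r1discover.example/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><saml:AttributeValue>Alice Liddell</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><saml:AttributeValue>gid-1</saml:AttributeValue><saml:AttributeValue>gid-2</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"bad timestamp: {value!r}")


def extract_profile(assertion_xml, now, audience=SP_ENTITY_ID):
    """Validate the assertion's conditions and map its claims to R1 Discover fields."""
    root = ET.fromstring(assertion_xml)
    # Stand-in for real signature verification: the page requires signed responses.
    if root.find("ds:Signature", NS) is None:
        raise ValueError("assertion is not signed")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion was not issued for this service provider")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no NameID")
    profile = {"email": name_id.text.strip()}  # NameID format is email/UPN per the config above
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        field = ATTRIBUTE_MAP.get(attr.get("Name"))
        if field is None:
            continue  # unmapped claims are ignored rather than stored
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        profile[field] = values if field == "roles" else (values[0] if values else "")
    missing = [f for f in REQUIRED_FIELDS if not profile.get(f)]
    if missing:
        raise ValueError(f"missing required attributes: {missing}")
    return profile


def provision(store, profile):
    """JIT provisioning: create on first sign-in, otherwise sync attributes that changed."""
    key = profile["email"]
    existing = store.get(key)
    if existing is None:
        record = dict(profile, roles=profile.get("roles", []), permissions="basic")
        store[key] = record
        return "created", record
    changed = {k: v for k, v in profile.items() if existing.get(k) != v}
    if not changed:
        return "unchanged", existing
    existing.update(changed)
    return "updated", existing


if __name__ == "__main__":
    users = {}
    prof = extract_profile(SAMPLE_ASSERTION, parse_time("2024-01-01T00:30:00Z"))
    print(provision(users, prof))
```

Everything the account is built from comes out of `extract_profile`, so an assertion that fails a condition check never reaches `provision`; the required-field check reflects the "Required" column of the table, and unmapped claims are dropped rather than written through.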

Role Mapping and Authorization

By default, all provisioned accounts receive basic permissions in R1 Discover. Further role configuration options:

  1. Manual Role Assignment: Assign additional roles post-provisioning through the R1 Discover admin interface

Account Lifecycle Management

  • Account Creation: Automatic on first authentication

  • Account Updates: User attributes are updated during each authentication if they've changed in Azure AD

  • Account Deactivation: Access is revoked immediately when the user is disabled in Azure AD

  • Account Deletion: Currently not automated; deactivated accounts remain in the system but inaccessible

User Provisioning Limitations

  • Custom attributes beyond standard SAML attributes require additional configuration

  • Role management beyond basic permissions requires either group mapping configuration or manual assignment

Security Considerations

  • SAML responses must be signed with the organization's X.509 certificate

  • SAML assertions are encrypted using AES-256

  • Token expiration time: 1 hour (configurable)

  • Sessions automatically terminate after 8 hours of inactivity

  • All authentication events are logged for audit purposes

  • SSO integration undergoes annual penetration testing

Implementation Requirements

  • Azure AD Premium P1 or higher license for custom SAML applications

  • Ability to create and manage Enterprise Applications in Azure AD

  • X.509 certificate for SAML signing

  • Admin rights in R1 Discover to configure SSO settings

Technical Support Contact

For implementation assistance or troubleshooting, contact:
