# Azure AD SSO & User Provisioning

## Architecture Overview

R1 Discover's Azure AD integration implements the SAML 2.0 protocol for authentication and supports Just-In-Time (JIT) user provisioning. The architecture consists of:

* **Identity Provider (IdP)**: Azure Active Directory
* **Service Provider (SP)**: R1 Discover platform
* **Authentication Protocol**: SAML 2.0
* **Provisioning Method**: Just-In-Time provisioning via SAML assertions

## Authentication Flow

1. User attempts to access R1 Discover
2. R1 Discover redirects the user to Azure AD with a SAML authentication request
3. Azure AD authenticates the user and generates a signed SAML assertion
4. The SAML response is posted to R1 Discover's Assertion Consumer Service (ACS) endpoint
5. R1 Discover validates the SAML assertion (signature, issuer, audience, recipient and validity window) and authenticates the user
6. If the user does not exist yet, JIT provisioning creates the account from the assertion attributes
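The checks behind step 5, as an added example that is not R1 Discover's code. It assumes the XML-DSig signature over the response has already been verified against the Azure AD signing certificate by an XML-DSig library (not shown) and that token encryption is off, so the assertion arrives in the clear; the SP URLs, tenant ID and the sample response are constructed for illustration. The point is that signature verification alone is not enough: issuer, audience, recipient, `InResponseTo`, validity window and one-time use all have to be enforced at the ACS.

```python
"""Post-signature checks an Assertion Consumer Service applies to an Azure AD SAML Response.

Added example, not R1 Discover's code. Signature verification is assumed to have been done
already (XML-DSig library, not shown); token encryption is assumed off. SP URLs, tenant ID
and the response document below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP settings; each must match the Azure AD enterprise application exactly.
SP_ENTITY_ID = "https://discover.example.com/saml/metadata"  # Identifier (Entity ID)
SP_ACS_URL = "https://discover.example.com/saml/acs"         # Reply URL
TENANT_ID = "00000000-0000-0000-0000-000000000000"           # made-up tenant
EXPECTED_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"    # Azure AD issuer format

SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=1, minutes=30)

# Constructed response (Signature element omitted, see module docstring).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{SP_ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="{SP_ACS_URL}" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id, now, seen_assertion_ids,
                      skew=timedelta(minutes=3)):
    """Return (name_id, errors); the assertion is usable only if errors is empty.

    seen_assertion_ids is a set shared across requests for replay detection; in
    production back it with a store whose entries expire with the assertion.
    """
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return None, ["root element is not samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    # Destination and InResponseTo bind the response to our ACS and to a request we sent;
    # requiring InResponseTo also rejects unsolicited responses.
    if root.get("Destination") != SP_ACS_URL:
        errors.append("Destination does not match ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        errors.append("InResponseTo does not match an outstanding request")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return None, errors + [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != EXPECTED_ISSUER:
        errors.append("assertion Issuer is not the expected Azure AD tenant")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("assertion has no Conditions")
    else:
        if "NotBefore" in cond.attrib and now < _ts(cond.get("NotBefore")) - skew:
            errors.append("assertion not yet valid")
        if "NotOnOrAfter" not in cond.attrib or now >= _ts(cond.get("NotOnOrAfter")) + skew:
            errors.append("assertion expired or has no NotOnOrAfter")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            errors.append("assertion is not addressed to our Entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != SP_ACS_URL:
            errors.append("SubjectConfirmationData Recipient is not our ACS URL")
        if scd.get("InResponseTo") != expected_request_id:
            errors.append("SubjectConfirmationData InResponseTo does not match")
        if "NotOnOrAfter" not in scd.attrib or now >= _ts(scd.get("NotOnOrAfter")) + skew:
            errors.append("bearer confirmation expired")
    assertion_id = a.get("ID")
    if not assertion_id or assertion_id in seen_assertion_ids:
        errors.append("assertion ID missing or already consumed (replay)")
    elif not errors:
        seen_assertion_ids.add(assertion_id)  # consume only once everything else passed
    name_id = a.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    if not name_id:
        errors.append("no NameID")
    return (name_id if not errors else None), errors


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, "_req1", SAMPLE_NOW, set()))
```

If Azure AD token encryption is enabled the `saml:Assertion` element is replaced by `saml:EncryptedAssertion`, which must be decrypted with the SP's private key before these checks run. Parsing untrusted XML should additionally be done with a parser hardened against entity expansion; `xml.etree` is used here only to keep the example stdlib-only.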

## SAML Configuration Details

### Required Azure AD Configuration

* **Authentication Method**: SAML-based Sign-on
* **Identifier (Entity ID)**: Must match R1 Discover Entity ID
* **Reply URL**: Must match R1 Discover ACS URL
* **Sign-on URL**: URL where users start the login process
* **Sign Out URL**: Must match R1 Discover SLO URL
* **User Attributes & Claims**:
  * Name identifier (NameID): the user's email address or UPN; this value becomes the R1 Discover `email` field
  * Additional required attributes: see the User Provisioning section

## User Provisioning Details

### Provisioning Mechanism

R1 Discover supports automated user provisioning through:

1. **Just-In-Time (JIT) Provisioning**: Users are automatically created in R1 Discover when they first authenticate via Azure AD
2. **SAML Attribute Mapping**: User properties are extracted from SAML assertion attributes

### Required SAML Attributes for User Provisioning

| Azure AD Attribute | R1 Discover Field | Required | Description |
|---|---|---|---|
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier` | email | Yes | Unique identifier for the user, typically the email address |
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname` | firstName | Yes | User's first name |
| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname` | lastName | Yes | User's last name |
| `http://schemas.microsoft.com/identity/claims/displayname` | displayName | No | User's full name |
| `http://schemas.microsoft.com/ws/2008/06/identity/claims/groups` | roles | No | Azure AD group memberships |

### Role Mapping and Authorization

By default, every provisioned account receives basic permissions in R1 Discover. Roles beyond that are assigned in one of two ways:

1. **Group Mapping**: When the optional groups claim is sent, the user's Azure AD group memberships populate the `roles` field (see the attribute table above). Which groups map to which R1 Discover roles requires group mapping configuration.
2. **Manual Role Assignment**: Assign additional roles after provisioning through the R1 Discover admin interface

### Account Lifecycle Management

* **Account Creation**: Automatic on first authentication
* **Account Updates**: User attributes are refreshed on every authentication if they have changed in Azure AD
* **Account Deactivation**: Once a user is disabled in Azure AD, Azure AD no longer issues assertions for them, so new sign-ins to R1 Discover are blocked at once. Because provisioning is JIT over SAML only, R1 Discover learns of the change at the user's next sign-in attempt; a session that is already active is not cut short and ends when the token or session expires (see Security Considerations)
* **Account Deletion**: Currently not automated; deactivated accounts remain in the system but are inaccessible
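The provisioning and lifecycle rules above, as an added example that is not R1 Discover's code. It assumes the assertion has already passed signature, issuer, audience, recipient and validity-window checks and that its `AttributeStatement` has been flattened into a dict of claim URI to list of values. The claim URIs and field names are those of the attribute table; the group object IDs, the group-to-role table and the sample claims are made up. It goes slightly beyond the text in one respect: roles derived from the groups claim are refreshed on every login, while roles an administrator assigned manually are kept in a separate field so that a refresh does not wipe them.

```python
"""JIT provisioning from the claims of a validated Azure AD SAML assertion.

Added example, not R1 Discover's code. Assumes the assertion is already validated and its
attributes flattened into {claim URI: [values]}. Group IDs, the GROUP_TO_ROLE table and
SAMPLE_CLAIMS are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

XMLSOAP = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
CLAIM_NAMEID = XMLSOAP + "nameidentifier"
CLAIM_GIVENNAME = XMLSOAP + "givenname"
CLAIM_SURNAME = XMLSOAP + "surname"
CLAIM_DISPLAYNAME = "http://schemas.microsoft.com/identity/claims/displayname"
CLAIM_GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# (claim URI, R1 Discover field, required), from the attribute table.
CLAIM_MAP = [
    (CLAIM_NAMEID, "email", True),
    (CLAIM_GIVENNAME, "firstName", True),
    (CLAIM_SURNAME, "lastName", True),
    (CLAIM_DISPLAYNAME, "displayName", False),
]
DEFAULT_ROLE = "basic"
# Hypothetical group mapping. Azure AD puts group object IDs in the groups claim by default,
# so key the table by ID; an unmapped group must never become a role by itself.
GROUP_TO_ROLE = {
    "11111111-1111-1111-1111-111111111111": "analyst",
    "22222222-2222-2222-2222-222222222222": "admin",
}

SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CLAIMS = {  # constructed; displayName deliberately absent, one unmapped group
    CLAIM_NAMEID: ["Alice@Example.com"],
    CLAIM_GIVENNAME: ["Alice"],
    CLAIM_SURNAME: ["Liddell"],
    CLAIM_GROUPS: ["11111111-1111-1111-1111-111111111111",
                   "99999999-9999-9999-9999-999999999999"],
}


class ProvisioningError(ValueError):
    """Assertion lacks a claim needed to create the account."""


class AccessDenied(PermissionError):
    """Account exists but has been deactivated locally."""


@dataclass
class User:
    email: str
    firstName: str
    lastName: str
    displayName: str
    roles: list                                   # derived from the groups claim, refreshed each login
    manual_roles: list = field(default_factory=list)  # assigned in the admin interface, never refreshed
    active: bool = True
    last_login: datetime = None

    def effective_roles(self):
        return sorted(set(self.roles) | set(self.manual_roles))


def map_claims(claims):
    """Translate claim URIs into R1 Discover fields; reject assertions missing required claims."""
    profile, missing = {}, []
    for uri, name, required in CLAIM_MAP:
        values = [v for v in claims.get(uri, []) if v]
        if values:
            profile[name] = values[0]
        elif required:
            missing.append(uri)
    if missing:
        raise ProvisioningError("missing required claims: " + ", ".join(missing))
    # Normalise the identifier so Alice@Example.com and alice@example.com are one account.
    profile["email"] = profile["email"].strip().lower()
    profile.setdefault("displayName", f"{profile['firstName']} {profile['lastName']}")
    mapped = {GROUP_TO_ROLE[g] for g in claims.get(CLAIM_GROUPS, []) if g in GROUP_TO_ROLE}
    profile["roles"] = [DEFAULT_ROLE] + sorted(mapped)
    return profile


class UserStore:
    """In-memory stand-in for the R1 Discover user table."""

    def __init__(self):
        self.users = {}

    def handle_login(self, claims, now):
        """JIT create-or-update after a validated assertion. Returns (user, created)."""
        profile = map_claims(claims)
        user = self.users.get(profile["email"])
        if user is None:
            user = User(last_login=now, **profile)
            self.users[user.email] = user
            return user, True
        if not user.active:
            raise AccessDenied(f"{user.email} is deactivated")  # stays in the table, cannot sign in
        for name in ("firstName", "lastName", "displayName", "roles"):
            setattr(user, name, profile[name])      # refresh IdP-sourced attributes every login
        user.last_login = now
        return user, False

    def deactivate(self, email):
        self.users[email.strip().lower()].active = False


def login_outcome(store, claims, now):
    """Collapse handle_login into one of: created, updated, denied, rejected."""
    try:
        _, created = store.handle_login(claims, now)
        return "created" if created else "updated"
    except AccessDenied:
        return "denied"
    except ProvisioningError:
        return "rejected"
```

Removing a user from a mapped Azure AD group takes effect at their next login, when `roles` is rebuilt from the new groups claim; roles in `manual_roles` survive that refresh and must be removed through the admin interface.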

### User Provisioning Limitations

* Custom attributes beyond the standard SAML attributes listed above require additional configuration
* Role management beyond basic permissions requires either group mapping configuration or manual assignment in the admin interface

## Security Considerations

* SAML responses must be signed with the signing certificate of the Azure AD enterprise application (Azure AD generates a self-signed X.509 certificate by default; a customer-supplied certificate can be uploaded instead), and R1 Discover verifies the signature against that certificate
* SAML assertions are encrypted using AES-256; Azure AD token encryption requires R1 Discover's encryption certificate to be uploaded to the enterprise application
* Token expiration time: 1 hour (configurable)
* Sessions automatically terminate after 8 hours of inactivity
* All authentication events are logged for audit purposes
* SSO integration undergoes annual penetration testing

## Implementation Requirements

* Azure AD Premium P1 or higher license for custom SAML applications
* Ability to create and manage Enterprise Applications in Azure AD
* X.509 certificate for SAML signing
* Admin rights in R1 Discover to configure SSO settings

## Technical Support Contact

For implementation assistance or troubleshooting, contact:

* Email: <r1team@r1learning.com>

