This document explains how to configure L2L to use Microsoft's Azure SAML services to log in to L2L DISPATCH.
Step 1: Create the L2L SAML Config
We first create a new SAML Config that defines the SAML Trust between Dispatch and Azure. Log in to [customer].leading2lean.com, and navigate to Setup → IT Setup → SAML SSO Config. Click the Add New link.
In the Add New SAML Config page, enter the following information:
- Code: this must be a unique code among all the Dispatch SAML Config’s and gets used in the Dispatch SAML URL’s.
- Display Name: This is user visible text on the Dispatch login page.
- IdP User Naming Attribute: You need to choose how users will log into Dispatch. Choosing email requires that the Dispatch user accounts have their email addresses set to the same email address set on users’ Azure accounts, and choosing username requires that the Dispatch username matches the Azure username.
- Leave all the other fields blank for now and click Save. The remaining fields will be configured using values from the Azure Application in Step 3 below.
- Now click on the new SAML Config that you just created. We'll use the SP Initiate, SP SSO URL, SP SLO URL, and SP Entity ID in the next step.
Step 2: Create a new Application in Azure
- Create a new Application
- Go to All Applications → New Application. Click New Application. Select Non-gallery application. Name your new Application and click Add.
- Select Configure single sign-on and select SAML.
- Section 1: Enter the following L2L URLs into the Azure Application. Be sure to include the trailing slash.
L2L URL Azure Application Setting SP Entity ID Identifier (Entity ID) SSO URL Reply URL SSO URL Sign on URL SLO URL Logout URL
- Section 2: Set the Unique User Identifier.
- If you chose email for the IdP User Naming Attribute in L2L, select user.mail.
- If you chose username for the IdP User Naming Attribute in L2L, select user.userprincipalname.
Note about IdP-initiated SSO: For applications that support IdP-initiated SSO, Microsoft Azure/Entra provides the ability to authenticate into a registered application through the "My Apps" web portal. L2L does not support IdP-initiated SSO natively, however, this functionality can be emulated by configuring the Login URL in Azure/Entra to use the L2L SP Initiate URL instead of the of the IdP SSO URL.
Step 3: Update the L2L SAML Config
- Download the Certificate (Base 64) from Section 3 in the Azure Application and copy/paste it into the IdP Certificate Information field on the L2L SAML Config Detail screen under the x509 Public Certificate in PEM format tab.
- Enter the following Azure URLs from Section 4 in the Azure Application into the L2L SAML Config Detail screen:
Azure URL L2L SAML Config Detail Login URL IdP SSO URL Azure AD Identifier IdP Entity Id Logout URL
IdP SLO URL
Step 4: Configure Users in L2L
Now it's time to tie users to a SAML config. You will not be able to use SAML until you have configured a user to use the new SAML config. You can do this two different ways.
One user at a time
Select the appropriate SAML Config setting in the Edit User screen. You can only select one SAML Config setting per user.
Migrate Users tool
If all users registered to a site will be using SAML to authenticate, you can use the SAML Migration tool. This is found at the bottom of the SAML Config Detail screen. Just click the Migrate Accounts button and follow the instructions.
Step 5: Test
- Go to https://[customer].leading2lean.com and click on the new SSO button. The title of this button will come from the Display Name in the L2L config above.
- If prompted, enter your credentials.
- You should be logged in to L2L DISPATCH
- Log out of Dispatch
- You should be logged out of L2L DISPATCH
- Cannot log out
Sometimes a User can successfully log in to L2L using the SAML route, but cannot log out. If this is the case, try to use the following logout URL in the L2L SAML Config Detail → IdP SLO URL field: