This document explains how to configure L2L to use Microsoft's Azure SAML services to log in to L2L DISPATCH.

Step 1: Create the L2L SAML Config

We first create a new SAML Config that defines the SAML Trust between Dispatch and Azure. Log in to [customer].leading2lean.com, and navigate to Setup → IT Setup → SAML SSO Config. Click the Add New link.

In the Add New SAML Config page, enter the following information:

• Code: this must be a unique code among all the Dispatch SAML Config’s and gets used in the Dispatch SAML URL’s.
• Display Name: This is user visible text on the Dispatch login page.
• IdP User Naming Attribute: You need to choose how users will log into Dispatch. Choosing email requires that the Dispatch user accounts have their email addresses set to the same email address set on users’ Azure accounts, and choosing username requires that the Dispatch username matches the Azure username.
• Leave all the other fields blank for now and click Save. The remaining fields will be configured using values from the Azure Application in Step 3 below.
• Now click on the new SAML Config that you just created. We'll use the SP Initiate, SP SSO URL, SP SLO URL, and SP Entity ID in the next step.

Step 2: Create a new Application in Azure

1. Create a new Application
   1. Go to All Applications → New Application. Click New Application. Select Non-gallery application. Name your new Application and click Add.
2. Select Configure single sign-on and select SAML.
3. Section 1: Enter the following L2L URLs into the Azure Application. Be sure to include the trailing slash.
   

   L2L URL	Azure Application Setting
   SP Entity ID	Identifier (Entity ID)
   SSO URL	Reply URL
   SSO URL	Sign on URL
   SLO URL	Logout URL

4. Section 2: Set the Unique User Identifier.
   1. If you chose email for the IdP User Naming Attribute in L2L, select user.mail.
   2. If you chose username for the IdP User Naming Attribute in L2L, select user.userprincipalname.

Step 3: Update the L2L SAML Config

1. Download the Certificate (Base 64) from Section 3 in the Azure Application and copy/paste it into the IdP Certificate Information field on the L2L SAML Config Detail screen under the x509 Public Certificate in PEM format tab.
2. Enter the following Azure URLs from Section 4 in the Azure Application into the L2L SAML Config Detail screen:
   

   Azure URL	L2L SAML Config Detail
   Login URL	IdP SSO URL
   Azure AD Identifier	IdP Entity Id
   Logout URL	IdP SLO URL

Step 4: Configure Users in L2L

Now it's time to tie users to a SAML config. You will not be able to use SAML until you have configured a user to use the new SAML config. You can do this two different ways.

One user at a time
Select the appropriate SAML Config setting in the Edit User screen. You can only select one SAML Config setting per user.

Migrate Users tool
If all users registered to a site will be using SAML to authenticate, you can use the SAML Migration tool. This is found at the bottom of the SAML Config Detail screen. Just click the Migrate Accounts button and follow the instructions.

Step 5: Test

1. Go to https://[customer].leading2lean.com and click on the new SSO button. The title of this button will come from the Display Name in the L2L config above.
   1. If prompted, enter your credentials.
   2. You should be logged in to L2L DISPATCH
2. Log out of Dispatch
   
   1. You should be logged out of L2L DISPATCH

Troubleshooting

• Cannot log out
  Sometimes a User can successfully log in to L2L using the SAML route, but cannot log out. If this is the case, try to use the following logout URL in the L2L SAML Config Detail → IdP SLO URL field:
  

  https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0