Microsoft Entra/Azure IDP SSO configuration


You can enable SSO for an organization in Diligent One. When the required configuration is complete, you can securely access the system with your Entra ID credentials.

Important Note
These instructions use the existing domain name of highbond.com. We now have diligentoneplatform.com available, and will soon use this as the main system access point (such as with links included in email notifications). You can use identical steps with the diligentoneplatform.com URL in place of highbond.com to set up SSO. For example,

https://accounts.highbond.com/saml/sso/consume/your-custom-domain

would now be: 

https://accounts.diligentoneplatform.com/saml/sso/consume/your-custom-domain



Before you start
Review our SSO documentation to ensure you are familiar with the setup and requirements. A user with System Admin access to your organization is required to complete the setup on the Diligent One side. See Configuring Single Sign-On (SSO).

Steps

Entra supports different ways of handling SAML authentication for new applications. These instructions use an Enterprise Application with SAML selected as the authentication method. This is the most straightforward way to set up SSO for Diligent One, and the instructions also mirror those previously used for Azure Active Directory. For more information on the Entra side of the setup, see Microsoft's Entra documentation.

  1. Navigate to https://entra.microsoft.com and log in to your account. You will need access to create a new application, e.g. an Application Administrator role.
  2. On the left side, under the Applications section, select Enterprise Applications.
  3. Select New Application, then click Create your own application at the top.
  4. Enter the desired name (e.g. Diligent One SSO) and ensure Integrate any other application you don't find in the gallery (Non-gallery) is chosen, then click Create.
  5. After the app is created, select Single sign-on from the left menu, then select SAML as the method. You should see the configuration screen where you can set up all required settings like the image below.
  6. At the same time, open another browser tab to sign in to Diligent One as a System Admin (or work with another user who has this access).
  7. From the Diligent One homepage, select Platform Settings > Security Settings. If you do not see Platform Settings as an option on the Launchpad page, the account you used to sign in does not have System Admin privileges.
  8. Within the Single sign-on (SSO) options section, click the Set up provider button, and take note of the Custom domain entry as you will use it in each URL in the Entra configuration.
  9. Switch back to the Entra tab to enter required details:
  10. Basic SAML Configuration:
    1. Identifier (Entity ID) = https://accounts.highbond.com/saml/metadata/your-custom-domain
    2. Reply URL (Assertion Consumer Service URL) = https://accounts.highbond.com/saml/sso/consume/your-custom-domain
    3. Sign on URL = https://accounts.highbond.com/saml/sso?custom_domain=your-custom-domain
    4. Relay State (Optional) = <leave blank>
    5. Logout Url (Optional) = https://accounts.highbond.com/saml/slo/your-custom-domain
  11. Attributes & Claims
    1. Depending on your configuration, the default settings should work to allow authentication.
    2. A user's email address is the unique identifier for a Diligent One account, so user.userprincipalname is commonly used for the name identifier, but this can also be changed to user.mail if a different email address is to be used.
  12. On the Diligent One side, complete the following fields on the Single sign-on set up panel:
    • Entity ID - Copy and paste the Microsoft Entra Identifier field.
    • Metadata URL - <leave blank>
    • Redirect Login URL - Copy and paste the Login URL field.
    • Logout URL - Copy and paste the Logout URL field.
    • Public certificate - Download the certificate file in Base64 format from the SAML Certificates section of the Entra configuration. Copy and paste the entire contents (including the BEGIN and END CERTIFICATE lines) into the field.
  13. On the bottom right, click the Enable button to save your configuration.
  14. With the configuration complete, you can use the Test button in the Entra configuration to try the sign-in process; make sure to log out of Diligent One via the profile icon in the top right before testing. Users can also test using the instructions below. Note that System Admins are still able to sign in using their username and password, so if there are any issues you can adjust the configuration as necessary.
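The values in steps 10 and 12 are easy to mistype (a missing `/consume`, a certificate pasted without its BEGIN/END lines), and a mismatch only shows up as a failed test sign-in. The following is an added example, not Diligent's or Microsoft's code: it derives the expected Diligent One URLs for a custom domain from the patterns above (for either the highbond.com or the diligentoneplatform.com host), compares them to what was entered in Entra, and checks that the pasted public certificate is a complete Base64 PEM block. The custom domain, the entered values and the certificate bytes are constructed placeholders.

```python
import base64
import re

def expected_sp_urls(custom_domain, host="accounts.highbond.com"):
    """Diligent One service-provider URLs for a custom domain, using the
    URL patterns from the Basic SAML Configuration step. Pass
    host="accounts.diligentoneplatform.com" for the newer domain."""
    base = f"https://{host}/saml"
    return {
        "Identifier (Entity ID)": f"{base}/metadata/{custom_domain}",
        "Reply URL (Assertion Consumer Service URL)": f"{base}/sso/consume/{custom_domain}",
        "Sign on URL": f"{base}/sso?custom_domain={custom_domain}",
        "Logout Url (Optional)": f"{base}/slo/{custom_domain}",
    }

def check_basic_saml_config(entered, custom_domain, host="accounts.highbond.com"):
    """Compare the values typed into Entra against the expected ones.
    Returns a list of mismatch descriptions; an empty list means all match."""
    problems = []
    for field, want in expected_sp_urls(custom_domain, host).items():
        got = entered.get(field, "").strip()
        if got != want:
            problems.append(f"{field}: got {got!r}, expected {want!r}")
    return problems

# Matches a single PEM certificate block including its BEGIN/END lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def check_public_certificate(pasted):
    """Check that the text pasted into the Public certificate field is a
    complete Base64 PEM block whose body decodes to DER. Returns None when
    the block looks valid, otherwise a short description of the problem."""
    m = PEM_RE.search(pasted)
    if not m:
        return "missing BEGIN/END CERTIFICATE lines (paste the whole Base64 file)"
    body = "".join(m.group(1).split())  # drop line breaks inside the body
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return "certificate body is not valid Base64"
    if not der.startswith(b"\x30"):  # an X.509 certificate is a DER SEQUENCE
        return "decoded data is not a DER certificate (wrong export format?)"
    return None
```

Running `check_basic_saml_config` with the values copied from Entra before clicking Enable catches a wrong or missing path segment; `check_public_certificate` catches a partial paste of the certificate file.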

Example setup: (screenshot of the completed Entra SAML configuration not reproduced here)

Signing in

Note
As an alternative to manually logging into the HighBond/Diligent One homepage below, if users have an Entra portal with available applications then Diligent One can be selected directly from there.


  1. Navigate to the HighBond/Diligent One homepage (www.highbond.com).
  2. On the sign in screen, click Continue with SSO at the bottom.
  3. Enter your custom domain name and click Continue.
  4. If not already signed in to Entra, enter your credentials and/or two-factor response as needed.
  5. You should be signed in successfully. Please note that the system does not support just-in-time provisioning, so if you have issues please ensure a System Admin has added your account as a user.

Tip
Users that sign in manually can bookmark the following URL to avoid entering their custom domain each time: https://accounts.highbond.com/saml/sso?custom_domain=custom_domain

Common errors during setup:

"The signed in user 'user@email.com' is not assigned to a role for the application"
>> Check on the Entra side to ensure the user has been given access to the Diligent One application, either individually or via a user group.

"First Name cannot be blank. Last Name cannot be blank."
>> See the article here: With SSO configured, user receives "First Name cannot be blank. Last Name cannot be blank." when logging into HighBond