Azure (SSO)

About Azure Active Directory single sign-on (SSO) integration

Campus Cafe can use Microsoft Azure Active Directory to authenticate users logging in to Campus Cafe. If you want applicants and students to automatically be created in Azure upon their creation in Campus Cafe, you should follow these directions and then configure Azure Active Directory to create accounts.

In this tutorial, you'll learn how to integrate Campus Cafe with Azure Active Directory (Azure AD). When you integrate Campus Cafe with Azure AD, you can:

  • Control in Azure AD who has access to Campus Cafe.

  • Enable your users to be automatically signed in to Campus Cafe with their Azure AD accounts.

  • Manage your accounts in one central location - the Azure portal.

To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with Azure Active Directory.

Once SSO and users are configured, users can access Campus Cafe through the Office.com portal by clicking All apps and then Campus Cafe. Alternatively, users can be directed to https://{Your-School-Code}-web.scansoftware.com/cafeweb/loginsso

Prerequisites

To get started, you need the following items:

  • An Azure AD subscription. If you don't have a subscription, you can get a free account.

  • Contact Campus Cafe Support for a metadata file.

  • Create Campus Cafe permission groups for users.

Required permissions

| Module | Number | Description |
|---|---|---|
| System Admin | 127 | Create users in Campus Cafe |
| System Admin | 465 | Configure error message for user not in Campus Cafe |
| System Admin | 435 | Configure Campus Cafe logout button behavior |

Scenario description

In this tutorial, you configure and test Azure AD SSO.

Add Campus Cafe from the gallery

To configure the integration of Campus Cafe into Azure AD, you need to add Campus Cafe from the gallery to your list of managed SaaS apps.

  1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

  2. In the upper left click the three-bar main menu.

  3. On the left navigation pane, click Azure Active Directory or Microsoft Entra ID.

  4. Click Enterprise Applications > All Applications.

  5. Click New application.

  6. In the Search application box, type Campus Cafe.

  7. Click Campus Cafe.

  8. Click Create.

  9. Wait a few seconds while the app is added to your tenant. When the new screen appears, proceed to choosing the groups/users that may access Campus Cafe.

Choose Microsoft groups/users that may access Campus Cafe

Specify the Microsoft groups and/or specific users that may access Campus Cafe. Campus Cafe recommends first giving access to a test user and then returning to add the production groups/users.

  1. Click the Assign users and groups tile.

  2. Click Add user.

  3. Choose your group(s) or specific user(s) and Assign them.

Set up single sign on

  1. Return to the Campus Cafe Enterprise Application overview screen. If you were on the Users and Groups screen, click Overview on the left.

  2. Click the Set up single sign on tile.

  3. Click the SAML tile.

  4. Click Upload metadata file.

  5. Select the file sent from Campus Cafe support.

  6. Click Add. A new sidebar will open and the relevant fields will populate automatically based on the metadata file.

  7. In Sign-on URL enter a URL using the following pattern: https://{Your-School-Code}-web.scansoftware.com/cafeweb/loginsso

  8. Click Save.

  9. In the upper right click the X.

  10. Do not Test if given the option.

Set up certificate

  1. In the SAML Signing Certificate box, click Add a certificate.

  2. Click New Certificate.

    • Signing Option: Sign SAML assertion.

    • Signing Algorithm: SHA-256.

  3. Click Save.

  4. In the upper right click the X.

  5. In SAML Signing Certificate next to Federation Metadata XML click Add a certificate.

  6. For the Signing Option select Sign SAML assertion.

  7. For the Signing Algorithm select SHA-256.

  8. Click Save.

  9. The SAML Signing Certificate should now appear. Next to Federation Metadata XML click Download.

  10. Save the file to your computer.

  11. Send the file to Campus Cafe support.
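
Before sending the Federation Metadata XML, you can record its entity ID, signing-certificate fingerprint and endpoint URLs so that both sides can confirm they hold the same file. The following is an added example, not part of the Campus Cafe documentation; the sample metadata, tenant ID and certificate bytes are constructed placeholders, and `summarize_metadata` is a hypothetical helper name.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder tenant ID and placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>""".encode()


def summarize_metadata(xml_bytes: bytes) -> dict:
    """Return entity ID, signing-certificate SHA-256 fingerprints and endpoint URLs."""
    # SAML metadata never needs a DTD; refusing one avoids entity-expansion input.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DOCTYPE/ENTITY declarations are not expected in SAML metadata")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    fingerprints = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # skip encryption-only keys
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest().upper())
    # Every element carrying a Location attribute is a protocol endpoint.
    endpoints = [el.get("Location") for el in root.iter()
                 if el.get("Location") is not None]
    return {
        "entity_id": root.get("entityID"),
        "signing_sha256": fingerprints,
        "endpoints": endpoints,
        "non_https": [u for u in endpoints if not u.lower().startswith("https://")],
    }
```

The same function can be run on the metadata file received from Campus Cafe support before uploading it, since it reads any element with a `Location` attribute.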

Users in Campus Cafe

For an SSO user to authenticate with Azure, the user must have a user account in Campus Cafe. The username in Campus Cafe must match the Azure username. If you want applicants and students to automatically be created in Azure upon their creation in Campus Cafe, you should follow these directions and then configure Azure Active Directory to create accounts.

Manually create account in Campus Cafe

  1. Go to Admin > Permissions.

  2. Click Lookup Person.

  3. Search for the individual for which to create or edit an account and select the individual.

  4. In Permission Group select the Campus Cafe permission group that will control access within Campus Cafe.

  5. In Username enter the user's Azure username (typically the user's institution-provided email).

  6. Ensure Password is blank.

  7. Click Save.

Campus Cafe recommends removing all passwords stored in Campus Cafe to avoid conflicting credentials.

Disable Campus Cafe password change

With Azure controlling authentication, users should change passwords through Azure, not Campus Cafe. To avoid confusion, Campus Cafe recommends disabling the change password link for all Campus Cafe permission groups. Set permissions #206 and #235 to NA for all permission groups.

Configure error message for user not in Campus Cafe

If a user belongs to an Azure group that has access to Campus Cafe, the user will see a link to Campus Cafe on his or her apps page. If the user doesn’t have an account in Campus Cafe but tries to access Campus Cafe, they’ll see an error. You can control what this error message says.

Customize the error message:

  1. Go to Admin > Adjustable Text.

  2. In Search enter LOGINSSO_ERROR.

  3. Next to LOGINSSO_ERROR click the pencil.

  4. In Value (the large box) enter the error message to display to a user. (e.g. You do not have access to Campus Cafe. Contact IT Support at 555-5555 for assistance.)

  5. Click Save.

  6. Go to Admin > Refresh Data Cache.
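
An added example (not part of the Campus Cafe documentation): a reconciliation check covering the username-match and blank-password requirements from the Users in Campus Cafe section and the missing-account case that this error message handles. The CSV exports, their column names and the `reconcile` helper are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports. The column names are assumptions for this example,
# not a documented Campus Cafe or Azure export format.
CAFE_USERS = """username,has_password
jdoe@example.edu,no
ASmith@example.edu,no
bwong@example.edu,yes
old.account,yes
"""
AZURE_ASSIGNED = """userPrincipalName
jdoe@example.edu
asmith@example.edu
bwong@example.edu
newhire@example.edu
"""


def reconcile(cafe_csv: str, azure_csv: str) -> dict:
    """Compare Campus Cafe usernames with the Azure users assigned to the app."""
    azure = {r["userPrincipalName"].strip()
             for r in csv.DictReader(io.StringIO(azure_csv))}
    folded = {u.casefold(): u for u in azure}
    report = {"case_only": [], "no_azure_match": [], "local_password": []}
    matched = set()
    for row in csv.DictReader(io.StringIO(cafe_csv)):
        name = row["username"].strip()
        if row["has_password"].strip().lower() == "yes":
            report["local_password"].append(name)  # Password should be blank
        if name in azure:
            matched.add(name)
        elif name.casefold() in folded:
            # Differs only by letter case; the page does not say whether matching
            # is case-sensitive, so report it for manual review.
            report["case_only"].append(name)
            matched.add(folded[name.casefold()])
        else:
            report["no_azure_match"].append(name)
    # Assigned in Azure but no Campus Cafe account: these users would see
    # the LOGINSSO_ERROR message.
    report["no_cafe_account"] = sorted(azure - matched)
    return report
```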

Configure Campus Cafe logout button behavior

By default, clicking the logout button in Campus Cafe does not end the SSO session. With the SSO session still active, a user will be able to access Campus Cafe without logging in.

Configure logout button to end SSO session:

  1. Go to Admin > Web App.

  2. In Search enter LOGOUT_SSO_URL.

  3. Select the checkbox next to LOGOUT_SSO_URL and click Edit Selected.

  4. In Value enter https://***-web.scansoftware.com/Shibboleth.sso/Logout replacing *** with your school code.

  5. Click Save.

Time out behavior

By default, Campus Cafe signs out a user after 30 minutes of inactivity. (This may be extended by contacting Campus Café support.) However, the user’s SSO session will remain active for as long as configured through the SSO. If the SSO session is still active, the user can access Campus Cafe without logging in. Essentially, the SSO time out setting takes precedence over the Campus Cafe time out.
