After you have registered your PIM application in Azure AD, you then configure PIM with the details of the application to enable single sign-on.

To configure PIM for single sign-on:

- In PIM, on the header bar, click Admin.
- In the Search Admin Zones field, enter Single Sign-On Configuration, and then click the link that displays.
- On the Single Sign-On (SSO) screen, use the Identity Provider list to select Azure AD.
- In the Tenant ID and Client ID fields, paste the respective details that you copied when you registered the PIM application in Azure AD.
- If you created a client secret, paste the value into the Client Secret field.
- For each user, check that their identity email address matches their active email address configured in Azure AD.

  If any user email addresses do not match the new Azure AD email address, either you changed your email construct when you transitioned to Azure AD after you first implemented PIM and set up your users, or certain users' identity email addresses have changed since you created the users.

  For any user whose identity email address does not match their active email address in Azure AD, you must correct their email address in PIM. You do this via Admin > System Security > Users and Licenses.
- When all identity email addresses match the corresponding Azure AD usernames, click Auto-populate in the top-right corner of the Setup SSO User Identities screen to automatically populate the SSO username for each user, and then click Save.
- Once you are ready to roll out the new single sign-on logon method to your user base, on the Single Sign-On (SSO) page, select the Enable Azure AD Provider check box to enable it, and then click .

Users now have the option to log on to PIM via Azure AD on the main PIM logon page.
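The identity-email check above is easy to get wrong by eye on a large user base. The following is an added example, not code from the PIM product or its documentation: it reconciles a PIM user export against Azure AD user principal names, flags the two mismatch causes the procedure describes (changed email construct, changed user address) plus disabled accounts, and only reports "ready" when every user resolves. Both user lists are constructed sample data, and the field names are assumptions.

```python
# Added example (not from the PIM documentation): reconcile PIM identity
# emails against Azure AD user principal names before enabling SSO.
# Both user lists are constructed sample data, not exported from a tenant.

PIM_USERS = [
    {"username": "asmith", "identity_email": "alice.smith@contoso.com"},
    {"username": "bjones", "identity_email": " Bob.Jones@CONTOSO.COM "},
    {"username": "cwu", "identity_email": "c.wu@contoso-legacy.local"},
    {"username": "dlee", "identity_email": "dlee@contoso.com"},
]

AZURE_AD_USERS = [
    {"userPrincipalName": "alice.smith@contoso.com", "accountEnabled": True},
    {"userPrincipalName": "bob.jones@contoso.com", "accountEnabled": True},
    {"userPrincipalName": "c.wu@contoso.com", "accountEnabled": True},
    {"userPrincipalName": "dlee@contoso.com", "accountEnabled": False},
]


def normalize(addr):
    # Email comparison is case-insensitive; stray whitespace is a common data-entry error.
    return addr.strip().lower()


def reconcile(pim_users, aad_users):
    """Return (matched, mismatched). A mismatch records why and, where the
    local part matches an enabled Azure AD UPN, suggests the corrected address."""
    all_upns = {normalize(u["userPrincipalName"]): u["accountEnabled"] for u in aad_users}
    by_local = {upn.split("@")[0]: upn for upn, enabled in all_upns.items() if enabled}
    matched, mismatched = [], []
    for u in pim_users:
        email = normalize(u["identity_email"])
        if all_upns.get(email):            # exact match on an enabled account
            matched.append(u["username"])
            continue
        if email in all_upns:              # exact match, but the account is disabled
            reason, suggestion = "Azure AD account disabled", None
        elif email.split("@")[0] in by_local:
            reason = "domain differs (email construct changed?)"
            suggestion = by_local[email.split("@")[0]]
        else:
            reason, suggestion = "no matching Azure AD account", None
        mismatched.append({"username": u["username"], "identity_email": email,
                           "reason": reason, "suggestion": suggestion})
    return matched, mismatched


def ready_to_enable_sso(pim_users, aad_users):
    # Only select the Enable Azure AD Provider check box once every user reconciles.
    return not reconcile(pim_users, aad_users)[1]
```

Fix each reported user under Admin > System Security > Users and Licenses, re-run the reconciliation, and proceed to Auto-populate only when ready_to_enable_sso returns True.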