Skip to main content

Fountain Azure Entra ID Setup

Updated today

Third-Party Provider:

Please note that some of the instructions in this article pertain to a third-party provider and, as such, may not reflect all current settings. Should you have any questions or issues, please contact Microsoft Azure directly.

If your company is using Microsoft Azure SSO for user logins, a Fountain account Administrator will need to complete a few additional steps in both Azure and Fountain to ensure users can log in through Azure SSO when accessing the Fountain platform.

Tip!
You'll be copying information from Azure to Fountain and vice versa during this setup process. Fountain recommends having Azure open in a browser tab and Fountain in another browser tab so you can quickly navigate back and forth between both platforms.

Azure Entra ID (OnTrac IdP) Steps

First, you must complete the following steps in Microsoft Azure:

  1. Log in to your Azure portal and navigate to Azure Active Directory (now called Microsoft Entra ID).

  2. Navigate to Enterprise applications and click +New application.

  3. Click +Create your own application.

  4. Type a name, such as Fountain SSO, and select Integrate any other application you don't find in the gallery (Non-gallery).

  5. Finally, navigate to the Single Sign-On blade and select SAML.

Exchange Metadata - Fountain to Azure Steps

Next, you'll share Fountain's details with Azure:

  1. In the Azure SAML set up screen, locate the Basic SAML Configuration section and click Edit.

  2. Navigate to the Fountain browser tab and click your company logo in the bottom left side panel. Then click Settings.

  3. In the Users section, click the User Access & Security link.

  4. Click Start under the User Single Sign-on (SSO) section.

  5. Copy the SP Entity ID for Fountain.

  6. Navigate back to the Azure tab and paste the Fountain SP Entity ID into the Identifier (Entity ID) field.

  7. Navigate back to the Fountain tab and copy the ACS URL.

  8. Navigate back to the Azure tab and paste the ACS URL into the Reply URL (Assertion Consumer Service URL) field.

  9. Click Save in Azure.

Exchange Metadata - Azure to Fountain Steps

Finally, you'll share Azure's details with Fountain:

  1. In the Azure SAML setup screen, navigate to the SAML Certificates section.

  2. Copy the Login URL from Azure.

  3. Navigate to the Fountain browser tab and click the Enable toggle to on. This will allow you to paste into the fields on the Right.

  4. Paste the Login URL into the Login URL field.

  5. Navigate back to the Azure browser tab and copy the Azure AD Identifier.

  6. Navigate back to the Fountain browser tab and paste the Azure AD Identifier into the IdP Entity ID field.

  7. Navigate back to the Azure browser tab and download the Certificate (Base64).

  8. Open the .cer file with a plain text editor (like Notepad or TextEdit).

  9. Copy the entire block of text, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

  10. Navigate back to the Fountain browser tab and paste the entire block of text into the Certificate field.

  11. Click Save in Fountain.

Important Note:

After you click Save, all users will be forced to log in via Azure Entra ID. If you have issues after testing, click the Enabled toggle to off to allow users to log in.

Assign Users and Test

Next, you'll assign users in Azure and test SSO:

  1. In your newly set up Fountain SSO application in Azure, navigate to the Users and groups blade and assign a test user.

  2. In Azure's SAML settings, check the User Attributes & Claims.

    1. The Unique User Identifier (NameID) must be the value that Fountain expects to receive. This value is typically the user's email address, such as user.userprincipalname or user.mail in Azure.

  3. Open a new incognito or private browser window.

  4. Go to https://employer.fountain.com.

  5. Attempt to log in. You should be redirected to the Microsoft login page.

  6. Sign in as the test user you just assigned in Azure. If the configuration is correct, you will successfully log in to Fountain.

Once enabled, all users will log in via Azure Entra ID. Fountain will automatically redirect the user to the Azure Login URL. Azure will then ask the user to sign in (if they aren't already). After successful authentication, Azure will send a SAML "assertion" (a secure XML packet) back to Fountain's ACS URL. Fountain will verify this assertion using Azure's Certificate and, upon success, log the user in.

If you run into issues or need assistance with setup, reach out to your Fountain Customer Success contact or [email protected].

Did this answer your question?