This guide will show you how to create and configure an Azure Active Directory SAML application to enable Single Sign-On for Doppler.
SAML SSO requires a Standard subscription
Want to try it out first? Start a free 30-day trial.
- Doppler Standard subscription
- Domain Verified (Settings page)
- Azure role with permissions to create enterprise applications: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
Go to the Azure Active Directory console
Select Enterprise applications from the left menu.
In the Enterprise applications pane, select New application.
From the Browse Azure AD Gallery page, click Create your own application.
Give the application a name of your choosing such as Doppler SAML. Then click Create.
From the Enterprise applications page, click on the Doppler SAML application from the provided list.
Click on Properties from the left menu. Set the logo for the application by uploading the image below, then
Next, we'll begin configuring the SAML application. Click Overview from the left menu. then select Get started from the 2. Set up single sign on section.
Select SAML as the single sign-on method.
If a Test single sign-on prompt appears, click No, I'll test later as we're not yet ready to test.
Scroll down to the SAML Signing Certificate section and click the Download link for the Federation Metadata XML which we'll then upload into Doppler.
In a separate window, go to the Doppler dashboard and from the menu click Teams, then select the SSO tab from the top menu.
Paste in the contents of the downloaded XML file, select the domain and the default level of access, then click Save.
The Access Level controls the initial permissions a user will receive when their account is created. We recommend keeping it at Collaborator access to follow the principle of least privilege.
Once saved, copy the SSO URL as we'll need when configuring the SAML application in Azure.
Switch back to your previous Azure browser tab and navigate to the Single sign-on section, then click Edit from the Basic SAML Configuration section.
Then populate the form with the following values:
Identifier (Entity ID)
Sign on URL
Doppler SSO URL
The domain selected in Doppler
The form should then look similar to the following. Then click Save.
Now we need to configure the data sent to Doppler by the SAML application.
From the Setup Single Sign-On page, click Edit from the User Attributes & Claims section.
Click on the emailaddress claim to edit its properties.
Change the Name to email and delete the value for Namespace.
If the Email field for your users in Active Directory is not used, change the Source attribute to user.userprincipalname.
Then click Save.
Next, delete the user.givenname claim.
Then select the name claim.
Delete the value for Namespace and change the Source attribute to user.displayName.
If the Name (user.displayName) field for your users is not set because only First Name and LastName are populated, you'll need to create a Transform to join these two fields together.
Click the Save button to apply the changes for the name claim.
Finally, delete the surname claim.
The completed result should look like the following.
With the app configured, you're now ready to test!
We highly recommend testing with a different account in case an error is encountered which could lock you out of Doppler.
Once a test user has been created and assigned to the Doppler SAML application, click the Test this application button to bring up the testing panel.
Then click Sign in as someone else.
Once you've signed into Azure as the test user, the test will be performed.
If an error occurs, contact us using our in-product support or email [email protected], pasting into the email the error response, as well as the contents of the Download the SAML request link (don't attach the XML file as Intercom prevents the viewing of XML files).
If during testing you are presented with a Doppler error page, also paste in the Request Id shown on that page so we can look up the error on our end.
If the test was successful, great job! You're now ready to start assigning users to the Doppler SAML application.
Assigning users to the Doppler SAML application and adjusting Self-Service options such as the ability to request access and whether approval is required is the next step but is beyond the scope of this tutorial as each organization will handle things differently.
Check out Azure's guide on application user assignment.
Now that your Active Directory users can sign into Doppler via SAML SSO, the final step is to assign access to Projects in Doppler.
Navigate to a Doppler project and click on Members.
Then search for and select the user(s) and click Add.
Once the user has been added to the project, select which environments they can access.
You've successfully created an Azure Active Directory SAML application for signing into Doppler using SSO and assigned them access to a Doppler project.
Updated 10 days ago