BrainStorm is compatible with Microsoft Entra ID using the BrainStorm Platform SSO Application available within Microsoft's Enterprise applications. 


IMPORTANT! 

Your BrainStorm account ID is required to configure the Azure SSO App. If you do not know your BrainStorm ID, contact your BrainStorm administrator or your BrainStorm Client Success Manager.


  1. Log in to the Microsoft 365 Admin center and select Microsoft Entra ID.

  2. Select Enterprise applications.

  3. From the top, click New Application.

  4. Using the search box at the top, enter BrainStorm Platform, then click the BrainStorm Platform tile.

    NOTE:  Make sure you click the BrainStorm Platform app with the black propeller hat logo.

  5. Click Create at the bottom.

  6. Once the app is added, a new BrainStorm Overview screen appears. Click Single sign-on from the left sidebar.

  7. Select SAML as the single sign-on method.


IMPORTANT... SKIP TO THE SAML SIGNING CERTIFICATE SECTION TO COPY THE METADATA

8. In section 3 locate the Signing Certificate to access the App Federation Metadata. You have two options:

  1. (Recommended) Copy the URL (you will use this in just one moment)
    OR
  2. Click the Download link next to Federation Metadata XML
    NOTE: If you copy the URL (the first option), you won't need to update the metadata later when it expires. BrainStorm can look for and update the metadata as needed.

STOP

You will now need to go into the BrainStorm Admin portal to configure SSO there and to obtain the Provider ID, which you will need later in this process.


1. In the BrainStorm Admin portal click the account settings icon at the bottom left, then select SSO


2. Click the Add ID Provider button in the right corner

3. Name your SSO provider. This name will appear in your SSO settings

4. In the SSO Identity Provider (IdP) section, select Azure Active Directory from the drop-down list

5. In the URL section, paste the metadata URL you copied earlier, then click Insert

6. Toggle on Automatically update Metadata

7. Click NEXT

8. On the Attribute Mapping page verify attributes are correct

9. Toggle on Update user info based on mapping

10. Click Save Changes

11. Locate the Provider ID in the URL. This will be your BrainStorm SSO ID needed in your Entra ID configuration.



STOP

Now go back to your Entra ID configuration

  1. Locate Basic SAML Configuration and click Edit.

  2. Copy and paste the following entries:

    1. Identifier (Entity ID):

      urn:brainstorminc:auth:wsfed
    2. Reply URL:
      https://auth.brainstorminc.com/signin-wsfed

    3. Sign on URL:
      https://auth.brainstorminc.com/auth/wsfed?providerId=*BrainStorm_SSO_ID*

    4. IMPORTANT! Use your BrainStorm SSO ID in place of *BrainStorm_SSO_ID* above.
      Your BrainStorm SSO ID is found in the URL of the Configure page on the BrainStorm platform side of the SSO setup.
  3. Click Save at the top, then click the X to close the window.
  4. Locate User Attributes & Claims and click Edit.
  5. By default, you should see SAML token attributes for givenname, surname, emailaddress, name (UPN), title, department. Verify defaults and click Save.
  6. Click Properties and set Assignment Required to Yes or No.
    1. No (recommended): Any user in your Microsoft Entra ID tenant can access the application and authenticate.

    2. Yes: Users must be assigned to the application before they can authenticate and access.


  7. Click Save.
  8. Skip this step if you selected No for Assignment Required. If you selected Yes for Assignment Required:
    1. Click Users and groups.
    2. Click Add user/group.
    3. Click users or groups in the Add Assignment dialog.
    4. Within the dialog, search for the user/group that you wish to assign to the BrainStorm application.
    5. Select and assign the user/group to be added. Repeat as needed.

You can now test your SSO setup by logging in to the BrainStorm end user portal (https://app.brainstorminc.com).
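
An added example, not part of BrainStorm's or Microsoft's documentation: if you chose the Federation Metadata XML download in step 8, this Python sketch lists the signing certificate thumbprints in the file so you can compare them with the Thumbprint shown in the SAML Signing Certificate section before handing the file to BrainStorm. The sample XML and certificate bytes are constructed, the function names are hypothetical, and it assumes the displayed thumbprint is the uppercase hex SHA-1 of the DER certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the certificate bytes are placeholder data, not a real
# certificate, and the tenant GUID in the entityID is all zeros.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def summarize_metadata(xml_text):
    """Return (entityID, [thumbprints of signing certificates]) from federation metadata."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in federation metadata")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"unexpected root element: {root.tag}")
    thumbprints = []
    for key in root.iter(f"{{{MD}}}KeyDescriptor"):
        if key.get("use") != "signing":
            continue  # ignore encryption-only keys
        for cert in key.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            # SHA-1 is used here only as a display identifier to match the portal, not for trust.
            tp = hashlib.sha1(der).hexdigest().upper()
            if der and tp not in thumbprints:
                thumbprints.append(tp)
    if not thumbprints:
        raise ValueError("no signing certificate found in metadata")
    return root.get("entityID"), thumbprints


def check_metadata(xml_text, expected_thumbprint):
    """True only if the expected thumbprint is among the metadata's signing certificates."""
    _, thumbprints = summarize_metadata(xml_text)
    return expected_thumbprint.replace(" ", "").upper() in thumbprints
```

A mismatch, or a file with no signing certificate, means the download is not the metadata for the application you configured and should not be used.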