How do I set up automatic user provisioning and Single Sign-On?
This guide will help you configure Maptician with your Microsoft Azure Active Directory for automatic user provisioning and single sign-on (SSO).
- In your organization's Azure Active Directory home screen, there should be a menu option on the left side labeled "Enterprise Applications". Click this menu option.
![](https://www.maptician.com/hs-fs/hubfs/image-png-Jul-19-2022-06-56-56-54-PM.png?width=688&name=image-png-Jul-19-2022-06-56-56-54-PM.png)
- Click the button "New Application" at the top of the table seen below.
![](https://www.maptician.com/hs-fs/hubfs/image-png-Jul-19-2022-06-57-36-67-PM.png?width=688&name=image-png-Jul-19-2022-06-57-36-67-PM.png)
- In the search application box, type "Maptician" and the application should appear in the list of results. Click on the Maptician application to open the application properties window.
- At the bottom of the application properties window, click the Create button to add the Maptician application.
![](https://www.maptician.com/hubfs/image-png-Jul-19-2022-07-25-38-41-PM.png)
- This will bring you to the screen below, which is your interface between Maptician and Azure Active Directory.
- The following steps can be taken in any order, but we will start with assigning users.
![](https://www.maptician.com/hubfs/image-png-Jul-19-2022-07-26-36-95-PM.png)
- You must assign users or groups of users to the application before they will be granted access by Microsoft to use Single Sign-On and be eligible for provisioning. Clicking on the "Add User" button will bring up a series of steps that depend on your Active Directory configuration, but are generally as simple as selecting individuals or groups that should be granted access to Maptician. After adding the users, click the "Single sign-on" menu option at the left of the screen.
![](https://www.maptician.com/hubfs/image-png-Jul-19-2022-07-27-59-06-PM.png)
- Here we will configure Maptician to be accessible through SAML-based single sign-on using employees' Office 365 profiles. This does not provide Maptician with access to profile data or confidential credential information.
- Setting up single sign-on is an optional step, though highly recommended to streamline access and reduce the security implications of users managing one more password.
- Select the SAML option below. Here we will configure the SAML endpoints for SSO access. The endpoints shown below are for a demo Maptician environment. Your endpoints will have the following structure:
https://[your subdomain].maptician.com/saml/
![](https://www.maptician.com/hubfs/image-png-Jul-19-2022-07-28-58-69-PM.png)
- After the "Basic SAML Configuration" URLs have been set, use the copy button to copy the "App Federation Metadata URL". This URL provides Maptician with the information to securely communicate with this environment. It needs to be sent to support@maptician.com or to your Maptician technical point of contact. Alternatively, if you are configuring the SSO on your own, you can add the App Federation Metadata URL to your Maptician environment by following Step 8c.
- If you are configuring SSO on your own, below is where you would enter the App Federation Metadata URL from the step above. The SSO settings are located in your Maptician environment under Settings > Environment > Single Sign-on (SSO).
- Set the SSO provider to Microsoft Azure AD and paste your App Federation Metadata URL into the SAML Metadata URL field.
- Optional: To restrict users to SSO-only logins, check the box for "Restrict Users to SSO Logins".
- When done, click the green Save Changes button.
![](https://www.maptician.com/hs-fs/hubfs/image-png-Jul-19-2022-07-31-28-99-PM.png?width=428&name=image-png-Jul-19-2022-07-31-28-99-PM.png)
- If step 8c has been completed, you can test the connectivity using the test feature below, or you can simply go to the standard Maptician login screen:
https://[your subdomain].maptician.com
and you should now see an SSO login button at the bottom of the login form after the username/password fields.
- A successful login will immediately route you to your Maptician environment's home screen with your associated profile. To log in, your Active Directory email address and Maptician profile email address must match.
![](https://www.maptician.com/hubfs/image-png-Jul-19-2022-07-32-40-19-PM.png)
- After adding users and configuring single sign-on, you can select the "Provisioning" menu option on the left of the screen and then press "Get Started" in the resulting screen.
![](https://www.maptician.com/hubfs/image-png-Jul-19-2022-07-32-53-40-PM.png)
- Change the provisioning mode from Manual to "Automatic" and set the "Tenant URL" to
https://[your subdomain].Maptician.com/scim/v2/
The Secret Token will be provided to you by your Maptician technical contact. This is a unique value that allows Microsoft to securely connect with Maptician. You will need to press the "Test Connection" button before the screen will allow you to save the configuration settings.
![](https://www.maptician.com/hubfs/image-png-Jul-19-2022-07-33-17-21-PM.png)
- Further down on the same screen as step 11, once you have tested the connection you should be able to set the "Provisioning Status" selector to "On" and save the changes at the top of the screen.
- Microsoft runs provisioning syncs every 40 minutes, so it may take that long to see the initial users provisioned into the system.
![](https://www.maptician.com/hs-fs/hubfs/image-png-Jul-19-2022-07-33-49-53-PM.png?width=523&name=image-png-Jul-19-2022-07-33-49-53-PM.png)
Maptician is now fully configured for single sign-on and automatic provisioning.
In the Properties menu for the application, you can review the overall configurations for your app. They should be similar to those seen below but with different ID values.
![](https://www.maptician.com/hubfs/image-png-Jul-19-2022-07-34-16-76-PM.png)