Azure Integration

Prerequisites

In order to configure Azure SSO integration with Metro Retro you will need:
  • Admin access to your Metro Retro account.
  • Admin access to your Azure portal (with permission to add Enterprise Applications).
  • One or more authorized domains added to your Metro Retro account (see end of article).
  • A note of your organization's Metro Retro Account ID.

How to find your Metro Retro Account ID

Before you begin, you will need your organization's 12-character Metro Retro Account ID. You can find this under the management menu within Metro Retro: https://metroretro.io/manage
[Screenshot: Metro Retro Account ID]

Integration Setup

From within the Azure portal, search for and select Enterprise Applications from the resources palette, click New Application and then Create your own application. Set the name as Metro Retro and select Integrate any other application you don't find in the gallery if not already selected.
Click Create.
Select Single sign-on from the left menu (or getting started quick link) and select SAML as the sign-in method.
Under Basic SAML configuration, enter your Metro Retro Account ID number as the Identifier (Entity ID) and set the Reply URL to https://metroretro.io/login/saml. Leave all other fields in this section blank.
[Screenshot: SAML Settings]
Leave the default User Attributes & Claims settings, as per the screenshot above. If the defaults are different or you have changed them, please set them as above.
Next, download the Base64 encoded Certificate file from Section 3. Make a note of the Login URL and Azure AD Identifier from Section 4. We will need all these values to configure the Metro Retro side of the integration.
[Screenshot: The data we need from Azure]
Go to your Metro Retro account administration screen and navigate to Single Sign-On. Map the values from Azure to Metro Retro like so:
  • Entry Point = Login URL
  • Issuer = Azure AD Identifier
  • Certificate = Text content of the Base64 certificate file
[Screenshot: Example configuration within Metro Retro]
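The three mapped values can be sanity-checked locally before saving. The Python below is an added example, not Metro Retro or Microsoft code. It assumes the certificate is pasted with its BEGIN/END lines and that the thumbprint Azure displays for the signing certificate is the SHA-1 of its DER bytes; all sample values are constructed placeholders.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_thumbprint(pem_text):
    """SHA-1 over the DER bytes of the single certificate in pem_text, uppercase hex."""
    bodies = PEM_RE.findall(pem_text)
    if len(bodies) != 1:
        raise ValueError(f"expected one BEGIN/END CERTIFICATE block, found {len(bodies)}")
    der = base64.b64decode("".join(bodies[0].split()), validate=True)
    if not der.startswith(b"\x30"):  # DER-encoded X.509 starts with an ASN.1 SEQUENCE
        raise ValueError("decoded certificate is not DER data")
    return hashlib.sha1(der).hexdigest().upper()

def check_sso_values(account_id, entry_point, issuer, certificate):
    """Return (problems, thumbprint) for the values about to be saved."""
    problems = []
    if len(account_id) != 12:
        problems.append("Account ID is not 12 characters")
    for name, value in (("Entry Point", entry_point), ("Issuer", issuer)):
        if not value or value != value.strip():
            problems.append(f"{name} is empty or has stray whitespace")
    url = urlparse(entry_point.strip())
    if url.scheme != "https" or not url.netloc:
        problems.append("Entry Point is not an https URL")
    if issuer.strip() == entry_point.strip():
        problems.append("Issuer and Entry Point are identical; one was pasted twice")
    thumbprint = None
    try:
        thumbprint = cert_thumbprint(certificate)
    except ValueError as exc:  # binascii.Error from b64decode is a ValueError
        problems.append(f"Certificate: {exc}")
    return problems, thumbprint

# Constructed sample values: placeholders, not a real tenant or a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x00"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE = ("ABCDEFGH1234", "https://login.example.com/tenant-id/saml2",
          "https://sts.example.com/tenant-id/", SAMPLE_PEM)

if __name__ == "__main__":
    problems, thumbprint = check_sso_values(*SAMPLE)
    print("thumbprint:", thumbprint)
    print("\n".join(problems) or "no problems found")
```

Compare the printed thumbprint with the one shown for the SAML signing certificate in Azure to confirm the pasted text is the certificate you downloaded.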
Once added, click Save Configuration. We recommend leaving the "Restrict login" setting off until you are sure all your team members are able to log in via SSO, otherwise it may block their access.
If you have not already had your authorized domains configured by a Metro Retro team member, please contact us on Intercom or at [email protected] to set these up. The domains should include all domains that your team will log in from.
Authorized domains allow us to redirect users from Metro Retro to your SSO Identity Provider if they log in directly via our login interface rather than going via your service portal. They are not required, but recommended.