Prerequisites for SAML v2.0 and OAuth2 SSO configuration

Last Updated: Jun 10, 2026

SAML v2.0

Before configuring SSO authentication on Avaya Aura® Device Services, gather the following information and configure an SSO application on the identity provider that you are planning to use:

  • In a cluster deployment, if Avaya Aura® Device Services nodes are located in multiple data centers, ensure that port 7600 is open in the data centers for subnets where cluster nodes are deployed.

  • Determine the attribute names that the identity provider sends in SAML responses for the following:

    • First name

    • Last name

    • Email address

    • Group/Role indicator

  • Configure the NameID format. Avaya Aura® Device Services uses the emailAddress format for NameID.

  • Ensure that the identity provider supports the Service Provider-initiated (SP-initiated) flow and that this flow is enabled and configured on the identity provider.

  • Configure an SSO application on the third-party identity provider’s side.

  • Obtain the SAML v2.0 identity provider’s IDPSSODescriptor metadata file.

    You can obtain this file from the third-party identity provider.

    You must import this metadata file into Keycloak when enabling SSO authentication support on Avaya Aura® Device Services or after Avaya Aura® Device Services is installed.

  • Obtain the SPSSODescriptor metadata file.

    You can obtain this file from the following URL after the identity provider is added to Keycloak:

    https://<AADS FQDN>:<AADS PORT>/auth/realms/SolutionRealm/broker/<SAML V2 PROVIDER NAME>/endpoint/descriptor

    For example, if the Avaya Aura® Device Services front-end FQDN is aads.company.com, the AADS front-end port is the default port 443, and you created a SAML v2.0 identity provider on Keycloak with the name mySAMLProvider, then the URL for retrieving the SPSSODescriptor file is:

    https://aads.company.com/auth/realms/SolutionRealm/broker/mySAMLProvider/endpoint/descriptor

    You can also obtain this file from the Keycloak administration portal.

    Important:

    If you download the SPSSODescriptor metadata file from the Keycloak administration portal, you must replace port 8445 with the Avaya Aura® Device Services front-end port in the following entries in the metadata file:

    • <AADS_FQDN>:8445/auth/realms/SolutionRealm
    • <AADS_FQDN>:8445/auth/realms/SolutionRealm/broker/<IDP_ALIAS>/endpoint

    In these entries, AADS_FQDN is the Avaya Aura® Device Services FQDN and IDP_ALIAS is the identity provider alias.

    The default front-end port is 443.
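The port substitution from the Important note, followed by a check of the result, as an added example that is not Avaya or Keycloak tooling. The function names and the sample metadata are constructed for illustration, and the front-end port is written into the URLs explicitly (":443"), which is an assumption about the form the identity provider should receive.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REALM_PATH = "/auth/realms/SolutionRealm"
ADMIN_PORT = "8445"

# Constructed sample of metadata downloaded from the Keycloak administration portal.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://aads.company.com:8445/auth/realms/SolutionRealm">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://aads.company.com:8445/auth/realms/SolutionRealm/broker/mySAMLProvider/endpoint"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://aads.company.com:8445/auth/realms/SolutionRealm/broker/mySAMLProvider/endpoint"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def fix_sp_metadata(xml_text, aads_fqdn, front_end_port=443):
    """Replace :8445 with the front-end port, only where the realm path follows."""
    pattern = re.compile(
        re.escape(aads_fqdn) + ":" + ADMIN_PORT + "(?=" + re.escape(REALM_PATH) + ")"
    )
    return pattern.subn(lambda m: f"{aads_fqdn}:{front_end_port}", xml_text)


def check_sp_metadata(xml_text, aads_fqdn):
    """Return a list of problems that would break SSO once the file is uploaded."""
    root = ET.fromstring(xml_text)
    problems = []
    urls = [root.get("entityID", "")]
    urls += [el.get("Location") for el in root.iter() if el.get("Location")]
    for url in urls:
        if f"{aads_fqdn}:{ADMIN_PORT}/" in url:
            problems.append(f"still points at port {ADMIN_PORT}: {url}")
    if next(root.iter(f"{{{MD_NS}}}SPSSODescriptor"), None) is None:
        problems.append("no SPSSODescriptor element")
    formats = [el.text.strip() for el in root.iter(f"{{{MD_NS}}}NameIDFormat") if el.text]
    if not any(f.endswith(":nameid-format:emailAddress") for f in formats):
        problems.append("emailAddress NameID format not advertised")
    return problems


if __name__ == "__main__":
    fixed, count = fix_sp_metadata(SAMPLE, "aads.company.com", 443)
    print(f"{count} URL(s) rewritten; problems: {check_sp_metadata(fixed, 'aads.company.com')}")
```

Run the check on the edited file before uploading it to the identity provider; an empty problem list means the entity ID and every endpoint Location use the front-end port.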

OAuth2

Currently, Avaya Aura® Device Services only supports the Office 365 OAuth2 identity provider.

  • Determine the attribute names that the identity provider sends in OAuth2 token responses for the following:

    • First Name

    • Last Name

    • Email Address

    • Client ID

    • Client Secret

  • Add and configure an application for SSO purposes on the Microsoft Azure portal.