Azure Single Sign-On for Excel Add-in

Single Sign-On (SSO) adds more security and convenience when signing on to SEI Excel Add-in using Azure Active Directory (Azure AD).

This topic describes how to set up Azure with the SEI Excel Add-in.

Configuring the Azure Domain

You must first configure the Azure Domain, as this is the platform from which we retrieve the data required to correctly set up Excel Add-in.

1. In your Web browser, go to https://portal.azure.com/ and enter your login credentials (if required).

2. In the left menu, click on Enterprise Applications.
   

   

3. In the upper bar, click on + New application.

   

4. Under the Add your own app section, select Non-gallery application.
   

   

5. In the Name field, enter a name for your application and click Add.
   

   

6. Under the Getting Started section, select 2. Set up single sign on.
   

   

7. Select SAML for the single sign-on method.
   

   

Although there are 5 sections for the SAML SSO method, you only need to set the parameters in these sections:

• Basic SAML Configuration
• User Attributes & Claims

Basic SAML Configuration

1. In the upper-right corner, click the pencil to edit the parameters in the Basic SAML Configuration section.
   

   

2. In the Identifier (Entity ID) field, enter https://exceladdin/ followed by a Unique Identifier for your Azure Domain.

3. In the Reply URL (Assertion Consumer Service URL) field, enter the value exactly as follows: https://exceladdin

   Example

   Here, we enter ssoaddin to define the Unique Identifier for the Azure Domain.
   

   

4. Click Save to apply changes.

5. In the left menu, under the Manage section, click Users and groups.
   

   

6. In the upper bar, click + Add user to authorize users and groups to use SSO.
   

   

   This completes the basic SAML configuration.

User Attributes & Claims

The installation package for the configuration of the SEI Excel Add-in application automatically fills in the ssoNameAttribute parameter with the USERNAME attribute by default.

For the Azure Domain, you can replace this value with one of the attributes listed in the User Attributes & Claims section.

If you want to use the mailnickname attribute (because you want to choose the part of the email address before the @ sign), you will have to create it, since this attribute does not exist by default in the Azure Domain.

To create the attribute:

1. In the left menu, under the Manage section, click Single Sign-On.
   

   

2. In the upper-right corner, click the pencil to edit the User Attributes & Claims section.
   

   

3. Click + Add new claim.
4. In the Name field, enter mailnickname.
5. For the Source, select Attribute.

6. In the Source attribute field, enter user.mailnickname.
   

   

7. Click Save to finish.

Configuring the SEI Excel Add-in

Retrieving the Azure Certificate

Before starting the Excel Add-in configuration, you must retrieve the certificate from Azure Domain.

To retrieve the certificate:

1. Scroll to the SAML Signing Certificate section.

2. Click Download next to the Certificate (Base64) field.
   

   

Editing the EXCEL.EXE.config file

In order to fully benefit from Azure SSO functionality, you need to edit the EXCEL.EXE.config file.

You can find this file in these locations:

Path	Office Version
C:\Program Files (x86)\Microsoft Office\OfficeXX\ OR C:\Program Files (x86)\Microsoft Office\Root\OfficeXX\	32-bit
C:\Program Files\Microsoft Office\OfficeXX\ OR C:\Program Files\Microsoft Office\Root\OfficeXX\	64-bit

If you cannot find the EXCEL.EXE.config file in these locations, perform a search in the following directories depending on the Office version you are using:

• C:\Program Files (x86)\Microsoft Office for the Office 32-bit version

• C:\Program Files\Microsoft Office for the Office 64-bit version
  

Attribute in EXCEL.EXE.config file	Value before change	Value after change	Comment
ssoMode	"None"	"Saml2"	Enable the SAML2 Single Sign-On mode
ssoSpEntityId	"https://exceladdin/SomeEntityId"	"https://exceladdin/ssoaddin"	Modify with the value entered in the Identifier (Entity ID) field according to your choice in Basic SAML Configuration
ssoSpReturnUrl	"https://exceladdin/"	"https://exceladdin/"	Should never be modified
ssoServiceAddress	"http://localhost:4504"	"http://yourserver:4504"	Modify according to your BI Service address
ssoWebURL	"http://localhost:81"	"http://yourserver:81"	Modify according to your Web Client address
ssoNameAttribute	"USERNAME"	"USERNAME"	Modify according to your choice in User Attributes & Claims
ssoDefaultCentralPoint	"\\SERVER\CentralPoint"	"\\YOURSERVER\CentralPoint"	Modify according to your Central Point shared folder path
ssoIdpEntityId	"https://stubidp.sustainsys.com/Metadata"	"https://sts.windows.net/c2c50f21-66a7-xxxx-xxxx-xxxxxxxxxxxx/"	This is the value you retrieved from the Azure AD Identifier field in the Set up BI Web Server section
ssoModeSignOnURL	"https://stubidp.sustainsys.com/"	"https://login.microsoftonline.com/c2c50f21-66a7-xxxx-xxxx-xxxxxxxxxxxx/saml2"	This is the value you retrieved from the Azure Login URL field in the Set up BI Web Server section
ssoSigningCertificateFileName	"stubidp.sustainsys.com.cer"	"BI Excel Add-In.cer"	For the Full certificate name field, enter the name of the certificate you downloaded from the Azure Domain with the .cer extension (for example: BI Excel Add-in.cer).

Steps after the Installation/Configuration

Copying the Azure Domain Certificate

• Copy the certificate you downloaded from the Azure Domain and paste it into your Office Excel folder (refer to Editing the EXCEL.EXE.config file for more details regarding the location).
  

  

Creating Users and Groups in SEI

• Refer to Users to create your Web Client. Enter the same values for User Name and ssoNameAttribute you defined during the configuration of your EXCEL.EXE.config file.

Accessing SEI Excel Add-in with Azure SSO enabled

• The first time you use Excel Add-in, you will have to enter your credentials.