How to set Microsoft Entra ID with Single-Sign-On by SAML


You can also refer to Microsoft’s official tutorial, "Azure AD SSO integration with BenQ IAM".

Prerequisites

  1. A Microsoft Entra ID subscription.
  2. A BenQ IAM administrator account. Please follow the normal steps to register a BenQ IAM admin account.

Add BenQ IAM as enterprise application

To configure the integration of BenQ IAM into Microsoft Entra ID, you need to add BenQ IAM from the Microsoft Entra Gallery to your list of managed SaaS apps.

  1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
  2. On the left navigation pane, select the Microsoft Entra ID service.
  3. Navigate to Enterprise Applications and then select All Applications.
  4. To add a new application, select New application.
  5. In the Microsoft Entra Gallery section, type BenQ IAM in the search box.
  6. Select BenQ IAM from the results panel and then add the app. Wait a few seconds while the app is added to your application list.

Configure Microsoft Entra ID SSO

Follow these steps to enable Microsoft Entra ID SSO in the Azure portal and BenQ IAM.

  1. In the Azure portal, on the BenQ IAM application integration page, find the Manage section and select Single sign-on.
  2. On the Select a single sign-on method page, select SAML.
  3. Click the pencil icon for Attributes & Claims to edit the attributes.
  4. Add new claims for firstName and lastName.
  5. Enter firstName in the Name field and set the source attribute to user.givenname.
  6. Enter lastName in the Name field and set the source attribute to user.surname.
  7. Remember to click the “Save” button to complete the change.

In the Basic SAML Configuration section, perform the following steps:

  1. Log in to BenQ IAM with a BenQ admin account and click SSO Setting in the Account Management section.
  2. Select SSO by SAML as the SSO Setting in the pop-up.
  3. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.
  4. Copy the required information between the two portals:
    • In the Set up BenQ IAM section, type a name that represents your organization in the Organization Unit text box.
    • Copy the Login URL from the Azure portal and paste it into the login/SSO URL text box in BenQ IAM.
    • Copy the Azure AD Identifier from the Azure portal and paste it into the Identifier/Entity ID text box in BenQ IAM.
    • On the Set up single sign-on with SAML page of the Azure portal, in the SAML Signing Certificate section, find Certificate (Base64) and select Download to save the certificate on your computer. Open the Certificate (Base64) file, copy its contents and paste them into the Certificate (Base64) text box in BenQ IAM.
    • Copy the Identifier URL from BenQ IAM and paste it into the Identifier text box in the Azure portal.
    • Copy the Reply URL from BenQ IAM and paste it into the Reply URL text box in the Azure portal.
    • In the Logout URL text box in the Azure portal, type the following URL: https://service-portal.benq.com/logout
    • After completing the settings above, click Save in BenQ IAM.
    • BenQ IAM will show the success message as in the image below. You can then go on to configure BenQ IAM for automatic user provisioning.
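
To confirm the claims and URLs configured above after a test login, the following added example (not code from BenQ or Microsoft) decodes a SAMLResponse and reports mismatches. The entity ID, reply URL and sample response are constructed placeholders, and the function names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed placeholders, not real tenant or BenQ IAM values.
IDP_ENTITY_ID = "https://idp.example.invalid/00000000-0000-0000-0000-000000000000/"
SP_REPLY_URL = "https://sp.example.invalid/saml/acs"
REQUIRED_CLAIMS = ("firstName", "lastName")  # claim names configured above


def check_saml_response(b64_response, entity_id, reply_url):
    """List configuration problems in a SAMLResponse captured from a test login.

    Configuration check only: the XML signature is NOT verified here.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != reply_url:
        problems.append("Destination does not match the Reply URL")
    issuer = root.findtext("saml:Assertion/saml:Issuer", default="", namespaces=NS)
    if issuer.strip() != entity_id:
        problems.append("Issuer does not match the Identifier/Entity ID")
    claims = {}
    path = "saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = [v for v in values if v]
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"claim {name} is missing or empty")
    return problems


def sample_response(attributes):
    """Build a constructed, unsigned SAMLResponse (base64) for the demo."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        "</saml:Attribute>" for n, v in attributes.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{SP_REPLY_URL}"><saml:Assertion>'
           f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
           f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
           "</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(check_saml_response(sample_response({"firstName": "Ada"}),
                              IDP_ENTITY_ID, SP_REPLY_URL))
```

An empty list means the Destination, Issuer and both name claims match the values entered in the two portals.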

Continue with the next section to configure BenQ IAM for automatic user provisioning.

Configure BenQ IAM for automatic user provisioning


You can also refer to Microsoft’s official tutorial, "Configure BenQ IAM for automatic user provisioning".

  1. Continue from the result of the How to set Microsoft Entra ID with Single-Sign-On chapter. In the success message window of BenQ IAM, click Create Token.

  2. Copy the token and keep it safe; it will be used in the Azure portal later.

  3. Back in the Azure portal, on the BenQ IAM application integration page, find the Manage section and select Provisioning.

  4. Set the Provisioning Mode to Automatic.

  5. Under the Admin Credentials section, enter the following URL as the Tenant URL: https://service-portal.benq.com/api/scim/v2

  6. For the Secret Token, enter the token that was generated in step 1.

  7. In the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications and select the Send an email notification when a failure occurs check box.

  8. Select Save.

Mapping the attributes for provisioning

To ensure that Microsoft Entra ID data is displayed correctly in IAM, map the attributes according to the steps below:

  1. Enable the capability to edit the list of supported attributes by navigating to the following URL: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true
  2. Go to the BenQ IAM application overview and click “Provision User Accounts”.
  3. Click “Attribute mapping”.
  4. Click “Provision Microsoft Entra ID Users” under the “Mappings” section.

  5. Scroll down the page to find the “Show advanced options” check box and select it; the advanced options will appear. Click “Edit attribute list for BenQIAM”.
  6. Add the name.givenName and name.familyName columns and set their type to String. Select the check box to mark them as Required columns, then click Save.
  7. After saving, you will be taken to the Attribute Mapping page. Now you can click “Add New Mapping”.
  8. Now you can associate the source attribute with the target attribute.
    Select givenName as the source attribute and name.givenName as the target attribute.
    Repeat step 6. Select surname as the source attribute and name.familyName as the target attribute.

  9. Check the attribute mapping table again and click “Save” to complete the mappings.
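
The effect of the two mappings above on the SCIM payload can be previewed with the following added example (not code from BenQ or Microsoft). It applies the mapping table to directory records and flags users whose required name attributes would be empty; the userName mapping, the sample users and the function names are assumptions.

```python
# Source attribute -> SCIM target path. The two name.* rows are the mappings
# added in the steps above; the userName row is an assumption for this demo.
MAPPINGS = {
    "userPrincipalName": "userName",
    "givenName": "name.givenName",
    "surname": "name.familyName",
}
REQUIRED_TARGETS = ("name.givenName", "name.familyName")  # marked Required above
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed directory records, not real accounts.
SAMPLE_USERS = [
    {"userPrincipalName": "ada@example.invalid", "givenName": "Ada", "surname": "Lovelace"},
    {"userPrincipalName": "svc-print@example.invalid", "givenName": "Print", "surname": ""},
]


def set_path(resource, dotted, value):
    """Store value under a dotted SCIM path such as name.givenName."""
    *parents, leaf = dotted.split(".")
    node = resource
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value


def get_path(resource, dotted):
    """Read a dotted SCIM path; return None when any level is absent."""
    node = resource
    for key in dotted.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node


def build_scim_user(directory_user):
    """Apply MAPPINGS to one record; return (SCIM resource, missing targets)."""
    resource = {"schemas": [SCIM_USER_SCHEMA]}
    for source, target in MAPPINGS.items():
        value = directory_user.get(source)
        if value:  # empty source attributes are left out of the payload
            set_path(resource, target, value)
    missing = [t for t in REQUIRED_TARGETS if get_path(resource, t) is None]
    return resource, missing


def audit(users):
    """Map each userPrincipalName to the required targets it cannot fill."""
    return {u["userPrincipalName"]: build_scim_user(u)[1] for u in users}
```

Running `audit` over a directory export before enabling provisioning shows which accounts, such as service accounts without a surname, lack a value for a column marked Required.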

How to set Google Workspace with Single-Sign-On by SAML


Prerequisites

  1. A Google Workspace subscription.
  2. A BenQ IAM administrator account. Please follow the normal steps to register a BenQ IAM admin account.

Configure Google Workspace SSO

Follow these steps to enable Google Workspace SSO in Google Workspace and BenQ IAM.

  1. Visit Google Workspace > Google Admin (https://admin.google.com/).
  2. Under Apps > Overview, select the Web and mobile apps section.
  3. Select Add App > Add custom SAML app.
  4. Type BenQ IAM in the App name text box, then click CONTINUE.
  5. In the Google Identity Provider details section, choose Option 2 for the SSO integration and perform the following steps:
    • Log in to BenQ IAM with a BenQ admin account and click SSO Setting in the Account Management section.
    • Select SSO by SAML as the SSO Setting in the pop-up.
    • In the Set up BenQ IAM section, type a name that represents your organization in the Organization Unit text box.
    • Copy the SSO URL from Google Workspace and paste it into the login/SSO URL text box in BenQ IAM.
    • Copy the Entity ID from Google Workspace and paste it into the Identifier/Entity ID text box in BenQ IAM.
    • Copy the Certificate from Google Workspace and paste it into the Certificate (Base64) text box in BenQ IAM.
    • Click Continue in Google Workspace.
  6. In the Service provider details section:
    • Copy the Identifier URL from BenQ IAM and paste it into the Entity ID box in Google Workspace.
    • Copy the Reply URL from BenQ IAM and paste it into the ACS URL box in Google Workspace.
  7. In the Attribute mapping section, some attributes need to be mapped.
    • Choose the Google Directory attributes and map them to the App attributes as shown in the table below.
    • If you need to map group attributes to BenQ IAM, choose the Google groups you want to propagate to BenQ IAM and map them to groups. (Optional)
    • Then, click FINISH.
  8. The SSO integration with Google Workspace is now set up. Make sure the users in your directory have permission to log in to BenQ IAM by checking the User access section in Google Workspace. You can grant access by organizational unit, group or individual, which ensures that only authorized users can log in to BenQ boards and services.
  9. If new groups need to be propagated to BenQ IAM, go to the SAML attribute mapping section and add the Google groups in Google membership.

How to set up ClassLink with Single-Sign-On?

Prerequisites

  • A ClassLink subscription.
  • A BenQ IAM administrator account. Please follow the normal steps to register a BenQ IAM admin account.

Configure ClassLink SSO

Follow these steps to enable ClassLink SSO in ClassLink and BenQ.

  1. Log in to BenQ IAM with a BenQ admin account and click SSO Setting in the Account Management section.
  2. Select SSO by ClassLink as the SSO Setting in the pop-up.
  3. Configure the default user role for imported accounts.
  4. Then, click Next to go to the ClassLink login page.
  5. Log in to your ClassLink account.

How to set up ClassLink SSO OneRoster connection?

  1. Go to https://launchpad.classlink.com/ and log in with an administrator account.
    In the Roster Server management console > Add New App, search for BenQ IAM and add it.
  2. Find the information needed to complete the setup in BenQ SSO.
    These are the Client ID and Client Secret.
    Under Applications > BenQ IAM > API, you can find the Key (Client ID) and Secret (Client Secret).
  3. In the SSO setting for ClassLink, you can enable the OneRoster connection as shown below.
    Fill in the Client ID and Client Secret to complete the OneRoster configuration.
  4. BenQ IAM will show the message below; click Sync now to start syncing users.
  5. Once you see the dialog below, the sync task is queued and will run in the background. You can close the dialog by clicking the X button in the top right corner and continue with other management tasks.
  6. Revisit this dialog later by going to SSO setting > ClassLink as shown below:
  7. The sync status will be displayed as shown below:

How to set Google Workspace with Single-Sign-On and user auto-provisioning

Prerequisites

  • A Google Workspace subscription.
  • A BenQ IAM administrator account. Please follow the normal steps to register a BenQ IAM admin account.

Configure Google Workspace SSO

Follow these steps to enable Google Workspace SSO in BenQ.

  1. Log in to BenQ IAM with a BenQ admin account and click SSO Setting in the Account Management section.
  2. Select Google Workspace Settings in the pop-up.
  3. Log in to or choose your Google Workspace administrator account.
  4. Click Allow to grant the access.
  5. Click Set up under Import account settings. This setting lets you sync the domain you prefer and import all accounts or specific groups from Google Workspace. By default, BenQ IAM will import all accounts from the primary domain. If you are satisfied with the default settings, you can skip to step 9.
  6. You can choose the domain you want and select either Import all accounts or Import by group.
  7. If you select Import by group, enter and add the group email you want, as listed in the Google Admin Console.
  8. Click Apply.
  9. Enable Automatic synchronization to activate user auto-provisioning from your Google Workspace directory.
  10. Click Sync now to finish the settings.

How to set up Clever with Single-Sign-On

Prerequisites

  • A Clever subscription, user account and password.
  • District ID / School Name or School ID for your organization.

Configure Clever SSO

Follow these steps to enable Clever SSO in BenQ.

  1. Log in to BenQ IAM with a BenQ admin account and click SSO Setting in the Account Management section.
  2. Select Clever as the SSO Setting in the pop-up.
  3. Fill in your Clever District ID, set the default BenQ service role, then click Save.
  4. BenQ IAM will display a success toast message with a confirmation dialog as shown below: