Single Sign-On (SSO) is an Enterprise-level feature that authenticates users through your organization's user directory. This provides added security and ensures users do not have to maintain separate LobbyGov usernames and passwords. This is typically configured by IT staff within your organization. Please contact firstname.lastname@example.org with questions or if you'd like to schedule a meeting to walk through the configuration process.
Step 1: Log in to your LobbyGov account using the primary account login or a login with "Super User" level access. Visit https://portal.lobbygov.com/ to log in.
Step 2: Go to Account Settings > Subusers & Sharing. On this page, click the SAML Configuration tab. If you do not see this tab, it means your account does not have SSO/SAML authorized or there is another issue. Please contact email@example.com.
Step 3: Check the Saml Enabled checkbox.
Step 4: Enter a value in the Idp Name box. We typically use "LobbyGov SSO".
Step 5: Scroll down and click the Save button. This will enable SSO on your account. The page will reload and provide additional information you will need to configure on the Microsoft/Azure side. You should see a value in the ID field and a value in the Idp Meta Data field.
Step 6: Go to your Microsoft Azure configuration portal. Then click Microsoft Entra ID.
Step 7: Click the + Add button near the top of the window and then select Enterprise application from the menu that appears.
Step 8: Click + Create your own application. A window will appear that asks for the name of the app and what you are looking to do with the application. Enter LobbyGov SSO (or some other name you prefer) into the first field and make sure "Integrate any other application..." is selected. Then click Create.
Step 9: The new application should appear. Click "2. Set up single sign on", then click "SAML" on the next page that appears.
Step 10: We now need to set some of the required fields under "Basic SAML Configuration". Click the Edit link in the upper right of the box.
Step 11: After you click Edit, a Basic SAML Configuration window will appear.
Go back to the LobbyGov SAML Configuration tab from Step 3 above (use a different browser window) and look for the Idp Meta Data field value. Copy that full URL (something like https://portal.lobbygov.com/saml/metadata/####) into the Identifier (Entity ID) field.
Then enter "https://portal.lobbygov.com/saml/acs/" followed by the 4-digit ID number listed in the ID field on the LobbyGov SAML Configuration tab. So it should look something like "https://portal.lobbygov.com/saml/acs/5555".
Then click "Save" at the upper left of the window. After it saves successfully, click the X in the upper right corner of the window.
Step 12: Now we need to copy several pieces of information from the Entra ID application page into the LobbyGov SAML Configuration page.
Under the #4 panel, Set up for LobbyGov SSO, copy the Login URL. Paste that in on the LobbyGov SAML Configuration page in the Idp Single Signon Service field.
Copy the Microsoft Entra Identifier. Paste that into the Idp Entity ID field.
Step 13: Download the Certificate (Base64) and open it in Notepad or another text editor. Copy the entire contents, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Then paste it into the Idp Cert text field on the LobbyGov SAML Configuration page.
Step 14: On the LobbyGov SAML Configuration page, make a few other settings changes.
- Check "Want Message Signed".
- Set the Signature algorithm to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
- Set the Digest algorithm to http://www.w3.org/2001/04/xmlenc#sha256
- Set the Username Mapping field value to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Set the Email Mapping field value to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
After you've entered these values, click the Save button.
*Note: These are standard settings that work for most accounts. If you have different configurations for these, you may change them.
Step 15: Single Sign-On should now be active. You can test it by logging out of your LobbyGov account (go to your name in the upper right corner and choose Log Out). Then go to https://portal.lobbygov.com/, click SAML Login under the Login button, and enter your LobbyGov username. It should then authenticate you through your organization. If you receive an error message and are unable to resolve it, please send a copy of the error message to firstname.lastname@example.org.
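If the Step 15 test fails, a captured response can be compared against the values entered in Steps 11 to 14. The following is an added example, not LobbyGov or Microsoft code: `check_response` and `constructed_sample` are hypothetical names, and it assumes the IdP posts a base64 `SAMLResponse` form field to the ACS URL and that "Want Message Signed" refers to a signature on the Response element itself. It inspects the message only and does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def check_response(b64_response, acs_url, idp_entity_id):
    """List mismatches between a captured SAMLResponse and the Step 11-14 settings."""
    # Inspection only: the signature is NOT cryptographically verified here.
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Issuer does not match Idp Entity ID")
    sig = root.find("ds:Signature", NS)  # assumption: message-level signature
    if sig is None:
        problems.append("Response is not signed at message level")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        digest = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
        if method is None or method.get("Algorithm") != SIG_ALG:
            problems.append("Signature algorithm is not rsa-sha256")
        if digest is None or digest.get("Algorithm") != DIGEST_ALG:
            problems.append("Digest algorithm is not sha256")
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    if EMAIL_CLAIM not in names:
        problems.append("emailaddress claim is missing")
    return problems


def constructed_sample(sig_alg=SIG_ALG):
    """Constructed test message: placeholder issuer, no real signature value."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}" Destination="https://portal.lobbygov.com/saml/acs/5555">'
        '<saml:Issuer>https://idp.example/placeholder</saml:Issuer>'
        f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/>'
        f'<ds:Reference><ds:DigestMethod Algorithm="{DIGEST_ALG}"/></ds:Reference>'
        '</ds:SignedInfo></ds:Signature><saml:Assertion><saml:AttributeStatement>'
        f'<saml:Attribute Name="{EMAIL_CLAIM}"/></saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()
```

Pass the Idp Entity ID exactly as pasted in Step 12 and the ACS URL built in Step 11; an empty list means the inspected fields line up with the configuration.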