Creating a ThinkSmart Manager Organization using Azure Single Sign-On (SSO)

Overview


Azure Active Directory (Azure AD) is a multi-tenant, cloud-based identity and access management service. The Azure AD directory includes the tenant's users, groups, and apps and is used to perform identity and access management functions for tenant resources. The Lenovo Portal allows user authentication through Azure AD.
To get set up, your organization needs to create a new app in Azure AD, and Lenovo needs the following information from it:

  • Client ID
  • Client Secret
  • IDP Configuration File

Creating a ThinkSmart Manager Organization Using Azure


  1. Log in to the Microsoft Azure Portal (https://portal.azure.com/).
  2. Proceed to Manage Azure Active Directory.
  3. Navigate to the App Registrations page and register the new app (client) by clicking the New Registration button. Leave the Redirect URI value empty for now; it is filled in after the organization has been created in the ThinkSmart Manager portal.

Once the new application is created on the Azure site, start collecting the data for the Lenovo Organization creation process:

Client ID

Copy the Client ID (Application ID) from the Azure Portal Application Overview page.

Client Secret

Create a new secret on the Certificates & Secrets page and copy the Client Secret value. The value is shown only once, immediately after creation, so copy it before leaving the page.

OpenID Connect metadata

Navigate to the Application Overview and open the Endpoints tray. Copy the OpenID Connect metadata link, open it in a separate browser tab, and save the page (a JSON document) to your computer. This file becomes the IDP Configuration File.

Create organization in ThinkSmart Manager portal
  1. Go to the ThinkSmart Manager portal (https://portal.thinksmart.lenovo.com).
  2. Click the Create an Organization button and sign in with your Lenovo ID.
  3. Enter the Organization ID.
    •  Note: Confirm that the organization domain completely matches the email domain of the Admin. All users that are to log in to the OKTA Organization should follow this rule. (Example: the Org ID should be lenovo when the org admin email is email@lenovo.com.)
  4. Select Azure Active Directory as the Authentication Type.
  5. Enter the organization information, address, and primary contact.
  6. Enter the Azure Active Directory Settings:
    • Organization Owner Email
      • This is the first user of the organization.
      • Note: the email domain should match the Organization ID that was entered in the previous step.
    • Client ID
    • Client Secret
  7. Upload the IDP configuration file, the one that was downloaded from the Azure AD portal (scroll down the window to see the rest of the organization registration fields).
  8. Input the profile information.
  9. Finish the organization creation.
  10. When the organization has been created successfully, a redirect URI is required to finish the setup.
  11. Now the customer updates the single sign-on URL and audience URI links in the SAML Settings section of the Application. Take the organization's authentication link and set it in both fields. Save the changes once completed.
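As an added example (not Lenovo's documentation or tooling), the following Python script sanity-checks the OpenID Connect metadata file saved from the Endpoints tray before it is uploaded as the IDP Configuration File, and checks the Organization ID / owner email domain rule from step 3. The function names and the sample metadata are constructed for this example; the tenant id in it is a placeholder.

```python
# Added example, not part of Lenovo's documentation or tooling.
import json
from urllib.parse import urlparse

# Fields every usable OIDC discovery document must carry.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def validate_idp_metadata(raw_json: str) -> list:
    """Return the problems found in a downloaded OIDC metadata file (empty list = OK)."""
    try:
        doc = json.loads(raw_json)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    problems = ["missing %s" % k for k in REQUIRED_KEYS if k not in doc]
    if problems:
        return problems
    issuer_host = urlparse(doc["issuer"]).hostname
    for key in REQUIRED_KEYS[1:]:
        url = urlparse(doc[key])
        # Endpoints must be HTTPS and on the issuer's host; anything else means
        # the wrong page was saved or the file was altered after download.
        if url.scheme != "https":
            problems.append("%s is not https" % key)
        if url.hostname != issuer_host:
            problems.append("%s host differs from issuer" % key)
    # The portal signs users in with an ID token, so the issuer must offer one.
    types = doc.get("response_types_supported", [])
    if not any("id_token" in rt.split() for rt in types):
        problems.append("issuer does not advertise an id_token response type")
    return problems


def org_id_matches_email(org_id: str, email: str) -> bool:
    """Domain rule from the procedure: Org ID 'lenovo' matches admin@lenovo.com."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain.split(".")[0] == org_id.lower()


# Constructed sample in the shape of an Azure AD v2.0 discovery document;
# "{tenant-id}" is a placeholder, not a real tenant.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://login.microsoftonline.com/{tenant-id}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
})
```

Run `validate_idp_metadata` on the contents of the saved file; an empty list means the file is complete and internally consistent, while any entry names the field to look at before uploading.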
Azure AD Redirect URI

When the redirect URI is generated, add it to the redirect URI list on the Authentication tab of the app registration in the Azure Portal. The URI will be sent by email or can be copied from this document:
This authentication link is comprised of the EU region and the org name, such as:
•    <org_name> should be replaced with the Organization ID that was entered during org creation


User Log In Process


To log in as an Organization Administration User, the User must follow two rules:

  • Have an email domain that matches the Portal organization domain (e.g., for an organization with the domain Lenovo, the email domain should be @lenovo.com).
  • Have the user created on the Portal side in the Users section AND the user invited to Azure AD.

If these two rules are followed, the User logs in to the Portal with the selected Admin role after the Azure authentication process.

To log in, proceed to the organization Portal link and log in with Microsoft credentials on the redirection page. After that, the User is successfully logged in and redirected to the Portal.


Base User Creation


If the user was not created on the Portal side but was invited to Azure AD, they are able to log in as a Base User, which is created automatically during the login.

The Base User has limited functionality; the User role can be assigned on the Users page of the Portal by any other organization administrator.

