How to set up Microsoft Entra ID with Single-Sign-On by SAML


You can also refer to Microsoft’s official tutorial, Azure AD SSO integration with BenQ IAM.

Prerequisites

  • A Microsoft Entra ID subscription.
  • A BenQ IAM administrator account. Please follow the normal steps to register a BenQ IAM admin account.

Add BenQ IAM from the gallery

To configure the integration of BenQ IAM into Microsoft Entra ID, you need to add BenQ IAM from the gallery to your list of managed SaaS apps.

  1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
  2. On the left navigation pane, select the Microsoft Entra ID service.
  3. Navigate to Enterprise Applications and then select All Applications.
  4. To add a new application, select New application.
  5. In the Add from the gallery section, type BenQ IAM in the search box.
  6. Select BenQ IAM from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Configure Microsoft Entra ID SSO

Follow these steps to enable Microsoft Entra ID SSO in the Azure portal and BenQ IAM.

  1. In the Azure portal, on the BenQ IAM application integration page, find the Manage section and select single sign-on.
  2. On the Select a single sign-on method page, select SAML.
  3. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.
  4. In the Basic SAML Configuration section, perform the following steps:
    • Log in to BenQ IAM with a BenQ admin account and click SSO Setting in the Account Management section.
    • Select SSO by SAML as the SSO Setting in the pop-up.
    • Copy the Identifier URL from BenQ IAM and paste it into the Identifier text box in the Azure portal.
    • Copy the Reply URL from BenQ IAM and paste it into the Reply URL text box in the Azure portal.
    • In the Logout URL text box, type the following URL: https://service-portal.benq.com/logout
  5. In the Set up BenQ IAM section, type a name that represents your organization in the Organization Unit text box.
  6. Copy the Login URL from the Azure portal and paste it into the login/SSO URL text box in BenQ IAM.
  7. Copy the Azure AD Identifier from the Azure portal and paste it into the Identifier/Entity ID text box in BenQ IAM.
  8. On the Set up single sign-on with SAML page of the Azure portal, in the SAML Signing Certificate section, find Certificate (Base64) and select Download to save the certificate on your computer. Open the Certificate (Base64) file, copy its contents and paste them into the Certificate (Base64) text box in BenQ IAM.
  9. After filling in the previous settings, click Save in BenQ IAM.
  10. BenQ IAM will show a success message. You can then go on to configure BenQ IAM for automatic user provisioning.

Configure BenQ IAM for automatic user provisioning


You can also refer to Microsoft’s official tutorial, Configure BenQ IAM for automatic user provisioning.

  1. Continuing from the result of the Microsoft Entra ID Single-Sign-On chapter above, click Create Token in the success message window of BenQ IAM.

  2. Copy the token and store it securely; it will be used in the Azure portal later.

  3. Back in the Azure portal, on the BenQ IAM application integration page, find the Manage section and select Provisioning.

  4. Set the Provisioning Mode to Automatic.

  5. Under the Admin Credentials section, enter the following URL in the Tenant URL field: https://service-portal.benq.com/api/scim/v2

  6. In the Secret Token field, enter the token that was generated in step 1.

  7. In the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications and select the Send an email notification when a failure occurs check box.

  8. Select Save.

How to set up Google Workspace with Single-Sign-On by SAML


Prerequisites

  • A Google Workspace subscription.
  • A BenQ IAM administrator account. Please follow the normal steps to register a BenQ IAM admin account.

Configure Google Workspace SSO

Follow these steps to enable Google Workspace SSO in Google Workspace and BenQ IAM.

  1. Visit Google Workspace > Google Admin (https://admin.google.com/).
  2. Under Apps > Overview, select the Web and mobile apps section.
  3. Select Add App > Add custom SAML app.
  4. Type BenQ IAM in the App name text box, then click CONTINUE.
  5. In the Google Identity Provider details section, choose Option 2 and complete the SSO integration by performing the following steps:
    • Log in to BenQ IAM with a BenQ admin account and click SSO Setting in the Account Management section.
    • Select SSO by SAML as the SSO Setting in the pop-up.
    • In the Set up BenQ IAM section, type a name that represents your organization in the Organization Unit text box.
    • Copy the SSO URL from Google Workspace and paste it into the login/SSO URL text box in BenQ IAM.
    • Copy the Entity ID from Google Workspace and paste it into the Identifier/Entity ID text box in BenQ IAM.
    • Copy the Certificate from Google Workspace and paste it into the Certificate (Base64) text box in BenQ IAM.
    • Click Continue in Google Workspace.
  6. In the Service provider details section:
    • Copy the Identifier URL from BenQ IAM and paste it into the Entity ID box in Google Workspace.
    • Copy the Reply URL from BenQ IAM and paste it into the ACS URL box in Google Workspace.
  7. In the Attribute mapping section, map the following attributes:
    • Choose First name and map it to displayName, and choose Primary email and map it to email. (Required)
    • If group attributes need to be mapped to BenQ IAM, choose the Google groups you need to propagate to BenQ IAM and map them to groups. (Optional)
    • Then click FINISH.
  8. The SSO integration with Google Workspace is now set up. Make sure the users in your directory have permission to log in to BenQ IAM by checking the User access section in Google Workspace. You can grant access by organizational unit, group or individual. This ensures that only authorized users can log in to BenQ boards and services.
  9. If new groups need to be propagated to BenQ IAM, go to the SAML attribute mapping section and add the Google groups in Google membership.
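
An offline check of the values exchanged in the two SAML setups above (Microsoft Entra ID and Google Workspace), added here as an example and not taken from BenQ, Microsoft or Google: it decodes a captured SAMLResponse and reports mismatches in the Reply URL / ACS URL, the Identifier URL, the IdP Entity ID, and the required displayName and email attributes from the Google attribute mapping step. The example.invalid URLs and the function names are hypothetical placeholders, the sample response is constructed, and the script does not verify the assertion signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical placeholders: substitute the Identifier URL and Reply URL
# shown in BenQ IAM, and the IdP Entity ID you pasted into BenQ IAM.
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"
SP_ACS_URL = "https://sp.example.invalid/saml/acs"
IDP_ENTITY_ID = "https://idp.example.invalid/"
REQUIRED_ATTRS = ("displayName", "email")  # required Google mappings in this guide

def check_saml_response(b64_response):
    """List configuration mismatches. This does NOT verify the signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination != Reply URL / ACS URL")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:  # e.g. the IdP sent an EncryptedAssertion instead
        return problems + ["no plaintext Assertion found"]
    if assertion.findtext("a:Issuer", "", NS).strip() != IDP_ENTITY_ID:
        problems.append("Issuer != Identifier/Entity ID")
    audiences = {e.text.strip() for e in assertion.iterfind(".//a:Audience", NS) if e.text}
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience != Identifier URL")
    names = {e.get("Name") for e in assertion.iterfind(".//a:Attribute", NS)}
    problems += [f"missing attribute: {a}" for a in REQUIRED_ATTRS if a not in names]
    return problems

def sample_response(acs, audience, attrs):
    """Build a constructed, unsigned response so the check runs offline."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        f'</saml:AttributeValue></saml:Attribute>' for n, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["p"]}" xmlns:saml="{NS["a"]}" '
           f'Destination="{acs}"><saml:Assertion>'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Conditions>'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    attrs = {"displayName": "Test User", "email": "user@example.invalid"}
    print(check_saml_response(sample_response(SP_ACS_URL, SP_ENTITY_ID, attrs)))
```

To use it on a real login, pass the base64 SAMLResponse form value captured from a test sign-in; an empty list means the copied values line up on both sides.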

How to set up ClassLink with Single-Sign-On?

Prerequisites

  • A ClassLink subscription.
  • A BenQ IAM administrator account. Please follow the normal steps to register a BenQ IAM admin account.

Configure ClassLink SSO

Follow these steps to enable ClassLink SSO in ClassLink and BenQ.

  1. Log in to BenQ IAM with a BenQ admin account and click SSO Setting in the Account Management section.
  2. Select SSO by ClassLink as the SSO Setting in the pop-up.
  3. Check your ClassLink Tenant ID and enter it in the Tenant ID text box in BenQ IAM.
  4. You can also configure the default user role for imported accounts here.
  5. Then click Save to continue.
    BenQ IAM will show a success message.

How to set up ClassLink SSO OneRoster connection?

  1. Go to https://launchpad.classlink.com/ and log in with an administrator account.
    In Roster Server management console > Add New App, search for BenQ IAM and add it.
  2. Find the information needed to complete the setup in BenQ SSO:
    the Client ID and Client Secret.
    Under Applications > BenQ IAM > API, you can find Key (Client ID) and Secret (Client Secret).
  3. In the SSO setting for ClassLink, enable the OneRoster connection.
    Fill in the Client ID and Client Secret to complete the OneRoster configuration.
  4. BenQ IAM will show a message; click Sync now to start syncing users.
  5. Once the dialog appears, the sync task is queued and will run in the background. You can close the dialog by clicking the X button in the top right corner and continue with other management tasks.
  6. Revisit this dialog later by going to SSO setting > ClassLink.
  7. The sync status will be displayed there.

How to set Google Workspace with Single-Sign-On and user auto-provisioning

Prerequisites

  • A Google Workspace subscription.
  • A BenQ IAM administrator account. Please follow the normal steps to register a BenQ IAM admin account.

Configure Google Workspace SSO

Follow these steps to enable Google Workspace SSO in BenQ.

  1. Login BenQ IAM with BenQ admin account, click SSO Setting in the Account Management section.
  2. Select Google Workspace Settings in the pop up.
  3. Log in with or choose your Google Workspace administrator account.
  4. Click Allow to grant the access.
  5. Click Set up under Import account settings. This setting lets you sync the domain you prefer and import all accounts or specific groups from Google Workspace. By default, BenQ IAM will import all accounts from the primary domain. If you are satisfied with the default settings, you can skip to step 9.
  6. You can choose the domain you want and select either Import all accounts or Import by group.
  7. If you select Import by group, enter and add the group email address as it appears in the Google Admin Console.
  8. Click Apply.
  9. Enable Automatic synchronization to activate user auto-provisioning from your Google Workspace directory.
  10. Click Sync now to finish the settings.

How to set up Clever with Single-Sign-On

Prerequisites

  • A Clever subscription, user account and password.
  • District ID / School Name or School ID for your organization.

Configure Clever SSO

Follow these steps to enable Clever SSO in BenQ.

  1. Log in to BenQ IAM with a BenQ admin account and click SSO Setting in the Account Management section.
  2. Select Clever as the SSO Setting in the pop-up.
  3. Fill in your Clever District ID, set the default BenQ service role, then click Save.
  4. BenQ IAM will display a success toast message with a confirmation dialog.