This article provides a step-by-step guide on configuring Single Sign-On (SSO) using Entra ID (formerly Azure Active Directory). We will cover two common configuration modes: Authentication Only and Strict Mode, allowing you to choose the level of control that best suits your organization's needs.
Configure SSO in Authentication Only Mode
The minimal configuration required to enable SSO for user authentication.
Step 1
Navigate to Applications > Enterprise Applications and click the "+ New application" button.
Step 2
- Click the "+ Create your own application" button. Enter the name of the application.
- Select the "Integrate any other application you do not find in the gallery" option
- Click the "Create" button
Note: Secure Code Warrior does not have a native (gallery) app in Entra ID, which is why a custom application is created here.
Step 3
Now that you have created the application, it's time to set up single sign-on. Click the "Set up single sign-on" button, then choose "SAML".
Step 4
Click Edit in the "Basic SAML Configuration" section to add the required URLs.
Note: All URLs are also listed in the article "Setup and Configure Single-Sign-On (SSO)".
Required URLs:
| Environment | Identifier (Entity ID) | Reply URL (Assertion Consumer Service URL) |
| --- | --- | --- |
| Production US | https://portal-api.securecodewarrior.com | https://portal-api.securecodewarrior.com/auth/sso/saml?d=<company_domain> |
| Production EU | https://portal-api.eu.securecodewarrior.com | https://portal-api.eu.securecodewarrior.com/auth/sso/saml?d=<company_domain> |
| Test Environment | https://customertest-api.securecodewarrior.com | https://customertest-api.securecodewarrior.com/auth/sso/saml?d=<company_domain> |
TIP: This is also the screen where you can find your Metadata. You can either share the "App Federation Metadata URL" with our support team or download the Federation Metadata XML file and send it to them.
Configure SSO in Strict Mode
IMPORTANT: Before proceeding with Strict Mode, make sure you have completed the steps in "Configure SSO in Authentication Only Mode", as Strict Mode builds on that configuration.
Create Groups
Note: We will use the Secure Code Warrior default mapping as an example, which can be changed to what works best for your company.
Start by creating groups to pass the required attributes:
Create groups for Roles
You need to create three groups, one for each role:
| Role | Group Name |
| --- | --- |
| Company Admin | SCW_ROLE_COMPANY_ADMIN |
| Team Manager | SCW_ROLE_TEAM_MANAGER |
| Developer | SCW_ROLE_DEVELOPER |
Step 1
- Navigate to Groups > All Groups and click the "+ New group" button to create a new group
- Enter the name of the group. The screenshot below shows how to create a group for the SCW_ROLE_COMPANY_ADMIN role
- Click Create
Step 2
Repeat step 1 to create two additional groups named:
- SCW_ROLE_TEAM_MANAGER
- SCW_ROLE_DEVELOPER
Create groups for Teams
Now, let's create a group for each of your teams.
Step 1
- Navigate to Groups > All Groups and click the "+ New group" button to create a new group
- Enter the name of the group. The screenshot below shows how to create a group for a team called "Application Security"
- Click Create
Step 2
Repeat step 1 for each team you want to create a group for.
Create Groups for Tags
To create groups for tags, follow the same steps as for roles and teams.
Note: This step is optional. If your organization does not use tags, you can skip this section.
Attributes & Claims Configuration
Now, let's set up the attributes and claims. This is where you configure which groups the SAML assertion sends, so that users can be mapped to the correct Role, Team, and Tags.
Step 1
- Navigate back to the application > Single Sign On/SAML
- Click Edit in the "Attribute & Claims" section
Step 2
Click the "+ Add a group claim" button
This will open a panel on the right-hand side of the page. In this panel:
- Under "Which groups associated with the user should be returned in the claim?", select "Groups assigned to the application"
- Set the Source attribute to sAMAccountName
- Enable the "Emit group name for cloud-only groups" setting if your environment is entirely cloud-based
- Under "Advanced Options", enable the "Customize the name of the group claim" option and set the "Name" to Groups
Note: The same renaming can be applied to the givenname and surname claims so that they match our default mapping for these fields, FIRST_NAME and LAST_NAME.
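The following script is an added example, not part of this article or of Secure Code Warrior's own code. It takes a constructed, unsigned sample assertion and checks the Audience against the Entity ID, the Recipient against the Reply URL from the table above (company domain `example.com` is a placeholder), and reads the renamed `Groups`, `FIRST_NAME` and `LAST_NAME` claims; the `SCW_ROLE_` prefix test assumes the article's default role-group names.

```python
import xml.etree.ElementTree as ET

# Entity IDs from the article's table; the company domain is a placeholder value.
ENVIRONMENTS = {
    "us": "https://portal-api.securecodewarrior.com",
    "eu": "https://portal-api.eu.securecodewarrior.com",
    "test": "https://customertest-api.securecodewarrior.com",
}
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_PREFIX = "SCW_ROLE_"  # the article's default naming for the three role groups

# Constructed sample assertion (unsigned, reduced to the elements checked below).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="https://portal-api.securecodewarrior.com/auth/sso/saml?d=example.com"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://portal-api.securecodewarrior.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>SCW_ROLE_DEVELOPER</saml:AttributeValue>
      <saml:AttributeValue>Application Security</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="FIRST_NAME"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LAST_NAME"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def expected_urls(env, company_domain):
    base = ENVIRONMENTS[env]
    return base, f"{base}/auth/sso/saml?d={company_domain}"

def attribute_values(assertion, name):
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [v.text for v in assertion.findall(path, NS)]

def check_assertion(xml_text, env, company_domain):
    """Compare audience, recipient and claims with the expected config (signature checks are out of scope)."""
    entity_id, acs_url = expected_urls(env, company_domain)
    a = ET.fromstring(xml_text)
    audience = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    groups = attribute_values(a, "Groups")
    return {
        "audience_ok": audience == entity_id,
        "recipient_ok": scd is not None and scd.get("Recipient") == acs_url,
        "roles": [g for g in groups if g.startswith(ROLE_PREFIX)],
        "other_groups": [g for g in groups if not g.startswith(ROLE_PREFIX)],  # teams and tags
        "first_name": attribute_values(a, "FIRST_NAME"),
        "last_name": attribute_values(a, "LAST_NAME"),
    }
```

A mismatched environment or company domain shows up as `audience_ok`/`recipient_ok` being False, which is the usual cause of a login that reaches Entra ID but is rejected by the portal.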
Adding the groups and users to the application
Now let's add the groups and users to the Enterprise application we created.
Step 1
- Navigate to "Users and groups"
- Click the "+ Add user/group" button
Step 2
- Click "None Selected" under "Users and groups". This will open a panel on the right-hand side.
- Search for all groups and users you want to add to the application and select them.
- Confirm your selection by clicking the "Select" button at the bottom of the panel
Step 3
Click the "Assign" button at the bottom of the "Add Assignment" page.
The selected users and groups will now appear under "Users and groups".