Microsoft Azure Entra ID (formerly Azure AD) SSO Setup

Set up the RudderStack SSO (Single Sign-On) feature with Microsoft Azure Entra ID.
Available Plans
  • enterprise

This guide lists the steps to set up your Azure Entra ID SAML integration with RudderStack. This integration supports the following features:

  • SP-initiated SSO
  • JIT(Just In Time) Provisioning
info
RudderStack does not support some SCIM features like importing users and groups, removing users, and syncing passwords. See Known issues before you set up SSO for your organization.

Setup

Step 1: Create new application

  1. Sign in to Microsoft Entra ID Admin Center.
  2. From the left sidebar, go to Applications > Enterprise applications.
  3. Under Manage, click All applications followed by New application.
New application option
  1. In the Microsoft Entra App Gallery, click Create your own application.
Create your own application option
  1. In the expanded right sidebar, enter the name of your app. Under What are you looking to do with your application?, select Integrate any other application you don’t find in the gallery (Non-gallery).
Initial configuration
  1. Click the Create button at the bottom and wait for a few seconds for Azure to provision the app. You will then be redirected to the admin view of the app.

Step 2: Set up SAML

  1. In the left sidebar of the newly provisioned app, click Single sign-on under Manage. Then, click SAML.
SAML SSO method
  1. Click the meatballs menu (...) to the right of Basic SAML Configuration. In the expanded right sidebar, fill in the following information:
FieldValue
Identifier (Entity ID)
Required
urn:amazon:cognito:sp:us-east-1_ABZiTjXia
Reply URL (Assertion Consumer Service URL)
Required
https://auth2.rudderstack.com/saml2/idpresponse
Sign on URL
Required
https://auth2.rudderstack.com/saml2/idpresponse
Relay State-
  1. Click the meatballs menu (...) to the right of Attributes & Claims and remove any Additional claims. Then, click Add new claim and enter the following information:
FieldValueNotes
Emailuser.mail-
LastNameuser.displaynameChoose your preferred name, for example, display name or surname.
Unique User Identifieruser.userprincipalname-
  1. Copy the App Federation Metadata URL and share it with the RudderStack team.
Metadata URL

Step 3: Set up SCIM

This section lists the steps to set up SCIM provisioning in Azure Entra ID.

Prerequisites

Before you configure the SCIM app, you need to generate a personal access token with admin privileges. Follow these steps:

  1. Log in to the RudderStack workspace you want to enable SCIM for. Note that your role in the organization must be of Org Admin type.
  2. Go to Settings > Your Profile > Account tab and scroll down to Personal access tokens. Then, click Generate new token:
New personal access token in RudderStack dashboard
  1. Set an appropriate name for the token.
  2. Select Admin from the Role dropdown.
warning
Make sure your user role and personal access token has admin privileges, otherwise your SCIM provisioning tasks will fail.
  1. Click Generate and save the token securely. It will not be visible again once you close this window.

SCIM configuration

  1. In the left sidebar of your app, go to Manage > Provisioning > Get started.
Provisioning
  1. Under Provisioning Mode, choose Automatic and enter the following credentials:
FieldValue
Tenant URL
Required
https://api.rudderstack.com/scim/v2
Secret TokenYour personal access token obtained in the Prerequisites section.
Provisioning
  1. Click Test Connection - it should be successful.
info
If you see a 403 - Forbidden error, contact the RudderStack team to enable SCIM for your organization.

Performing SSO login

RudderStack does not support IdP-initiated authentication. Make sure the users log in through https://app.rudderstack.com/sso.

Debugging

There are times when an SSO login might fail for some users due to some reason. In such cases, the RudderStack team requires a HAR (HTTP Archive) file to inspect the requests and identify any SSO-related issues.

info
A HAR file is a log of exported network requests from the user’s browser. See the HAR Analyzer guide for steps on generating this file depending on your browser.

Once you generate the HAR file, share it with the RudderStack team to troubleshoot the issue.

warning

Note the following before capturing your HAR file:

  • Start from https://app.rudderstack.com/sso with a clean session, preferably in incognito mode of your browser.
  • Complete the SSO flow until the step where you face an error.
  • Your HAR file might contain sensitive data - make sure to redact it using a text editor before sharing it with the team.

Known issues

RudderStack does not support the following SCIM features currently:

  • Import users
  • Import groups
  • Push groups (coming soon)
  • Remove users
  • Sync password
  • Enhanced group push
warning

RudderStack does not support removing users - this is because it uses SCIM with SAML, where removing a user from Azure Entra ID implies that they also lose the ability to authenticate to RudderStack completely (logins via passwords, Google, etc. are completely blocked).

Instead, RudderStack supports deactivating the user which means they only lose access to the organization.


Questions? Contact us by email or on Slack