
Setup - SSO with Microsoft Entra

Configuring SurePath AI Single Sign-On with Microsoft Entra ID (Previously Azure AD)

Updated over 3 months ago

NOTE: SurePath AI supports both SAML and OIDC for Single Sign-On with most vendors. OIDC is the recommended protocol if your organization has no requirements for SAML.

OIDC Configuration

Prerequisites

Output Checklist

Save the following to be used in the SurePath AI client setup.

  • Directory (tenant) ID

  • Issuer (URL) - You will create this.

    • This is Microsoft's login endpoint combined with your Directory (tenant) ID

    • Example: https://login.microsoftonline.com/{insert tenant ID}/v2.0

  • Client Secret

Procedure

Note: Please use the search bar if the icon or name is not visible.

  • Select App registrations

  • Select New registration

  • Enter SurePath AI SSO Integration (or another suitable name)

  • Select Default Directory only - Single tenant, or whichever option is right for your organization.

Note: The following information can be found in the SurePath AI Admin interface under Configure > Organization > Identity > Single Sign-On

  • Set the Redirect URI platform to Web

  • Set the URI to the value from the Authorization Callback URLs field

  • Click Register

  • Copy the Directory (tenant) ID

    • Save this for use in the SurePath AI setup

  • Manage - Certificates & Secrets

    • New client secret

      • Client Secrets tab

      • Enter a description

      • Enter the expiration date

        • Pro tip: create a calendar invite for 2 weeks before this date to renew it

      • Add

    • Copy the Value of the new secret you created

      • Save this for use in the SurePath AI setup

      • This is a communication secret/password so treat it appropriately and keep it secure.

  • Token Configuration

    • Add optional claim

    • Token type -> ID

    • Select email

    • Click Add

    • Check Turn on the Microsoft Graph email permissions (required for claims to appear in token).

    • Click Add

Configure SurePath AI provider for OIDC

  • Enter the name you will use.

    • Users will see this name, so including the company name and SSO in it helps reassure end users that they are signing in to a company resource.

  • Select OIDC from the Provider Type

  • Enable the new provider with the toggle switch

  • Enter the Azure Directory (tenant) ID in the SurePath AI Client Id field

  • Enter the value of the Secret in the SurePath AI Client Secret field.

  • Enter the Issuer (URL) - You need to create this.

    • This is Microsoft's login endpoint combined with your Directory (tenant) ID

    • Example: https://login.microsoftonline.com/{insert tenant ID}/v2.0

  • SAVE the entry
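The checklist values above (Directory (tenant) ID, the Issuer (URL) you build from it, and the optional email claim) can be sanity-checked before you save the provider. The following is an added example, not SurePath AI or Microsoft code; it assumes the Entra v2.0 endpoint layout (https://login.microsoftonline.com/{tenant}/v2.0, with the discovery document at /.well-known/openid-configuration under it), and the tenant ID, discovery document and ID token it is run against are constructed sample data.

```python
"""Sanity checks for the Entra OIDC values in the checklist above (added example,
not SurePath AI or Microsoft code; assumes the v2.0 endpoint layout, sample data constructed)."""
import base64
import json
import re

LOGIN_HOST = "https://login.microsoftonline.com"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def issuer_url(tenant_id: str) -> str:
    """Build the Issuer (URL) from the Directory (tenant) ID; rejects non-GUIDs."""
    tid = tenant_id.strip().lower()
    if not GUID_RE.match(tid):
        raise ValueError(f"tenant ID is not a GUID: {tenant_id!r}")
    return f"{LOGIN_HOST}/{tid}/v2.0"

def check_discovery(doc: dict, tenant_id: str) -> list:
    """Problems in the document served at <issuer>/.well-known/openid-configuration;
    an empty list means it matches the configured issuer."""
    problems, expected = [], issuer_url(tenant_id)
    if doc.get("issuer") != expected:  # a v1.0 document reports a different issuer
        problems.append(f"issuer {doc.get('issuer')!r} != {expected!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    return problems

def check_id_token_claims(id_token: str, tenant_id: str) -> list:
    """Inspect an ID token's payload (after the client library has verified its
    signature) to confirm the issuer, tenant and the optional email claim."""
    seg = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    problems = []
    if claims.get("iss") != issuer_url(tenant_id):
        problems.append("iss does not match the configured Issuer (URL)")
    if str(claims.get("tid", "")).lower() != tenant_id.strip().lower():
        problems.append("tid does not match the Directory (tenant) ID")
    if not claims.get("email"):
        problems.append("email claim missing: add the optional claim and Graph email permission")
    return problems

def sample_id_token(claims: dict) -> str:
    """Unsigned JWT-shaped string (constructed) used only to exercise the claim checks."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

An empty list from check_discovery and check_id_token_claims means the issuer you entered and the email claim you configured line up with what the tenant actually serves.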

SAML Configuration

Prerequisites

You will need the following values to complete your configuration. Information on how to retrieve them will be included below.

Setup Azure Application

Note: While in the Azure portal, please use the search bar if the icon or name is not visible on the screen. You may need to expand menu items as well.

  • Select Enterprise applications

  • Select New Application

  • Select Create your own application

  • Enter SurePath AI SSO Integration (or another suitable name)

  • Ensure the last radio button is checked: Integrate any other application…

  • Select Set up single sign on (you may need to select it)

  • Select SAML

  • Scroll down a bit to see the App Federation Metadata Url

  • Copy this value for use in the SurePath AI admin interface.

Configure SurePath AI provider for SAML

  • Enter the name you will use. Users will see this name, so including the company name and SSO in it helps reassure end users that they are signing in to a company resource.

  • Select SAML - Metadata URL from the Provider Type Dropdown box

  • Paste the App Federation Metadata Url from Azure here in the Metadata URL field.

  • Click SAVE CHANGES

  • The Metadata URL will be validated over the next few seconds, and an error is shown if anything is wrong.

  • The screen will now contain the values you need to finish the SSO configuration.

    • Identifier (Entity ID) = Service Provider Entity ID

    • Reply URL (Assertion Consumer Service URL) = Authorization Callback URLs

  • You can now enable the provider with the toggle switch.

Finish Azure Configuration

  • Select Basic SAML Configuration > Edit

  • Select Add identifier and enter value from the Service Provider Entity ID field

  • Select Add reply URL and enter value from the Authorization Callback URLs field

  • Click Save

  • Close the window

  • Click on Yes to run the test

Test the configuration

  • Once the test passes, you can test using your new SSO authentication.
