Configuring Microsoft Entra as Identity Provider
  • 10 Feb 2025


Microsoft Entra is a suite of identity and access management (IAM) solutions designed to help organizations securely manage user identities, control resource access, and protect data across various cloud and on-premises environments.

This article provides a step-by-step guide to configuring Microsoft Entra as the Identity Provider for all the services you use.

Prerequisites

  1. Make sure you have created the SSO configuration for the service for which you want to set Microsoft Entra as the Identity Provider.

  2. Make sure that each user is present in both the Microsoft Entra portal and the portal of the service you are trying to access.

  3. The same users must also be present in Scalefusion, with the SSO configuration of the respective service applied to them.

Step 1: Configuring Microsoft Entra as an Identity Provider on Scalefusion dashboard

  1. Navigate to OneIdP > Identity Providers.

  2. Click on the New Provider button.

  3. Select Microsoft Entra and click on Next.

  4. Provide a name to this configuration for easy identification.

  5. Service Provider Details will be added in the Microsoft Entra Admin Console as shown in Step 2.

  6. IdP Details will be generated on the Microsoft Entra Admin Console as shown in Step 2.

Step 2: Microsoft Entra SAML Setup in Microsoft Entra Admin Console

  1. Log into the Microsoft Entra Admin center.

  2. Navigate to Applications > Enterprise Applications section.

  3. Click on the New Application option.

  4. On the next page, click on the Create your own application option.

  5. Provide a name to this configuration for easy identification and click the Create button.

  6. On the new page, navigate to the Single sign-on section and click on SAML.

  7. On the new page, click on the edit icon for the Basic SAML Configuration tab.

  8. Click on Add Identifier in the Identifier (Entity ID) section.

    1. Copy the OneIdP Audience URI/Entity Id URL from the Scalefusion dashboard and enter it here.



  9. Next, click on Add reply URL in the Reply URL (Assertion Consumer Service URL) section.

    1. Copy the OneIdP SSO URL from the Scalefusion dashboard and enter it here.


  10. Click on Save to save the entries.

  11. Next, scroll down to the SAML Certificates section and download the Certificate (Base64).

  12. Next, scroll down to the Set up Scalefusion-Entra IDP config section, copy the Login URL, Microsoft Entra Identifier, and Logout URL, and save them. These will be needed in the Scalefusion dashboard.

Step 3: Adding Microsoft Entra SAML setup details to the Scalefusion dashboard

  1. On the Scalefusion dashboard, enter the saved URLs from Step 2 in the respective fields.

  2. Upload the Certificate (Base64) that you downloaded in Step 2 in the x509 certificate section.

  3. Click on Save.
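
The values saved in Step 2 can be sanity-checked before they are entered in Step 3, so that a URL pasted from another tenant or a file that is not the Base64 certificate is caught early. The script below is an added example, not part of the Scalefusion or Microsoft documentation; the function names are hypothetical, the expected host names assume the global Entra cloud, and the sample tenant GUID and certificate bytes are constructed. The returned fingerprints can be compared with the thumbprint shown for the certificate in the SAML Certificates section.

```python
import base64
import hashlib
import re
import ssl
from urllib.parse import urlsplit

GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
# Assumed global-cloud hosts; sovereign clouds use different host names.
EXPECTED_HOST = {
    "Login URL": "login.microsoftonline.com",
    "Microsoft Entra Identifier": "sts.windows.net",
    "Logout URL": "login.microsoftonline.com",
}

def tenant_from(url, host):
    """Return the tenant GUID from the first path segment, or None if the URL looks wrong."""
    parts = urlsplit(url.strip())
    first = parts.path.strip("/").split("/")[0]
    ok = parts.scheme == "https" and parts.hostname == host and GUID.fullmatch(first)
    return first.lower() if ok else None

def check_idp_details(values, cert_pem):
    """Check the three Step 2 values and the certificate; return (problems, fingerprints)."""
    problems, tenants = [], set()
    for field, host in EXPECTED_HOST.items():
        tenant = tenant_from(values.get(field, ""), host)
        if tenant is None:
            problems.append(f"{field}: expected https://{host}/<tenant GUID>/...")
        else:
            tenants.add(tenant)
    if len(tenants) > 1:
        problems.append("fields reference different tenants: " + ", ".join(sorted(tenants)))
    try:
        der = ssl.PEM_cert_to_DER_cert(cert_pem.strip())
    except ValueError as exc:  # also covers base64 decoding errors
        return problems + [f"certificate: {exc}"], {}
    prints = {"sha1": hashlib.sha1(der).hexdigest().upper(),
              "sha256": hashlib.sha256(der).hexdigest().upper()}
    return problems, prints

# Constructed sample values: the tenant GUID and "certificate" bytes are made up.
TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE = {
    "Login URL": f"https://login.microsoftonline.com/{TENANT}/saml2",
    "Microsoft Entra Identifier": f"https://sts.windows.net/{TENANT}/",
    "Logout URL": f"https://login.microsoftonline.com/{TENANT}/saml2",
}
SAMPLE_DER = b"constructed bytes, not a real certificate"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_DER).decode()
```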

Step 4: Associating Microsoft Entra Identity Provider with a Directory

  1. Navigate to OneIdP > Directory.

  2. Click on the 3-dots under Actions for the concerned Domain.

  3. Click on Settings.

  4. Go to the Federated Authentication tab and toggle on the button for Microsoft Entra as an Authentication source.

  5. You can also “Set default authentication source”.

    1. On setting a default authentication source, whenever you add any new user in the Scalefusion dashboard and migrate it to OneIdP, the default Authenticator would be Microsoft Entra.

  6. Click on Next and Save.

  7. For existing users that are present in the Scalefusion dashboard, you can change the default authentication source by going to 3-dots under Actions > Update Authentication Source.

  8. Select Microsoft Entra from the drop-down list for “Set Authentication Source” and click on Update Now.

User Login Flow

When the user enters their email on the service login page, they will be redirected to OneIdP. From there, OneIdP will redirect the user to the chosen identity provider (Microsoft Entra, in this case) for authentication. Once the identity provider authenticates the user, they will be granted access to the service.

Note:

  1. If you have already created an SSO Configuration for the Microsoft Entra domain on the Scalefusion dashboard and it is Federated, then you cannot enable the Identity Providers Authentication source for Entra.

  2. If you have created an SSO Configuration for the Microsoft Entra domain on the Scalefusion dashboard and it is not Federated, then you can enable the Identity Providers Authentication source for Entra. However, once you Federate the Microsoft Entra domain, the Identity Providers Authentication source for Entra will be automatically toggled Off and the Authentication source will be changed to OneIdP for all the users of that domain who have Microsoft Entra as their Authentication source.

    1. An email will be sent to users to reset their passwords.

