search
GoodAccess WebsiteRequest Free TrialDownload App

Microsoft Entra ID

This guide will show you how to integrate GoodAccess with Microsoft Entra ID SSO/SCIM.

circle-info

This feature is available in the Premium plan and higher.

triangle-exclamation

Remember to grant your Azure users access permissions to GoodAccess. Users without them won't be able to log in.

hashtag
Step 1 - Adding a new identity provider

Log in to the GoodAccess Control Panel, and go to Settings > SSO & Identity.arrow-up-right

Click + Add provider, enter the Provider name, choose your Identity Provider, and click Continue.

hashtag
Step 2 - Setting up Single Sign-On with SAML

Log in to the Azure Portalarrow-up-right, and go to Enterprise applications (you can use the searchbar).

Click + New application, and + Create your own application.

Give the application a name, choose Integrate any other application you don't find in the gallery (Non-gallery), and click Create.

In your new application go to Single Sign-On > SAML.

Azure Portal with key steps to creating a new enterprise application.
Creating a new enterprise application
Azure Portal with key steps to creating a new enterprise application.
Creating a new enterprise application
Azure Portal with key steps to selecting SAML as a single sign-on method for the enterprise application.
Selecting SAML as a single sign-on method

hashtag
1. Basic SAML Configuration

Click Edit to open Basic SAML Configuration.

Copy the details from GoodAccess - (2) GoodAccess links.

  • Identifier - Entity ID

  • Reply URL - Assertion Consumer Service URL

  • Sign on URL - Login URL

  • Relay State - Relay State

Return to GoodAccess, and click Continue.

Return to Azure, and click Save.

Azure Portal with key steps to opening the "Basic SAML Configuration".
Opening the Basic SAML Configuration
Azure Portal with key steps to setting up the "Basic SAML Configuration".
Setting up the Basic SAML Configuration

hashtag
2. Attributes & Claims

Click Edit to open Attributes & Claims.

Under the Additional claims section click on the record with the value user.userprincipalname and edit it as follows:

  • Name - "name" (without quotes)

  • Namespace - Delete pre-filled URL

Click Save.

Then, still in the Additional claims section click on the record with the value user.mail and edit it as follows:

  • Name - "email" (without quotes)

  • Namespace - Delete pre-filled URL

  • Source attribute - user.userprincipalname

Don't forget to Save.

Azure Portal with key steps to setting up the "Attributes & Claims".
Setting up Attributes & Claims
Azure Portal with key steps to managing the "user.userprincipalname" claim.
Managing the "user.userprincipalname" claim
Azure Portal with key steps to managing the "user.mail" claim.
Managing the "user.mail" claim

hashtag
3. SAML Certificates

Download the Certificate (Base64), and open the file in a text editor (e.g. Notepad).

Azure Portal with key steps to downloading the certificate.
Downloading the certificate

hashtag
4. Set up GoodAccess

Copy the details to GoodAccess - (3) Identity Provider links, and click Continue.

  • Sign in URL - Login URL

  • Entity ID - Microsoft Entra ID Identifier

  • X509 signing certificate - Copy the certificate from the text editor

Azure Portal with key steps to setting up GoodAccess.
Setting up GoodAccess
circle-info

If you don't want to setup SCIM, skip the next step in GoodAccess, and click Submit to finish the configuration.

You have now successfully set up your Microsoft Entra ID SSO with GoodAccess.

hashtag
Step 3 (optional) - Setting up SCIM

In the application, go to Provisioning > Provisioning, and set Provisioning mode to Automatic.

Expand Admin Credentials, and copy the URL and Token from GoodAccess - (4) User provisioning (SCIM).

Return to GoodAccess, and click Submit.

Return to Azure, and click Test Connection, and Save to confirm your settings.

Azure Portal with key steps to setting up SCIM.
Setting up SCIM

hashtag
1. Attribute Mapping

Open Mappings, and select Provision Microsoft Entra ID Users.

Here, make sure that only the following four attributes are listed:

  • userName

  • active

  • displayName

  • externalId

If there are other attributes except these four, Delete them to prevent provisioning issues.

Don't forget to Save.

Azure Portal with key steps to setting up the "Attribute Mapping".
Setting up the Attribute Mapping
Azure Portal with key steps to setting up the "Attribute Mapping".
Setting up the Attribute Mapping

hashtag
2. Starting the provisioning

triangle-exclamation

Users created via Provisioning on demand may be skipped by Azure during future automatic provisioning.

We strongly recommend avoiding this function.

If you have already created users this way, click the Restart provisioning button to restore synchronization for all users.

Go to Overview, and click Start provisioning.

Azure Portal with key steps to starting the provisioning.
Starting the provisioning
circle-info

The whole provisioning process will take around 20 minutes to complete depending on the number of members and groups being added.

You have now successfully set up Microsoft Entra ID SCIM with GoodAccess.

hashtag
Step 4 - Managing user access

In the application, go to Users and groups, and click + Add user/group.

Choose who should have access, and click Assign.

Azure Portal with key steps to managing user access.
Managing user access
PreviousJumpCloudNextOkta

Last updated

Was this helpful?