Microsoft Entra ID
This guide will show you how to integrate GoodAccess with Microsoft Entra ID (Azure AD) SSO/SCIM.
This feature is available in the Premium plan and higher.
Please note: Changing the login method to identity provider will permanently delete all Members you invited. Your team Members will be automatically added to GoodAccess upon their first login. Manually added Members will stay.
Remember to grant your Azure users access permissions to GoodAccess. Users without them won't be able to log in.
Log in to the GoodAccess Control Panel, and go to Settings > SSO & Identity.
Click + Add provider, enter the Provider name, choose your Identity Provider, and click Continue.
Log in to the Azure Portal, and go to Enterprise applications (you can use the search bar).
Click + New application, and + Create your own application.
Give the application a name, choose Integrate any other application you don't find in the gallery (Non-gallery), and click Create.
In your new application go to Single Sign-On > SAML.
Click Edit to open Basic SAML Configuration.
Copy the details from GoodAccess - (2) GoodAccess links.
Identifier - Entity ID
Reply URL - Assertion Consumer Service URL
Sign on URL - Login URL
Relay State - Relay State
Return to GoodAccess, and click Continue.
Return to Azure, and click Save.
Click Edit to open Attributes & Claims.
Under the Additional claims section click on the record with the value user.mail and edit it as follows:
Name - "email" (without quotes)
Namespace - Delete pre-filled URL
Click Save.
Then, still in the Additional claims section click on the record with the value user.userprincipalname and edit it as follows:
Name - "name" (without quotes)
Namespace - Delete pre-filled URL
Don't forget to Save.
Download the Certificate (Base64), and open the file in a text editor (e.g. Notepad).
Copy the details to GoodAccess - (3) Identity Provider links, and click Continue.
Sign in URL - Login URL
Entity ID - Microsoft Entra ID Identifier
X509 signing certificate - Copy the certificate from the text editor
If you don't want to set up SCIM, skip the next step in GoodAccess, and click Submit to finish the configuration.
You have now successfully set up your Microsoft Entra ID SSO with GoodAccess.
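To confirm the Attributes & Claims edits above took effect, the following added example (not GoodAccess or Microsoft code) checks an assertion captured from your own test sign-in for claims named exactly "email" and "name". The sample assertions are constructed, and the helper names are hypothetical; the namespace URI is the default that Entra ID pre-fills in the Namespace field.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Default claim namespace Entra ID pre-fills in the Namespace field.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
REQUIRED = ("email", "name")  # claim names set in Attributes & Claims


def claim_report(assertion_xml: str) -> dict:
    """Return {claim: (status, detail)} for each required claim.

    Only claim names are inspected; the signature is NOT verified here.
    Feed it an assertion from your own test sign-in, not untrusted XML.
    """
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if name:
            value = attr.findtext("saml:AttributeValue", default="", namespaces=SAML_NS)
            found[name] = value.strip()

    report = {}
    for claim in REQUIRED:
        if claim in found:
            report[claim] = ("ok", found[claim])
            continue
        # "<namespace>/<claim>" means the Namespace field was not cleared.
        leftovers = [n for n in found if n.endswith("/" + claim)]
        report[claim] = ("namespaced", leftovers[0]) if leftovers else ("missing", None)
    return report


def _assertion(pairs):
    # Constructed sample data, shaped like a SAML 2.0 AttributeStatement.
    attrs = "".join(
        f'<Attribute Name="{n}"><AttributeValue>{v}</AttributeValue></Attribute>'
        for n, v in pairs)
    return ('<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
            f"<AttributeStatement>{attrs}</AttributeStatement></Assertion>")


GOOD = _assertion([("email", "alice@example.com"), ("name", "alice@example.com")])
BAD = _assertion([(f"{CLAIMS}/emailaddress", "alice@example.com"),
                  (f"{CLAIMS}/name", "alice@example.com")])

if __name__ == "__main__":
    for label, xml in (("configured", GOOD), ("defaults", BAD)):
        print(label, claim_report(xml))
```

A "namespaced" result means the claim was left with its pre-filled namespace; "missing" means no claim with that name was sent at all.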
In the application, go to Provisioning > Provisioning, and set Provisioning mode to Automatic.
Expand Admin Credentials, and copy the URL and Token from GoodAccess - (4) User provisioning (SCIM).
Return to GoodAccess, and click Continue, and Submit.
Return to Azure, and click Test Connection, and Save to confirm your settings.
Open Mappings, and select Provision Microsoft Entra ID Users.
Here, make sure that only the following four attributes are listed:
userName
active
displayName
externalId
If any attributes other than these four are listed, Delete them to prevent provisioning issues.
Don't forget to Save.
Open Mappings, and select Provision Microsoft Entra ID Groups.
Switch the Enabled button to No, and click Save.
During Provisioning on demand, delays may occur when 2 or more user accounts are created in GoodAccess. The delay may be long enough to cause timeout errors in Azure, but the provisioning will still be completed correctly.
Go to Overview, and click Start provisioning.
The whole provisioning process will take around 20 minutes to complete depending on the number of members and groups being added.
You have now successfully set up Microsoft Entra ID SCIM with GoodAccess.
In the application, go to Users and groups, and click + Add user/group.
Choose who should have access, and click Assign.