Microsoft Azure Entra ID (formerly Azure AD) SSO Setup
Set up the RudderStack SSO (Single Sign-On) feature with Microsoft Azure Entra ID.
Available Plans: enterprise
This guide lists the steps to set up your Azure Entra ID SAML integration with RudderStack. This integration supports the following features:
SP-initiated SSO
JIT (Just In Time) Provisioning
RudderStack does not support some SCIM features like importing users and groups, removing users, and syncing passwords. See Known issues before you set up SSO for your organization.
From the left sidebar, go to Applications > Enterprise applications.
Under Manage, click All applications followed by New application.
In the Microsoft Entra App Gallery, click Create your own application.
In the expanded right sidebar, enter the name of your app. Under What are you looking to do with your application?, select Integrate any other application you don’t find in the gallery (Non-gallery).
Click the Create button at the bottom and wait for a few seconds for Azure to provision the app. You will then be redirected to the admin view of the app.
Step 2: Set up SAML
In the left sidebar of the newly provisioned app, click Single sign-on under Manage. Then, click SAML.
Click the meatballs menu (...) to the right of Basic SAML Configuration. In the expanded right sidebar, fill in the following information:
| Field | Value |
| --- | --- |
| Identifier (Entity ID) (Required) | urn:amazon:cognito:sp:us-east-1_ABZiTjXia |
| Reply URL (Assertion Consumer Service URL) (Required) | https://auth2.rudderstack.com/saml2/idpresponse |
| Sign on URL (Required) | https://auth2.rudderstack.com/saml2/idpresponse |
| Relay State | - |
Click the meatballs menu (...) to the right of Attributes & Claims and remove any Additional claims. Then, click Add new claim and enter the following information:
| Field | Value | Notes |
| --- | --- | --- |
| Email | user.mail | - |
| LastName | user.displayname | Choose your preferred name, for example, display name or surname. |
| Unique User Identifier | user.userprincipalname | - |
Copy the App Federation Metadata URL and share it with the RudderStack team.
Step 3: Set up SCIM
This section lists the steps to set up SCIM provisioning in Azure Entra ID.
Your user role and service access token must both have admin privileges. Otherwise, your SCIM provisioning tasks will fail.
SCIM configuration
In the left sidebar of your app, go to Manage > Provisioning > Get started.
Under Provisioning Mode, choose Automatic and enter the following credentials:
| Field | Value |
| --- | --- |
| Tenant URL (Required) | https://api.rudderstack.com/scim/v2 |
| Secret Token | Your service access token obtained in the Prerequisites section. |
Click Test Connection. The test should succeed.
If you see a 403 - Forbidden error, contact the RudderStack team to enable SCIM for your organization.
Enable SSO login
RudderStack does not support IdP-initiated authentication. Make sure the users log in through https://app.rudderstack.com/sso.
Known issues
RudderStack does not support the following SCIM features currently:
Import users
Import groups
Push groups (coming soon)
Remove users
Sync password
Enhanced group push
RudderStack does not support removing users - this is because it uses SCIM with SAML, where removing a user from Azure Entra ID implies that they also lose the ability to authenticate to RudderStack completely (logins via passwords, Google, etc. are completely blocked).
Instead, RudderStack supports deactivating the user which means they only lose access to the organization.
Debugging
An SSO login might occasionally fail for some users. In such cases, the RudderStack team requires a HAR (HTTP Archive) file to inspect the requests and identify any SSO-related issues.
A HAR file is a log of exported network requests from the user’s browser. See the HAR Analyzer guide for steps on generating this file depending on your browser.
Once you generate the HAR file, share it with the RudderStack team to troubleshoot the issue.
Note the following before capturing your HAR file:
Start from https://app.rudderstack.com/sso with a clean session, preferably in incognito mode of your browser.
Complete the SSO flow until the step where you face an error.
Your HAR file might contain sensitive data - make sure to redact it using a text editor before sharing it with the team.
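One way to script the redaction step above instead of editing the file by hand (an added example, not RudderStack tooling). The lists of sensitive header and parameter names are assumptions and the sample entry is constructed; RelayState is left in place because the errors covered in this guide concern it.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MASK = "REDACTED"
# Assumed lists of sensitive names (lower-case); extend them as needed.
SECRET_HEADERS = {"authorization", "cookie", "set-cookie"}
URL_HEADERS = {"location", "referer"}
SECRET_PARAMS = {"samlresponse", "samlrequest", "code", "id_token", "access_token"}

def mask_query(query):  # works on a query string or a urlencoded form body
    return urlencode([(k, MASK if k.lower() in SECRET_PARAMS else v)
                      for k, v in parse_qsl(query, keep_blank_values=True)])

def mask_url(url):
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=mask_query(parts.query)))

def mask_named(items):
    for item in items or []:  # HAR {name, value} records
        name = item["name"].lower()
        if name in SECRET_HEADERS | SECRET_PARAMS:
            item["value"] = MASK
        elif name in URL_HEADERS:
            item["value"] = mask_url(item["value"])

def redact_har(har):
    """Redact in place; hosts, paths, status codes and RelayState stay."""
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        req["url"] = mask_url(req["url"])
        resp["redirectURL"] = mask_url(resp.get("redirectURL", ""))
        post = req.get("postData") or {}
        for items in (req.get("headers"), resp.get("headers"),
                      req.get("queryString"), post.get("params")):
            mask_named(items)
        for cookie in req.get("cookies", []) + resp.get("cookies", []):
            cookie["value"] = MASK
        if "x-www-form-urlencoded" in post.get("mimeType", ""):
            post["text"] = mask_query(post.get("text", ""))
        # A response body can embed the auto-submitted SAMLResponse form.
        if resp.get("content", {}).get("text"):
            resp["content"]["text"] = MASK
    return har

# Constructed sample: the SAML POST to the Reply URL given on this page.
SAMPLE = {"log": {"entries": [{
    "request": {"url": "https://auth2.rudderstack.com/saml2/idpresponse",
                "headers": [{"name": "Cookie", "value": "sid=abc"}],
                "postData": {"mimeType": "application/x-www-form-urlencoded",
                             "text": "SAMLResponse=PHNhbWw%2B&RelayState=xyz"}},
    "response": {"status": 302, "redirectURL": "https://sp.example/cb?code=s3cret"}}]}}
```

Load the capture with `json.load`, pass it to `redact_har`, and review the output before sharing it, since secrets can also sit in fields outside these lists.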
The following sections contain solutions for some common errors you might encounter while setting up SSO:
Invalid samlResponse or relayState from identity provider
RudderStack recommends following all the SSO configuration steps above correctly and making sure that users start the login through https://app.rudderstack.com/sso.
Required String parameter ‘RelayState’ is not present
The above error indicates that you did not set up your SSO app correctly. Make sure to:
Set the Identifier (Entity ID) field to urn:amazon:cognito:sp:us-east-1_ABZiTjXia.
Under Attributes & Claims, set the Email field to user.email.
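To confirm these settings against what Azure Entra ID actually sends, the following added example (not RudderStack code) decodes a base64 SAMLResponse from your own capture and compares its Audience, Recipient and claims with the values in this guide. It assumes the claims are emitted without a namespace and that the assertion is not encrypted; the sample responses are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Expected values, taken from the tables on this page.
ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_ABZiTjXia"
ACS_URL = "https://auth2.rudderstack.com/saml2/idpresponse"
CLAIMS = ("Email", "LastName")  # assumed to be emitted without a namespace

def check_saml_response(b64_response):
    """List mismatches with the expected setup. Diagnostic only: the
    signature is NOT verified, so never use this to authenticate anyone."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    audiences = [e.text for e in root.iterfind(".//s:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append(f"Audience is {audiences}, expected {ENTITY_ID}")
    recipients = [e.get("Recipient")
                  for e in root.iterfind(".//s:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append(f"Recipient is {recipients}, expected {ACS_URL}")
    values = {a.get("Name"): [v.text for v in a.iterfind("s:AttributeValue", NS)]
              for a in root.iterfind(".//s:Attribute", NS)}
    for claim in CLAIMS:
        if not any(values.get(claim, [])):
            problems.append(f"claim {claim} is missing or empty")
    return problems

def build_sample(audience, claims):
    """Constructed, unsigned response for the demo (not a real capture)."""
    attrs = "".join(f'<Attribute Name="{n}"><AttributeValue>{v}'
                    f'</AttributeValue></Attribute>' for n, v in claims.items())
    xml = (f'<Assertion xmlns="{NS["s"]}"><Subject><SubjectConfirmation>'
           f'<SubjectConfirmationData Recipient="{ACS_URL}"/>'
           f'</SubjectConfirmation></Subject><Conditions><AudienceRestriction>'
           f'<Audience>{audience}</Audience></AudienceRestriction></Conditions>'
           f'<AttributeStatement>{attrs}</AttributeStatement></Assertion>')
    return base64.b64encode(xml.encode()).decode()

GOOD = build_sample(ENTITY_ID, {"Email": "ada@example.com", "LastName": "Ada"})
BAD = build_sample("https://app.rudderstack.com", {"LastName": "Ada"})
```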