Entra ID - Configuring Single Sign-On Authentication

Learn how to configure Single Sign-On using SAML protocol in Microsoft Entra ID to authenticate users to your Staffbase platform.

Employee App
Staffbase Intranet
Staffbase Email

In this article, you will learn how to set up Single Sign-On (SSO) using the SAML protocol in Microsoft Entra ID (formerly known as Azure Active Directory / Azure AD). SSO is an authentication method that gives users access to multiple applications with a single account. With SSO, you can onboard your users and let them access the Staffbase platform with the same credentials they use for other platforms in your organization.

SSO is optional for user management. You can choose an option based on your business requirements. Learn more about other options.

  • You have an Entra ID tenant.
  • You have one of the following permissions to configure provisioning in Entra ID:
    • Application Administrator
    • Cloud Application Administrator
    • Global Administrator

You need to create an enterprise application in Entra ID to set up SSO.

Staffbase recommends creating a dedicated application to maintain users for your Staffbase platform. If you want to configure SCIM for user provisioning, you can use a single enterprise application for both SSO and SCIM.

  1. In Microsoft Azure, under Azure services, click Microsoft Entra ID.
  2. Navigate to Enterprise applications.
  3. Click New application.
  4. Click Create your own application.
    The Create your own application dialog opens.
  5. Provide a name for the application. For example, Staffbase SSO or something similar to help you instantly identify the application.
  6. Select Integrate any other application you don’t find in the gallery (Non-gallery).
  7. Click Create.
    You have created an application to authenticate users using SSO.

After creating the enterprise application, you can decide which Entra ID users need access to the Staffbase platform using SSO.

Staffbase recommends adding a few users initially to test that everything works as expected.

  1. In the enterprise application you created, click Users and groups.
    The Users and groups page opens.
  2. Click Add user/group.
  3. Click None Selected.
    The Users and groups dialog opens.
  4. Search for the user or group you want to add and click Select.
  5. Click Assign.
    You have assigned users or groups to the application.

Once you have created the application, you need to define the SAML protocol.
Learn how the Microsoft identity platform uses the SAML protocol.

  1. In the enterprise application, navigate to Overview.
  2. Under Set up single sign on, click Get Started.
  3. Select SAML as the single sign-on method.
    The Set up Single Sign-On with SAML page opens.

All required Service Provider (SP) values for setting up SSO, such as Entity ID, Reply URL, and so on, are available directly in your Staffbase Studio.

To get the required configuration values and instructions for your specific environment, refer to the SSO configuration details page.

  1. In the Set up Single Sign-On with SAML page, click Edit under Basic SAML Configuration.
  2. Enter the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) retrieved from the Staffbase Studio (see SSO configuration details).
  3. Under SAML Signing Certificate, click Edit.
    The Attributes & Claims page opens.

You can modify a claim and adjust its values according to your business requirements.
At minimum, you need the following claims configured:

The Unique User Identifier (Name ID) value and the identifier in your Staffbase platform must match for each user using SSO.

If you want to use a different value from the one already in place for your users in your Staffbase platform, you will need to update the user identifiers in your Staffbase platform first. In such a case, ensure that all future user management also includes these new identifiers.

  1. Click Add new claim.
    The Manage claim dialog opens.

  2. Provide a name and assign a Source attribute for the claim.

The values are auto-filled based on your enterprise application and Entra ID tenant.

  1. Under Test single sign-on, click Test.
  2. Select a way to test sign in and click Test sign in. The sign in page opens for you to test.
  3. Ensure the sign in functions as expected.
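
The following added example (not Staffbase or Microsoft code) shows one way to confirm, during the test sign-in, that a SAML response agrees with the Basic SAML Configuration and the Name ID requirement described above. The URLs, the sample response, the identifier set and the function name check_response are constructed placeholders; the real Entity ID and Reply URL come from the SSO configuration details page.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholders, not real Staffbase values.
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"
SP_REPLY_URL = "https://sp.example.invalid/saml/acs"

# Constructed, unsigned sample response (not captured from a real tenant).
SAMPLE_RESPONSE = f"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{SP_REPLY_URL}">
  <a:Assertion>
    <a:Subject>
      <a:NameID>jane.doe@example.invalid</a:NameID>
      <a:SubjectConfirmation>
        <a:SubjectConfirmationData Recipient="{SP_REPLY_URL}"/>
      </a:SubjectConfirmation>
    </a:Subject>
    <a:Conditions>
      <a:AudienceRestriction><a:Audience>{SP_ENTITY_ID}</a:Audience></a:AudienceRestriction>
    </a:Conditions>
  </a:Assertion>
</p:Response>"""

def check_response(xml_text, entity_id, reply_url, known_ids):
    """Return a list of configuration mismatches (an empty list means consistent).

    This is a configuration sanity check only: it does not verify the XML
    signature, and it should only be fed responses from your own test sign-in.
    """
    root = ET.fromstring(xml_text)
    problems = []
    # Audience must carry the Identifier (Entity ID) entered in Entra ID.
    audiences = [e.text.strip() for e in root.findall(".//a:Audience", NS) if e.text]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include the Entity ID")
    # Recipient and Destination must both equal the Reply URL (ACS URL).
    recipients = [e.get("Recipient") for e in root.findall(".//a:SubjectConfirmationData", NS)]
    if reply_url not in recipients or root.get("Destination") != reply_url:
        problems.append("Recipient/Destination does not match the Reply URL")
    # Name ID must match a user identifier that already exists in the platform.
    name_id = root.findtext(".//a:Subject/a:NameID", default="", namespaces=NS).strip()
    if not name_id:
        problems.append("NameID is missing")
    elif name_id not in known_ids:
        problems.append(f"NameID {name_id!r} has no matching platform identifier")
    return problems
```

The comparison of Name ID values is exact, so a difference in case or format between Entra ID and the platform identifiers is reported as a mismatch.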

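After testing that the SSO authentication works as expected, you can add all users in Entra ID to the enterprise application. You do this by turning off the assignment requirement, which lets any user in the tenant sign in to the application without being individually assigned.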

  1. In the enterprise application you created, click Properties.
  2. Set Assignment required? to No.
  3. Click Save.

You have configured and enabled SSO for your Staffbase platform.

You can configure the SAML domain hints to ensure that users don’t attempt to authenticate with the identity provider (IdP) using domains that are not allowed when using the Staffbase platform. To activate this feature, contact Staffbase Support or your Customer Success Manager. Learn more about domain hints.