
SSO: Setting up Microsoft Entra ID (formerly Azure AD)

How to set up an SSO connection with Microsoft Entra ID (formerly Azure AD)

Written by Julia Sommarlund
Updated over a week ago

There are three parts to setting up Entra ID, which we'll cover step-by-step:

📌 Important to note

The screenshots below show Azure AD before it was rebranded to Entra ID, but the principles remain the same.


1. Prepare your Entra account

First, you need to create a new Enterprise Application on the Microsoft Entra side, of type non-gallery.


In that new application, set up Single Sign-on using SAML. For now, only enable it - we'll fill in the configuration in section 2 below.



2. Input parameters across systems

To set up the SSO connection, there are some values from Planhat you need to enter in Entra, and vice versa. Below we walk through the required parameters; the "Planhat:" or "Entra:" prefix on each parameter tells you in which system the value should be entered.

📌 Important to note

To have access to SSO features in Planhat, a Planhat staff member ("Super Admin") first needs to enable a feature flag for your tenant: the "Is SSO Available" toggle, found under "Admin Settings" in the "Settings" Global Tool.

In Planhat:

  1. Scroll down to the "Security" category, and click on "Login & Authentication"

  2. Ensure that "SAML 2.0 (Microsoft Entra ID)" is selected in the "Login Method" dropdown menu


  3. You can now start filling in the boxes in the form, as shown in the screenshot above and discussed below

Planhat: Initiator

This controls whether users can log in only via the IdP-initiated flow (i.e. starting from Entra) or also via the SP-initiated flow (i.e. starting from Planhat's website). It is purely a setting, requiring no input other than your decision on what works best for you. We recommend allowing both (IdP + SP).

Planhat: Identifier (Application ID) - required

Called "Application ID" on Entra's side, found under Overview of the Application page.

____

After this, go into the Single Sign-on page. First, you need to do Basic SAML Configuration using input from Planhat's side.


Entra: Identifier (Entity ID) - required

Entra: Reply URL (Assertion Consumer Service URL) - required

In Planhat, still within the "Login & Authentication" part of Security Settings, under "Single Sign-On", click "Show Instruction".


You can take your Reply URL and Identifier (Entity ID) from points 6 and 7 of the instruction text revealed in your own tenant. Note that the URLs are unique to your specific tenant.

Enter these values from Planhat into the corresponding fields in Entra.

____

Planhat: Log-in URL - required

Then, on the Planhat side, set the Login URL from Entra. You find it in step 4 of the Single Sign-on page in Entra.

After setting this, you have a couple of optional parameters to set in Planhat, including Logout URL, Session Length, and whether any users may bypass SSO and log in with a password.

Planhat: Certificate (Base64) - required

Download the Certificate (Base64), open the file in a plain-text editor (Notepad on Windows, or the equivalent on Mac), copy the full content, and paste it into Planhat.

The content should look something like:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
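The certificate you paste here is what Planhat uses to verify the signature on Entra's SAML assertions, so it is worth confirming that the pasted text is the complete file and that the certificate is still inside its validity period. The Python example below is added here and is not part of Planhat's or Microsoft's tooling; using only the standard library it locates the BEGIN/END lines, decodes the Base64 body, reads the validity window out of the DER structure and returns the SHA-1 and SHA-256 fingerprints (the SHA-1 value should match the thumbprint Entra shows for the SAML signing certificate). The sample certificate at the bottom is a constructed stub containing only the fields the parser reads, not a real certificate; point the functions at your own downloaded file instead.

```python
import base64, hashlib, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, value):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) -> aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def inspect_pem(pem, now=None):
    """Check the pasted text is a complete PEM certificate; return fingerprints and validity."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("BEGIN/END CERTIFICATE lines missing: paste the whole file")
    der = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    tag, cert, _ = _tlv(der, 0)                          # Certificate ::= SEQUENCE
    tag2, tbs, _ = _tlv(cert, 0)                         # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER-encoded X.509 certificate")
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0                      # skip the optional [0] version
    for _ in range(3):                                   # serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)
    t1, v1, nxt = _tlv(validity, 0)
    t2, v2, _ = _tlv(validity, nxt)
    nb, na, now = _time(t1, v1), _time(t2, v2), now or datetime.now(timezone.utc)
    return {"sha1": hashlib.sha1(der).hexdigest(), "sha256": hashlib.sha256(der).hexdigest(),
            "not_before": nb, "not_after": na, "valid_now": nb <= now <= na}

def _der(tag, payload):                                  # DER TLV encoder for the sample only
    n, nb = len(payload), (len(payload).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + payload

# Constructed sample (not a real or signed certificate): only the fields inspect_pem reads.
SAMPLE_DER = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
    + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x18, b"20991231235959Z"))))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
```

If `inspect_pem` raises, the pasted text is incomplete or is not a Base64 certificate; if `valid_now` is false, download the current signing certificate from Entra before continuing.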

Planhat: Disable SAML AuthnContext - required

This can typically be left disabled, but if you see the error below when testing the set-up, enable "Disable SAML AuthnContext".

Error: aadsts75011 authentication method x509 multifactor


3. Try it out / common troubleshooting

After everything has been set up, you can test the connection on the Entra side in step 5 of the SSO section.

Some common issues:

  • The user who tries to log in has not been created as a User in Planhat

  • The user ID sent by Entra must be an email address matching the one used in Planhat

  • The x509 multifactor error (AADSTS75011): see the last parameter in section 2 above for how to fix this with the "Disable SAML AuthnContext" setting
