SSO with Entra ID

Configure single sign-on with Microsoft Entra ID as an Identity Provider.

👍

Tip

To request an SSO setup for your workspace, please submit a ticket to LeanIX Support.

This guide explains how to configure single sign-on (SSO) with Microsoft Entra ID as an Identity Provider (IdP). Before proceeding, learn more about the general SSO configuration process. For details, see Single Sign-on (SSO).

To learn how to add a non-gallery application in Microsoft Entra ID, please refer to the Microsoft Entra ID documentation.

📘

Note

We do not support the single sign-out protocol for Entra ID.

Initial Configuration

SAML Settings

Please ensure that the settings are configured according to the example below:

  • Identifier (Entity ID): https://{SUBDOMAIN}.leanix.net/Shibboleth.sso
  • Reply URL: https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/SAML2/POST

SAML Token Attribute Configuration

When using SAML login with Microsoft Entra, you need to pass a user's first name, last name, email, and role as described in the Single sign-on (SSO) documentation page. These values are defined as SAML Token Attributes in the Relying Party Trust.

To map these attributes correctly, custom claim rules must be configured. The following example rules configure your Microsoft Entra federation with LeanIX.

Follow these steps:

  1. Configure additional claims using the following values.

    Claim Name   Type   Value
    firstname    SAML   user.givenname
    lastname     SAML   user.surname
    mail         SAML   user.mail
    role         SAML   user.assignedroles
    uid          SAML   user.userprincipalname

    The following image shows the target values that you need to configure. When you open the configuration page, it may show different values. For example, the first claim in the Additional claims table is initially set to givenname, but you need to change it to firstname.

    Configuring Attributes and Claims in Entra ID

  2. For each claim, delete the Namespace value in the configuration.

    Leaving the "Namespace" Value Blank in the Claim Configuration
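As an added check that is not part of the LeanIX or Microsoft documentation, the following Python script inspects a decoded SAML assertion (for example, one captured with a browser SAML tracer) and reports where it deviates from the settings above: the Audience must equal the Entity ID, the Recipient must equal the Reply URL, and the five claims must arrive under their bare names with no namespace. The embedded assertion and the subdomain "example" are constructed, and the script uses only the standard library.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIMS = {"firstname", "lastname", "mail", "role", "uid"}

# Constructed sample assertion for the hypothetical subdomain "example"; the role
# claim deliberately keeps its namespace and "uid" is left out so both checks fire.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="https://example.leanix.net/Shibboleth.sso/SAML2/POST"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://example.leanix.net/Shibboleth.sso</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>MEMBER</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, subdomain):
    """Return the list of mismatches against the guide's settings; empty means OK."""
    entity_id = f"https://{subdomain}.leanix.net/Shibboleth.sso"  # Identifier (Entity ID)
    reply_url = entity_id + "/SAML2/POST"                          # Reply URL
    root = ET.fromstring(xml_text)
    problems = []
    # Audience must equal the Entity ID registered in Entra ID.
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience != entity_id:
        problems.append(f"Audience {audience!r} != Entity ID {entity_id!r}")
    # Recipient must equal the Reply URL the assertion is posted to.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != reply_url:
        problems.append(f"Recipient {recipient!r} != Reply URL {reply_url!r}")
    # A claim whose Namespace was not blanked arrives as "<namespace>/<name>",
    # so a "/" in the attribute Name is the tell-tale sign.
    names = [a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)]
    for name in names:
        if "/" in name:
            problems.append(f"claim {name!r} still carries a namespace; set Namespace blank")
    missing = REQUIRED_CLAIMS - set(names)
    if missing:
        problems.append("missing claims: " + ", ".join(sorted(missing)))
    return problems
```

Run `check_assertion(SAMPLE_ASSERTION, "example")` to see the two problems the sample is built to trigger; replace the sample with your own decoded assertion and subdomain to check a real configuration.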

Manage role attribute

Create role attribute

If you assign roles in Entra ID, you need to create corresponding App Roles in your App Registration.

Assign role attribute

These app roles can then be assigned to users and/or groups within the enterprise application.

Claim Conditions

Claim conditions are an option for assigning roles to Active Directory groups. Conditions are evaluated in the order in which they appear. In the example below, a user who belongs to both the scoped "VIEWER" group and the scoped "MEMBER" group is assigned the VIEWER permission because of that order of evaluation.

👍

Tip

To learn how to configure the user.assignedroles values, please refer to the Entra ID documentation.