SSO with Microsoft Entra ID

Configure single sign-on (SSO) with Microsoft Entra ID as an identity provider.

Prerequisites

Before you start, do the following:

For additional information, refer to the Microsoft Entra ID documentation.

📘

Note

The single sign-out protocol is not supported for Microsoft Entra ID.

Configuring SSO

Step 1: Create an SSO Application and Configure SAML Settings

Follow these steps:

  1. In Microsoft Entra ID, create a non-gallery application for SSO. For instructions, please refer to the Microsoft Entra ID documentation.
  2. On the SSO application page, navigate to the Single sign-on section and select SAML as the single sign-on method.
  3. Under Basic SAML Configuration, enter the following details:
    • Identifier (Entity ID): https://{SUBDOMAIN}.leanix.net/Shibboleth.sso
    • Reply URL (Assertion Consumer Service URL): https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/SAML2/POST

      📘

      Note

      Replace {SUBDOMAIN} in the URLs with your value. When implementing SSO for your organization with the LeanIX team, you can choose a custom subdomain, for example, your company name.

Step 2: Configure SAML Token Attributes

Configure SAML 2.0 attribute mapping in Microsoft Entra ID. For more information, see Attribute Mapping. Mapping attributes are defined as SAML Token Attributes in the Relying Party Trust.

Follow these steps:

  1. Under Attributes & Claims, configure additional claims using the following values:

    Claim NameTypeValue
    firstnameSAMLuser.givenname
    lastnameSAMLuser.surname
    mailSAMLuser.mail
    roleSAMLuser.assignedroles
    uidSAMLuser.userprincipalname

    The following image shows the target values that you should configure. When you open the configuration page, it may show different values. For example, the first claim in the Additional claims table is initially set to givenname, but you should change it to firstname.

    Configuring Attributes and Claims in Entra ID

    Configuring Attributes and Claims in Microsoft Entra ID

  2. For each claim, delete the Namespace value in the configuration.

    Leaving the "Namespace" Value Blank in the Claim Configuration

    Leaving the "Namespace" Value Blank in the Claim Configuration

Basic SSO configuration is set up.

Configuring Role Attributes

If your organization manages user roles within Microsoft Entra ID and not within LeanIX, create the corresponding roles in Entra ID. To learn more about managing roles, see Managing User Roles with SSO.

To configure role attributes, follow these steps:

  1. In Microsoft Entra ID, create app roles for your app registrations.

    Creating Application Roles

    Creating Application Roles

  2. In the configuration of the enterprise application, assign app roles to users or groups.

    Assigning User Roles

    Assigning User Roles

  3. Optional: If needed, configure claim conditions. Claim conditions is an option for assigning roles to Active Directory groups. Conditions will be processed in order of appearance.

    An example of configured claim conditions is shown in the following image. If a user belongs to the scoped groups VIEWER and MEMBER, they will be assigned the MEMBER permission according to the specified order because the latest matching condition is always applied.

    To learn how to configure the user.assignedroles values, please refer to the Microsoft Entra ID documentation.

    Configuration of Claim Conditions

    Configuring Claim Conditions