Skip to main content
All CollectionsConfigure Favro
Setting up SAML 2.0 and SCIM 2.0 with Microsoft Entra
Setting up SAML 2.0 and SCIM 2.0 with Microsoft Entra
D
Written by Dino Hrgetić
Updated over 6 months ago

Configuring SAML Single Sign-On

1. In Microsoft Entra, navigate to Applications > Enterprise applications > New application.

2. Click Create your own application.

3. Name the application and click on Create.

4.Once the app created, navigate to the Single Sign-On tab and select SAML.

5. Edit the Basic SAML Configuration:

And Save.

6. Next, while on the same page, on Attributes & Claims > Edit and add 2 entries:

  • Name: First Name Source attribute: user.givenname

  • Name: Last Name Source attribute: user.surname

*(Optional) Users will be provisioned with the Full Member role by default. You may add favroRole as a custom claim to change this behavior. See the SAML Single Sign-On section of Favro API reference for more details.

7. In Favro, navigate to Administration > Authentication methods > Single Sign-On settings > Configure and add your domain.

8. To verify the domain ownership, follow the steps described in the Domain verification section of the configuration page for your new domain.

9. After the domain ownership has been successfully verified, copy the following values from Microsoft Entra to your domain configuration page in Favro:

Microsoft Entra

Favro

Certificate (Base64)

SAML identity provider certificate

Login URL

SAML login url

Logout URL

SAML logout url

*(Important) Make sure any trailing spaces are removed from the certificate.

10. In Microsoft Entra, navigate to the Users and groups tab and assign users to the application.

11. Test the integration by navigating to the Single Sign-on tab and clicking on Test sign in.

Configuring SCIM provisioning

1. Navigate to the Provisioning tab and click Get started.

2. On the next screen, configure settings as following:

and save the changes.

*(Important) ?aadOptscim062020 must be added at the end of the Tenant URL. This is a known issue with Microsoft Entra SCIM 2.0, more details may be found here.

*(Optional) You may click on Test Connection to verify the configuration is working properly.

3. While still in the Provisioning tab of the app, navigate to the Mappings section and click on Provision Azure Active Directory Users to edit the user attributes mapping.

Make sure the mapping has the following attributes configured:

Azure Active Directory Attribute

customappsso Attribute

userPrincipalName

userName

Switch([IsSoftDeleted], , "False", "True", "True", "False")

active

givenName

name.givenName

surname

name.familyName

Join(" ", [givenName], [surname])

name.formatted

and save the changes.

*(Optional) to assign roles through SCIM, favroRole should be added to the customappsso Attribute. See the Favro API reference to learn more about supported attributes and configurations.

4. Navigate to the Overview tab of the app and Start provisioning.

Did this answer your question?