Configuring SAML Single Sign-On
1. In Microsoft Entra, navigate to Applications > Enterprise applications > New application.
2. Click Create your own application.
3. Name the application and click on Create.
4.Once the app created, navigate to the Single Sign-On tab and select SAML.
5. Edit the Basic SAML Configuration:
Identifier (Entity ID): https://favro.com/saml/metadata.xml
Reply URL (Assertion Consumer Service URL): https://favro.com/saml/assert
And Save.
6. Next, while on the same page, on Attributes & Claims > Edit and add 2 entries:
Name: First Name Source attribute: user.givenname
Name: Last Name Source attribute: user.surname
*(Optional) Users will be provisioned with the Full Member role by the default. You may add favroRole as a custom claim to change this behavior. See the SAML Single Sign-On section of Favro API reference for more details.
7. In Favro, navigate to Administration > Authentication methods > Single Sign-On settings > Configure and add your domain.
8. To verify the domain ownership, follow the steps described in the Domain verification section of the configuration page for your new domain.
9. After the domain ownership has been successfully verified, copy the following values from Microsoft Entra to your domain configuration page in Favro:
Microsoft Entra | Favro |
Certificate (Base64) | SAML identity provider certificate |
Login URL | SAML login url |
Logout URL | SAML logout url |
*(Important) Make sure any trailing spaces are removed from the certificate
10. In Microsoft Entra, navigate to the Users and groups tab and assign users to the application.
11. Test the integration by navigating to the Single Sign-on tab and clicking on Test sign in.
Configuring SCIM provisioning
1. Navigate to the Provisioning tab and click Get started.
2. On the next screen, configure settings as following:
Provisioning Mode: Automatic
Tenant URL: https://favro.com/api/scim/v2?aadOptscim062020
Secret Token: [SCIM API token found in Favro authentication settings for the domain]
and save the changes.
*(Important) ?aadOptscim062020 must be added at the end of the Tenant URL. This is a known issue with Microsoft Entra SCIM 2.0, more details may be found here.
*(Optional) You may click on Test Connection to verify the configuration is working properly.
3. While still in the Provisioning tab of the app, navigate to the Mappings section and click on Provision Azure Active Directory Users to edit the user attributes mapping.
Make sure the mapping has the following attributes configured:
Azure Active Directory Attribute | customappsso Attribute |
userPrincipalName | userName |
Switch([IsSoftDeleted], , "False", "True", "True", "False") | active |
givenName | name.givenName |
surname | name.familyName |
Join(" ", [givenName], [surname]) | name.formatted |
and save the changes.
*(Optional) to assign roles through SCIM, favroRole should be added to the customappsso Attribute. See the Favro API reference to learn more about supported attributes and configurations.
4. Navigate to the Overview tab of the app and Start provisioning.
