Configuring SSO with Microsoft Entra ID (Azure AD)
Before configuring SSO, make sure that the APP_URL parameter in config.env matches the Passwork domain currently in use, for example APP_URL=https://passwork.example.com. Passwork builds its SAML endpoints (Entity ID, ACS and logout URLs) from this value, so a mismatch means Microsoft Entra ID will address its SAML responses to the wrong URL and logins will fail.
The Passwork server passwork.example.com is used throughout this example.
Sign in to Microsoft Entra ID and go to Enterprise applications:

Open Manage → All applications and create a New application:

In Browse Microsoft Entra Gallery, select Create your own application:

Perform the following steps:
- Fill in the Display Name (for example, passwork-sp);
- Under "What are you looking...", choose Integrate any other application you don't find in the gallery (Non-gallery).

Once the application is created, go to Manage → Single sign-on and select SAML:

Open Basic SAML Configuration and click Edit.
Sign in to the Passwork web interface, go to Settings and Users → SSO Settings, and copy the SP (Passwork) endpoint addresses into the corresponding IdP (Microsoft Entra ID) fields:
- Identifier (Entity ID) — https://passwork.example.com/api/v1/sso/metadata
- Reply URL — https://passwork.example.com/api/v1/sso/acs
- Logout Url — https://passwork.example.com/api/v1/sso/sls
Depending on the login format you want users to have in Passwork, you can adjust the claim processing rules (typically the Unique User Identifier (Name ID) claim) so that the resulting login takes a form such as:
- username
Choose the login format you want in Passwork and configure the claim accordingly.
In Set up Single Sign-On with SAML, open Attributes & Claims:

Click Add new claim and add the two claims that Passwork maps:
- A new claim for displayName:
  - Name: displayName;
  - Source: Attribute;
  - Source attribute: user.displayname;
  - Save the claim.

- A new claim for emailAddress:
  - Name: emailAddress;
  - Source: Attribute;
  - Source attribute: user.mail;
  - Save the claim.

Sign in to the Passwork web interface, go to Settings and Users → SSO Settings and fill in the attribute mapping. The names must match the claim names created in Microsoft Entra ID exactly:
- Attribute for email — emailAddress;
- Attribute for full name — displayName;
In Set up Single Sign-On with SAML → Set up passwork-sp, copy the IdP endpoint addresses (Login URL, Microsoft Entra Identifier and Logout URL):

Open Settings and Users → SSO Settings and fill in the values. Identifier (Entity ID) takes the Microsoft Entra Identifier, Reply URL takes the Login URL, and Logout URL takes the Logout URL (Entra ID uses the same /saml2 endpoint for both). The tenant ID shown below is an example; use your own:
- Identifier (Entity ID) — https://sts.windows.net/ba50022d-xxxx-xxxx-xxxx-1145c6c9ed97/
- Reply URL — https://login.microsoftonline.com/ba50022d-xxxx-xxxx-xxxx-1145c6c9ed97/saml2
- Logout URL — https://login.microsoftonline.com/ba50022d-xxxx-xxxx-xxxx-1145c6c9ed97/saml2
In Set up Single Sign-On with SAML → SAML Certificates, download the SAML signing certificate in Base64 format (Certificate (Base64)). This is the certificate Passwork uses to verify the signature on SAML responses from Microsoft Entra ID; it is not a TLS (SSL) certificate for the web server:

Open the downloaded certificate in a text editor, copy its entire contents and paste them into the corresponding field in Settings and Users → SSO Settings. If the signing certificate is later rotated in Microsoft Entra ID, the new certificate must be pasted into Passwork as well, otherwise SSO logins will fail signature verification.
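The SP and IdP values above are easy to get subtly wrong (a trailing slash, a stale APP_URL, a claim name that differs from the mapping). The following script is an added example, not code from Passwork or Microsoft: it derives the SP endpoints from APP_URL as listed on this page, builds the IdP endpoints for a tenant, and checks a decoded SAML Response the way you would when troubleshooting a rejected login, verifying Issuer, Destination, Audience, status and the presence of the emailAddress and displayName attributes. It does not verify the XML signature; Passwork does that with the certificate pasted above. The tenant ID and the sample response are constructed placeholders.

```python
"""Pre-flight checker for the Passwork (SP) <-> Microsoft Entra ID (IdP) SAML values.

Added example, not code from Passwork or Microsoft. Signature verification is
deliberately NOT done here; Passwork performs it with the Base64 certificate
pasted into SSO Settings. TENANT_ID and SAMPLE_RESPONSE are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed placeholder, not a real Entra tenant ID.
TENANT_ID = "00000000-0000-0000-0000-000000000000"


def sp_endpoints(app_url):
    """SP (Passwork) values entered in Entra's Basic SAML Configuration."""
    base = app_url.rstrip("/")
    return {
        "entity_id": f"{base}/api/v1/sso/metadata",
        "acs_url": f"{base}/api/v1/sso/acs",
        "sls_url": f"{base}/api/v1/sso/sls",
    }


def idp_endpoints(tenant_id):
    """IdP (Entra ID) values shown under 'Set up <app>' for a tenant."""
    return {
        "entity_id": f"https://sts.windows.net/{tenant_id}/",
        "login_url": f"https://login.microsoftonline.com/{tenant_id}/saml2",
        "logout_url": f"https://login.microsoftonline.com/{tenant_id}/saml2",
    }


def check_response(xml_text, app_url, tenant_id,
                   email_attr="emailAddress", name_attr="displayName"):
    """Return (problems, attributes) for a decoded SAML Response."""
    root = ET.fromstring(xml_text)
    sp, idp = sp_endpoints(app_url), idp_endpoints(tenant_id)
    problems = []

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("IdP did not report Success status")

    # Destination must be Passwork's ACS URL; an APP_URL mismatch shows up here.
    dest = root.get("Destination")
    if dest != sp["acs_url"]:
        problems.append(f"Destination {dest!r} != ACS {sp['acs_url']!r}")

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp["entity_id"]:
        problems.append(f"Issuer {issuer!r} != IdP Entity ID {idp['entity_id']!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("Response carries no Assertion")
        return problems, {}

    # Audience must equal the SP Entity ID that Passwork advertises.
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp["entity_id"]:
        problems.append(f"Audience {audience!r} != SP Entity ID {sp['entity_id']!r}")

    attrs = {"NameID": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values

    # Passwork looks attributes up by the exact name entered in SSO Settings.
    for needed in (email_attr, name_attr):
        if needed not in attrs:
            problems.append(f"attribute {needed!r} missing; present: {sorted(attrs)}")
    return problems, attrs


# Constructed sample of what Entra ID posts to the ACS URL (signature omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://passwork.example.com/api/v1/sso/acs">
  <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://passwork.example.com/api/v1/sso/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="emailAddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for url in ("https://passwork.example.com", "https://passwork.internal"):
        problems, attrs = check_response(SAMPLE_RESPONSE, url, TENANT_ID)
        print(url, "OK" if not problems else problems, attrs)
```

Run it against a real response by taking the SAMLResponse form field from the browser's network tools, Base64-decoding it, and passing the XML to check_response with your APP_URL and tenant ID. The second URL in the main block deliberately does not match the sample response and reports both the Destination and the Audience mismatch, which is exactly what a wrong APP_URL looks like.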
Passwork does not currently support any additional identification step during SSO login, including any form of biometrics.
If an identification error occurs during the exchange with the IdP (Microsoft Entra ID), the following content must be placed in JSON format:
Open the login window in the Passwork web interface and sign in via SSO to verify that the configuration is correct:
