Configuring SSO with Microsoft Entra ID (Azure AD)
Before configuring SSO, make sure that the APP_URL parameter in config.env matches the current Passwork domain, for example APP_URL=https://passwork.example.com. The following Passwork server is used in this example: passwork.example.com.

Adding the trust relationship of the relying party

1. Sign in to Microsoft Entra ID and go to Enterprise applications.
2. Open Manage → All applications and create a new application.
3. In Browse Microsoft Entra Gallery, select Create your own application.
4. Fill in the display name (example: Passwork SP). Under "What are you looking to do with your application?", select "Integrate any other application you don't find in the gallery (Non-gallery)".
5. Once the application is created, go to Manage → Single sign-on and open SAML.
6. Open Basic SAML Configuration and click Edit.
7. Sign in to the Passwork web interface, go to Settings and users → SSO settings, and copy the authentication endpoint addresses from the SP (Passwork) to the IdP (Microsoft Entra ID):
   - Identifier (Entity ID): https://passwork.example.com/api/v1/sso/metadata
   - Reply URL: https://passwork.example.com/api/v1/sso/acs
   - Logout URL: https://passwork.example.com/api/v1/sso/sls

[Figure: example of completed authentication endpoints from the SP]

Configuring rules for processing requests from the SP (Passwork) in the IdP (Microsoft Entra ID)

Depending on the kind of user login you want in Passwork, you can customize the processing rules so that the user name takes one of the following formats:
- username
- username@passwork.local

Select the desired user login format in Passwork and configure it in Set up Single Sign-On with SAML by opening Attributes & Claims.

Configuring processing rules for the username@passwork.local format

By default, after the application is created in Microsoft Entra ID, the user name after authentication in Passwork is generated as username@passwork.local. No additional changes need to be made.

[Figure: example of the default claim created by Microsoft Entra ID]

Configuring processing rules for the username format

Open Unique User Identifier (Name ID) and make the following changes:
- Source: Transformation
- Transformation: ExtractMailPrefix()
- Parameter 1: Attribute
- Attribute name: user.userprincipalname

Save the changes and go back to Attributes & Claims.

Configuring rules for processing additional attributes to be transferred to the SP

Go to Attributes & Claims and choose Add new claim.

Adding a new optional claim for displayName:
- Name: displayName
- Source: Attribute
- Source attribute: user.displayname
Save the additional claim that was created.

Adding a new optional claim for emailAddress:
- Name: emailAddress
- Source: Attribute
- Source attribute: user.mail
Save the additional claim that was created.

Configuring and completing Single Sign-On (SSO) settings in Passwork

Filling in the values: user attributes

Sign in to the Passwork web interface, go to Settings and users → SSO settings, and fill in the mapping attributes:
- Attribute for email: emailAddress
- Attribute for full name: displayName

Filling in the values: Identity Provider → Passwork

In Set up Single Sign-On with SAML → Set up Passwork SP, copy the addresses of the authentication endpoints. Then open Settings and users → SSO settings and fill in the values:
- Identifier (Entity ID): https://sts.windows.net/ba50022d-xxxx-xxxx-xxxx-1145c6c9ed97/
- Reply URL: https://login.microsoftonline.com/ba50022d-xxxx-xxxx-xxxx-1145c6c9ed97/saml2
- Logout URL: https://login.microsoftonline.com/ba50022d-xxxx-xxxx-xxxx-1145c6c9ed97/saml2

Filling in the value: certificate

In Set up Single Sign-On with SAML → SAML Certificates, download the certificate in Base64 format. Open the exported certificate in Notepad, copy its contents, and paste them into the corresponding field in Settings and users → SSO settings.

Filling in the value: advanced settings

At the moment Passwork does not provide an algorithm for processing additional identification during SSO integration, including different types of biometrics. If an identification error occurs as a result of the exchange with the IdP (Microsoft Entra ID), place the following content, in JSON format, in the advanced settings:

```json
{
  "security": {
    "requestedAuthnContext": false
  }
}
```

Open the authentication window in the Passwork web interface and log in via SSO to verify that the configuration is correct.
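The values above are copied by hand in two directions, and a mismatch between APP_URL, the SP endpoints entered in Entra, the IdP endpoints entered in Passwork, or the claim names usually shows up only as a failed login. The following Python helper is an added example, not Passwork's or Microsoft's code; it derives the SP endpoints from APP_URL and cross-checks both sides, using a constructed sample deployment with a made-up tenant GUID.

```python
import re

# Hypothetical helper, not Passwork's or Microsoft's code: cross-checks the values that
# the steps above copy between Passwork (SP) and Microsoft Entra ID (IdP).
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
IDP_SHAPES = {  # expected form of the three IdP endpoints pasted into Passwork
    "entity_id": r"^https://sts\.windows\.net/([^/]+)/$",
    "reply_url": r"^https://login\.microsoftonline\.com/([^/]+)/saml2$",
    "logout_url": r"^https://login\.microsoftonline\.com/([^/]+)/saml2$",
}
REQUIRED_CLAIMS = {"emailAddress", "displayName"}  # mapped in Passwork's SSO settings
# Constructed sample matching the article's deployment; the tenant GUID is made up.
SAMPLE_APP_URL = "https://passwork.example.com"
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_IDP = {
    "entity_id": f"https://sts.windows.net/{SAMPLE_TENANT}/",
    "reply_url": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2",
    "logout_url": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2",
}

def sp_endpoints(app_url):
    """SP values to paste into Entra's Basic SAML Configuration, derived from APP_URL."""
    base = app_url.rstrip("/")
    return {"entity_id": f"{base}/api/v1/sso/metadata",
            "reply_url": f"{base}/api/v1/sso/acs",
            "logout_url": f"{base}/api/v1/sso/sls"}

def check_sso_settings(app_url, sp_in_entra, idp_in_passwork, claims):
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    if not app_url.startswith("https://"):
        problems.append("APP_URL must be an https URL")
    for key, expected in sp_endpoints(app_url).items():
        if sp_in_entra.get(key) != expected:
            problems.append(f"Entra {key} should be {expected}")
    tenants = set()
    for key, shape in IDP_SHAPES.items():
        match = re.match(shape, idp_in_passwork.get(key, ""))
        if match is None:
            problems.append(f"Passwork IdP {key} is not a Microsoft Entra ID endpoint")
            continue
        tenants.add(match.group(1).lower())  # every IdP URL must name the same tenant
    if len(tenants) > 1:
        problems.append("IdP endpoints refer to different tenants")
    for tenant in tenants:
        if not GUID_RE.match(tenant):
            problems.append(f"tenant id {tenant} is not a GUID (placeholder left in?)")
    for claim in sorted(REQUIRED_CLAIMS - set(claims)):
        problems.append(f"claim {claim} is not issued by Entra; its Passwork mapping stays empty")
    return problems
```

Run `check_sso_settings(SAMPLE_APP_URL, sp_endpoints(SAMPLE_APP_URL), SAMPLE_IDP, ["emailAddress", "displayName"])` against your own values; an empty list means the two sides are consistent before you test the login.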