
Microsoft Entra SSO setup guide

This guide will walk you through the setup of ComplyCloud’s SSO solution.

If you have questions or would like to schedule a support meeting, please do so by emailing us at support@complycloud.com.

You will need to set up a new Enterprise application in Microsoft Entra. The enterprise application will manage two things:

  1. Authentication through SAML, handling the login of your Microsoft users in ComplyCloud.
  2. Provisioning through SCIM, handling the synchronization of users and roles between your Entra and our application.

ComplyCloud Integration Page

During the setup steps later in the guide you will be asked to provide URLs and secrets that are specific to your ComplyCloud account. You can find the needed information in your ComplyCloud account (Settings > Account Management > Integrations), as shown in the screenshot below; from here on this page is referred to as the ComplyCloud integration page.

Setup

  1. Set up the Enterprise application
    1. Go to your Entra Admin Center
    2. Navigate to “Enterprise applications”
    3. Press “New Application”
    4. Click “Create your own application” and, in the pop-out on the right, name the application (e.g. ComplyCloud SSO) and select “Integrate any other application…”
    5. Click “Create”
  2. Set up application roles
    1. Navigate to “App registrations”
    2. Find the app registration of the enterprise app you created in step 1 and click it.
    3. In the left side panel, select “App Roles”. At this point the App roles list should be empty, but if there are app roles here that you want to delete, click the row, untick the “Do you want to enable this role” checkbox and press “Apply”. The role can now be deleted.
    4. In the left side panel, click “Manifest”
    5. On the integrations page in ComplyCloud, click the “Download App roles” button and insert the downloaded list of roles under “appRoles” in the shown manifest. Only copy from the opening square bracket ([) to the closing square bracket (]).
    6. Click the “Save” button.
  3. Generate SAML
    1. Navigate to “Enterprise applications” and select the app you created in step 1.
    2. In the left side panel, click “Single sign-on” and select the “SAML” box under “Select a sign-on method”.
    3. Click “Edit” under “Basic SAML Configuration”.
    4. Click “Add Identifier” and add the “Entity id” value found on the ComplyCloud Integration page.
    5. Click “Add Reply URL” and add the “Redirect URL” value found on the ComplyCloud Integration page.
    6. Click “Save”
  4. Upload SAML
    1. Still on the SAML page, under “SAML Signing Certificate” click “Download” where it says “Federation Metadata XML”.
    2. On the ComplyCloud Integration page, click the “Upload SAML” button and upload the Federation Metadata XML file downloaded in the previous step.
  5. Setup provisioning
    1. Still on the Enterprise application page of the created app, go to “Provisioning”.
    2. Click “Get started” and then choose “Automatic” as the “Provisioning mode”.
    3. Under “Admin Credentials”, set the “Tenant URL” to the “Provision URL” found on the ComplyCloud integration page.
    4. Under that, set the “Secret Token” to the “Provision Secret” found on the ComplyCloud integration page.
    5. Test that the configuration is correct by clicking the “Test Connection” button.
    6. Click “Provision Microsoft Entra ID Users” under “Mappings”.
    7. Tick “Show advanced options” at the bottom of the page and click “Edit attribute list for customappsso”.
    8. Tick the “Required” checkbox of the row called emails[type eq "work"].value.
    9. Add a row at the bottom named “roles” with “Type” set to “String” and tick the “Required” and “Multi-value” checkboxes.
    10. Click “Save”.
    11. Back on the “Attribute Mapping” page click “Add New Mapping” and set the following values:
      1. Mapping Type – Expression
      2. Expression – AppRoleAssignmentsComplex([appRoleAssignments])
      3. Target attribute – roles
    12. Configure your attribute mapping so that it matches the table below (shown as a screenshot in the original guide):

      customappsso Attribute         Microsoft Entra ID Attribute
      userName                       userPrincipalName
      active                         Switch([IsSoftDeleted],,"False","True","True","False")
      displayName                    displayName
      emails[type eq "work"].value   userPrincipalName
      preferredLanguage              preferredLanguage
      roles                          AppRoleAssignmentsComplex([appRoleAssignments])

    13. Click “Ok” and click “Save” on the “Attribute Mapping” page.

  6. Add groups (this step is optional). By default, all provisioned groups become departments on the main account, but if you have subsidiary accounts in ComplyCloud and wish to provision groups to those subsidiaries as departments, you will have to configure a roles attribute for the groups, similar to what was done for users.

    1. Go to the Enterprise application page of the created app, go to “Provisioning” and then “Attribute mapping”

    2. Select “Provision Microsoft Entra ID Groups”, tick the “Show advanced options” checkbox at the bottom and click “Edit attribute list for customappsso”
    3. On the Edit Attribute List page create another row called “roles”, with a tick in the “Required?” and “Multi-Value?” checkboxes.
    4. Also tick the “Required?” checkbox for the “members” attribute.
    5. Click “Save” in the top left corner.
    6. Click the “Add new mapping” button and input the following values:
      1. Mapping Type – Expression
      2. Expression – AppRoleAssignmentsComplex([appRoleAssignments])
      3. Target attribute – roles (You might have to refresh the page to see this option)
    7. Click the “Enabled” switch near the top, to enable this mapping.
    8. Click “Save” in the top left corner.
    9. From the “Users and groups” page of the enterprise application, you can now provision groups as departments.
    10. Select the groups you would like to add to your Enterprise application and select the “User – YourCompanyName” role for it. It’s important to give the group the lowest role possible, otherwise it will overwrite the users’ roles.
    11. Click the “Assign” button.
  7. Assigning users and groups
    1. Still on the Enterprise application page of the created app, go to “Users and Groups” and click “Add user/group”.
    2. Select the user you would like to grant access and the role you would like to assign for that user.
    3. Click the “Assign” button.
    4. Add users and assign roles. Note that a user or group can be assigned multiple times, and must be assigned once per account to have access to multiple accounts.
  8. Enabling the provisioning
    1. Still on the Enterprise application page of the created app, go to “Provisioning”.
    2. Click the “Start provisioning” button to have Entra start provisioning your configured users with roles, as you set up in step 5.
    3. If you want to run a more controlled test, click the “Provision on demand” button to force the provisioning of a specific user. Follow the on-screen instructions to check that everything works.
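
As an added illustration (not part of ComplyCloud's guide or product), the following Python simulates what the attribute mapping from step 5 produces for one directory user and applies the required-attribute checks a receiving SCIM service would run before creating the account. The directory user is constructed, and the object shape emitted by AppRoleAssignmentsComplex is an assumption.

```python
# Constructed sample directory user; the shape of appRoleAssignments items
# (as emitted by AppRoleAssignmentsComplex) is an assumption, not captured data.
ENTRA_USER = {
    "userPrincipalName": "jane.doe@example.com",
    "displayName": "Jane Doe",
    "preferredLanguage": "en-US",
    "IsSoftDeleted": False,
    "appRoleAssignments": [
        {"primary": True, "type": "WindowsAzureActiveDirectoryRole",
         "value": "User - ExampleCorp"},
    ],
}

def active_from_soft_deleted(is_soft_deleted):
    """Switch([IsSoftDeleted],,"False","True","True","False"): a soft-deleted
    directory user is sent as active=False so the SCIM target deactivates it."""
    return not is_soft_deleted

def build_scim_user(user):
    """Apply the guide's customappsso attribute mapping to one directory user."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user["userPrincipalName"],
        "active": active_from_soft_deleted(user["IsSoftDeleted"]),
        "displayName": user["displayName"],
        "emails": [{"type": "work", "primary": True,
                    "value": user["userPrincipalName"]}],
        "preferredLanguage": user.get("preferredLanguage"),
        # roles is multi-valued: one entry per app role assignment
        "roles": [{"primary": a["primary"], "type": a["type"], "value": a["value"]}
                  for a in user["appRoleAssignments"]],
    }

REQUIRED = ("userName", "active", "displayName", "emails", "roles")

def check_scim_user(scim):
    """Receiving-side check for the attributes marked Required in steps 5.8/5.9.
    Returns the missing attributes; an empty roles list counts as missing,
    since a user without a role should get no access."""
    problems = [a for a in REQUIRED if scim.get(a) in (None, "", [])]
    if not any(e.get("type") == "work" and e.get("value")
               for e in scim.get("emails", [])):
        problems.append('emails[type eq "work"].value')
    return problems
```

Running build_scim_user on a user with no app role assignment shows why step 7 matters: the payload is otherwise valid but check_scim_user reports roles as missing.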

You are done! Provisioned users should now be directed to Microsoft to log in when they attempt to log in to ComplyCloud. Please contact us at support@complycloud.com if you experience any issues following this guide.