Skip to content
English
Kontakt os
  • There are no suggestions because the search field is empty.

Microsoft Entra SSO setup guide

This guide will walk you through the setup of ComplyCloud’s SSO solution.

If you have questions or would like to schedule a support meeting, please do so by emailing us at support@complycloud.com.

You will need to setup a new Enterprise application in Microsoft Entra. The enterprise application will manage two things:

  1. Authentication through SAML, handling the login of your Microsoft users in ComplyCloud.
  2. Provisioning through SCIM, handling the synchronization of users and roles between your Entra and our application.

ComplyCloud Integration Page

During the setup steps later in the guide you will be asked to provide URLs and secrets that are specific to your ComplyCloud account. You can find the needed information in your ComplyCloud account (Settings > Account Management >Integrations), as shown in the screenshot below, from here on referred to as the ComplyCloud integration page.

Setup

  1. Setup the Enterprise application
    1. Go to your Entra Admin Center
    2. Navigate to “Enterprise applications”
    3. Press “New Application”
    4. Click “Create your own application” and in the pop-out on the right, name the application (eg. ComplyCloud SSO) and select “Integrate any other application…”
    5. Click “Create”
  2. Setup application roles 
    1. Navigate to “App registrations”
    2. Find the app registration of the enterprise app you created in step 1 and click it.
    3. In the left sidepanel, select “App Roles”. At this point, the App roles list should be empty, but if there are app roles here that you want to delete, click the row, untick the “Do you want to enable this role” checkbox and press “Apply”. The Role can now be deleted.
    4. In the left sidepanel, click “Manifest”
    5. On the integrations page in ComplyCloud, click the “Download App roles” button and insert the downloaded list of roles under “appRoles” in the shown manifest. Only copy from opening square bracket([), to closing square bracket (]).
    6. Click the “Save” button.
  3. Generate SAML
    1. Navigate to “Enterprise applications” and select the app you created in step 1.
    2. In the left sidepanel, click “Single sign-on” and select the “SAML” box under “Select a sign-on method”.
    3. Click “Edit” under “Basic SAML Configuration”.
    4. Click “Add Identifier” add the “Entity id” value found on the ComplyCloud Integration page.
    5. Click “Add Reply URL” add the “Redirect URL” value found on the ComplyCloud Integration page.
    6. Click “Save”
  4. Upload SAML
    1. Still on the SAML page, under “SAML Signing Certificate” click “Download” where it says “Federation Metadata XML”.
    2. On the ComplyCloud Integration page, click the “Upload SAML” button and upload the file downloaded in step 4a.
  5. Add users and assign roles
    1. Still on the Enterprise application page of created app, go to “Users and Groups” click “Add user/group”.
    2. Select the user you would like to grant access and the role you would like to assign for that user.
    3. Click the “Assign” button.

  6. Add groups (this step is optional). NOTE: Groups in Microsoft Entra ID are used to create “Departments” in ComplyCloud.

    1. Go to “Users and Groups” again, click “Add user/group”.

    2. Select the groups you would like to add to your Enterprise application and select the “User – YourCompanyName” role for it. It’s important to give the group the lowest role possible, otherwise it will overwrite the users’ roles.

    3. Click the “Assign” button.

  7. Setup provisioning
    1. Still on the Enterprise application page of created app, go to “Provisioning”.
    2. Click “Get started” and then choose the “Automatic” “Provisioning mode”.
    3. Under “Admin Credentials” set the “Tenant URL” to the “Provision URL” found on the ComplyCloud integration page.
    4. Under that, set the “Secret Token” to the “Provision Secret” found on the ComplyCloud integration page.
    5. Test that the configuration is correct, by clicking the “Test Connection” button.
    6. Click the “Provision Microsoft Entra ID Users” under "Mappings"
    7. Tick the “Show advanced options” at the bottom of the page and click the “Edit attribute list for customappsso”
    8. Tick the “Required” checkbox of the row called “emails[type eq “work”].value”
    9. Add a row at the bottom named “roles” with “Type” set to “String” and tick the “Required” and “Multi-value”.
    10. Back on the “Attribute Mapping” page click “Add New Mapping” and set the following values:
      1. Mapping Type – Expression
      2. Expression – AppRoleAssignmentsComplex([appRoleAssignments])
      3. Target attribute – roles
    11. Configure your attribute mapping so that it looks like the screenshot below:
      customappsso Attribute Microsoft Entra ID Attribute
      userName userPrincipalName
      active Switch([IsSoftDeleted],,"False","True","True","False")
      displayName displayName
      emails[type eq "work"].value userPrincipalName
      preferredLanguage preferredLanguage
      roles AppRoleAssignmentsComplex([appRoleAssignments])

       

    12. Click “Ok” and click “Save” on the “Attribute Mapping” page.

  1. Enabling the provisioning
    1. Still on the Enterprise application page of created app, go to “Provisioning”.
    2. Click the “Start provisioning” button to have Entra start provisioning your configured users with roles, as you set up in step 5.
    3. If you want to run a more controlled test, click the “Provision on demand” button to force the provisioning of a specific user. Follow the on-screen instructions to check that everything works.

You are done! Provisioned users should now be directed to Microsoft to log in when they attempt to log in to ComplyCloud. Please contact us at support@complycloud.com if you experience any issues following this guide or check the troubleshooting guide here: <LINK>.