Ithura with Microsoft Entra ID (Azure AD): SSO and SCIM
Connect Ithura to Microsoft Entra ID (formerly Azure Active Directory) so your team signs in with their Microsoft accounts, and, on the Enterprise plan, so joiners and leavers sync automatically through SCIM. You create a non-gallery enterprise application, exchange a few values with Ithura, and assign your users.
This guide assumes the generic SAML concepts and focuses on the Entra
console. You need workspace admin access (role 20) in Ithura at
/{workspace}/settings/sso, and permission in Entra to create enterprise
applications and (for SCIM) to configure provisioning. Single sign-on is on the
Pro plan; SCIM provisioning requires Enterprise.
Keep the Ithura SSO settings page open in a second tab: you copy Ithura's SP values into Entra, then Entra's federation metadata back into Ithura.
The values you will exchange
From Ithura's SSO settings page (built from your API host and workspace slug):
- ACS (Reply) URL:
https://<api-host>/sso/{workspace}/saml/acs - SP Entity ID (Identifier):
https://<api-host>/sso/{workspace}/saml/metadata
On Ithura Cloud the API host is api.ithura.com.
1. Create the enterprise application
- In the Microsoft Entra admin center, go to Identity -> Applications -> Enterprise applications.
- Click New application -> Create your own application.
- Name it (for example
Ithura), choose Integrate any other application you don't find in the gallery (Non-gallery), and click Create.
2. Configure SAML single sign-on
-
In the new app, open Single sign-on and choose SAML.
-
Edit Basic SAML Configuration:
- Identifier (Entity ID): paste Ithura's SP Entity ID.
- Reply URL (Assertion Consumer Service URL): paste Ithura's ACS URL.
- Leave Sign on URL, Relay State, and Logout URL blank (optional).
- Save.
-
Edit Attributes & Claims. Set the Unique User Identifier (Name ID) to
user.mail(oruser.userprincipalnameif that is where email lives) with the Email address name identifier format. Then confirm these claims are present, which Entra emits by default under the standard claim names Ithura reads:Claim name Value http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressuser.mailhttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennameuser.givennamehttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/surnameuser.surnameIthura keys on the email and reads
givenname+surnamefor the display name, so these three are all it needs. -
In the SAML Certificates section, find Federation Metadata XML and download it (or copy the App Federation Metadata Url).
3. Hand the metadata to Ithura
- In Ithura at
/{workspace}/settings/sso, select SAML 2.0 and paste the Entra Federation Metadata XML into the IdP Metadata XML box. Ithura parses the entity ID, the sign-on URL, and the signing certificate out of it. Save.- If you prefer the individual fields, Entra's SAML page lists the Login URL (IdP SSO URL), the Microsoft Entra Identifier (IdP Entity ID), and a downloadable Certificate (Base64) for the signing certificate.
- Choose the Default role for auto-join and leave Enforce SSO off until a test sign-in works.
4. Assign users and test
- In Entra, open the app's Users and groups and Add user/group for everyone who should sign in. Only assigned users can authenticate.
- Test a sign-in: go to
https://ithura.com/sign-in, click Sign in with SSO, enter your workspace slug, and complete the Microsoft prompt. Assigned users also see the app on their My Apps portal (IdP-initiated). - When the sign-in works, tick Enforce SSO in Ithura if you want to require it. See Enforcing SSO.
5. SCIM provisioning (Enterprise)
Entra can push users and groups into Ithura automatically. This requires the Ithura Enterprise plan and an existing SAML configuration.
- In Ithura's SSO settings, open SCIM 2.0 Provisioning, note the SCIM Base
URL
https://<api-host>/scim/v2/, click Generate token, and copy the bearer token shown once. - In the Entra app, open Provisioning, set Provisioning Mode to
Automatic, and under Admin Credentials:
- Tenant URL:
https://<api-host>/scim/v2/ - Secret Token: the Ithura SCIM bearer token.
- Click Test Connection, then Save.
- Tenant URL:
- Under Mappings, keep Provision Microsoft Entra ID Users (and Groups if
you want group push). Ithura consumes
userName,emails[0].value,name.givenName,name.familyName,displayName,active, andexternalId; leave other attributes unmapped. - Set Provisioning Status to On and assign users to the app for provisioning.
Provisioning behavior: creating a user adds a workspace membership at the default
role (creating the underlying account if needed); active = false deactivates
the membership; a delete removes the membership but keeps the underlying account,
which may belong to other workspaces. SCIM group membership syncs Ithura groups
but does not set the workspace role: role comes from the default-role setting.
Full detail is in the Enterprise guide.
Troubleshooting
Sign-in fails with an audience or destination error. The Identifier or Reply URL in Entra does not match Ithura's SP Entity ID / ACS URL exactly, including the workspace slug. Recopy both from the SSO settings page.
The user signs in but has no name. Confirm the givenname and surname
claims (or a displayname claim) are present in Attributes & Claims. Entra's
defaults include them; a trimmed claim set can drop them.
SCIM Test Connection fails. The token is wrong, was rotated, or the Ithura plan is not Enterprise. Regenerate the token in Ithura and re-paste it, and confirm the workspace is on Enterprise.
Certificate rotation. If you roll the Entra signing certificate, re-import the federation metadata (or re-paste the certificate) in Ithura so the new certificate is stored.