Ithura with Microsoft Entra ID (Azure AD): SSO and SCIM

Connect Ithura to Microsoft Entra ID (formerly Azure Active Directory) so your team signs in with their Microsoft accounts, and, on the Enterprise plan, so joiners and leavers sync automatically through SCIM. You create a non-gallery enterprise application, exchange a few values with Ithura, and assign your users.

This guide assumes the generic SAML concepts and focuses on the Entra console. You need workspace admin access (role 20) in Ithura at /{workspace}/settings/sso, and permission in Entra to create enterprise applications and (for SCIM) to configure provisioning. Single sign-on is on the Pro plan; SCIM provisioning requires Enterprise.

Keep the Ithura SSO settings page open in a second tab: you copy Ithura's SP values into Entra, then Entra's federation metadata back into Ithura.

The values you will exchange

From Ithura's SSO settings page (built from your API host and workspace slug):

  • ACS (Reply) URL: https://<api-host>/sso/{workspace}/saml/acs
  • SP Entity ID (Identifier): https://<api-host>/sso/{workspace}/saml/metadata

On Ithura Cloud the API host is api.ithura.com.

1. Create the enterprise application

  1. In the Microsoft Entra admin center, go to Identity -> Applications -> Enterprise applications.
  2. Click New application -> Create your own application.
  3. Name it (for example Ithura), choose Integrate any other application you don't find in the gallery (Non-gallery), and click Create.

2. Configure SAML single sign-on

  1. In the new app, open Single sign-on and choose SAML.

  2. Edit Basic SAML Configuration:

    • Identifier (Entity ID): paste Ithura's SP Entity ID.
    • Reply URL (Assertion Consumer Service URL): paste Ithura's ACS URL.
    • Leave Sign on URL, Relay State, and Logout URL blank (optional).
    • Save.
  3. Edit Attributes & Claims. Set the Unique User Identifier (Name ID) to user.mail (or user.userprincipalname if that is where email lives) with the Email address name identifier format. Then confirm these claims are present, which Entra emits by default under the standard claim names Ithura reads:

    Claim nameValue
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressuser.mail
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennameuser.givenname
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surnameuser.surname

    Ithura keys on the email and reads givenname + surname for the display name, so these three are all it needs.

  4. In the SAML Certificates section, find Federation Metadata XML and download it (or copy the App Federation Metadata Url).

3. Hand the metadata to Ithura

  1. In Ithura at /{workspace}/settings/sso, select SAML 2.0 and paste the Entra Federation Metadata XML into the IdP Metadata XML box. Ithura parses the entity ID, the sign-on URL, and the signing certificate out of it. Save.
    • If you prefer the individual fields, Entra's SAML page lists the Login URL (IdP SSO URL), the Microsoft Entra Identifier (IdP Entity ID), and a downloadable Certificate (Base64) for the signing certificate.
  2. Choose the Default role for auto-join and leave Enforce SSO off until a test sign-in works.

4. Assign users and test

  1. In Entra, open the app's Users and groups and Add user/group for everyone who should sign in. Only assigned users can authenticate.
  2. Test a sign-in: go to https://ithura.com/sign-in, click Sign in with SSO, enter your workspace slug, and complete the Microsoft prompt. Assigned users also see the app on their My Apps portal (IdP-initiated).
  3. When the sign-in works, tick Enforce SSO in Ithura if you want to require it. See Enforcing SSO.

5. SCIM provisioning (Enterprise)

Entra can push users and groups into Ithura automatically. This requires the Ithura Enterprise plan and an existing SAML configuration.

  1. In Ithura's SSO settings, open SCIM 2.0 Provisioning, note the SCIM Base URL https://<api-host>/scim/v2/, click Generate token, and copy the bearer token shown once.
  2. In the Entra app, open Provisioning, set Provisioning Mode to Automatic, and under Admin Credentials:
    • Tenant URL: https://<api-host>/scim/v2/
    • Secret Token: the Ithura SCIM bearer token.
    • Click Test Connection, then Save.
  3. Under Mappings, keep Provision Microsoft Entra ID Users (and Groups if you want group push). Ithura consumes userName, emails[0].value, name.givenName, name.familyName, displayName, active, and externalId; leave other attributes unmapped.
  4. Set Provisioning Status to On and assign users to the app for provisioning.

Provisioning behavior: creating a user adds a workspace membership at the default role (creating the underlying account if needed); active = false deactivates the membership; a delete removes the membership but keeps the underlying account, which may belong to other workspaces. SCIM group membership syncs Ithura groups but does not set the workspace role: role comes from the default-role setting. Full detail is in the Enterprise guide.

Troubleshooting

Sign-in fails with an audience or destination error. The Identifier or Reply URL in Entra does not match Ithura's SP Entity ID / ACS URL exactly, including the workspace slug. Recopy both from the SSO settings page.

The user signs in but has no name. Confirm the givenname and surname claims (or a displayname claim) are present in Attributes & Claims. Entra's defaults include them; a trimmed claim set can drop them.

SCIM Test Connection fails. The token is wrong, was rotated, or the Ithura plan is not Enterprise. Regenerate the token in Ithura and re-paste it, and confirm the workspace is on Enterprise.

Certificate rotation. If you roll the Entra signing certificate, re-import the federation metadata (or re-paste the certificate) in Ithura so the new certificate is stored.