Articles in this section

How to setup SSO with Microsoft Entra ID - OpenID Connect

Updated

This article describes how an organization can set up SSO on Microsoft Entra ID using the OpenID Connect protocol.

  Prerequisites

  • Global Administrator rights on your Microsoft Entra ID tenant.

  Important

  • Only the standard set of claims are supported (claim mappings are pre-configured and cannot be edited).
  • Multi-factor authentication (MFA) with Duo Security is not supported.
  • Templafy restricts the amount of AD groups to the first 999 groups that are sent.

Setup Guide

There are two ways of setting up the Templafy Open ID Connect application:

  1. Complete a Consent Flow.
  2. Add the App from the Gallery.

1. Complete a Consent Flow

  1. Click on the Templafy onboarding URL to initiate the setup: https://app.templafy.com/AzureADTenant/.
  2. Click Sign Up.
  3. Enter your Global Administrator credentials for Microsoft Entra ID.
  4. Press Accept in the consent dialogue.
  5. The Templafy App can now be found in your Microsoft Entra ID tenant under Enterprise applications.

2. Add the App from the Gallery

  1. Log in to https://portal.azure.com/.
  2. Navigate to Microsoft Entra ID --> Enterprise Applications.
  3. Click New Application.
  4. From the Gallery search for Templafy OpenID Connect.
  5. Add the suggested App into your directory by clicking Sign up for Templafy OpenID Connect.
  6. You shall be then redirected to https://app.templafy.com/AzureADTenant/ to complete the setup.

Permissions Granted to the OpenID Connect Application

Templafy is using Microsoft Graph API to read user profile attributes from Microsoft Entra ID to automatically populate user profile data and templates within the Templafy tenant. When consenting to the application, you will be prompted to grant approval to two Microsoft Graph API permissions.

  1. Sign in and read user profile: Allows users to sign in and read their profile. It also allows the app to read basic company information of signed-in users.
  2. Read directory data: Allows the app to read data in your company or school directory, such as users, groups, and apps.

Restrict Certain Users/Groups to the Application

By default, the Templafy OpenID Connect app allows all users the ability to successfully authenticate into Templafy. If you would like to restrict access to only a subset of Users/Groups, follow the steps below:

  1. Within the OpenID Connect app, select Properties.
  2. Set Assignment required? to Yes.
  3. Then, select Users and groups.
  4. Click Add user/group.

  Note

If Assignment required is set to No, all users, including potential guest accounts, may have access to the application.

Congratulations! You have now completed the setup on your side. 

  Note

Now that your task is completed, please email the Domain Hint and TenantID (found under Microsoft Entra ID --> Overview) to your Templafy Implementation Partner so they can finalize the SSO setup on Templafy's side.

Supported Claims

  Important

If end-user userprincipalname and emailaddress differ, use SAML2 protocol instead. This is because only the standard set of claims are supported with OpenID Connect (claim mappings are pre-configured and cannot be edited).
  • UserPrincipalName
  • Mail
  • GivenName
  • Surname
  • DisplayName
  • StreetAddress
  • City
  • PostalCode
  • State
  • Country
  • CompanyName
  • JobTitle
  • Department
  • BusinessPhone
  • MobilePhone
  • FaxNumber
  • PreferredLanguage

Related to

Azure AD azureAD OpenID openid open ID Microsoft Entra ID
Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.