Microsoft Entra ID Integration with SAML
This document is for:
Invicti Platform
Microsoft Entra ID (previously called Azure Active Directory) is Microsoft's cloud identity and access management service. It provides Single Sign-On (SSO) access to applications and services from anywhere.
This document explains how to configure Microsoft Entra ID and Invicti Platform for Single Sign-On.
How to configure Entra ID with SAML
The process consists of two steps:
Step 1: Add Invicti to Entra ID
- In the Entra ID portal, select Identity > Applications > Enterprise Applications from the left-side menu.
- From the Enterprise Applications page, select + New application.
- From the Browse Microsoft Entra Gallery page, select + Create your own application.
- In the name field on the right-hand panel, enter a name for the application. (Any name works; this example uses Invicti.)
- Select Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create and wait for the application to be added to your tenant.
You can now configure Entra ID Single Sign-On with SAML. You need both an Invicti account and an Entra ID account to do this.
Step 2: Configure Entra ID Single Sign-On with SAML
- In Entra ID, select Enterprise Applications > Invicti.
- Select Set up Single Sign-On, then SAML.
- Open another browser tab and log in to Invicti.
- Select Settings > Security & Access Control > SSO from the left-side menu.
- Turn on the Enable SSO toggle.
- Select AzureAD from the SSO Provider dropdown list.
- Copy the URL from the SAML 2.0 Service URL field.
- Switch to the Entra ID browser tab and click Edit in the Basic SAML Configuration section.
- Paste the copied SAML 2.0 Service URL into the Reply URL (Assertion Consumer Service URL) field.
- Switch to the Invicti browser tab, copy the URL from the Identifier field, and paste it into the Identifier (Entity ID) field in Entra ID.
- Click Save.
- Continue to the Attributes & Claims section and make sure the claims match the list below. Click Edit to adjust any that differ:
- givenname - user.givenname
- surname - user.surname
- emailaddress - user.mail
- Unique User Identifier - user.userprincipalname
- In the Entra ID tab, copy the URL from the Microsoft Entra Identifier field and paste it into the IdP Identifier field in Invicti.
- In Entra ID, copy the URL from the Login URL field and paste this URL into the SAML 2.0 Endpoint field in Invicti.
- In Entra ID, download the Certificate (Base64) and open the downloaded file in a text editor.
- Copy the full contents of the certificate into the X.509 Certificate field in Invicti. This certificate has an expiry date: when you rotate it in Entra ID, paste the new certificate into Invicti as well, otherwise Invicti will reject the signed responses and sign-in will fail.
- Scroll down and click Save if no additional security options are needed.
- If required, select Sign requests, then choose either:
- Generate a new certificate for me; OR
- I have an existing certificate, then upload your certificate and enter its password.
- In Entra ID, in the SAML Certificates > Verification certificates (optional) section, click the Edit button.
- Enable the Require verification certificates checkbox.
- Click Upload certificate, select your certificate, and then click Save.
- Return to the Invicti SSO page and upload your Decryption certificate file.
- Enter the certificate password.
- Use the SSO Exemptions drop-down to select any users who will bypass SSO and log in with a password. Keep this list as short as possible (for example, one break-glass administrator), because exempted accounts are not covered by the sign-in policies you enforce in Entra ID.
- Click Save to complete the configuration.
You can now assign users to the application in Entra ID so they can log in to Invicti. To do so, open the application in Entra ID and go to Users and groups.
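When sign-in fails after this setup, the cause is almost always one of the values that was copied between the two browser tabs. As an added example (not Invicti's or Microsoft's code), the Python script below takes a decoded SAML Response and checks that the Issuer matches the Microsoft Entra Identifier (Invicti's IdP Identifier), the Audience matches the Identifier (Entity ID) entered in Entra ID, the Destination and Recipient match the SAML 2.0 Service URL (Entra's Reply URL), the NameID (Unique User Identifier) is present, the validity window covers the current time, and the givenname, surname and emailaddress claims from the Attributes & Claims step are present. The tenant ID, the sp.example.com URLs, the user and the unsigned sample response are constructed placeholders; the claim URIs are Entra ID's default claim names. It does not verify the XML signature, which a real service provider must do before trusting any of these values.

```python
"""Check a decoded SAML Response from Entra ID against the values configured in Invicti.

Added example, not Invicti or Microsoft code. Signature verification is out of
scope: in production, validate the XML signature with a SAML library first.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLAIM_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_CLAIMS = ("givenname", "surname", "emailaddress")

# Placeholders (assumed) standing in for the values copied between the two tabs.
EXPECTED = {
    "idp_identifier": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",  # Microsoft Entra Identifier
    "sp_identifier": "https://sp.example.com/saml/metadata",  # Identifier (Entity ID)
    "reply_url": "https://sp.example.com/saml/acs",  # SAML 2.0 Service URL / Reply URL
}

# Constructed, unsigned sample response shaped like an Entra ID token.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{EXPECTED['reply_url']}">
  <saml:Issuer>{EXPECTED['idp_identifier']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{EXPECTED['idp_identifier']}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="{EXPECTED['reply_url']}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED['sp_identifier']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIM_PREFIX}givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_PREFIX}surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_PREFIX}emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _utc(ts):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected, now_iso):
    """Return (problems, claims). An empty problems list means the response is
    consistent with the configured values at the time now_iso."""
    now = _utc(now_iso)
    problems = []
    root = ET.fromstring(xml_text)

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("Status is not Success")
    if root.get("Destination") != expected["reply_url"]:
        problems.append("Destination does not match the SAML 2.0 Service URL (Reply URL)")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (an EncryptedAssertion must be decrypted first)")
        return problems, {}

    if assertion.findtext("saml:Issuer", "", NS) != expected["idp_identifier"]:
        problems.append("Issuer does not match the Microsoft Entra Identifier (IdP Identifier)")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS)
    if audience != expected["sp_identifier"]:
        problems.append("Audience does not match the Identifier (Entity ID) entered in Entra ID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["reply_url"]:
        problems.append("Recipient does not match the SAML 2.0 Service URL (Reply URL)")
    if not assertion.findtext("saml:Subject/saml:NameID", "", NS):
        problems.append("NameID (Unique User Identifier) is missing")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Conditions element is missing")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _utc(not_before):
            problems.append("assertion not yet valid (NotBefore in the future; check clock skew)")
        if not_on_or_after and now >= _utc(not_on_or_after):
            problems.append("assertion expired (NotOnOrAfter has passed)")

    # Collect the claims configured in the Attributes & Claims step.
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name.startswith(CLAIM_PREFIX):
            claims[name[len(CLAIM_PREFIX):]] = attr.findtext("saml:AttributeValue", "", NS)
    for required in REQUIRED_CLAIMS:
        if required not in claims:
            problems.append(f"claim {required!r} missing; check Attributes & Claims in Entra ID")
    return problems, claims


if __name__ == "__main__":
    found, got = check_response(SAMPLE_RESPONSE, EXPECTED, "2024-01-01T12:00:00Z")
    print("problems:", found or "none")
    print("claims:", got)
```

To run this against a real login, capture the SAMLResponse form field that the browser posts to the SAML 2.0 Service URL (browser developer tools or a SAML tracer extension), base64-decode it, and pass the XML to check_response with your own Identifier, Reply URL and Microsoft Entra Identifier. Entra ID signs the assertion, so any mismatch reported here is a configuration error on one side, not something to patch around in the response.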