
Microsoft Entra ID Integration with SAML

This document is for:
Invicti Platform

Microsoft Entra ID (previously called Azure Active Directory) is a cloud identity platform for protecting and managing identities and access. The Entra ID service provides Single Sign-On (SSO) access to apps and services from anywhere.

This document explains how to configure Microsoft Entra ID and Invicti Platform for Single Sign-On.

How to configure Entra ID with SAML

The process consists of two steps:

Step 1: Add Invicti to Entra ID

  1. In the Entra ID portal, select Identity > Applications > Enterprise Applications from the left-side menu.
  2. From the Enterprise Applications page, select + New application.
  3. From the Browse Microsoft Entra Gallery page, select + Create your own application.

Create your own application in Microsoft Entra Gallery.

  1. In the input name field on the right panel, enter a name for your application. (You can enter any name you want. For this example, we use Invicti.)
  2. Select Integrate any other application you don't find in the gallery (Non-gallery).

Configure the non-gallery Invicti application.

  1. Click Create to add the application. Wait for the app to be added to your tenant.

You can now configure Entra ID Single Sign-On integration with SAML. You need an account on both Invicti Platform and Entra ID to do this.

Step 2: Configure Entra ID Single Sign-On with SAML

  1. In Entra ID, select Enterprise Applications > Invicti.
  2. Select Set up Single Sign-On, then SAML.

Select SAML as a single sign-on method in Entra ID.

  1. Open another browser tab and log in to Invicti.
  2. Select Settings > Security & Access Control > SSO from the left-side menu.
  3. Turn on the Enable SSO toggle.
  4. Select AzureAD from the SSO Provider dropdown list.

Enable SSO provider in Invicti Platform.

  1. Copy the URL from the SAML 2.0 Service URL field.
  2. Switch to the Entra ID browser tab and click Edit in the Basic SAML Configuration section.

Set up Single Sign-On with SAML in Entra ID.

  1. Paste the copied SAML 2.0 Service URL into the Reply URL field.
  2. Switch to the Invicti browser tab to copy the URL from the Identifier field and paste it into the Identifier field in Entra ID.
  3. Click Save.
  4. Continue to the Attributes & Claims section and check that it matches the mapping below. Click Edit to adjust any parameter that differs:
  • givenname - user.givenname
  • surname - user.surname
  • emailaddress - user.mail
  • Unique User Identifier - user.userprincipalname

Setting up attributes and claims in Microsoft Entra ID.
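Invicti itself validates the SAML response it receives, but when SSO fails it is usually because one of the values configured above (Identifier, Reply URL, Microsoft Entra Identifier, or the claim names) does not match what Entra ID actually sends. The following is an added troubleshooting example, not code from Invicti or Microsoft: it reads a (constructed, unsigned) SAML response, checks the issuer, audience, recipient and validity window against the values you configured, and lists the claims by the short names used in the table above. The full claim URIs are the standard defaults Entra ID uses for givenname, surname and emailaddress; the URLs and tenant ID in the sample are placeholders. XML signature verification against the X.509 certificate is deliberately left to the service provider and is not performed here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Default claim namespace that Entra ID uses for the attributes in the mapping table.
CLAIM_BASE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_CLAIMS = {"givenname", "surname", "emailaddress"}

# Constructed sample response; URLs and the tenant ID are placeholders, not real values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-06-01T12:00:00Z" Destination="https://app.invicti.example/saml/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@contoso.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://app.invicti.example/saml/acs"
          NotOnOrAfter="2024-06-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-06-01T11:55:00Z" NotOnOrAfter="2024-06-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.invicti.example/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@contoso.example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Values as configured in the steps above (placeholders matching the sample).
EXPECTED = {
    "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",  # IdP Identifier
    "audience": "https://app.invicti.example/saml",        # Identifier (Entity ID)
    "recipient": "https://app.invicti.example/saml/acs",   # Reply URL (SAML 2.0 Service URL)
}


def parse_saml_time(value):
    """Parse a SAML UTC timestamp, tolerating fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_response(xml_text, expected, now=None):
    """Return (problems, claims): problems is empty when the response matches the configuration."""
    now = now or datetime.now(timezone.utc)
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion element (encrypted assertions are not handled here)"], {}

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["issuer"]:
        problems.append(f"issuer {issuer!r} does not match IdP Identifier {expected['issuer']!r}")

    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != expected["audience"]:
        problems.append(f"audience {audience!r} does not match Identifier {expected['audience']!r}")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if recipient != expected["recipient"]:
        problems.append(f"recipient {recipient!r} does not match Reply URL {expected['recipient']!r}")
    if scd is not None and scd.get("NotOnOrAfter") and now >= parse_saml_time(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData expired")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")

    # Collect claims under the short names used in the Attributes & Claims table.
    claims = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        short = name[len(CLAIM_BASE):] if name.startswith(CLAIM_BASE) else name
        claims[short] = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if name_id:
        claims["NameID"] = name_id  # Unique User Identifier
    else:
        problems.append("missing NameID (Unique User Identifier)")
    for missing in sorted(REQUIRED_CLAIMS - claims.keys()):
        problems.append(f"missing claim {missing}")
    return problems, claims


if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # inside the sample's validity window
    found, attrs = audit_response(SAMPLE_RESPONSE, EXPECTED, now=fixed_now)
    print("problems:", found or "none")
    print("claims:", attrs)
```

To use it on a real failure, decode the Base64 SAMLResponse captured by your browser's developer tools into `xml_text`, fill EXPECTED from the Invicti SSO page, and compare the reported problems with the fields you configured.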

  1. In the Entra ID tab, copy the URL from the Microsoft Entra Identifier field and paste it into the IdP Identifier field in Invicti.

Configure Invicti application in Microsoft Entra ID.

  1. In Entra ID, copy the URL from the Login URL field and paste this URL into the SAML 2.0 Endpoint field in Invicti.

Configure SAML 2.0 Endpoint and IdP identifier in Invicti Platform.

  1. In Entra ID, download the Certificate (Base64). Open the certificate with a text editor.

Download the Base64 Certificate from Entra ID.

  1. Copy the content of the certificate into the X.509 Certificate field in Invicti.

Copy the certificate content into Invicti.

  1. Scroll down to Save if no additional security options are needed.
  2. If required, select Sign requests, then choose either:
  • Generate a new certificate for me; OR
  • I have an existing certificate, then upload your certificate and enter its password.

Configure Additional Security Options in Invicti.

  1. In Entra ID, in the SAML Certificates > Verification certificates (optional) section, click the Edit button.

Edit the verification certificates options in Entra ID.

  1. Enable the Require verification certificates checkbox.
  2. Click the Upload certificate, select your certificate, and then click Save.

Upload the certificate in Entra ID.

  1. Return to your Invicti SSO page and select and upload your Decryption certificate file.
  2. Enter the Certificate password.

Upload the decryption certificate in Invicti.

  1. Use the SSO Exemptions drop-down to select any users who will bypass SSO and log in with a password.

SSO Exemptions in Invicti.

  1. Click Save to complete the configuration.

You can now add users to your app in Entra ID, so they can log in to Invicti. To do so, go to Users and groups in Entra ID.

Manage users and groups in Entra ID.
