Configuring Microsoft Entra ID (Azure Active Directory) Integration with SAML
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud identity and access management service. It provides single sign-on (SSO) to applications and services from any location.
- With Security Assertion Markup Language (SAML), users sign in to enterprise cloud applications with their managed account credentials through Single Sign-On (SSO). The Identity Provider (IdP) gives administrators a single place to manage users and the cloud applications they can access.
- You do not have to manage a separate user ID and password for each cloud application and each user. The IdP gives your users one sign-on across all their enterprise cloud applications.
- Invicti Enterprise supports both IdP-initiated and SP-initiated SAML SSO.
- You can also have Invicti Enterprise create a user automatically at first sign-in with the Enable Auto Provisioning option.
If you encounter any problem while setting up Single Sign-On (SSO) integration, refer to Troubleshooting SSO Issues.
TIP: Auto Provisioning requires IdP-initiated SSO. If you use SP-initiated SSO, set the Name ID Format to email address on the IdP side.
Single Sign-On Fields
The Single Sign-On window contains the following fields:
- Enable single sign-on: Select this option to enable the single sign-on feature.
- Enforce to authenticate only with single sign-on: Enable this option so that only administrator users can still authenticate without single sign-on; all other users must sign in through the IdP. Users can sign in to Invicti Enterprise only with the email address that belongs to their employer.
- IdP Identifier: The SAML identity provider's Identifier value (its entity ID; in Entra ID this is the Azure AD Identifier). It must match the Issuer of the assertions the IdP sends, so copy it exactly.
- SAML 2.0 Service URL: Invicti Enterprise's own Assertion Consumer Service URL, to which the IdP posts SAML responses. Other IdPs label the matching setting Consumer URL, SSO Endpoint, or Recipient URL; in Entra ID it is the Reply URL.
- SAML 2.0 Endpoint: The URL from your IdP's SSO Endpoint field, where users are sent to authenticate (in Entra ID, the Login URL).
- X.509 Certificate: The IdP's signing certificate, which Invicti Enterprise uses to verify the signature on SAML responses (in Entra ID, the Certificate (Base64) download).
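The following script, an added example that is not Invicti or Microsoft code, shows where each of these field values lives in the IdP's federation metadata. It parses a constructed metadata document shaped like the one Entra ID publishes (the tenant ID and the certificate bytes are placeholders, both assumptions), maps entityID, the HTTP-Redirect login URL and the signing certificate onto the IdP Identifier, SAML 2.0 Endpoint and X.509 Certificate fields, and flags the classic copy-paste mistake of dropping the identifier's trailing slash.

```python
"""Read the values the Single Sign-On form asks for out of an Entra ID
federation metadata document (added example; not Invicti or Microsoft code).

Assumes the metadata XML is already downloaded; Entra ID exposes it as the
App Federation Metadata Url in the SAML Signing Certificate section of the
enterprise application.  Standard library only."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample shaped like Entra ID metadata.  The tenant ID is a
# placeholder and FAKE_DER is arbitrary bytes, not a real X.509 certificate.
TENANT = "00000000-0000-0000-0000-000000000000"
FAKE_DER = b"placeholder signing certificate bytes"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def to_pem(b64_der: str) -> str:
    """Wrap a bare base64 DER blob in PEM armour, which is what a text editor
    shows when you open the Certificate (Base64) download from Entra ID."""
    body = "\n".join(textwrap.wrap(b64_der, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def thumbprint(b64_der: str) -> str:
    """SHA-1 thumbprint in upper-case hex, the form the Entra ID portal shows."""
    return hashlib.sha1(base64.b64decode(b64_der)).hexdigest().upper()


def pem_body(pem: str) -> str:
    """Drop armour and whitespace so differently wrapped copies compare equal."""
    for armour in ("-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"):
        pem = pem.replace(armour, "")
    return "".join(pem.split())


def parse_idp_metadata(xml_text: str) -> dict:
    """Map IdP metadata onto the Invicti Single Sign-On field names."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    # Login URL: the HTTP-Redirect SingleSignOnService, where SP-initiated
    # flows send the AuthnRequest.
    login_url = next((s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                      if s.get("Binding") == HTTP_REDIRECT), None)
    if login_url is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService in metadata")
    # Signing certificates.  A KeyDescriptor without 'use' serves both signing
    # and encryption, so it counts as a signing key too.
    certs = ["".join(c.text.split())
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)]
    return {
        "IdP Identifier": root.get("entityID"),
        "SAML 2.0 Endpoint": login_url,
        "X.509 Certificate": to_pem(certs[0]),
        "signing_thumbprints": [thumbprint(c) for c in certs],
        "email_nameid_offered": EMAIL_NAMEID in formats,
    }


def compare_with_configured(parsed: dict, configured: dict) -> list:
    """List mismatches between metadata and what was pasted into the form.
    Identifier and endpoint are compared as exact strings: the SP matches the
    assertion Issuer against the configured identifier literally, so a dropped
    trailing slash is a real failure, not a cosmetic one."""
    problems = []
    for field in ("IdP Identifier", "SAML 2.0 Endpoint"):
        if configured.get(field) != parsed[field]:
            problems.append(f"{field}: form has {configured.get(field)!r}, "
                            f"metadata has {parsed[field]!r}")
    if pem_body(configured.get("X.509 Certificate", "")) != pem_body(parsed["X.509 Certificate"]):
        problems.append("X.509 Certificate: pasted certificate is not the IdP signing certificate")
    if not parsed["email_nameid_offered"]:
        problems.append("IdP does not offer the emailAddress NameID format needed for SP-initiated SSO")
    return problems


if __name__ == "__main__":
    values = parse_idp_metadata(SAMPLE_METADATA)
    typo = dict(values, **{"IdP Identifier": values["IdP Identifier"].rstrip("/")})
    print(values, compare_with_configured(values, typo), sep="\n")
```

Run it against the real tenant by reading the App Federation Metadata Url into parse_idp_metadata. The thumbprint it returns is the SHA-1 value the Entra ID portal displays for the signing certificate, which is the quickest way to confirm you pasted the active certificate rather than a rolled-over one; the script does not parse the certificate's validity period, so check expiry separately (for example with openssl x509 -noout -dates) before it silently breaks logins.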
How to add Invicti Enterprise to Entra ID (Azure Active Directory)
- Log in to the Entra ID Azure Portal.
- On the left navigation pane, select Azure Active Directory (now labeled Microsoft Entra ID).
- Select Enterprise applications, then All Applications.
- Select + New Application.
- In the Browse Entra ID Gallery (Preview) window, type Netsparker Enterprise in the search box.
- Select Netsparker Enterprise from the results panel.
- Select Create to add the application.
Wait a few seconds while the app is added to your tenant. You can now configure Entra ID Single Sign-On Integration with SAML; you need an account in both Invicti Enterprise and Entra ID.
TIP: If you have not assigned any role to your users, they can still log in to Invicti Enterprise but will have no role or permissions in the application. To learn how to assign roles to users, refer to Configuring Microsoft Entra ID (Azure Active Directory) Integration with SCIM.
How to configure Entra ID Single Sign-On Integration with SAML
- Log in to the Entra ID Azure Portal.
- Select Enterprise Applications.
- From the Enterprise Applications page, select Netsparker Enterprise.
- Select Set up Single Sign-On > SAML.
- Click the pencil icon for Basic SAML Configuration to edit the settings.
- Log in to Invicti Enterprise, and from the main menu, select Settings > Single Sign-On.
- Select Azure Active Directory from the drop-down list, then copy the URL from the SAML 2.0 Service URL field.
- In Entra ID (Azure AD), paste the copied URL into the Reply URL (Assertion Consumer Service URL) field.
- Select Save.
- In Entra ID (Azure AD), click Edit in the User Attributes & Claims section, then set the source attribute of the Unique User Identifier (Name ID) claim to user.mail. Every user who needs access must have the mail attribute populated, because its value becomes the NameID that Invicti Enterprise uses to identify the user.
- In Entra ID (Azure AD), copy the value of the Azure AD Identifier field and paste it into the IdP Identifier field in Invicti Enterprise. Copy it exactly, including the trailing slash.
- In Entra ID (Azure AD), copy the URL from the Login URL field and paste it into the SAML 2.0 Endpoint field in Invicti Enterprise.
- In Entra ID (Azure AD), download the Certificate (Base64) and open it with a text editor.
- Copy the entire contents of the file into the X.509 Certificate field in Invicti Enterprise.
- Enable any of the following options as needed:
- Enable Auto Provisioning: If enabled, an account is created automatically for an IdP-registered user the first time they access Invicti Enterprise. For this to work, the IdP must send the FirstName, LastName, and (optional) Phone Number attributes in the Attribute Statement of the assertion, so add these claims on the IdP side. For further information about OnlySsoLogin, refer to Provisioning a member.
- Require SAML assertions to be encrypted: If enabled, the IdP must encrypt the assertion to Invicti's decryption certificate, so the user attributes in it cannot be read by anyone else who handles the response in transit. This matters because the response is posted through the user's browser, so TLS alone does not hide it from the client. Encryption is separate from signing: the X.509 certificate above still verifies who issued the assertion.
There are two options:
- Generate a new certificate for me: Invicti generates a key pair, keeps the private key to decrypt the SAML assertions it receives, and provides you with the certificate to upload on the IdP side (in Entra ID, on the enterprise application's Token encryption page).
- I have an existing certificate: Upload your own decryption certificate to Invicti by importing it from your files.
- Use Alternate Login Email: If enabled, users can sign in through SSO with an alternative email address. You can enter the alternative email on the New Member Invitation page and while editing a user's details on the Team page.
- Select Save Changes.
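When a sign-in fails after this procedure, the fastest way to find the mismatch is to compare the SAML response the browser posted (capture it with the browser's developer tools or a SAML tracer extension, then Base64-decode the SAMLResponse form field) against the values entered above. The following Python script is an added example, not Invicti's validation code; the configuration values and the response document in it are constructed placeholders, and the ACS URL is not Invicti's real SAML 2.0 Service URL. It checks Destination, status, Issuer, NameID format, the validity window, the encryption setting and the Auto Provisioning attributes, and deliberately does not verify the XML signature.

```python
"""Structural check of a SAML Response against the values configured in the
Invicti Single Sign-On form (added example; not Invicti's own validation code).
It does NOT verify the XML signature (that needs an XML-DSig library such as
xmlsec or signxml plus the IdP certificate): use it to find configuration
mismatches when a login fails, never to accept assertions.  Standard library only."""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholders for what an administrator pasted into the form.  The ACS URL is
# invented and is not Invicti's real SAML 2.0 Service URL.
CONFIG = {
    "idp_identifier": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "acs_url": "https://invicti.example/saml/acs",
    "require_encrypted_assertion": False,
    "auto_provisioning": True,
}

# Constructed, unsigned, plaintext response of the kind the browser POSTs to the
# SAML 2.0 Service URL.  Fixed timestamps keep the check repeatable.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://invicti.example/saml/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z" Recipient="https://invicti.example/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


SAMPLE_NOW = parse_saml_time("2024-05-01T12:01:00Z")  # inside the sample's validity window


def check_response(xml_text: str, config: dict, now: datetime) -> list:
    """Return findings as strings; an empty list means the response matches the
    configuration (the signature is still unverified)."""
    findings = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != config["acs_url"]:
        findings.append(f"Destination {resp.get('Destination')!r} != SAML 2.0 Service URL")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("IdP did not return a Success status")
    # An encrypted assertion cannot be inspected without Invicti's private key;
    # a plaintext one while encryption is required is an IdP-side misconfiguration.
    encrypted = resp.find("saml:EncryptedAssertion", NS) is not None
    if encrypted and not config["require_encrypted_assertion"]:
        findings.append("assertion is encrypted but encryption is not enabled on the Invicti side")
    if not encrypted and config["require_encrypted_assertion"]:
        findings.append("plaintext assertion but 'Require SAML assertions to be encrypted' is on")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return findings
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != config["idp_identifier"]:
        findings.append(f"Issuer {issuer!r} != IdP Identifier (check the trailing slash)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        findings.append("NameID format is not emailAddress; map Unique User Identifier to user.mail")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
            findings.append("assertion not yet valid: check clock skew between IdP and SP")
        if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (Conditions NotOnOrAfter passed)")
    if config["auto_provisioning"]:
        names = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
        for required in ("FirstName", "LastName"):
            if required not in names:
                findings.append(f"Auto Provisioning needs attribute {required!r} in the Attribute Statement")
    return findings


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, CONFIG, SAMPLE_NOW))
    print(check_response(SAMPLE_RESPONSE, dict(CONFIG, require_encrypted_assertion=True), SAMPLE_NOW))
```

Because it skips signature verification, the script tells you why Invicti Enterprise would reject a response, not whether the response is genuine; never build acceptance logic from it. An "expired" or "not yet valid" finding with only a small margin usually means clock skew between the IdP and the service provider rather than a configuration error.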
For further information, refer to Microsoft's documentation on this integration.