SSO Integration - Microsoft Entra ID (Azure SSO)

The following are instructions to configure Single Sign-On (SSO) for your Auditoria tenant with Microsoft Entra ID (formerly Azure Active Directory).


Before You Begin

Have your designated Auditoria support/subscription contact submit a ticket to:

In the ticket, indicate that you would like to enable SSO with Microsoft Entra ID and include:

  • Your Auditoria tenant IDs (production and/or sandbox)

  • Which Auditoria pod your tenants are in:

    • US Standard

    • US Enterprise

    • Canada

    • EMEA

Note
If you have multiple Auditoria tenants in the same pod, configuring a single SSO app in Microsoft Entra ID for that pod will enable SSO for all Auditoria tenants in that pod.


Step 1: Create the Enterprise Application in Microsoft Entra ID

  1. Go to the Microsoft Azure portal:
    Microsoft Azure

  2. Navigate to:
    Microsoft Entra ID → Enterprise applications

  3. Click New application.

  4. Choose Create your own application, provide an application name (for example, “Auditoria”), and click Create.

  5. On the application overview page, under Get started, click Set up single sign-on.

  6. Select SAML as the single sign-on method.


Step 2: Basic SAML Configuration

  1. In the Single Sign-On pane, under Basic SAML Configuration, click Edit.

  2. Enter the values below, using the correct pod.
    You will need the <<conn-name>> value from your Auditoria Customer Success team.

Identifier (Entity ID)

  • US Standard:
    urn:auth0:prod-auditoria:<<conn-name>>

  • US Enterprise:
    urn:auth0:prod-auditoria-ent1:<<conn-name>>

  • Canada:
    urn:auth0:prod-auditoria-ca:<<conn-name>>

  • EMEA:
    urn:auth0:prod-auditoria-em1:<<conn-name>>

Reply URL (Assertion Consumer Service URL)

  • US Standard:
    https://auth.auditoria.ai/login/callback?connection=<<conn-name>>

  • US Enterprise:
    https://auth-ent1.auditoria.ai/login/callback?connection=<<conn-name>>

  • Canada:
    https://auth.auditoria.ca/login/callback?connection=<<conn-name>>

  • EMEA:
    https://auth-em1.auditoria.ai/login/callback?connection=<<conn-name>>

Logout URL (SLO URL)

  • US Standard:
    https://auth.auditoria.ai/logout

  • US Enterprise:
    https://auth-ent1.auditoria.ai/logout

  • Canada:
    https://auth.auditoria.ca/logout

  • EMEA:
    https://auth-em1.auditoria.ai/logout

Sign-on URL and Relay State are optional and can be left blank.

Click Save when finished.


Step 3: Configure Attributes & Claims

Auditoria uses the user’s email address as the unique identifier for SSO.

  1. In the Single Sign-On pane, under User Attributes & Claims, click Edit.

  2. Click Unique User Identifier (Name ID).

  3. Set:

    • Name identifier format: Email address

    • Source attribute: The user’s email address (this must match the email used for that user in Auditoria).

Save your changes.
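
Once a test sign-in is possible, the values from Steps 2 and 3 can be checked against a SAML response that Microsoft Entra ID actually issued (captured with a browser SAML tracing tool and base64-decoded). This is an added example, not Auditoria's or Microsoft's code: the function name check_response, the connection name example-conn and the sample XML are constructed for illustration, and it assumes the response's Audience and Recipient carry the Entity ID and Reply URL entered in Step 2.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Per-pod (Entity ID prefix, auth host), copied from the Step 2 lists.
PODS = {
    "US Standard": ("urn:auth0:prod-auditoria", "auth.auditoria.ai"),
    "US Enterprise": ("urn:auth0:prod-auditoria-ent1", "auth-ent1.auditoria.ai"),
    "Canada": ("urn:auth0:prod-auditoria-ca", "auth.auditoria.ca"),
    "EMEA": ("urn:auth0:prod-auditoria-em1", "auth-em1.auditoria.ai"),
}

def check_response(xml_text, pod, conn_name):
    """List mismatches between a decoded SAML response and Steps 2-3."""
    prefix, host = PODS[pod]
    entity_id = f"{prefix}:{conn_name}"
    reply_url = f"https://{host}/login/callback?connection={conn_name}"
    root = ET.fromstring(xml_text)  # parse only your own captured test response
    problems = []
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if audiences != [entity_id]:
        problems.append(f"Audience {audiences} is not {entity_id}")
    recipients = {d.get("Recipient") for d in
                  root.iterfind(".//saml:SubjectConfirmationData", NS)}
    if recipients != {reply_url}:
        problems.append(f"Recipient is not {reply_url}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return problems + ["NameID missing"]
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')}")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.text or ""):
        problems.append(f"NameID {name_id.text!r} is not an email address")
    return problems

# Constructed sample (not a real capture): NameID left as a non-email value.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData
   Recipient="https://auth.auditoria.ca/login/callback?connection=example-conn"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:auth0:prod-auditoria-ca:example-conn</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print("\n".join(check_response(SAMPLE, "Canada", "example-conn")) or "OK")
```

An empty result means the Audience, Recipient and Name ID in the captured response agree with the configuration above; checking the same response against the wrong pod reports the Audience and Recipient as mismatches.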


Step 4: Download the Certificate

  1. In the Single Sign-On pane, locate the SAML Signing Certificate section.

  2. Download the certificate in Base64 format.

This certificate is used by Auditoria to validate the SAML assertions sent by Microsoft Entra ID. You will provide it to Auditoria in the support ticket.


Step 5: Capture Microsoft Entra ID Details for Auditoria

From the Set up <application name> subsection on the same SSO page, capture the following:

  • Login URL

  • Microsoft Entra Identifier (sometimes listed as Azure AD Identifier)

  • Logout URL (if shown)


Step 6: Send Configuration Details to Auditoria

Once you have:

  • The Base64 certificate (Step 4), and

  • The Login URL, Microsoft Entra Identifier, and Logout URL (Step 5),

Send this information to your Auditoria Customer Success team member as part of the support ticket you opened at the beginning.

Auditoria will:

  • Configure the SSO connection on the Auditoria side using the values you provided.

  • Coordinate timing for enabling SSO to minimize disruption to users.


Step 7: Assign Users to the Auditoria Application

After Auditoria confirms that SSO is fully configured on their side:

  1. In Microsoft Entra ID, open your Auditoria enterprise application.

  2. Assign the appropriate users and/or groups to the application so it appears in their My Apps portal, and enable SSO so they can access Auditoria.


Handling Certificate Expiry and Renewal

Over time, the SAML signing certificate used by your Auditoria application in Microsoft Entra ID will expire or need to be rotated.
When that happens, follow the steps below to avoid SSO downtime.

  1. Add a new certificate in Microsoft Entra ID

    • In the Azure portal, open your Auditoria enterprise application.

    • Go to Single sign-on → SAML Signing Certificate.

    • Add or generate the new signing certificate, but keep the current certificate active until Auditoria confirms the change.

  2. Download the new certificate

    • In the SAML Signing Certificate section, download the certificate in Base64 format.

    • This is the certificate Auditoria will use to validate SAML assertions from Microsoft Entra ID.

  3. Notify Auditoria (certificate renewal/rotation)
    Update your existing ticket or open a new one with support@auditoria.ai and include:

    • A note that this is a certificate renewal/rotation for an existing Microsoft Entra SSO setup.

    • Your Auditoria tenant IDs (production and/or sandbox).

    • Your Auditoria pod (US Standard / US Enterprise / Canada / EMEA).

    • The new Base64 certificate file.

    • The current Login URL, Microsoft Entra Identifier, and Logout URL (if they have changed).

  4. Schedule a change window
    Coordinate a short maintenance window with:

    • Your Microsoft Entra ID administrator, and

    • One or two test users.

    During this window, Auditoria will:

    • Update your SSO configuration to use the new certificate.

    • Have your test users sign in and confirm access.

  5. Complete the rotation

    • During the change window, your Microsoft Entra ID administrator should:

      • Set the new SAML signing certificate to Active for the Auditoria enterprise application.

      • Keep the previous certificate active until testing is complete and Auditoria has confirmed that the new configuration is working.

    • After SSO is confirmed to work with the new certificate, you can remove or deactivate the old certificate in the Microsoft Entra application, per your internal policies.

    • If users cannot sign in after the change, contact Auditoria immediately.

      • If the previous certificate is still valid, Auditoria may temporarily revert to it while you re‑export and resend the correct new certificate.

Why this matters
If the new certificate is made the only active certificate in Microsoft Entra ID before Auditoria updates your SSO configuration, users will be unable to sign in until the new certificate is configured on the Auditoria side.

This is the same failure mode seen in past incidents where a new or corrupted certificate was applied without a coordinated change window with the SSO administrator.


Important Coordination Note

Once Auditoria enables SSO for your tenant:

  • Users will be required to sign in through Microsoft Entra ID.

  • Users may not be able to access their Auditoria tenants until:

    • The Auditoria application has been assigned to them in Microsoft Entra ID, and

    • The SSO configuration is complete on both sides.

Recommendation
Coordinate a maintenance window with your Auditoria Customer Success contact and your Microsoft Entra ID administrator. This is especially important when:

  • Enabling SSO for the first time, or

  • Rotating / renewing the SAML signing certificate used by your Auditoria SSO application.
