Version: 7.0

SSO configuration with Microsoft Entra ID (Azure AD)

danger

Before setting up SSO, make sure that the APP_URL parameter in config.env matches the current Passwork domain, example — APP_URL=https://passwork.example.com

The following Passwork server is used as an example — passwork.example.com

Adding trust relationship for the Relying Party

Open — Manage → All applications and create a New application:

In the Microsoft Entra application gallery overview, select — Create your own application:

Perform the following actions:

Fill in the Name (example: passwork-sp);
What are you looking to do... — Integrate any other application you don’t find in the gallery (Non-gallery).

After creation, go to Manage → Single sign-on and open SAML:

Open configuration for SAML protocol in the created application

Open Basic SAML Configuration, click Edit.

Log in to the Passwork web interface and go to Settings and Users → SSO Settings, copy the authentication endpoint URLs from the SP (Passwork) to the IDP (Microsoft Entra ID):

Identifier (Entity ID) — https://passwork.example.com/api/v1/sso/metadata
Reply URL — https://passwork.example.com/api/v1/sso/acs
Sign-out URL — https://passwork.example.com/api/v1/sso/sls

Example of filled authentication endpoints from SP:

Fill in Passwork endpoints in SAML configuration

Configuring request processing rules from SP (Passwork) in IDP (Microsoft Entra ID)

danger

Depending on the desired user login format in Passwork, you can configure processing rules so that the user format can be one of the following:

username
[email protected]

Please choose the required user login format in Passwork and perform the configuration.

In Single sign-on with SAML configuration, open — Attributes & Claims:

Configuration of processing rules for [email protected] format

danger

By default, after creating the application in Microsoft Entra ID, the user format after authentication in Passwork is formed as [email protected].

No additional changes are required. Example of the default created claim:

Default example after application creation

Configuration of processing rules for username format

Open Unique User Identifier (ID) and make the following changes:

Source — Transformation;
Transformation — ExtractMailPrefix();
Parameter 1 — Attribute;
Attribute name — user.userprincipalname.

Example of creating SAML attribute for transformation

Save changes and go back to Attributes & Claims.

Configuring additional attribute processing rules for passing to SP

Go to Attributes & Claims and Add a new claim:

Adding a new additional claim for displayName:
1. Name — displayName;
2. Source — Attribute;
3. Source attribute — user.displayname;
Save the created additional claim.

Adding a new additional claim for emailAddress:
1. Name — emailAddress;
2. Source — Attribute;
3. Source attribute — user.mail;
Save the created additional claim.

Configuring and filling in Single Sign-On (SSO) parameters in Passwork

Filling in the "User Attributes" Values

Log in to the Passwork web interface, go to — Settings and Users → SSO Settings and fill in the mapping attributes:

Email attribute — emailAddress;
Full name attribute — displayName.

Filling in the "Identity Provider → Passwork" values

In Single sign-on with SAML configuration → passwork-sp setup, copy the authentication endpoint URLs:

Copy and paste Microsoft Entra ID endpoints into Passwork

Open — Settings and Users → SSO Settings and fill in the values:

Identifier (Entity ID) — https://sts.windows.net/ba50022d-xxxx-xxxx-xxxx-1145c6c9ed97/
Login URL — https://login.microsoftonline.com/ba50022d-xxxx-xxxx-xxxx-1145c6c9ed97/saml2
Logout URL — https://login.microsoftonline.com/ba50022d-xxxx-xxxx-xxxx-1145c6c9ed97/saml2

Filling in the "Certificate" Value

In Single sign-on with SAML configuration → SAML Certificates, obtain the SSL certificate in base64 format:

Obtain Microsoft Entra ID public SSL certificate in base64

Open the obtained SSL certificate with Notepad, copy and paste it into the corresponding field — Settings and Users → SSO Settings.

Example of exported key in base64 format

base64

Filling in the "Additional Settings" value

Currently, Passwork does not provide an algorithm for processing additional identification during SSO integration, including various types of biometrics.

In case of identification errors resulting from exchange with the IDP (Microsoft Entra ID), you need to place the following content in JSON format:

json

{
  "security": {
    "requestedAuthnContext": false
  }
}

Open the login window in the Passwork web interface and log in via SSO to verify correct configuration:

Adding trust relationship for the Relying Party​

Configuring request processing rules from SP (Passwork) in IDP (Microsoft Entra ID)​

Configuring additional attribute processing rules for passing to SP​

Configuring and filling in Single Sign-On (SSO) parameters in Passwork​

Filling in the "User Attributes" Values​

Filling in the "Identity Provider → Passwork" values​

Filling in the "Certificate" Value​

Filling in the "Additional Settings" value​

Adding trust relationship for the Relying Party

Configuring request processing rules from SP (Passwork) in IDP (Microsoft Entra ID)

Configuring additional attribute processing rules for passing to SP

Configuring and filling in Single Sign-On (SSO) parameters in Passwork

Filling in the "User Attributes" Values

Filling in the "Identity Provider → Passwork" values

Filling in the "Certificate" Value

Filling in the "Additional Settings" value