
This is a guide to integrating Synerise with Microsoft Entra ID (formerly Microsoft Azure Active Directory, Azure AD), which lets your users sign in to Synerise with their Microsoft Entra ID accounts. The integration with Microsoft Entra ID uses the SAML 2.0 protocol.

## Benefits
---
- **Centralized user management** - With Microsoft Entra ID, you get to administer users from one central place in your organization.

- **Increased security** - A single identity and set of credentials across many applications means users don’t have to remember multiple passwords. Authentication takes place only in Microsoft Entra ID, so a single set of security policies applies regardless of the application.

- **Improved user experience** - Your users only need to sign in once to use multiple applications. This approach ensures faster authentication, saves time and relieves users from remembering multiple credentials.


## Prerequisites
---

To get started, you need the following items:

- A Microsoft Entra ID tenant with permission to create enterprise applications
- At least one [verified domain](/docs/settings/identity-access-management/access-control/managed-domains)
- User permissions to access Settings and perform Identity provider configuration in Synerise


## Configuring SAML application in Microsoft Entra ID
---
The first step is to add the Synerise application to your Microsoft Entra ID account.

1. Log in to [Microsoft Azure Portal](https://portal.azure.com/).
2. Go to **Microsoft Entra ID > Manage > Enterprise Applications**.
3. Select **All applications** and then click **New application**.
4. In the **Add from the gallery** section, in the search box type `Synerise AI Growth Operating System`.
5. From the results, select **Synerise AI Growth Operating System** and add the application.  
    **Result**: Your application is added.
6. On the Synerise AI Growth Operating System application integration page, go to **Manage > Single sign-on**. 
    <figure>
    <img src="/api/docs/image/54176ad07f146575310749eba44b7c2f42c1b327/docs/settings/_gfx/azure-configuration.png" alt="SAML-based SSO" class="full" >
    <figcaption> Configuration in the Microsoft Azure portal </figcaption>
    </figure>
7. In the **Basic SAML Configuration** section, on the right side, click the **Edit** button.
8. <span id="redirect-uri"></span>Obtain the value of the **Service Provider Redirect URI** field (in Synerise, go to <img src="/api/docs/image/54176ad07f146575310749eba44b7c2f42c1b327/icons/settings-icon.svg" alt="Settings icon" class="icon"> **Settings > Access Control > Identity Providers**) and enter this value in the following fields in Microsoft Entra ID: 
    - **Reply URL (Assertion Consumer Service URL)**
    - **Sign on URL**
9. <span id="download-certificate"></span>In the **SAML Signing Certificate** section, download **Certificate (Base64)**.
10. <span id="login-url"></span>From the **Set up Synerise AI Growth Cloud** section, note down the value of the **Login URL** field (it's required later in the integration process). 
11. <span id="app-id"></span>From the **Set up Synerise AI Growth Cloud** section, note down the value of the **Azure AD Identifier** field (shown as **Microsoft Entra Identifier** in newer versions of the portal; it's required later in the integration process).

## Configuring user assignment to the application
---
You can assign users to the Synerise application in several ways within Microsoft Entra ID depending on your needs. The configuration settings allow you to let all your users use Synerise or only the selected user groups/individuals.

1. Log in to [Microsoft Azure Portal](https://portal.azure.com/).
2. Go to **Microsoft Entra ID > Manage > Enterprise Applications**. 
3. Select the **Synerise** application.
4. Go to the **Manage > Properties** section.
    - If you want to require assigning users to the app (unassigned users won’t be able to use the application, regardless of any further configuration), set **Assignment required?** to **Yes**.
        
      <details class="accordion"><summary>Further procedure when you select Yes</summary><div class="accordion-content"><ol> <li>Go to <strong>Users and groups</strong> and click <strong>Add user</strong>.</li> <li>Select individual users or groups who will be granted access to the Synerise application.</li> <li>Confirm the selection by clicking <strong>Assign</strong>.</li> </ol></div></details>

    - If you don’t want to assign users to the app, set the **Assignment required?** to **No**.
        
      <details class="accordion"><summary>Results when you set No</summary><div class="accordion-content"><ul> <li>All users and groups have access to the application.</li> <li>If you want to grant access to specific user groups, you can map those user groups in <a href="/docs/settings/identity-access-management/access-control/single-sign-on/#define-permissions-for-users-who-authorize-by-identity-provider">Dynamic group assignment</a> in Synerise.</li> <li>If no role assignment mapping matches, a user who accesses the Synerise app is informed that they have no access and asked to contact the Organization admin.</li> </ul></div></details>


## Configuring application access based on Microsoft Entra ID security groups
---


<div class="admonition admonition-important"><div class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2.5"><path stroke-linecap="round" stroke-linejoin="round" d="M12 8v4m0 4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" /></svg></div><div class="admonition-body"><div class="admonition-content">

Perform this procedure only if you set **Assignment required?** to **No** in the [Configuring user assignment to the application](/docs/settings/identity-access-management/single-sign-on-tutorials/setup-sso-entra-id#configuring-user-assignment-to-the-application) procedure.  
Otherwise, omit it.

</div></div></div>


1. Log in to [Microsoft Azure Portal](https://portal.azure.com/).
2. Go to **Microsoft Entra ID > Manage > Groups**.
3. Select the security groups you want to enable access for.
4. Note down the **Object Ids** of the security groups for which you want to enable access to Synerise.  
   In this example, access will be granted for three security groups:
    <figure>
    <img src="/api/docs/image/54176ad07f146575310749eba44b7c2f42c1b327/docs/settings/_gfx/azure-configuration-groups.png" alt="SAML-based SSO" class="full" >
    <figcaption>Example groups</figcaption>
    </figure>
    
    - `SYN_ADMIN` with **Object Id**: `9338ee1f-f662-48df-b286-7b93c9816e38`, where we want to assign the PROFILE_ADMIN role in Synerise
    - `SYN_MANAGER` with **Object Id**: `1826c186-ec0d-4ac0-a939-53d964b0e157`, where we want to assign the PROFILE_MANAGER role in Synerise
    - `SYN_USER` with **Object Id**: `731e7b07-604a-4ce5-b26e-e1a73c4e440f`, where we want to assign the PROFILE_USER role in Synerise
    
   <div class="admonition admonition-warning"><div class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2.5"><path stroke-linecap="round" stroke-linejoin="round" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L4.082 16.5c-.77.833.192 2.5 1.732 2.5z" /></svg></div><div class="admonition-body"><div class="admonition-content">

   These are just example **Object Ids**. While performing the procedure, replace them with the actual IDs for your security groups.

   </div></div></div>

5. After noting down the IDs, go to Synerise (<img src="/api/docs/image/54176ad07f146575310749eba44b7c2f42c1b327/icons/settings-icon.svg" alt="Settings icon" class="icon"> **Settings > Access Control > Identity Providers**) to the **Just-in-Time provisioning** section.
    1. Switch the **Dynamic role assignment** option on.
    2. Follow the instructions described [here](/docs/settings/identity-access-management/access-control/single-sign-on#define-permissions-for-users-who-authorize-by-identity-provider).

## Configuring application access based on Synerise SAML app assignment
---

<div class="admonition admonition-important"><div class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2.5"><path stroke-linecap="round" stroke-linejoin="round" d="M12 8v4m0 4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" /></svg></div><div class="admonition-body"><div class="admonition-content">

Perform this procedure only if you set **Assignment required?** to **Yes** in the [Configuring user assignment to the application](/docs/settings/identity-access-management/single-sign-on-tutorials/setup-sso-entra-id#configuring-user-assignment-to-the-application) procedure.  
Otherwise, omit it.

</div></div></div>


1. Log in to [Microsoft Azure Portal](https://portal.azure.com/). 
2. Go to **Microsoft Entra ID > Manage > Enterprise Applications**. 
3. Select the **Synerise** application (which was created in the [Configuring SAML application in Microsoft Entra ID](#configuring-saml-application-in-microsoft-entra-id) section).
4. In the **Overview** section (which you're currently in), select **1. Assign users and groups**.
5. Select **Add user > Users and groups** and select the groups you want to assign to the Synerise application. 
6. After assigning all users or groups, to confirm selection, click the **Assign** button.
7. Continue the set up within Synerise as described in [this step](#mapping-step) in [Configuring Microsoft Entra ID as an Identity Provider in Synerise](#configuring-microsoft-entra-id-as-an-identity-provider-in-synerise).

## Configuring group claims
---
In order to pass role or group claims in the SAML token issued by Microsoft Entra ID, you must: 

1. Log in to [Microsoft Azure Portal](https://portal.azure.com/).
2. Go to **Microsoft Entra ID > Manage > App registrations**.
3. Select the **Synerise** application (which was created in the [Configuring SAML application in Microsoft Entra ID](#configuring-saml-application-in-microsoft-entra-id) section).
4. Go to **Token configuration** section.
5. <span id="step5"></span>Click **Add groups claim**.
    - If you want to enable access to the application based on Microsoft Entra ID security group membership, click **Security groups**.
    - If you want to enable access to the application based only on groups assigned to the Synerise application, click **Groups assigned to the application**.
6. Optionally, go to the **SAML** section and select **Emit groups as role claims**.
    - If you select it, the claim will use the following attribute name: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role`
    - If you leave this checkbox unselected, the SAML integration uses one of the following attribute names (check an issued token to see which one your tenant emits): `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups` or `http://schemas.microsoft.com/ws/2008/06/identity/claims/groups`
7. Continue the configuration depending on your selection in [step 5](#step5):
   - If you selected **Security groups**, continue to [this procedure](#configuring-application-access-based-on-microsoft-entra-id-security-groups).
   - If you selected **Groups assigned to the application**, continue to [this procedure](#configuring-microsoft-entra-id-as-an-identity-provider-in-synerise).

## Configuring Microsoft Entra ID as an Identity Provider in Synerise
---

1. Log in to Synerise.
2. Select the workspace you want to configure single sign-on for.
3. Go to <img src="/api/docs/image/54176ad07f146575310749eba44b7c2f42c1b327/icons/settings-icon.svg" alt="Settings icon" class="icon"> **Settings > Access Control > Single Sign-On (SSO)**.
4. In the **General settings** section: 
    1. From the **Authentication methods** dropdown list, select the authentication methods you want to allow. For details, see the [Make log-in screen modifications](/docs/settings/identity-access-management/access-control/single-sign-on#make-log-in-screen-modifications) section.
    
       <div class="admonition admonition-tip"><div class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2.5"><path stroke-linecap="round" stroke-linejoin="round" d="M9.663 17h4.673M12 3v1m6.364 1.636l-.707.707M21 12h-1M4 12H3m3.343-5.657l-.707-.707m2.828 9.9a5 5 0 117.072 0l-.548.547A3.374 3.374 0 0014 18.469V19a2 2 0 11-4 0v-.531c0-.895-.356-1.754-.988-2.386l-.548-.547z" /></svg></div><div class="admonition-body"><div class="admonition-content">

       At the beginning, we suggest setting it to **Both methods**, so that email and password sign-in remains available as a fallback while you test SSO, unless you have a separate account in a different domain than the one you are setting up SSO for.

       </div></div></div>

    2. <span id="button-name"></span> In the **Sign-in button text** field, type the name that is displayed on the sign-in button, for example `Sign in with Microsoft Entra ID`.
5. In the **Authentication settings** section:
    1. From the **Managed domains**, select the domains you want to use for your SSO.
    2. Enable **Attribute containing email address**.  
        **Result**: The **URL of the email attribute** text field appears.
    3. In the **URL of the email attribute** field, enter the attribute name Microsoft Entra ID uses for the email claim: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` (this value is specific to the Microsoft Entra ID integration).
    <figure>
    <img src="/api/docs/image/54176ad07f146575310749eba44b7c2f42c1b327/docs/settings/_gfx/azure-integration-general.png" alt="SAML-based SSO" class="full" >
    <figcaption> The result </figcaption>
    </figure>

6. <span id="mapping-step"></span>In the **Just-in-Time provisioning** section, follow the procedure described [here](/docs/settings/identity-access-management/access-control/single-sign-on#define-permissions-for-users-who-authorize-by-identity-provider).
    - If you kept the default role assignment: 
        <figure>
        <img src="/api/docs/image/54176ad07f146575310749eba44b7c2f42c1b327/docs/settings/_gfx/azure-default-roles.png" alt="SAML-based SSO" class="full" >
        <figcaption> Filled in default role assignment settings </figcaption>
        </figure>
            
        **Result**: In this model, every authenticated person gets the role (or roles) defined here, regardless of any configuration on the Identity Provider side, subject to the **Update user roles while signing in** setting.
    - If you selected dynamic role assignment:
        <figure>
        <img src="/api/docs/image/54176ad07f146575310749eba44b7c2f42c1b327/docs/settings/_gfx/azure-dynamic-assignment.png" alt="SAML-based SSO" class="full" >
        <figcaption> Filled in dynamic assignment settings </figcaption>
        </figure>
        
        **Result**: Every authenticated person gets the role (or roles) derived from the group/role mapping between Microsoft Entra ID and Synerise, subject to the **Update user roles while signing in** setting.
7. In the **SAML protocol settings** section:
    1. In the **Issuer** and **SSO endpoint** fields, enter the Login URL obtained from the Microsoft Azure Portal (you copied it in [step 10](#login-url) of the [Configuring SAML application in Microsoft Entra ID](#configuring-saml-application-in-microsoft-entra-id) procedure).
    2. In the **Identity Provider application ID** field, paste the **Azure AD Identifier** value from the Microsoft Azure Portal (you copied it in [step 11](#app-id) of the [Configuring SAML application in Microsoft Entra ID](#configuring-saml-application-in-microsoft-entra-id) procedure). 
    3. The **Service Provider redirect URI** is filled in by default (you used it in [step 8](#redirect-uri) of the [Configuring SAML application in Microsoft Entra ID](#configuring-saml-application-in-microsoft-entra-id) procedure).
    4. In **Request binding**, select the SAML binding used to send authentication requests to the Identity Provider (for example, HTTP-Redirect or HTTP-POST).
    5. In **Response signature verification**, select where the SAML signature is expected (on the response, on the assertion, or both). This must match the **Signing Option** in the **SAML Signing Certificate** section of the application in Microsoft Entra ID; by default, Microsoft Entra ID signs the SAML assertion.
    6. In **Response validation method**, select **Static**.
    7. In **Identity Provider Signature Certificate**, upload the certificate downloaded from the Microsoft Azure Portal (you downloaded it in [step 9](#download-certificate) of the [Configuring SAML application in Microsoft Entra ID](#configuring-saml-application-in-microsoft-entra-id) procedure). Note the certificate's expiry date shown in Microsoft Entra ID: when you rotate the signing certificate there, upload the new certificate here before activating it, otherwise SSO sign-ins fail.
    8. Optionally, set the **Max clock skew** to 10 seconds to tolerate small clock differences between Microsoft Entra ID and Synerise.  
        **Result**:
            <figure>
            <img src="/api/docs/image/54176ad07f146575310749eba44b7c2f42c1b327/docs/settings/_gfx/azure-saml-configuration.png" alt="SAML-based SSO" class="full" >
            <figcaption> The result of configuring SAML settings in Synerise </figcaption>
            </figure>
8. Next to the **Single Sign-On (SSO)** headline, click **Apply**.
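The following Python script is an added example, not Synerise's or Microsoft's code. It models what a SAML Service Provider does with the settings configured above once the XML signature on the response has been verified: it locates the signature (the **Response signature verification** choice), checks the status, Issuer, audience and validity window with the 10-second **Max clock skew**, reads the email claim named in step 5 and the groups claim from the "Configuring group claims" section, and applies the example Object Id to role mapping from "Configuring application access based on Microsoft Entra ID security groups". The tenant ID, the ACS URL, the user and the SAML Response itself are constructed for the example; the XML-DSig signature check is deliberately left out, since a real Service Provider performs it with an XML-DSig library and the uploaded certificate.

```python
"""Added example, not Synerise or Microsoft code: the checks a SAML Service Provider makes on an
Entra ID response after its XML signature has been verified (signature verification itself is
left to an XML-DSig library such as xmlsec, using the certificate uploaded in Synerise)."""
import datetime as dt
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Attribute names from this page; the role claim name applies when "Emit groups as role claims" is on
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP_CLAIMS = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
                "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups",
                "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role")

# Example Object Id -> Synerise role mapping from this page; replace with your own groups
GROUP_ROLE_MAP = {"9338ee1f-f662-48df-b286-7b93c9816e38": "PROFILE_ADMIN",
                  "1826c186-ec0d-4ac0-a939-53d964b0e157": "PROFILE_MANAGER",
                  "731e7b07-604a-4ce5-b26e-e1a73c4e440f": "PROFILE_USER"}

# Hypothetical SP settings. Entra ID's <Issuer> is the tenant-scoped "Azure AD Identifier"
# (https://sts.windows.net/<tenant-id>/); the audience is the Service Provider Redirect URI.
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # constructed tenant
EXPECTED_AUDIENCE = "https://app.synerise.com/saml/example-acs"                    # constructed ACS URL
MAX_CLOCK_SKEW = dt.timedelta(seconds=10)                                         # "Max clock skew" above

# Constructed response: assertion-level signature (Entra ID's default), one mapped and one unmapped group
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{EXPECTED_AUDIENCE}">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotBefore="2024-01-01T11:59:55Z" NotOnOrAfter="2024-01-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{GROUP_CLAIMS[0]}">
        <saml:AttributeValue>1826c186-ec0d-4ac0-a939-53d964b0e157</saml:AttributeValue>
        <saml:AttributeValue>ffffffff-0000-0000-0000-000000000001</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _require(ok: bool, message: str) -> None:
    if not ok:
        raise ValueError(message)


def _parse_time(value: str) -> dt.datetime:
    # SAML timestamps are UTC with a trailing Z; Entra ID may include fractional seconds
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def signature_location(response_xml: str) -> str:
    """Where <ds:Signature> sits: must agree with "Response signature verification" in Synerise
    and with the "Signing Option" of the Entra ID application (default: the assertion)."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    on_response = root.find("ds:Signature", NS) is not None
    on_assertion = assertion is not None and assertion.find("ds:Signature", NS) is not None
    return {(True, True): "response and assertion", (True, False): "response",
            (False, True): "assertion"}.get((on_response, on_assertion), "none")


def validate_and_extract(response_xml: str, now_utc: str) -> dict:
    """Return {'email': ..., 'groups': [...]} or raise ValueError on the first failed check;
    now_utc is the verifier's clock as a SAML-style timestamp, e.g. '2024-01-01T12:00:30Z'."""
    now = _parse_time(now_utc)
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    _require(status is not None and status.get("Value") == SUCCESS, "SAML status is not Success")
    assertion = root.find("saml:Assertion", NS)
    _require(assertion is not None, "no plaintext <saml:Assertion> (encrypted assertions not handled here)")
    _require(assertion.findtext("saml:Issuer", default="", namespaces=NS) == EXPECTED_ISSUER, "unexpected issuer")
    cond = assertion.find("saml:Conditions", NS)
    _require(cond is not None, "assertion has no <saml:Conditions>")
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    # Validity window, widened by the configured clock skew at both ends
    _require(not not_before or now + MAX_CLOCK_SKEW >= _parse_time(not_before), "assertion not yet valid")
    _require(not not_after or now - MAX_CLOCK_SKEW < _parse_time(not_after), "assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    _require(EXPECTED_AUDIENCE in audiences, f"assertion not issued for this service provider: {audiences}")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    emails = attrs.get(EMAIL_CLAIM, [])
    _require(len(emails) == 1, "email claim missing or ambiguous")
    groups = [g for claim in GROUP_CLAIMS for g in attrs.get(claim, [])]
    return {"email": emails[0].strip().lower(), "groups": groups}


def is_valid(response_xml: str, now_utc: str) -> bool:
    try:
        validate_and_extract(response_xml, now_utc)
        return True
    except (ValueError, ET.ParseError):
        return False


def roles_for(groups, mapping=GROUP_ROLE_MAP) -> list:
    """Dynamic role assignment: unmapped Object Ids are ignored; an empty result means no access."""
    return sorted({mapping[g] for g in groups if g in mapping})
```

With the constructed response, `validate_and_extract(SAMPLE_RESPONSE, "2024-01-01T12:00:30Z")` yields `jane@example.com` with one mapped group, so `roles_for` returns only `PROFILE_MANAGER`; the unmapped Object Id contributes nothing, which is the "no access, contact the Organization admin" outcome for a user whose groups match no mapping. A response presented 5 seconds before `NotBefore` is still accepted because of the 10-second skew, while one presented 20 seconds after `NotOnOrAfter`, or with a different `Audience`, is rejected. In production, run the signature check before any of these checks, and reject the response if `signature_location` does not report the location you configured.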

## Test SSO 
---

After completing the Microsoft Entra ID setup, test the integration.

1. If you are logged in to Synerise, log out. 
2. Go to [the Synerise portal](https://app.synerise.com/spa/login).
3. Enter your email address.
4. Click **Continue**.
5. Click **Sign in with Microsoft Entra ID** (the text on the button depends on the value you entered in [this step](#button-name)).  
    **Result**: You are redirected to Microsoft. If you already have an active Microsoft session, you are authenticated immediately; otherwise you are asked to authenticate. In both cases you are then redirected back to Synerise.


   <details class="accordion"><summary>In case you can't authenticate</summary><div class="accordion-content"><ul> <li><p>In Synerise, review the SAML protocol settings and the Just-In-Time provisioning configuration for typos or errors (a mismatched Issuer, certificate or email attribute name is the usual cause).</p> </li> <li><p>In the Microsoft Entra ID portal:</p> <ol> <li>On the Single sign-on page of the Synerise application, click <strong>Test this application</strong>.<br> <strong>Result</strong>: Microsoft Entra ID attempts to sign you in to Synerise and shows the details of the SAML response if the sign-in fails. <figure> <img src="/api/docs/image/54176ad07f146575310749eba44b7c2f42c1b327/docs/settings/_gfx/test-this-application.png" alt="SAML-based SSO" class="full" > <figcaption> Testing the application in the Microsoft Azure portal </figcaption> </figure></li> </ol> </li> <li><p>Alternatively, Synerise is available in <a href="https://myapplications.microsoft.com/">https://myapplications.microsoft.com/</a> if you didn&#39;t set the <strong>Visible to users?</strong> option to <strong>No</strong> in the <strong>Enterprise application</strong> setup.</p> </li> </ul></div></details>


Congratulations! You signed in through Microsoft Entra ID.


<div class="admonition admonition-note"><div class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2.5"><path stroke-linecap="round" stroke-linejoin="round" d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" /></svg></div><div class="admonition-body"><div class="admonition-content">

When the process works as expected, you can change the **Authentication methods** setting so that only the SSO authentication method is allowed, removing the option of signing in with email and password.

</div></div></div>
