Microsoft Entra ID integration with SAML
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud identity and access management service. It provides Single Sign-On (SSO) to applications and services from any location.
This document explains how to configure Microsoft Entra ID and Invicti Platform for Single Sign-On.
Configure Entra ID with SAML
The process consists of two steps:
- Step 1: Add Invicti to Entra ID
- Step 2: Configure Entra ID Single Sign-On with SAML
Step 1: Add Invicti to Entra ID
- In the Entra ID portal, from the left-side menu, select Identity > Applications > Enterprise Applications.
- From the Enterprise Applications page, select + New application.
- From the Browse Microsoft Entra Gallery page, select + Create your own application.

- In the input name field on the right panel, enter a name for your application. (You can enter any name you want. For this example, Invicti is used.)
- Select Integrate any other application you don't find in the gallery (Non-gallery).

- Click Create to add the application. Wait for the app to be added to your tenant.
You can now configure Entra ID Single Sign-On with SAML. You need an account in both Invicti and the Entra ID tenant with permission to change SSO settings.
Step 2: Configure Entra ID Single Sign-On with SAML
- In Entra ID, select Enterprise Applications > Invicti.
- Select Set up Single Sign-On, then SAML.

- Open another browser tab and log in to Invicti.
- Select Settings > Security & access control > SSO & Provisioning from the left-side menu.
- Turn on the Enable SSO toggle.
- Select AzureAD from the SSO Provider drop-down list.

- Copy the URL from the SAML 2.0 Service URL field.
- Switch to the Entra ID browser tab and click Edit in the Basic SAML Configuration section.

- Paste the copied SAML 2.0 Service URL into the Reply URL field.
- Switch to the Invicti browser tab, copy the URL from the Identifier field, and paste it into the Identifier (Entity ID) field in Entra ID. Both the Identifier and the Reply URL must match the Invicti values character for character (scheme, host, path and any trailing slash); a mismatch in either is the most common cause of a failed sign-in.
- Click Save.
- Continue to the Attributes & Claims section and confirm the claims are set as follows. Click Edit to adjust any claim that differs. Note that user.mail is empty for accounts without a mailbox, and Entra ID omits a claim whose value is empty, so such users sign in without an emailaddress claim.
- givenname - user.givenname
- surname - user.surname
- emailaddress - user.mail
- Unique User Identifier - user.userprincipalname

- In the Entra ID tab, copy the URL from the Microsoft Entra Identifier field and paste it into the IdP Identifier field in Invicti.

- In Entra ID, copy the URL from the Login URL field and paste this URL into the SAML 2.0 Endpoint field in Invicti.

- In Entra ID, download the Certificate (Base64). Open the certificate with a text editor.

- Copy the content of the certificate into the X.509 Certificate field in Invicti.

- Scroll down and click Save if you do not need the additional security options described in the following steps.
- If you want Invicti to sign its SAML authentication requests, select Sign requests, then choose either:
- Generate a new certificate for me; OR
- I have an existing certificate, and upload your certificate and enter the certificate password.

- In Entra ID, in the SAML Certificates > Verification certificates (optional) section, click the Edit button.

- Enable the Require verification certificates checkbox. With this enabled, Entra ID rejects any authentication request for this application that is not signed with the uploaded certificate.
- Click Upload certificate, select your certificate, and then click Save.

- Return to the Invicti SSO page and upload your Decryption certificate file.
- Enter the Certificate password.

- Use the SSO Exemptions drop-down to select any users who may bypass SSO and log in with a password. Keep this list as short as possible (for example, a single break-glass administrator), because exempted accounts are not covered by the authentication policies enforced in Entra ID.

- Click Save to complete the configuration.
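The three values exchanged above (Identifier, SAML 2.0 Service URL / Reply URL, Microsoft Entra Identifier) are what the service provider checks on every SAML Response before it trusts the claims listed in the Attributes & Claims step. The following Python script is an added illustration of those checks and is not Invicti's code; it parses a constructed Entra-style response and verifies Destination, Issuer, Audience, validity window and status against a hypothetical SP configuration (the `invicti.example` URLs and the all-zero tenant ID are placeholders). XML Signature verification with the downloaded X.509 certificate is deliberately left out; a real SP must perform it (for example with python3-saml/xmlsec) before acting on any of these values.

```python
"""Validate the non-signature parts of an Entra ID SAML Response against the
values an admin copies between the Invicti and Entra ID tabs.

Added example, not Invicti's implementation. Signature checking is omitted
and must be done by the real SP with the IdP's X.509 certificate.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Claim URI prefix used by Entra ID for givenname, surname and emailaddress.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP configuration: placeholder hostnames and tenant ID.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
SP_CONFIG = {
    "identifier": "https://invicti.example/saml/metadata",        # Identifier (Entity ID)
    "reply_url": "https://invicti.example/saml/acs",              # SAML 2.0 Service URL / Reply URL
    "idp_identifier": f"https://sts.windows.net/{TENANT_ID}/",    # Microsoft Entra Identifier
}
# Instant at which the constructed response is evaluated (inside its window).
NOW = dt.datetime(2024, 5, 1, 12, 0, 30, tzinfo=dt.timezone.utc)

# Constructed sample response in the shape Entra ID emits; Signature elements removed.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="https://invicti.example/saml/acs">
  <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@contoso.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://invicti.example/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>alice@contoso.example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _iso(ts):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text, config, now):
    """Return the claims if the response is addressed to this SP; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    # Destination must equal the Reply URL (SAML 2.0 Service URL) configured in Entra ID.
    if root.get("Destination") != config["reply_url"]:
        raise ValueError("Destination does not match the configured Reply URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("response status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    # Issuer must equal the Microsoft Entra Identifier pasted into IdP Identifier.
    if assertion.findtext("saml:Issuer", namespaces=NS) != config["idp_identifier"]:
        raise ValueError("assertion issuer is not the configured IdP Identifier")
    # Audience must equal the Identifier (Entity ID) pasted into Entra ID.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if config["identifier"] not in audiences:
        raise ValueError("assertion is not addressed to the configured Identifier")
    cond = assertion.find("saml:Conditions", NS)
    if not (_iso(cond.get("NotBefore")) <= now < _iso(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    claims = {"nameid": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name.startswith(CLAIMS):
            claims[name[len(CLAIMS):]] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return claims


def reply_url_mismatch_error(xml_text, config, now):
    """Show the effect of a one-character Reply URL typo (trailing slash): same response, rejected."""
    try:
        validate_response(xml_text, dict(config, reply_url=config["reply_url"] + "/"), now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, SP_CONFIG, NOW))
    print(reply_url_mismatch_error(SAMPLE_RESPONSE, SP_CONFIG, NOW))
```

Running the script prints the four claims (NameID plus givenname, surname, emailaddress) for the constructed response, then the error produced when the Reply URL differs by a single trailing slash, which is why the page insists the copied values be pasted unchanged.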
You can now assign users and groups to the application in Entra ID (Enterprise Applications > Invicti > Users and groups) so they can sign in to Invicti. If User assignment required? is set to Yes in the application's Properties, only assigned users and group members are allowed to sign in.

To learn more about the Single Sign-On fields, refer to the Single Sign-On configuration document.