1. Home
  2. Guides
  3. Single Sign-On with Microsoft Azure Entra ID: OIDC and SCIM Integration

Single Sign-On with Microsoft Azure Entra ID: OIDC and SCIM Integration

Single sign-on (SSO) is an authentication method that allows users to access multiple apps, systems, and tools with a single set of credentials. It’s a way to streamline the authentication process while utilizing an organization’s enterprise security infrastructure.

If your organization requires SSO and would like to add Teamup to your list of SSO-enabled applications, this is the right place to get started.

We currently support Microsoft Azure with SCIM integration. This guide shows you how to configure Azure Entra ID (formerly Azure Active Directory or Azure AD) for Single-Sign-On with Teamup (public beta).

Request one or more SSO domain names

Contact Teamup Support (support@teamup.com) to request an SSO domain to be set up for you. An active Enterprise level subscription is required to enable SSO. You can upgrade yourself at any time.

Once you have obtained the SSO domain name, you may proceed with the steps below.

Login to your Microsoft account

Login to Microsoft Azure and choose Microsoft Entra ID from the home screen.

Single-Sign-On Configuration

Add a new application registration

Find the menu below in quick actions, or navigate to App registrations > New registration

Enter your Application Name (e.g. ‘Teamup – My Organization Name‘). Select Accounts in this organizational directory only (MSFT only – Single tenant), then select Web for the Redirect URI and enter https://teamup.com/oidc/authenticate in the field next to Web type.

Generate a client secret

Navigate to Certificates & secrets > New client secret to create a client secret.

 

IMPORTANT: Copy the Value of the secret right after creation as it will not be visible anymore later on.

Configure the SSO integration on Teamup

Open the Trusted Domains page and edit the domain you want to configure.

Gather the secret value from the previous step, as well as the Application (client) ID and Directory (tenant) ID from the Overview page (pictured below).

Enter these three pieces of information in the form to configure things as such, taking care to replace italicized text by their respective values:

Issuer: https://login.microsoftonline.com/{Directory (tenant) ID}/v2.0

Client ID: Application (client) ID

Client Secret: secret value from above

Save the parameters and you should now be able to log out of Teamup and log in again via SSO. After entering your email in the login form you will see a “Log in via Single-Sign-On” link below, or be redirected to the SSO login directly depending on your domain configuration.

User and group provisioning via SCIM

Create a SCIM secret on Teamup

Open the Trusted Domains page and edit the domain you want to configure.

Press on “+ Add SCIM Secret” to ensure a secret exists.

Make sure you select one of your organizations to be linked to the domain, as otherwise the provisioning of groups is not possible.

Save the form to finalize the secret generation. Copy the secret for later use.

Create the provisioning application on Microsoft Entra ID

Login to Microsoft Azure and choose Microsoft Entra ID from the home screen.

Add a new Enterprise application

Find the menu below in quick actions, or navigate to Enterprise applications > New application

Select “+ Create your own application” on top and enter your Application Name (e.g. ‘Teamup SCIM‘). Select Integrate any other application you don’t find in the gallery (Non-gallery) then Create it.

Configure provisioning

Go to Provisioning in the sidebar and then Get Started.

Select Automatic as provisioning mode, enter “https://teamup.com/scim/v2/” as Tenant URL, and then the secret you got from Teamup as Secret Token. You can then test the connection and save it if all is well. Provisioning users and groups to Teamup should now be fully set up.

Testing Single Sign-On

After you have configured SSO for your domain verify that it works. By default, SSO is configured to be optional. That means that users with existing Teamup accounts can still log in without SSO and new users can still register for a Teamup account without SSO.

Steps to test SSO with your organization’s login:

  1. Navigate to https://teamup.com/login (make sure you are not logged in).
  2. On the login form, enter an email address of the domain for which you have enabled SSO. Then click “Continue”.
  3. The server detects that SSO has been enabled for that domain and offers a link “Login via Single-Sign-On” below the login button.
  4. Follow the link “Login via Single-Sign-On” and on the next view click “Log in”. If everything is set up correctly, your browser will now be forwarded to the login page of your organization’s identity provider.
  5. Log in with your organization’s email address and password. If successful, your browser will be forwarded to your Teamup dashboard.

A note for users with existing Teamup accounts: On your first SSO login, your Teamup account will be converted to an SSO account. It will not be possible anymore to log in with your Teamup password.

Updated on September 11, 2024
WordPress Cookie Notice by Real Cookie Banner