SSO setup — Microsoft Entra (SAML)
5 min read · Updated 12 May 2026
Step by step
In the Entra admin centre, Enterprise applications → New application → Create your own application. Name it WBSync. Pick Integrate any other application you don't find in the gallery (Non-gallery).
Open the new app, Single sign-on → SAML. In section 1 (Basic SAML Configuration), paste:
- Identifier (Entity ID): WBSync's ACS URL (or metadata URL)
- Reply URL (ACS URL): WBSync's ACS URL
In section 2 (Attributes & Claims), edit the default claim and add:
- email → user.mail
- first_name → user.givenname
- last_name → user.surname
Keep the Name identifier as user.userprincipalname.
From section 3 (SAML Signing Certificate) download the Certificate (Base64) and paste its contents into WBSync's IdP X.509 signing certificate field. From section 4 copy:
- Login URL → WBSync's IdP SSO URL
- Microsoft Entra Identifier → WBSync's IdP Entity ID
Set the Email domain in WBSync to your tenant's verified domain. Save.
Back in the Entra app, Users and groups → Add user/group — assign at least yourself for testing. Then in WBSync click Test connection. Green badge means done.
Frequently asked
Can the Owner still sign in if SSO breaks?
Yes. The Owner always retains password fallback at /accounts/login/, even with 'Require SSO for everyone except the Owner' switched on. This is the lockout escape — your IdP can go down and you still get back in to fix it.
What happens to existing users?
Their accounts are preserved. On their first SSO sign-in WBSync binds their IdP subject to the existing user row, so audit history, role and assignments carry over. If 'Require SSO for everyone except the Owner' is on (recommended), existing non-Owner users must be bound deliberately — see the JIT section.
What about new users? Do I have to invite them first?
No. JIT provisioning is on by default: the first time someone with your email domain signs in via the IdP, WBSync creates their account automatically with the role you picked on the SSO settings page (default: Foreman). You can change their role afterwards in the directory.
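The steps above only show the Entra side of the claim mapping. The added example below (it is not WBSync's code and does not describe its internals) shows what the service-provider side has to do with those three claims and the NameID once the assertion signature has already been verified: pull the mapped attributes out, check the Issuer against the IdP Entity ID from section 4, enforce the verified email domain from the settings page, bind the IdP subject to an existing account as the "existing users" answer describes, or JIT-create an account with the default role as described here. Every name in it is an assumption: the function names, the dict standing in for the user table, the placeholder tenant id and the sample assertion are all constructed. The 'Require SSO for everyone except the Owner' switch is not modelled.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names configured in Entra section 2, as listed on the page.
CLAIM_NAMES = ("email", "first_name", "last_name")

# Constructed sample (not a real assertion): the Issuer, Subject and
# AttributeStatement an IdP emits once the claims above are configured. The
# NameID carries the UPN because the page keeps user.userprincipalname as the
# Name identifier. The tenant id, addresses and names are placeholders; the
# Signature and Conditions elements are omitted because the SP must validate
# those before any attribute in here is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Pull Issuer, NameID and the three mapped claims out of an assertion."""
    root = ET.fromstring(assertion_xml)
    claims = {
        "issuer": (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip(),
        "name_id": (root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS) or "").strip(),
    }
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if name in CLAIM_NAMES:
            claims[name] = (attr.findtext("saml:AttributeValue", namespaces=SAML_NS) or "").strip()
    return claims


def provisioning_decision(claims, *, idp_entity_id, email_domain, directory, default_role="Foreman"):
    """Decide what to do with an already signature-checked assertion.

    Returns ("reject", reason), ("bind", user) or ("create", user).
    `directory` is a dict keyed by lower-case email standing in for the user table.
    """
    if claims.get("issuer") != idp_entity_id:
        return "reject", "Issuer does not match the configured IdP Entity ID"
    if not claims.get("name_id"):
        return "reject", "assertion has no NameID"
    email = claims.get("email", "").lower()
    if "@" not in email:
        return "reject", "email claim missing or malformed"
    if email.rsplit("@", 1)[1] != email_domain.lower():
        return "reject", "email domain is not the tenant's verified domain"

    user = directory.get(email)
    if user is not None:
        bound = user.get("idp_subject")
        if bound and bound != claims["name_id"]:
            # A row already tied to another subject must not be silently re-bound.
            return "reject", "account is already bound to a different IdP subject"
        user["idp_subject"] = claims["name_id"]  # first SSO sign-in binds the existing row
        return "bind", user

    # No row yet: JIT-create with the default role chosen on the settings page.
    user = {
        "email": email,
        "first_name": claims.get("first_name", ""),
        "last_name": claims.get("last_name", ""),
        "role": default_role,
        "idp_subject": claims["name_id"],
    }
    directory[email] = user
    return "create", user


if __name__ == "__main__":
    users = {}
    claims = extract_claims(SAMPLE_ASSERTION)
    for _ in range(2):  # first call creates, second call binds
        print(provisioning_decision(claims, idp_entity_id="https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
                                    email_domain="example.com", directory=users))
```

The domain check is what keeps JIT from being an open registration form: an assertion from the right IdP whose email claim sits in another domain is rejected rather than provisioned, and the Issuer check makes sure the Entity ID pasted from section 4 is the only one whose claims are honoured.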
Is the OIDC client secret stored safely?
Yes — secrets are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256), using the same key-rotation ceremony as our third-party clock-in integrations. The plain secret is never displayed back to you; paste a new one to rotate.
What does 'Test connection' actually do?
It runs a real round-trip with your IdP, but instead of signing you in it just records the outcome on the settings page. So you can sit in WBSync as the Owner, click the button, and watch the result land — without giving up your current session.