Entra ID (Azure AD)

Step-by-step guide to configure Microsoft Entra ID (Azure AD) SAML integration with Immuta

Overview

This article provides a complete walkthrough for integrating Microsoft Entra ID (formerly Azure AD) with Immuta using SAML authentication. This integration enables single sign-on (SSO) for users to access Immuta using their Entra ID credentials.

Prerequisites

  • Administrative access to Microsoft Entra ID (Azure AD)

  • Administrative access to Immuta App Settings

  • An Enterprise Application registered in Entra ID for Immuta

Configuration Steps

1. Configure Entra ID Enterprise Application

1.1 Update Entity ID (Identifier)

  1. Navigate to Azure Portal → Azure Active Directory → Enterprise applications

  2. Select your Immuta application (e.g., "rbauman-saas")

  3. Go to Manage → Single sign-on

  4. In the Basic SAML Configuration section, click Edit

  5. Update the Identifier (Entity ID) field to match the Issuer value from Immuta

    • This value should match exactly what is configured in Immuta's Identity Management settings

    • Example: immuta

1.2 Update Reply URL (Assertion Consumer Service URL)

  1. Stay in the same Basic SAML Configuration section

  2. Update the Reply URL field to match the SSO Callback URL from Immuta

  3. The Reply URL takes the form https://<immuta-domain>/bim/iam/<iam-name>/user/authenticate/callback

    • Example: https://leidos-dev.hosted.immutacloud.com/bim/iam/LeidosEntraImmuta/user/authenticate/callback

  4. Click Save

1.3 Get the Entry Point URL

  1. Navigate to Enterprise applications → Select your Immuta application

  2. Go to Manage → Properties

  3. Copy the User access URL

    • This URL will be used as the Entry Point in Immuta

    • Format: https://launcher.myapps.microsoft.com/api/signin/<application-id>?tenantId=<tenant-id>

2. Configure Immuta Identity Management

2.1 Access Immuta App Settings

  1. Log into Immuta as an administrator

  2. Navigate to App Settings → Identity Management

  3. Select your Entra ID IAM configuration (e.g., "entraid")

2.2 Configure Client Options

Update the following fields in the Immuta IAM configuration:

  • Issuer: Set to match the Entity ID configured in Entra ID

    • Example: immuta

  • Entry Point (Required): Set to the User Access URL from Entra ID Enterprise Application Properties

    • Example: https://launcher.myapps.microsoft.com/api/signin/d7ec22b2-a6e0-4c1d-a30b-23814fe875ef?tenantId=7d0...

  • User ID Attribute: Typically set to userName (matches the Entra ID user attribute)

  • Signing Certificate: Upload the certificate from Entra ID if using certificate-based signing

    • Download from Entra ID: Single sign-on → SAML Signing Certificate → Certificate (Base64)

2.3 Save Configuration

  1. Click Save in Immuta App Settings

  2. Verify all settings are correctly configured

3. Verify Integration

3.1 Test SSO Login

  1. Log out of Immuta

  2. Navigate to your Immuta login page

  3. Click Sign in with Entra ID (or your configured SSO option)

  4. You should be redirected to Microsoft's login page

  5. After successful authentication in Entra ID, you should be redirected back to Immuta and logged in

3.2 Common Verification Steps

  • Verify user attributes are correctly mapped (username, email, groups)

  • Check that users are automatically provisioned in Immuta upon first login

  • Confirm group memberships are synced correctly if using group-based access

Troubleshooting

AADSTS50011 Error - Reply URL Mismatch

Error Message:

Resolution:

  1. Verify the Reply URL in Entra ID exactly matches the SSO Callback URL in Immuta

  2. Check for trailing slashes, case sensitivity, and URL encoding

  3. Ensure the URL includes the correct IAM name in the path
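The following Python script is an added example, not part of the Immuta or Microsoft documentation: it applies the checks from section 2.2 and from this troubleshooting item to both sides of the configuration, comparing Entity ID with Issuer, Reply URL with the SSO Callback URL (reporting trailing-slash, letter-case and URL-encoding differences separately), the IAM name in the callback path, the shape of the Entry Point, and whether a signing certificate was uploaded. The sample values are constructed; the tenant id and certificate are placeholders.

```python
import re
from urllib.parse import unquote

# Shapes from the guide: the Reply URL path carries the IAM name, and the Entry Point is the User access URL.
REPLY_URL_RE = re.compile(
    r"^https://(?P<domain>[^/?#]+)/bim/iam/(?P<iam>[^/?#]+)/user/authenticate/callback$")
ENTRY_POINT_RE = re.compile(
    r"^https://launcher\.myapps\.microsoft\.com/api/signin/[0-9a-fA-F-]{36}\?tenantId=[0-9a-fA-F-]{36}$")

def check_saml_config(entra, immuta):
    """Compare the Entra ID side with the Immuta side; an empty list means they agree."""
    findings = []
    # Entity ID and Issuer are compared byte-for-byte, so even stray whitespace breaks SSO.
    if entra["entity_id"] != immuta["issuer"]:
        findings.append(f"Entity ID {entra['entity_id']!r} != Immuta Issuer {immuta['issuer']!r}")
    # Reply URL vs SSO Callback URL: name the usual AADSTS50011 cause when there is one.
    reply, callback = entra["reply_url"], immuta["sso_callback_url"]
    if reply != callback:
        if reply.rstrip("/") == callback.rstrip("/"):
            findings.append("Reply URL differs from callback only by a trailing slash")
        elif reply.lower() == callback.lower():
            findings.append("Reply URL differs from callback only in letter case")
        elif unquote(reply) == unquote(callback):
            findings.append("Reply URL differs from callback only in URL encoding")
        else:
            findings.append(f"Reply URL {reply!r} does not match callback {callback!r}")
    m = REPLY_URL_RE.match(reply)
    if m is None:
        findings.append("Reply URL is not https://<immuta-domain>/bim/iam/<iam-name>/user/authenticate/callback")
    elif m.group("iam") != immuta["iam_name"]:
        findings.append(f"Reply URL path names IAM {m.group('iam')!r}, expected {immuta['iam_name']!r}")
    # Entry Point must be the User access URL from the application's Properties page.
    if not ENTRY_POINT_RE.match(immuta["entry_point"]):
        findings.append("Entry Point is not launcher.myapps.microsoft.com/api/signin/<app-id>?tenantId=<tenant-id>")
    # Without the Entra signing certificate Immuta cannot verify assertion signatures.
    if not immuta.get("signing_certificate"):
        findings.append("No signing certificate uploaded (Single sign-on > SAML Signing Certificate > Certificate (Base64))")
    return findings

# Constructed sample: callback and application id follow the guide's examples; tenant id and certificate are placeholders.
ENTRA = {"entity_id": "immuta",
         "reply_url": "https://leidos-dev.hosted.immutacloud.com/bim/iam/LeidosEntraImmuta/user/authenticate/callback"}
IMMUTA = {"issuer": "immuta", "iam_name": "LeidosEntraImmuta",
          "sso_callback_url": ENTRA["reply_url"],
          "entry_point": "https://launcher.myapps.microsoft.com/api/signin/d7ec22b2-a6e0-4c1d-a30b-23814fe875ef?tenantId=00000000-0000-0000-0000-000000000000",
          "signing_certificate": "-----BEGIN CERTIFICATE----- placeholder -----END CERTIFICATE-----"}

if __name__ == "__main__":
    for line in check_saml_config(ENTRA, IMMUTA) or ["OK: Entra ID and Immuta settings agree"]:
        print(line)
```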

AADSTS75011 Error - Authentication Method Mismatch

Error Message:

Resolution:

  1. In Immuta, navigate to App Settings → Identity Management → Select your IAM

  2. Under Additional Config Parameters, add a new parameter:

    • Key: disableRequestedAuthnContext

    • Value: true

  3. Save the configuration

Users Not Provisioned Automatically

Resolution:

  1. Verify SCIM provisioning is configured if automatic user provisioning is required

  2. Check that user attribute mappings are correct

  3. Ensure users have appropriate licenses and permissions in Entra ID

  4. Review Immuta audit logs for provisioning errors

Configuration Summary

Entra ID Configuration

  Setting                  Value
  Entity ID (Identifier)   Must match Immuta's Issuer value
  Reply URL                https://<immuta-domain>/bim/iam/<iam-name>/user/authenticate/callback
  User Access URL          From Enterprise Application Properties

Immuta Configuration

  Setting               Value
  Issuer                Must match Entra ID Entity ID
  Entry Point           User Access URL from Entra ID
  User ID Attribute     userName (or as configured)
  Signing Certificate   Certificate from Entra ID (if applicable)
