Set up SSO with Microsoft Entra ID
Last updated
Was this helpful?
Last updated
Was this helpful?
To learn about SSO in Phocas, see .
This page outlines how to set up Phocas and Microsoft Entra ID (Entra), previously called Azure AD, to allow single sign-on (SSO) for your Phocas site.
This is an advanced technical process typically carried out by the IT person in your organization with access to Entra. It involves moving between the two applications in seven key steps, as outlined below. At the bottom of the page, you'll find some troubleshooting tips.
In your Microsoft Entra admin center, click Enterprise applications.
Click + New application.
Click + Create your own application.
Enter a name for the application.
Select this option: Integrate any other application you don’t find in the gallery (Non-gallery).
Click Create.
In the 2. Set up single sign on tile, click Get started.
Click SAML.
In the Basic SAML Configuration panel, click the Edit button. Keep this screen open and proceed to step 2 below.
In the Phocas menu, click Administration > Configuration.
Click the Single sign-on (SSO) tab.
Select the Allow SSO via SAML checkbox. The SAML configuration settings display. Keep this screen open and proceed to step 2 below.
With both the Phocas and Entra screens open side-by-side:
In Phocas, in the Service provider (SP) section, copy the Entity ID.
In Entra, in the Identifier (Entity ID) section, click Add identifier and paste the ID into the box.
In Phocas, copy the ACS URL.
In Entra, in the Reply URL (Assertion Consumer Service URL) section, click Add reply URL and paste the URL into the box.
In Entra, click Save and close the panel. Continue to keep both the Phocas and Entra ID screens open side-by-side.
The new Microsoft Enterprise app you created above takes approximately 5 to 10 minutes to be properly provisioned, after which the certificate changes. Please wait sometime before you take the next steps to ensure you use the correct certificate.
With both the Phocas and Entra screens open side-by-side:
Obtain the Entra SAML certificate:
In Entra, on the Single Sign On page, scroll down to the 3 SAML Certificates section and download the Certificate (Base64) file.
Open the downloaded certificate file in Notepad and copy all the contents.
In Phocas, in the Identity Provider (IP) section, paste the copied certificate contents into the X509 Certificate box.
In Entra, in section 4, copy the Login URL.
In Phocas, in the Identity Provider (IP) section, paste the IRL into the Login URL box.
In Entra, copy the Microsoft Entra Identifier.
In Phocas, in the Identity Provider (IP) section, paste the identifier into the Entity ID box.
In Phocas, in the Identity Provider (IP) section, enter a name for the provider, for example, My Company SSO. This will display as a button on your Phocas Sign in page.
Click Save.
In Entra, click Users and groups in the left-hand menu.
Click + Add user/group.
Click None selected.
Locate and select the user(s) or group(s) you want to have access to Phocas, then click Select at the bottom.
Click Assign.
The usernames depend on the source attribute sent from Entra. This can be found in the Single sign-on > Attributes & Claims section.
Here’s an example of updated usernames in Phocas:
If the user signs in to Phocas using SSO and returns to the Sign in page, the issue is most likely a user authentication issue. The username in Entra must match the username in Phocas; just a matching email address will not work.
Otherwise, it could be that:
The Base64 certificate is out of date. When you create the new Microsoft Enterprise app, it takes approximately 5 to 10 minutes for it to be properly provisioned. After it's provisioned, the Base64 certificate changes. If you download and use the certificate before the app is provisioned, the sign-in process won't work. Download the certificate again, open and copy the updated contents, then paste it into into the into the X509 Certificate box in Phocas (see step 4 above).
Something else in the configuration in Phocas is wrong. Repeat the steps above to set up the configuration again.
Select the required SAML options: Use enhanced SAML security, Update user account with details from IdP on user sign-on, and Automatically create user account if none exists. See the bottom of the for information about these settings.
In Phocas, (or create new user accounts) to use the Entra usernames. For example, use the email address or User Principal Name (UPN).
If you continue to have issues after setup, please .
