
Microsoft Entra ID / Azure AD

Requirements

To integrate Pyplan with Microsoft Entra ID (Azure AD), you need to create an Azure Enterprise App.

Instructions

Azure Portal — Microsoft Azure

Access the Azure Active Directory — App Registrations:
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps

Create the New App

Enterprise Apps service


Create new enterprise app

New app configuration

Assign Users and Groups

Assign users and groups

SSO Configuration

The following section configures the connection between the IdP and Pyplan.

SSO attributes step 1

SSO attributes step 2

Select the SAML configuration:

Select SAML configuration

Configure it with the following parameters:

Identifier (Entity ID): https://[DNS_CLUSTER_INGRESS]/api/saml2/metadata/?code=[COMPANY_NAME]
Reply URL: https://[DNS_CLUSTER_INGRESS]/api/saml2/acs/?code=[COMPANY_NAME]
Sign On URL: https://[DNS_CLUSTER_INGRESS]/api/saml2/login/?next=[DNS_CLUSTER_INGRESS]&code=[COMPANY_NAME]
Relay State: (Empty)
Logout URL: https://[DNS_CLUSTER_INGRESS]/api/saml2/ls/?code=[COMPANY_NAME]

SAML configuration example


SAML Certificates

Edit the Signing Option and the Algorithm.

Edit signing option and algorithm

Sign SAML assertion — mandatory setting

info

The Sign SAML assertion setting is mandatory.

Azure Groups (Optional)

Pyplan can map an Azure group to a specific set of permissions within the application, which simplifies administration for the security team.

For more information: Security Options

Choose one of the following patterns for each tenant and keep it consistent across the SAML configuration:

Group Claims
  What Azure sends in the SAML token: a groups claim with the Azure application group name.
  Recommended use: when Pyplan should receive the group name and resolve the final role and department internally.

Extension Attribute
  What Azure sends in the SAML token: the same profile value in both the role and department claims.
  Recommended use: when the tenant already maintains a normalized profile attribute and wants Azure to send the effective profile directly.

Azure Groups — Group Claims

The Group Claims flow keeps profile management in Azure groups. Microsoft Entra ID sends the application group name in the SAML token, and Pyplan maps that value to the final role and department internally.

Below we show the high-level integration flow for Group Claims:

Group claims flow diagram

Expected claim:

Claim name: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Type: SAML
Value: user.groups [ApplicationGroup]

Typical steps:

  1. In the Azure Enterprise App go to Attributes & Claims and select Add a group claim.
  2. Limit the claim to Groups assigned to the application and emit Cloud-only group display names.
  3. Confirm the generated claim is http://schemas.microsoft.com/ws/2008/06/identity/claims/groups and the value is user.groups [ApplicationGroup].
  4. Test the SAML response and confirm the expected group name is present in the assertion.

The following Azure screenshots show the step-by-step configuration inside the Enterprise App for the Group Claims flow:

Group claim example step 5
Group claim example step 6
Group claim example step 7

info

The Group Claims flow sends application-scoped group information in the SAML assertion. Ensure each tenant either assigns at most one application-scoped group per user or implements a deterministic precedence policy (for example: priority order, explicit group→role mappings, or a conflict-resolution lookup). Test sign-ins and inspect the SAML assertion to verify the expected group is emitted before enabling the integration.

Azure Groups — Extension Attribute

The Extension Attribute flow uses a single user attribute as the source of the effective profile. Microsoft Entra ID sends that same value in both the role and department claims, and Pyplan applies its internal permission mapping from those values.

Below we show the high-level integration flow for Extension Attributes:

Extension attribute flow diagram

Expected claims:

Claim name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role
Type: SAML
Source attribute: user.extensionAttribute15, user.extensionAttributeX or user.usertype (one attribute per tenant)

Claim name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department
Type: SAML
Source attribute: user.extensionAttribute15, user.extensionAttributeX or user.usertype (the same attribute as the role claim)

Typical steps:

  1. Choose one source attribute for the tenant and populate it with the functional profile value to be sent to Pyplan.
  2. In the Azure Enterprise App add the role claim and point it to that source attribute.
  3. Add the department claim and point it to the same source attribute so both claims carry the same value.
  4. Test the sign-in flow and inspect the SAML response to verify both claims are present and consistently populated.
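The step "inspect the SAML response" in both flows above can be scripted. The following Python is an added example (not part of the Pyplan documentation or product): it extracts the AttributeStatement of a constructed SAML assertion, applies a hypothetical precedence list to the groups claim as the Group Claims note suggests, and checks that the role and department claims carry one identical value as the Extension Attribute flow requires. The claim names are the ones listed above; the group names, profile value and precedence list are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
ROLE_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
DEPT_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department"

# Constructed sample assertion for this example; group and profile names are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
   <saml:AttributeValue>Pyplan-Analysts</saml:AttributeValue>
   <saml:AttributeValue>Pyplan-Admins</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role">
   <saml:AttributeValue>Finance</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department">
   <saml:AttributeValue>Finance</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def extract_claims(assertion_xml):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    return {
        attr.get("Name"): [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        for attr in root.iterfind(".//saml:Attribute", NS)
    }

def resolve_group_claim(claims, precedence):
    """Group Claims flow: return the single application group to map. If Azure emits
    several, pick by the (hypothetical) precedence list instead of guessing."""
    groups = claims.get(GROUPS_CLAIM, [])
    if not groups:
        raise ValueError("groups claim missing from assertion")
    ranked = [g for g in precedence if g in groups]
    if len(groups) > 1 and not ranked:
        raise ValueError("several groups emitted and none is in the precedence list")
    return ranked[0] if ranked else groups[0]

def check_extension_attribute(claims):
    """Extension Attribute flow: role and department must each carry exactly one
    value and the two values must match; return the effective profile."""
    role, dept = claims.get(ROLE_CLAIM, []), claims.get(DEPT_CLAIM, [])
    if len(role) != 1 or len(dept) != 1:
        raise ValueError("role and department must each carry exactly one value")
    if role[0] != dept[0]:
        raise ValueError(f"role {role[0]!r} does not match department {dept[0]!r}")
    return role[0]
```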

The following Azure screenshots show the step-by-step configuration inside the Enterprise App for the Extension Attribute flow. These examples use user.usertype; if the tenant uses user.extensionAttribute15 or another approved extension attribute, the configuration steps are the same and only the source attribute changes:

Extension attribute example 1
Extension attribute example 2
Extension attribute example 3
Extension attribute example 4

tip

Use a single controlled vocabulary for the profile values sent in role and department so the Azure configuration and the Pyplan mapping stay aligned.