This document provides instructions on configuring Entra ID (Azure AD) for federated authentication with Cupix using SAML.
During this process, you will create two separate applications: a SAML application and a Linked Sign-on application. The SAML application facilitates Service Provider (Cupix)-initiated SSO, while the Linked Sign-on application handles Identity Provider (Microsoft Entra ID)-initiated authentication.
Step 1: Create SAML App
Add new application in Azure AD
- Log in to the Azure Portal.
- Choose Microsoft Entra ID (Azure Active Directory).
- In the left sidebar, choose Enterprise applications.
- Choose New application.
- On the Browse Azure AD Gallery page, choose Create your own application.
- Under What’s the name of your app?, enter a name for your application and select Integrate any other application you don’t find in the gallery (Non-gallery), as shown in Figure 1. Choose Create.
Figure 1: Add an enterprise app in Azure AD
It will take a few seconds for the application to be created in Azure AD, then you should be redirected to the Overview page for the newly added application.
Note: Occasionally, this step can result in a Not Found error, even though Azure AD has successfully created a new application. If that happens, in Azure AD navigate back to Enterprise applications and search for your application by name.
Set up Single Sign-on using SAML
- On the Getting started page, in the Set up single sign on tile, choose Get started, as shown in Figure 2.
Figure 2: Application configuration page in Azure AD
- On the next screen, select SAML.
- In the middle pane under Set up Single Sign-On with SAML, in the Basic SAML Configuration section, choose the edit icon.
- In the right pane under Basic SAML Configuration, add the Identifier (Entity ID) of your Cupix region. In the Reply URL (Assertion Consumer Service URL) field, enter the Reply URL of your Cupix region, as shown in Figure 3. Choose Save. The values for each region are listed in Table 1.
Figure 3: Azure AD SAML-based Sign-on setup
| Cupix Region | Entity ID | Reply URL |
|---|---|---|
| US (cupix.works) | urn:amazon:cognito:sp:us-west-2_kpPKYsz8Q | https://us.auth.cupix.com/saml2/idpresponse |
| EU (cupix-eu.works) | urn:amazon:cognito:sp:eu-central-1_woHt84y4Y | https://eu.auth.cupix.com/saml2/idpresponse |
| AU (cupix-au.works) | urn:amazon:cognito:sp:ap-southeast-2_k6Jm7NFke | https://au.auth.cupix.com/saml2/idpresponse |
| JP (cupix-jp.works) | urn:amazon:cognito:sp:ap-northeast-1_gPfw2YH4j | https://jp.auth.cupix.com/saml2/idpresponse |
| SG (cupix-sg.works) | urn:amazon:cognito:sp:ap-southeast-1_ukw7W7cRK | https://sg.auth.cupix.com/saml2/idpresponse |
| CA (cupix-ca.works) | urn:amazon:cognito:sp:ca-central-1_eDxDCPdHx | https://ca.auth.cupix.com/saml2/idpresponse |
Table 1: Entity ID and Reply URL for Cupix regions
- In the middle pane under Set up Single Sign-On with SAML, in the Attributes & Claims section, choose Edit.
- Set the claim names and namespaces for Additional Claims as shown in Table 2.
‘name’, ‘given_name’ and ‘family_name’ are optional, but ‘email’ is mandatory for SSO integration.
| Source attribute | Name | Namespace |
|---|---|---|
| user.mail | email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims |
| user.givenname | given_name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims |
| user.userprincipalname | name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims |
| user.surname | family_name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims |
Table 2: Claim names
- Choose Add a group claim.
- Select Groups assigned to the application, set Source attribute as Cloud-only group display names, as shown in Figure 4. Choose Save.
Figure 4: Option to select group claims
This adds the group claim so that Cupix can receive the group membership details of the authenticated user as part of the SAML assertion.
- Close the User Attributes & Claims screen by choosing the X in the top right corner. You’ll be redirected to the Set up Single Sign-on with SAML page.
- Scroll down to the SAML Signing Certificate section, and copy the App Federation Metadata Url by choosing the copy-to-clipboard icon (highlighted with a red arrow in Figure 5). Paste this URL into a text editor and save it as a text file.
Figure 5: Copy SAML metadata URL from Azure AD
- Download the Federation Metadata XML file.
- Send the App Federation Metadata Url text file and the Federation Metadata XML file to Cupix Support.
Set app invisible
The user access URL created in the previous step may not function correctly. If you attempt to open the link, you will encounter an error message (see Figure 6). It is therefore recommended to mark this app as invisible so that users do not see it listed in their My Apps. In Step 2, you will create a separate application that will be displayed in My Apps.
Figure 6: User access URL is invalid
To set the app invisible,
- In the left sidebar, choose Properties.
- Select No for Visible to users.
Figure 7: Set app invisible
Add user/group
- In the left sidebar, choose Users and groups.
- Add users or groups to allow them to use Cupix.
User and group provisioning works as follows:
- When a user logs into Cupix via SSO for the first time, their account is automatically created in Cupix.
- If the user belongs to one or more Azure AD groups, each of those groups is matched by name and automatically created in Cupix (if it does not already exist). The user is then added to the corresponding groups in Cupix.
Group membership is updated on each login:
- Whenever a user logs into Cupix via SSO, their current Azure AD group memberships are checked.
- If the user has been added to a new Azure AD group, Cupix will:
- Create that group (if it doesn't exist), and
- Add the user to it.
- If the user is no longer in a group they previously belonged to, Cupix will remove the user from that group.
However, deletions are not synchronized:
- If a user or group is deleted in Azure AD, they will remain in Cupix. Manual cleanup is required if needed.
Group name is the key identifier:
- Azure AD groups are matched by name only, regardless of whether the group in Cupix is a system-defined or custom group.
- For example, if a user is a member of an Azure AD group named Administrators, they will be placed in the Cupix system-defined Administrators group.
Important:
Any permission settings applied to users or groups within Azure AD are not reflected in Cupix. Access to workspaces or projects must be managed separately within Cupix.
Figure 8: Add user and group
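The provisioning rules above (account created on first login, groups matched by display name and created on demand, membership removed when the user leaves an Entra group, but nothing deleted) can be modelled in a few lines. The following is an added illustration, not Cupix's own code: it parses a constructed, unsigned sample assertion carrying the Table 2 email claim and a group claim, then applies those rules to an in-memory model of a Cupix workspace. The group claim name used here is Entra's default groups claim and is assumed, since the page does not name it.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"   # namespace from Table 2
# Assumption: Entra's default group claim name; values are display names because the
# source attribute was set to "Cloud-only group display names".
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion (signature and other elements omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>Administrators</saml:AttributeValue>
      <saml:AttributeValue>Surveyors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_claims(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return claims


def reconcile(workspace, claims):
    """Apply the page's provisioning rules for one SSO login to an in-memory workspace."""
    email = claims[CLAIMS + "email"][0]            # 'email' is the mandatory claim
    idp_groups = set(claims.get(GROUPS, []))
    workspace.setdefault("users", set()).add(email)   # first login creates the account
    # System-defined group pre-exists; an Entra group of the same name maps onto it.
    groups = workspace.setdefault("groups", {"Administrators": set()})
    for name in idp_groups:
        groups.setdefault(name, set()).add(email)  # create if missing, then add the user
    for name, members in groups.items():
        if name not in idp_groups:
            members.discard(email)                 # left the Entra group: drop membership
    # Groups and users are never deleted here; that cleanup is manual in Cupix.
    return workspace
```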
Step 2: Add Linked Sign-on app for My App
Once you've completed Step 1, Cupix Support will provide you with a Sign-on URL. You can then use this URL to create an application that will be listed in My Apps.
Add new application in Azure AD
- In the left sidebar, choose Enterprise applications.
- Choose New application.
- On the Browse Azure AD Gallery page, choose Create your own application.
- Under What’s the name of your app?, enter a name for your application and select Integrate any other application you don’t find in the gallery (Non-gallery). Choose Create.
Set up Single Sign-on using Linked
- In the left sidebar, select Single sign-on.
- On the Select a single sign-on method page, select Linked.
- Enter the provided Sign-on URL, then choose Save.
Add user/group
- In the left sidebar, choose Users and groups.
- Add users or groups to allow them to use Cupix.