Azure SSO
Capcade provides the option to enhance security and streamline access with Single Sign-On (SSO). This allows users to log in to Capcade with their company's Azure Active Directory credentials.
Before you begin setup
Please verify that you have the necessary configurations and permissions enabled on Capcade:
Since SSO is set up on an entity level for all members of the entity, your entity users must be formally placed in an entity (learn more about entities on Capcade here)
You will need to be an entity admin to configure SSO for your entity (learn how to configure entity permissions here)
Your entity's plan must have the SSO feature enabled (contact your Capcade account representative or message chat support to request access)
Please note that you will also need to have a member of your IT team involved in the process of setting this up.
Within Azure (identity provider), please ensure that you can access the "Create Your Own Application" option in Azure Active Directory. You can learn more about how to create your own application in Azure Active Directory.
Step 1: Initial setup in Capcade
Click on "Entity" in the left-hand navigation pane
Click "Settings"
Toggle "Single sign-on" on
Click "Edit"
Type "Azure" as the name of your identity provider
Copy the Registration ID
You will then paste the Registration ID in place of REGISTRATION_ID in the Federation Metadata XML provided to you by Azure Active Directory when you create your own application in Azure in the next step.
Step 2: Initial setup in Azure
Go to Azure Active Directory
Click "Enterprise applications"
Click "New application"
Click "Create Your Own Application"
Under "What's the name of your app?" enter Capcade as the application name and select the "Integrate any other application you don't find in the gallery (Non-gallery)" option
Click "Create"
Click "Single Sign-On" and select "SAML" as a "single sign-on method"
Click "Edit" in the section "Basic SAML Configuration"
In the "Basic SAML Configuration", enter the following:
For "Identifier (Entity ID)" enter
https://api.capcade.com/saml2/service-provider-metadata/REGISTRATION_ID
and replace "REGISTRATION_ID" in the URL with the Registration ID generated in step 6 from the initial setup in Capcade
For "Reply URL (Assertion Consumer Service URL)" enter
https://api.capcade.com/login/saml2/sso/REGISTRATION_ID
and replace "REGISTRATION_ID" in the URL with the Registration ID generated in step 6 from the initial setup in Capcade
Click "Save"
Click "Edit" in the section "Attributes & Claims"
In "Attributes & Claims", enter the following:
In the "Required claim" section, for the "Unique User Identifier (Name ID)" choose "user.mail"
In the "SAML Certificates" section you can find the Federation Metadata XML. Download this so you can upload the XML file in the "Configure identity provider" dialog box in Capcade.
Step 3: Activate SSO in Capcade
Return to the "Configure identity provider" dialog in Capcade
Click on "Upload" and upload the XML metadata file you downloaded from Azure in the previous step
Click "SAVE CONFIGURATION"
Your SSO should now be set up. After you enter your email on the Capcade login page, an option to log in via SSO will be available.
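The values from Steps 1 and 2 can be checked offline before the metadata file is uploaded in Step 3. The Python below is an added example, not Capcade's or Microsoft's code: it builds the two Basic SAML Configuration URLs from the Registration ID and summarises what the downloaded Federation Metadata XML would make Capcade trust (IdP entity ID, sign-on endpoints, signing-certificate fingerprint). The function names and the sample metadata with its tenant placeholder are assumptions constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CERT_PATH = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def capcade_sp_urls(registration_id):
    """Build the two Basic SAML Configuration values from the Registration ID."""
    rid = registration_id.strip()
    if not rid or rid == "REGISTRATION_ID" or any(c in rid for c in "/?# "):
        raise ValueError("use the Registration ID copied from Capcade")
    return {"entity_id": f"https://api.capcade.com/saml2/service-provider-metadata/{rid}",
            "reply_url": f"https://api.capcade.com/login/saml2/sso/{rid}"}

def check_idp_metadata(xml_text):
    """Summarise what the metadata file will make Capcade trust, or raise."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("refusing metadata that declares a DTD or entities")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata")
    sso = [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)]
    if not sso or not all(u.startswith("https://") for u in sso):
        raise ValueError("every SingleSignOnService Location must be https")
    certs = [base64.b64decode("".join(c.text.split())) for c in idp.findall(CERT_PATH, NS) if c.text]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"idp_entity_id": root.get("entityID"),
            "sso_locations": sso,
            "signing_cert_sha256": [hashlib.sha256(c).hexdigest() for c in certs]}

# Constructed sample shaped like a Federation Metadata XML file; the tenant ID
# is a placeholder and the certificate body is dummy bytes, not a real cert.
SAMPLE_CERT = base64.b64encode(b"constructed-dummy-certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{SAMPLE_CERT}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(capcade_sp_urls("REG-ID-PLACEHOLDER"), check_idp_metadata(SAMPLE_METADATA), sep="\n")
```

Recording the fingerprint at setup time makes a later, unexpected change of the signing certificate in a re-downloaded metadata file easy to notice.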
SSO Glossary
Identifier (Entity ID): The unique ID that identifies your application to Azure Active Directory. This value must be unique across all applications in your Azure Active Directory tenant. The default identifier will be the audience of the SAML response for IDP-initiated SSO.
Reply URL (Assertion Consumer Service URL): The reply URL is where the application expects to receive the authentication token. This is also referred to as the “Assertion Consumer Service” (ACS) in SAML.
To learn more about your organization and profiles, visit the collection of articles in our help guide.
