This page outlines how to configure Phocas with Microsoft Entra ID (previously called Azure AD) to enable single sign-on (SSO), a process typically carried out by the IT person in your organization with access to Entra ID.

The process involves moving between the two applications in five key steps, as outlined below. At the bottom of the page, you'll find some troubleshooting tips.

Step 1: Enable SSO in Entra ID

  1. Click + New > Enterprise Application.

  2. Click + Create your own application.

  3. Enter an application name in the text box and select the Integrate any other application you don't find in the gallery (Non-gallery) option.

  4. Click Create.

  5. In the 2. Set up single sign on panel, click Get started.

  6. Click SAML.

  7. Click the Edit button for Basic SAML Configuration. In the side panel that displays, click Enable SAML and enter a name. Keep this screen open.

Step 2: Enter the Phocas SSO details into Entra ID

  1. In Phocas, click Administration > Configuration, then scroll down to the Single sign-on (SSO) > Service Provider section.

  2. Copy the Service Provider Entity ID from Phocas, then in the Entra ID Identifier (Entity ID) section, click Add identifier and paste the ID into the box.

  3. Copy the Service Provider ACS URL from Phocas, then in the Entra ID Reply URL (Assertion Consumer Service URL) section, click Add reply URL and paste the URL into the box.

  4. Click Save.

Step 3: Enter the Entra ID SSO details into Phocas and complete the SSO setup

  1. Obtain the Entra ID SAML certificate:

    1. On the Entra ID Single Sign On page, scroll down to the 3 SAML Certificates section and download the Certificate (Base64) file.

    2. Open the downloaded certificate file in Notepad and copy the contents.

  2. On the Phocas Configuration page, in the Identity Provider (IP) section, enter the Entra ID SSO details:

    1. Paste the copied certificate contents into the X509 Certificate box.

    2. Copy the Login URL from Entra and paste it into the Single Sign On Service URL box.

    3. Copy the Microsoft Entra Identifier from Entra and paste it into the Entity ID box.

  3. Complete the SSO setup on the Phocas Configuration page, then click Save.

Step 4: Add the Phocas users and groups into Entra ID

  1. Click Users and groups in the left-hand menu.

  2. Click + Add user/group.

  3. Click None selected.

  4. Locate and select the user(s) or group(s) you want to have access to Phocas, then click Select at the bottom.

  5. Click Assign.

Step 5: Update the user accounts in Phocas to use the Entra ID usernames

In Phocas, update the user accounts (or create new user accounts) to use the Entra ID usernames. For example, use the email address or User Principal Name (UPN).

  • The usernames depend on the source attribute sent from Entra ID. This can be found in the Single sign-on > Attributes & Claims section.

  • [Screenshot: example of updated usernames in Phocas]

Troubleshooting

If a user signs in to Phocas using SSO and is returned to the Phocas sign-in page, the issue is most likely a user authentication issue. The username in Entra must match the username in Phocas; just a matching email address will not work.

If you have permission to view your Phocas logs, you can check whether the username is correct in Phocas. Go to Logs > Security and see what the Login failed via 'SAML' entry shows for the user and what the error message is. Here is an example of such a log:

    Login failed via 'SAML' for user 'john@example.com' with ID ''
    from IP address 'xx.xx.xx.xx' with User Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.31'
    due to reason 'InvalidUser'

The user shown here must match a Username in Phocas.

If SSO is not working and Logs > Security displays the following message, the configuration in Phocas is likely wrong. Repeat the steps above to set up the configuration again, copying the Login URL, the Microsoft Entra Identifier and the certificate from Entra ID afresh.

    Login information is incorrect. SAML configuration may be incorrect.
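The two checks above (Step 5's username matching and the Logs > Security entries) as an added Python example; this is not Phocas or Microsoft code, and the user records, Entra usernames and log lines are constructed samples:

```python
import re

# Constructed sample data for this example (not from the page or any real tenant).
# Phocas matches the SSO user against the account's Username field; a matching
# email address alone is not enough, so each record carries both for contrast.
PHOCAS_USERS = [
    {"username": "john@example.com", "email": "john@example.com"},
    {"username": "jsmith", "email": "jane.smith@example.com"},
]
# Usernames Entra ID sends in the assertion (the source attribute chosen under
# Single sign-on > Attributes & Claims, e.g. the UPN) for the assigned users.
ENTRA_USERNAMES = ["john@example.com", "jane.smith@example.com", "bob@example.com"]
# Constructed Logs > Security entries in the two formats the page shows.
SECURITY_LOG = """\
Login failed via 'SAML' for user 'jane.smith@example.com' with ID '' from IP address '203.0.113.10' with User Agent 'Mozilla/5.0' due to reason 'InvalidUser'
Login information is incorrect. SAML configuration may be incorrect.
"""
FAILURE_RE = re.compile(
    r"Login failed via 'SAML' for user '(?P<user>[^']*)'.*?due to reason '(?P<reason>[^']*)'"
)

def audit_usernames(phocas_users, entra_usernames):
    """Map each Entra username to 'ok' (exact Username match), 'email-only'
    (only the email field matches, which SSO rejects) or 'missing'."""
    usernames = {u["username"] for u in phocas_users}
    emails = {u["email"] for u in phocas_users}
    result = {}
    for name in entra_usernames:
        if name in usernames:
            result[name] = "ok"
        elif name in emails:
            result[name] = "email-only"
        else:
            result[name] = "missing"
    return result

def diagnose_log_line(line):
    """Classify one security-log line the way the troubleshooting section does."""
    m = FAILURE_RE.search(line)
    if m and m.group("reason") == "InvalidUser":
        return ("user-mismatch", m.group("user"))  # fix the Phocas Username (Step 5)
    if "SAML configuration may be incorrect" in line:
        return ("idp-config", None)  # re-enter the Identity Provider details (Step 3)
    return ("unknown", None)

def diagnose_log(text):
    """Classify every non-empty line of a Logs > Security extract."""
    return [diagnose_log_line(line) for line in text.splitlines() if line.strip()]
```

Run audit_usernames before enabling SSO to catch accounts that only match on email, and diagnose_log on an exported log extract to separate username problems from configuration problems.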

If you continue to have issues after setup, please contact our Support team.
