
This page outlines how to configure Phocas with Microsoft Entra ID (previously called Azure AD) to enable single sign-on (SSO), a process typically carried out by the IT person in your organization with access to Entra ID.

The process involves moving between the two applications in five key steps, as outlined below. At the bottom of the page, you'll find some troubleshooting tips.

Step 1: Enable SSO in Entra ID

  1. Click + New > Enterprise Application.

  2. Click + Create your own application.

  3. On the right of your screen, enter an application name in the text box.

  4. Select the Integrate any other application you don’t find in the gallery (Non-gallery) option.

  5. Click Create.

  6. In the application, in the 2. Set up single sign on panel, click Get started.

  7. Click SAML.

  8. In the Basic SAML Configuration section, click the Edit button. Keep this screen open.

Step 2: Enter the Phocas SSO details into Entra ID

  1. In Phocas, click Administration > Configuration, then scroll down to the Single sign-on (SSO) > Service Provider section.

  2. Copy the Service Provider Entity ID from Phocas, then in the Entra ID Identifier (Entity ID) section, click Add identifier and paste the ID into the box.

  3. Copy the Service Provider ACS URL from Phocas, then in the Entra ID Reply URL (Assertion Consumer Service URL) section, click Add reply URL, and paste the URL into the box.

  4. Click Save to complete the creation process.

  5. Open the application in Entra ID and on the left-hand side, select the Single Sign On section.

  6. Scroll down to section 3 SAML Signing Certificate.

Step 3: Enter the Entra ID SSO details into Phocas and complete the SSO setup

  1. Obtain the Entra ID SAML certificate:

    1. On the Entra ID Single Sign On page, scroll down to the 3 SAML Certificates section and download the Certificate (Base64) file.

    2. Open the downloaded certificate file in Notepad and copy the contents.

  2. On the Phocas Configuration page, in the Identity Provider (IP) section, enter the Entra ID SSO details:

    1. Paste the copied certificate contents into the X509 Certificate box.

    2. Copy the Login URL from Entra ID and paste it into the Single Sign On Service URL box in Phocas.

    3. Copy the Microsoft Entra Identifier from Entra ID and paste it into the Entity ID box in Phocas.

  3. Complete the SSO setup on the Phocas Configuration page, then click Save.

Step 4: Add the Phocas users and groups into Entra ID

  1. Click Users and groups in the left-hand menu.

  2. Click + Add user/group.

  3. Click None selected.

  4. Locate and select the user(s) or group(s) you want to have access to Phocas, then click Select at the bottom.

  5. Click Assign.

Step 5: Update the user accounts in Phocas to use the Entra ID usernames

In Phocas, update the user accounts (or create new user accounts if required) to use the Entra ID usernames. For example, use the email address or User Principal Name (UPN).

  • The usernames depend on the source attribute sent from Entra ID. This can be found in the Single sign-on > Attributes & Claims section of the application.

Troubleshooting

If the user signs in to Phocas using SSO and is returned to the sign-in page, the issue is most likely a user authentication issue. The username in Entra ID must match the username in Phocas; a matching email address alone will not work.

If you have the Logs user permission to view your Phocas logs, you can check whether the username is correct in Phocas.

Go to Logs > Security and see what the Login failed via 'SAML' entry shows for the user and what the error message is. Here is an example of such a log entry:

    Login failed via 'SAML' for user 'john@example.com' with ID ''
    from IP address 'xx.xx.xx.xx' with User Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.31'
    due to reason 'InvalidUser'

If SSO is not working and Logs > Security displays the following message, the configuration in Phocas is likely wrong. Repeat the steps above to obtain the two URLs and the certificate again from Entra ID, then set up the configuration again.

    Login information is incorrect. SAML configuration may be incorrect.
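As an added illustration (not code from the original page or from Phocas), the following Python parses Logs > Security entries in the shape shown above and maps each one to the two causes this section describes: a username that does not match the name Entra ID sends, or a wrong Phocas-side SAML configuration. The entry format, the account list and the sample entry are constructed from the example on this page, and splitting a Phocas account into a username and an email is an assumption for the example.

```python
import re

# Field layout of the 'Login failed via ...' entry shown under Phocas Logs > Security
# on this page. The regex, the account list and the log entry below are constructed for
# this example (assumption: the entry format is stable across Phocas versions).
LOGIN_FAILED_RE = re.compile(
    r"Login failed via '(?P<method>[^']+)' for user '(?P<user>[^']*)' with ID '(?P<id>[^']*)' "
    r"from IP address '(?P<ip>[^']+)' with User Agent '(?P<ua>[^']*)' "
    r"due to reason '(?P<reason>[^']+)'"
)
SAML_CONFIG_MESSAGE = "Login information is incorrect. SAML configuration may be incorrect."

# Constructed sample: the entry from this page, wrapped over several lines as in the log viewer
SAMPLE_ENTRY = """Login failed via 'SAML' for user 'john@example.com' with ID ''
from IP address 'xx.xx.xx.xx' with User Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.31'
due to reason 'InvalidUser'"""

# Constructed sample of Phocas accounts (assumption: each has a username and an email)
SAMPLE_ACCOUNTS = [
    {"username": "john.smith", "email": "john@example.com"},   # not yet updated per Step 5
    {"username": "Jane@example.com", "email": "jane@example.com"},
]


def parse_login_failure(entry):
    """Return the fields of one 'Login failed via ...' entry, or None if it does not match."""
    m = LOGIN_FAILED_RE.search(" ".join(entry.split()))   # join the wrapped lines first
    return m.groupdict() if m else None


def diagnose(entry, accounts):
    """Map one Logs > Security entry to (category, detail) using the two causes above:
    'saml_config' for the Phocas-side message; for an InvalidUser SAML failure, whether the
    sent name matches a Phocas username exactly, only by case, only by email, or not at all."""
    if SAML_CONFIG_MESSAGE in entry:
        return "saml_config", "re-enter the Login URL, Entra Identifier and certificate"
    f = parse_login_failure(entry)
    if f is None or f["method"] != "SAML" or f["reason"] != "InvalidUser":
        return "other", (None if f is None else f["reason"])
    user = f["user"]
    if any(a["username"] == user for a in accounts):
        return "username_ok", user            # exact match exists; the cause is elsewhere
    for a in accounts:
        if a["username"].lower() == user.lower():
            return "username_case_mismatch", a["username"]
        if a["email"].lower() == user.lower():
            return "email_only_match", a["username"]   # fix: set username to the Entra ID name
    return "no_account", user
```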

If you continue to have issues after setup, please contact our Support team.
