Set up SSO for Phocas in Microsoft Entra ID

This page outlines how to configure Phocas with Microsoft Entra ID (previously called Azure AD) to enable single sign-on (SSO), a process typically carried out by the IT person in your organization with access to Entra ID.

The process involves moving between the two applications. The following key steps are outlined in detail below:

Enable SSO in Entra ID > Enter the Phocas SSO details into Entra ID > Enter the Entra ID SSO details into Phocas and complete the SSO setup > Add the Phocas users and groups into Entra ID > Edit the user accounts in Phocas to use the Entra ID usernames.

At the bottom of the page, you'll find some troubleshooting tips.


  1. Enable SSO in Entra ID:

    1. Click + New > Enterprise Application.

    2. Click + Create your own application.

    3. Enter an application name in the text box.

    4. Select this option: Integrate any other application you don’t find in the gallery (Non-gallery).

    5. Click Create.

    6. In the 2. Set up single sign on panel, click Get started.

    7. Click SAML.

    8. In the Basic SAML Configuration panel, click the Edit button. Keep this screen open.

  2. Enter the Phocas SSO details into Entra ID:

    1. In Phocas, click Administration > Configuration, then scroll down to the Single sign-on (SSO) > Service Provider section.

    2. Copy the Entity ID from Phocas, then in the Entra ID Identifier (Entity ID) section, click Add identifier and paste the ID into the box.

    3. Copy the ACS URL from Phocas, then in the Entra ID Reply URL (Assertion Consumer Service URL) section, click Add reply URL, and paste the URL into the box.

    4. Click Save.

  3. Enter the Entra ID SSO details into Phocas:

    1. Enter the Entra ID SAML certificate:

      1. On the Entra ID Single Sign On page, scroll down to the 3 SAML Certificates section and download the Certificate (Base64) file.

      2. Open the downloaded certificate file in Notepad and copy the contents.

      3. On the Phocas Configuration page, paste the copied certificate contents into the X509 Certificate box.

    2. Copy the Login URL from Entra and paste it into the Single Sign On Service URL box in the Identity Provider (IP) section of the Phocas Configuration page.

    3. Copy the Entra Identifier from Entra and paste it into the Entity ID box in the Identity Provider (IP) section of the Phocas Configuration page.

  4. Complete the SSO setup on the Phocas Configuration page, then click Save.

  5. In Entra ID, add the Phocas users and groups:

    1. Click Users and groups in the left-hand menu.

    2. Click + Add user/group.

    3. Click None selected.

    4. Locate and select the user(s) or group(s) you want to have access to Phocas, then click Select at the bottom.

    5. Click Assign.

  6. In Phocas, update the user accounts (or create new user accounts) to use the Entra ID usernames. For example, use the email address or User Principal Name (UPN).

    • The usernames depend on the source attribute sent from Entra ID. This can be found in the Single sign-on > Attributes & Claims section.

    • Here’s an example of updated usernames in Phocas:


Troubleshooting

If the user signs in to Phocas using SSO and returns to the sign-in page, the issue is most likely a user authentication issue. The username in Entra must match the username in Phocas; just a matching email address will not work.

If you have permission to view your Phocas logs, you can check whether the username is correct in Phocas.

Go to Logs > Security and see what the Login failed via 'SAML' entry shows for the user and what the error message is. Here is an example of such a log:

Login failed via 'SAML' for user 'john@example.com' with ID '' from IP address 'xx.xx.xx.xx' with User Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.31' due to reason 'InvalidUser'

If SSO is not working and the Logs > Security page displays the following message, the configuration in Phocas is likely wrong. Repeat the steps above to set up the configuration again.

Login information is incorrect. SAML configuration may be incorrect.
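As an added example (not part of the Phocas product or its documentation), the following Python script parses security-log lines in the two formats quoted above and classifies each failure by the rules in this section: an 'InvalidUser' entry is checked against the usernames held in Phocas, and the configuration message is reported separately. The sample log lines and the PHOCAS_USERS set are constructed values.

```python
import re

# Constructed sample entries in the Logs > Security format quoted above (not real logs).
SAMPLE_LOG = """\
Login failed via 'SAML' for user 'john@example.com' with ID '' from IP address '203.0.113.10' with User Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' due to reason 'InvalidUser'
Login failed via 'SAML' for user 'jane@example.com' with ID '' from IP address '203.0.113.11' with User Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' due to reason 'InvalidUser'
Login information is incorrect. SAML configuration may be incorrect.
"""

# Usernames as they currently exist in Phocas (constructed). jane's account still
# carries an older name, so the value Entra ID sends for her does not match it.
PHOCAS_USERS = {"john@example.com", "jane.doe@example.com"}

FAILURE_RE = re.compile(
    r"Login failed via 'SAML' for user '(?P<user>[^']*)' with ID '(?P<id>[^']*)' "
    r"from IP address '(?P<ip>[^']*)' with User Agent '(?P<ua>[^']*)' "
    r"due to reason '(?P<reason>[^']*)'"
)


def parse_saml_failure(line):
    """Return the fields of a 'Login failed via SAML' entry, or None for any other line."""
    match = FAILURE_RE.search(line)
    return match.groupdict() if match else None


def diagnose(log_text, phocas_users):
    """Map each relevant log line to a (kind, user, hint) tuple using this page's rules."""
    by_lower = {u.lower(): u for u in phocas_users}
    findings = []
    for line in log_text.splitlines():
        if "SAML configuration may be incorrect" in line:
            findings.append(("config", None, "Phocas SSO configuration is likely wrong; repeat the setup steps"))
            continue
        entry = parse_saml_failure(line)
        if entry is None or entry["reason"] != "InvalidUser":
            continue
        user = entry["user"]
        if user in phocas_users:
            findings.append(("user_exists", user, "an account with this exact username exists in Phocas; the username itself is not the mismatch"))
        elif user.lower() in by_lower:
            findings.append(("case_mismatch", user, f"Phocas has '{by_lower[user.lower()]}', which differs only in case; make the two identical"))
        else:
            findings.append(("user_missing", user, "no Phocas account uses this username; set it to the value Entra ID sends (see Attributes & Claims)"))
    return findings


if __name__ == "__main__":
    for kind, user, hint in diagnose(SAMPLE_LOG, PHOCAS_USERS):
        print(f"{kind:14} {user or '-':22} {hint}")
```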

If you continue to have issues after setup, please contact our Support team.