Authentication
      Back to home
      1. Knowledge base
      2. Administration
      3. Authentication

      Azure Active Directory single sign-on (SSO) integration with Orchidea

      In this tutorial, you'll learn how to integrate Orchidea with Azure Active Directory (Azure AD).

      📌This feature is available on Orchidea Professional and Enterprise plans

      Follow these steps to enable Azure AD SSO in the Azure portal.

      1. Click Home on the left side navigation in Orchidea. Then, from the browser address bar, write down the address of the Orchidea home page, which is in the format https://app.orchidea.dev/workspacename.

      2. Go to Azure Active Directory admin center. There, select All services from the left navigation. In the appearing menu, click Enterprise applications.
      3. Then, click + New application
      4. From the opening window, click +Create your own application.
      5. Name your App and choose the section Integrate any other application you don't find in the gallery (Non-gallery)

        Click Create from at the bottom of the window. The app is ready.

      6. Choose Assign users and groups from the opening window.

      7. Click +Add user/group to add users or groups you want to give access to Orchidea.

      8. Choose None Selected. You can then select the users and groups you want to give access to Orchidea from the window that appears on the right.


        Once you have selected the groups and users you want, click Select and Assign.
      9. Next, select Single sign-on from the inner navigation on the left side, and select SAML from the panels that appear.

      10. Click Edit from the section Basic SAML Configuration.
      11. In the window that appears on the right, fill in the following fields:
        1. Identifier (Entity ID) - Fill in here "https://orchidea.dev"
        2. Reply URL (Assertion Consumer Service URL) fill in the temporary response URL here "https://app.orchidea.dev/api/saml/login/" (you can't save the configuration if this field is empty)
        3. Sign on URL - Fill in the address of the Orchidea homepage you saved in step 1 of this guide.

          Finally, click Save to save your changes.
      12. Next, download the single sign-on metadata of the application you created under the SAML Signing Certificate from Federation Metadata XML - Download.



      13. Navigate to Workspace settings by clicking the sprocket icon in the right top corner of Orchidea.
      14. Click Authentication on the left-side navigation. Then, click + Add new IDP.



      15. In the window that appears, fill in the optional name of the IDP to the IDP name field. Then go to Metadata section and click Select File. Download in the appearing window the single sign-on metadata that you downloaded in step 12.


        After downloading the metadata, ensure that the IDP information for first name, last name, email, and username are linked to the corresponding information in Orchidea.

        If you want a new account to be automatically created for the users using this IDP, when they log in to Orchidea for the first time, fill in the allowed domains to the section under Automatic User Creation.
        Also check the Workspace settings that 1) the Allow invites and self signup from domains listed below is selected there, and 2) the same domains have been added there. Here is a link to a related article.
        When you are done, finally click Add New IDP at the bottom of the window.
      16. To copy the response URL, click Copy Response URL from the IDP line you just created.

      17. Go back to the last view of Azure Active Directory admin center and click Edit from Basic SAML Configuration.
      18. In the window that appears on the right, replace the temporary Reply URL (Assertion Consumer Service URL) you previously filled out - with the URL you saved in the step 16.

        Finally, click Save to save the changes.


      19. Next, test the integration with a username that has been given access to Orchidea in step 8. If you are testing with an existing user using password authentication, you must first go to set the user to use the IDP you just created in Admin settings. Turn on for this user also the setting Manual sign in. This allows the user to choose in sign in between single sign-on and password-based sign-in. This is practical if single sign-on has problems.



      20. If the single sign-on works as expected, you may want to finally turn on the IDP you just created for all the users who previously used password authentication. However, in case of problems in single sign-on, it is recommended that you turn on Manual sign in for at least a few Admin-level accounts.