Configure SSO with Microsoft Entra ID
Follow these steps to configure SAML-based SSO with SecurityScorecard as the Service Provider (SP) and Microsoft Entra ID as the Identity Provider (IdP).
Step 1. Create a new application in Microsoft Entra ID
- Sign in to the Microsoft Entra admin center.
- Go to Enterprise Applications.
- In the Microsoft Entra App Gallery, select Create your own application, and name it SecurityScorecard.
- Confirm the new application appears under All Applications.
Step 2: Configure user attributes and claims
Map the required user attributes between SecurityScorecard and Microsoft Entra ID so they align with SecurityScorecard’s SSO requirements.
Step 3: Configure Single Sign-On (SAML)
- Open the newly created application.
- From the Overview page, select Set up Single Sign-On and choose SAML.
-
In Basic SAML Configuration, enter the following values provided by SecurityScorecard:
Field Value Metadata URL https://platform-api.securityscorecard.io/v1/saml/metadata/service-provider Assertion Consumer Service, sometimes referred to as Single sign on URL https://platform-api.securityscorecard.io/v1/saml/responses (HTTP-POST) Entity ID, sometimes referred to as Audience URI (SP Entity ID) https://platform-api.securityscorecard.io/saml2/service-provider
For more information, see this article.
Step 4: Download and upload federation metadata
After completing the Basic SAML Configuration:
- Download the Federation Metadata XML file from Microsoft Entra ID.
- In SecurityScorecard, go to your profile avatar and select My Settings.
- Select Single Sign-On (SSO) settings > Configure and upload the metadata file. For more information, see this article.
Optional: Configure SecurityScorecard SSO manually
If you prefer manual configuration instead of uploading metadata:
- Enter the ACS URL and Entity ID from Microsoft Entra ID directly into SecurityScorecard's SAML settings.
- Refer to the SecurityScorecard article for specific instructions.
Step 5: Test SSO
Test the configuration by signing in with a Microsoft Entra ID test user to confirm authentication completes successfully.
Configure SCIM provisioning
SecurityScorecard supports SCIM provisioning from Microsoft Entra ID for users and groups, including role assignment.
Step 1: Connect SecurityScorecard to SCIM in Microsoft Entra ID
In Microsoft Entra ID, go to Enterprise applications.
Select the SecurityScorecard custom application you created earlier.
From the left navigation, go to Manage > Provisioning > Get started > Connect your application.
-
Enter the following values:
Tenant URL:
https://platform-api.securityscorecard.io/scim/v2/Secret token: Use the SCIM API token generated in the SecurityScorecard platform.
Select Test connection to test your settings.
Step 2: Create app roles in APP Registrations
SCIM role provisioning requires app roles to be defined at the application level.
In Microsoft Entra ID, search for App registrations and select the SecurityScorecard application.
Under Manage, select App roles.
-
Select Create app role to create the following roles:
Name Value CUSTOMER_ADMIN CUSTOMER_ADMIN VRM VRM USER USER GUEST GUEST
Step 3: Assign roles to users
- Go to Enterprise Applications and select the SecurityScorecard application.
- Open Users and groups and select one or more users.
- Select Edit assignment.
- Under Select a role, choose the appropriate role.
- Click Select and then Assign.
Step 4: Create the sscRoles custom attribute for user provisioning
- In Enterprise applications, go to the SecurityScorecard application and select Provisioning.
- Select Get started > Add scoping filters.
- Choose Provision Microsoft Entra ID Users.
- Select Show advanced options and then select Edit attribute list for customappsso.
- Create a new attribute:
- Name:
sscRoles - Required: Enabled
- Name:
- Select Save.
Step 5: Map app roles to the sscRoles attribute
- After saving the attribute list, select Add new mapping.
-
Enter the following values:
Field Value Mapping type Expression Expression SingleAppRoleAssignment([appRoleAssignments])Target attribute sscRoles - Select Save.
- Confirm that all attributes are moved, except for the following:
- userName
- active
- displayName
- emails[type eq "work"].value
- name.givenName
- name.familyName
- name.formmated
- sscRoles
Note: SecurityScorecard requires the following fields to be populated per user in Entra ID. If any are missing, provisioning will fail for that user:
- userPrincipalName
- displayName
- givenName
- surname
To update a user:
- Go to Identity > All users.
- Select the user.
- Select Edit properties.
- Populate First name and Last name (if missing).
- Save your changes.
Step 7: Provision users on demand
- Return to Enterprise applications and go to SecurityScorecard > Provisioning.
- Select Provision on demand.
- Choose the user you want to provision.
- Click Provision.
A success message appears once provisioning completes.
Step 8: Enable group provisioning with sscRoles
To provision groups, the sscRoles attribute must also be added to group provisioning.
- In Enterprise applications, go to SecurityScorecard > Provisioning.
- Select Get started > Add scoping filters.
- Choose Provision Microsoft Entra ID Groups.
- Enable Show advanced options and then select Edit attribute list for customappsso.
- Create a new attribute with the following:
-
Name:
sscRoles -
Required: Enable
-
Name:
- Save your changes.
Step 9: Map app roles to the sscRoles attribute (Groups)
- Once the new attribute is saved, select Add new mapping.
- Enter the following values:
- Mapping Type: Expression
-
Expression:
SingleAppRoleAssignment([appRoleAssignments]) -
Target attribute:
sscRoles
- Select Save.