--- title: "Azure Active Directory SSO" description: "Set up Azure Active Directory single sign-on (SSO) on Sentry." url: https://docs.sentry.io/organization/authentication/sso/azure-sso/ --- # Azure Active Directory SSO ## [Installation](https://docs.sentry.io/organization/authentication/sso/azure-sso.md#installation) If you change your organization slug, you'll need to make the same update in the steps where you enter the SAML configuration values. 1. Log in to the [Azure portal](https://portal.azure.com/). 2. Under "Manage Azure Active Directory" (the picture of the shield), click "View". This takes you to the **Organization Overview** page. 3. If you don't require a permission group for Sentry, skip to Step 5. 4. In the search bar, search for "Groups" then navigate to it. From there, create a new group, add an owner and members to the group. Set "Group type" to Office 365. For more details about group creation, see the [Azure docs](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal). 5. Return to the **Overview** page. In the search bar, enter `Enterprise Applications`, then navigate to it. Click "+ New application". Search for `Sentry` to create the application. 6. Once the application is created, you'll be directed to **Sentry - Overview**. 7. Click on "1. Assign users and groups", then "+ Add user". Add yourself and the group you've created to the Sentry app. Click "Assign". 8. Navigate back to **Overview**, click on "2. Set up single sign-on" and then select SAML as your single sign-on method. 9. For Section (1), labeled "Basic SAML Configuration", enter the following data in each line and save your changes. * Identifier (Entity ID): `https://sentry.io/saml/metadata/YOUR_ORG_SLUG/` Ensure that the URL includes a trailing slash to prevent Azure from throwing a misconfiguration error (AADSTS650056). * Reply URL (Assertion Consumer Service URL): `https://sentry.io/saml/acs/YOUR_ORG_SLUG/` * Sign on URL: `https://sentry.io/auth/login/YOUR_ORG_SLUG/` * Relay State: `https://sentry.io/organizations/YOUR_ORG_SLUG/` * Logout URL: `https://sentry.io/saml/sls/YOUR_ORG_SLUG/` 10. In Section (2), labeled "Attributes & Claims", click Edit. On the new page, click "Unique User Identifier (Name ID)" and change the "Name Identifier Format" to Unspecified. Save the changes. 11. In Section (3), labeled "SAML Certificates", copy the "App Federation Metadata URL". 12. Navigate to your **Org Settings > Auth** (or go to `https://sentry.io/settings/YOUR_ORG_SLUG/auth/`) and click on "Configure" for Active Directory. 13. Paste the App Federation Metadata URL from above and click "Get Metadata". 14. In the next page, enter the following keys in their respective fields to map the attributes from AzureAD to Sentry, and then save them. * IdP User ID: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` * User Email: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` * First Name: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname` * Last Name: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname` For more details about mappings for custom configs, see [The Role of Claims](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims). 15. Sentry will attempt to authenticate and link your account with Azure. After successful authentication, you'll be redirected to Sentry's SSO configuration page, where you can take the following actions: * You can share the "Login URL" value, which will be used for SP-initiated SSO, with the users in your organization. * Scroll down to the bottom and ensure that "Require SSO" is checked if you want to enforce logging in with Azure Active Directory. * Set a "Default Role" for new SSO users. Selecting "Member" should cover most use cases. * If you made changes, click "Save Settings" to complete your setup. ## [SCIM Integration](https://docs.sentry.io/organization/authentication/sso/azure-sso.md#scim-integration) This feature is only available if your organization is on a Business or Enterprise plan; it is not available on Trial plans. If you change your organization slug, you'll need to make the same update in the steps where you enter the SCIM configuration values. Sentry users can manage provisioning using Azure with SCIM. You'll need to have Azure SSO set up and configured for your organization already. Sentry supports User and Group provisioning with Azure. ### [Sentry Configuration](https://docs.sentry.io/organization/authentication/sso/azure-sso.md#sentry-configuration) 1. Sign in to [sentry.io](https://sentry.io). Select **Settings > Auth** 2. Under General Settings select "Enable SCIM", then "Save Settings" * Sentry will display "SCIM Information" that contains your Auth Token and SCIM Base URL. ### [Azure Configuration](https://docs.sentry.io/organization/authentication/sso/azure-sso.md#azure-configuration) 1. Log in to the [Azure portal](https://portal.azure.com/). 2. In your Azure portal, navigate to **Enterprise applications** in the sidebar. 3. Select the existing Sentry application. 4. Select "Provisioning" from the "Manage" menu. 5. Set "Provisioning Mode" to "Automatic". 6. Use the values from your Sentry SCIM configuration to enter your SCIM URL in the "Tenant URL" field and your SCIM Auth token in the "Secret Token" field. 7. Select "Test Connection" and wait for the message that confirms that the credentials are authorized to enable provisioning. We recommend that you select the option to "Send an email notification when a failure occurs". As a result of these changes, users who are assigned will be sent an invitation email. When a user is un-assigned, their membership object in Sentry will be deleted. You can use Use Group Provisioning to sync and assign groups in Azure; they will be reflected in Sentry teams. Please see the [Microsoft AD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sentry-provisioning-tutorial) for further documentation on Azure provisioning setup. If you are using a custom enterprise application, you **must** follow the instructions for only enabling attribute mappings that Sentry supports (Step 5).