SecureHiveDocs
Sign InGet Started
Back to Documentation

Identity Provider Authentication

Configure Single Sign-On (SSO) with Microsoft Entra ID using either OIDC or SAML protocols

Documentation
Authentication SetupOIDC ConfigurationSAML ConfigurationTroubleshootingSCIM (Enterprise Application)Best Practices
Identity Provider Authentication Setup
Configure Single Sign-On (SSO) with Microsoft Entra ID using either OIDC or SAML protocols

Where to configure what in Azure

Microsoft splits configuration by design. Use the right place for each feature:

  • App Registration → OIDC/SSO only (client ID, client secret, redirect URIs, API permissions).
  • Enterprise Application (non-gallery) → SCIM provisioning (Provisioning → Tenant URL + Secret Token), SAML SSO (if used), and user/group assignment.

For SCIM user provisioning, configure the Enterprise Application, not the App Registration.

OIDC Authentication

Modern, token-based authentication using OAuth 2.0 and OpenID Connect.

✓ Modern Protocol✓ Token-based✓ REST API Support
SAML 2.0 Authentication

Enterprise-grade authentication using Security Assertion Markup Language.

✓ Enterprise Standard✓ XML-based✓ High Security

Which Protocol Should You Choose?

Choose OIDC if:

  • You prefer modern APIs and token-based authentication
  • Need mobile app support
  • Want easier integration with REST APIs
  • Require API permissions for additional data access

Choose SAML if:

  • You have enterprise requirements and existing SAML infrastructure
  • Need maximum security with XML-based assertions
  • Want simpler setup (no API permissions required)
  • Prefer attribute-based authentication over token-based
OIDC Configuration with Microsoft Entra ID
Step-by-step guide to configure OpenID Connect authentication
1

Create App Registration in Azure Portal

Navigate to Azure Portal → Azure Active Directory → App registrations → New registration

Name: Secure Hive - [Your Organization]

Supported account types: Accounts in this organizational directory only

Redirect URI: Web - https://yourdomain.com/auth/sso/callback

2

Configure Authentication

In your app registration, go to Authentication → Add a platform

Platform: Web

Redirect URIs:

  • https://yourdomain.com/auth/sso/callback
  • https://yourdomain.com/auth/sso/logout

Front-channel logout URL: https://yourdomain.com/auth/sso/logout

3

Configure API Permissions

Go to API permissions → Add a permission → Microsoft Graph

Delegated permissions:

  • openid - Sign users in
  • profile - View users' basic profile
  • email - View users' email address
  • User.Read - Sign in and read user profile
4

Get Application Credentials

Navigate to Overview → Copy the following values

Application (client) ID: Copy this value

Directory (tenant) ID: Copy this value

Client Secret: Go to Certificates & secrets → New client secret

5

Configure in Secure Hive

Navigate to Settings → Identity Provider Configuration

OIDC Configuration Values:

Client IDFrom Azure
Application (client) ID from Azure
Client SecretFrom Azure
Client secret from Azure
Redirect URIRequired
https://yourdomain.com/auth/sso/callback
IssuerRequired
https://login.microsoftonline.com/{tenant-id}/v2.0
SAML 2.0 Configuration with Microsoft Entra ID
Step-by-step guide to configure SAML 2.0 authentication
1

Create Enterprise Application in Azure Portal

Navigate to Azure Portal → Azure Active Directory → Enterprise applications → New application

Name: Secure Hive - [Your Organization]

Application type: Non-gallery application

Description: Secure Hive SAML SSO Integration

2

Configure Single Sign-On

In your enterprise application, go to Single sign-on → SAML

Basic SAML Configuration:

Identifier (Entity ID)Required
https://sts.windows.net/{tenant-id}/
Reply URL (ACS URL)Required
https://yourdomain.com/auth/saml/acs
Sign on URLOptional
https://yourdomain.com/auth/sso/login
3

Review User Attributes & Claims

Azure AD automatically configures default SAML claims. Review these in User attributes & claims. No API permissions required for SAML!

Default Azure SAML Claims:

Unique User Identifier (Name ID)user.userprincipalname
Email Address
emailaddressuser.mail
Given Name
givennameuser.givenname
Name
nameuser.userprincipalname
Surname
surnameuser.surname

Note: These are the default claims automatically configured by Azure AD. SecureHive will automatically map these to user profile fields during authentication.
SAML advantage: No API permissions needed - user attributes are sufficient!

Optional Claims for Enhanced Functionality:

Display Name
displaynameuser.displayname
Object ID
objectidentifieruser.objectid
Groups
groupsuser.groups
4

Download Federation Metadata

Go to Single sign-on → SAML → Download Federation Metadata XML

Save the FederationMetadata.xml file - you'll need this for Secure Hive configuration.

5

Configure in Secure Hive

Navigate to Settings → Identity Provider Configuration

IDP Type: SAML 2.0

Method 1 - Upload Metadata: Upload the FederationMetadata.xml file

Method 2 - Manual Configuration:

  • SSO URL: https://login.microsoftonline.com/{tenant-id}/saml2
  • Entity ID: https://sts.windows.net/{tenant-id}/
  • ACS URL: https://yourdomain.com/auth/saml/acs
  • Certificate: Copy from FederationMetadata.xml
Troubleshooting Common Issues
Solutions to common authentication configuration problems

Redirect URI Mismatch

Error: "The redirect URI in the request does not match the redirect URIs configured for the application"

Solution: Ensure the redirect URI in Azure matches exactly: https://yourdomain.com/auth/sso/callback

Application Not Found

Error: "Application with identifier was not found"

Solution: Verify the Entity ID/Identifier in Azure matches the Issuer configured in Secure Hive

SAML Response Invalid

Error: "SAML message was not properly DEFLATE-encoded"

Solution: Ensure your SAML configuration includes proper certificate and signature settings

User Not Provisioned

Error: User signs in successfully but doesn't appear in Secure Hive

Solution: Check that JIT (Just-In-Time) provisioning is enabled in your IDP configuration

SCIM Provisioning (Enterprise Application)
User provisioning from Microsoft Entra ID to Secure Hive via SCIM. Configure this in the Enterprise Application, not the App Registration.

Prerequisites

Before configuring SCIM provisioning:

  • Enterprise Application: A non-gallery Enterprise Application in your tenant (same place you configure SAML if you use it)
  • SCIM token: A per-tenant secret token (e.g. 32–64 characters) that you will set in both Entra and Secure Hive
  • SCIM base URL: Your SCIM endpoint (e.g. https://scim.securehive.ai/scim/v2)
1

Create or use an Enterprise Application

Navigate to Microsoft Entra admin center → Enterprise applications → New application → Create your own application (non-gallery)

Name: e.g. Secure Hive – [Your Organization]

Application type: Non-gallery application

This is the same type of app used for SAML. OIDC/SSO continues to use the separate App Registration.

2

Enable Provisioning and set SCIM endpoint

In the Enterprise Application: Provisioning → Get started → Provisioning mode: Automatic

Admin credentials (SCIM):

Tenant URLhttps://scim.securehive.ai/scim/v2

Use your actual SCIM base URL (e.g. from your Secure Hive tenant SCIM settings)

Secret Token

A bearer token you generate (e.g. 32–64 character random string). Store the same value in Secure Hive SCIM configuration for this tenant.

3

Configure in Secure Hive

In Secure Hive: Settings → Identity (or SCIM settings) for your tenant. Enter the same Secret Token you set in Azure, and ensure the SCIM base URL matches (e.g. https://scim.securehive.ai/scim/v2).

4

Attribute mappings

In the Enterprise Application: Provisioning → Mappings → Provision Azure Active Directory Users. Configure these mappings:

externalId (required)

Edit the externalId mapping so the source attribute is objectId, not the default (e.g. mailNickname). Secure Hive expects a stable GUID for each user; if Azure sends an alias like "jhua", provisioning will fail with a validation error.

Path: Mappings → Provision Azure Active Directory Users → externalId → Source: objectId

department (optional)

To sync department: add or edit a mapping from Azure department to the SCIM target department (or urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department if your app uses the enterprise extension).

manager (optional)

To sync manager: add or edit a mapping from Azure manager (or the user's manager reference) to the SCIM enterprise extension manager (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager). Value is typically the manager's object ID or a value object.

See docs/azure-scim-attribute-mapping.md in the repo for more detail on externalId.

Summary

  • App Registration → OIDC/SSO (client ID, secret, redirect URIs).
  • Enterprise Application → SCIM provisioning (Tenant URL + Secret Token), and SAML if you use it.
  • One App Registration can serve OIDC for all customers; each customer tenant has its own Enterprise Application instance for SCIM (and optionally SAML).

Common issues

Provisioning not available

Provisioning is only visible for Enterprise applications (non-gallery). It does not appear under App registrations.

Validation error when creating users

Ensure attribute mapping: externalIdobjectId in the Enterprise Application Provisioning → Mappings.

Best Practices & Security Recommendations
Security and operational best practices for IDP configuration

Security

  • Use HTTPS for all redirect URIs
  • Rotate client secrets regularly
  • Enable certificate-based authentication for SAML
  • Use least-privilege permissions

Operations

  • Test configuration in staging first
  • Document all configuration changes
  • Monitor authentication logs
  • Have a fallback authentication method

Need Help?

If you encounter issues not covered in this documentation, please contact our support team.

Contact Support