Articles in this section

Integration Instructions: Microsoft Azure/Entra ID

  • Updated

Supported Features

Tubular currently supports the following features:

  • Service Provider (SP) Initiated flow

Tubular does not support the following features:

  • Identity Provider (IDP) Initiated Flow
  • SAML JIT (Just In Time) Provisioning

 

Step 1: Set up Microsoft Azure/Entra ID as SAML identity provider (IDP)

  1. Sign in to the Azure portal.
  2. On the left navigation pane, select the Azure Active Directory service.
  3. Navigate to Enterprise Applications and then select All Applications.
  4. Add a new application by selecting New application.
  5. Select Non-gallery application.
  6. Set “Tubular” as the name of the application and click Add.
  7. Assign a test user to the application (required)
  8. Go to Configure single sign-on (required).
  9. Select SAML-based Sign-on in the Single Sign-on Mode.
  10. Enter the following values into the appropriate fields:
    1. Identifier: urn:auth0:tubularlabs:CONNECTION_NAME
    2. Reply URL: https://tubularlabs.com/auth/oauth/login?connection=CONNECTION_NAME
    3. User Identifier: user.mail
  11. In the User Attributes and Claims section, select the Edit icon.
  12. Verify that the Name Identifier Value is set to user.mail. To modify this value, select Edit. Change the name identifier format to EmailAddress and the Source attribute value to Email.
  13. In step 3, download the Certificate (Base64)
  14. In step 4, copy the Login URL and put it in a safe place so you can access it later.
  15. Click Finish

The CONNECTION_NAME is a unique identifier for your connection. It should only contain alphanumeric characters and hyphens and must be less than 128 characters in length.

We recommend that you include your company name as a part of the connection name to ensure that the name is unique. For example, Acme Corp may name their connection Acme-Login.

If you plan on setting up a TEST or STAGING connection first, give it the same connection name in Tubular as you plan to use for your live connection.

 

Step 2: Enable Tubular SAML App

  1. Sign in to the Azure portal.
  2. On the left navigation pane, select the Azure Active Directory service.
  3. Navigate to Enterprise Applications and then select All Applications.
  4. In the application list, select Tubular.
  5. In the app's overview page, find the Manage section and select Users and groups.
  6. Select Add user, then select Users and groups in the Add Assignment dialog.
  7. Type in the full name, email address, or full group name of the user/group you are interested in assigning into the Search by name or email address search box.
  8. Click the checkbox next to the user/group to add them to the Selected list
  9. Continue to select users/groups to add to the Selected list.
  10. When you are finished, click the Select button to add them to the list of users and groups to be assigned to the application.
  11. Click the Assign button to assign the application to the selected users.

 

Step 3: Set up Tubular as a SAML 2.0 service provider (SP)

Once you’ve finished configuring Microsoft Azure as your IDP, you can send over your connection details to your Customer Success Manager or our Support team to finalize integration of your Azure with Tubular. Send us over the following pieces of information that you should have saved from your steps above:

  1. The Connection Name you configured in step 1.
  2. The Identity Provider Single Sign-On URL you copied at the end of step 1.
  3. The X.509 Certificate, the entire contents of the file you downloaded in step 1. This is an X.509 Certificate that’s required for SSO setup.

Our team will then input these fields to make the connection to your Azure instance.

After your credentials are authenticated, you and all of your seat holders should now be redirected to sign in using your IDP when signing into Tubular Labs. 

Once SSO is set up for your organization, it will be the only method your users can use to log into the platform. We don’t currently have the option for some users to still use password for logging in after SSO is linked. User passwords will no longer be managed through Tubular. If a user attempts to reset their Tubular password it will have no effect. Please refer your users to your internal help desk for assistance recovering their Microsoft account.

Related articles