This guide provides detailed steps on setting up single sign-on (SSO) for Egnyte using Microsoft Entra ID (previously Azure Active Directory or Azure AD).
Prerequisites
- Microsoft Azure plan should allow the creation of a custom, non-gallery application.
- If there is a local Active Directory present, it should be synced with Entra ID. Refer to this Microsoft article.
- Do not add the Egnyte App from the Entra App Gallery; add a custom app as described below.
- Egnyte recommends setting up a separate application for every Egnyte domain:
Example:
| Name of application | Provisioning for | Single Sign-On for |
|---|---|---|
| Egnyte US West | acmeusw | acmeusw |
| Egnyte US East | acmeuse | acmeuse |
| Egnyte EMEA | acmeemea | acmeemea |
Although it is possible to set up SSO within one application, Egnyte does not recommend it.
Configuration
Creating Enterprise application for SSO
- Log in to Azure Portal.
- Go to Enterprise Applications in the Microsoft Entra ID section.
- Click on + New application button and then + Create your own application. This can require a specific plan that might include additional costs.
- Enter a name for the App to easily identify it later and select the option Integrate any other application you don't find in the gallery (Non Gallery). Click on Create button.
- Alternatively, the user can select the app from the recommendations and click on the Create button.
The application will be created within a few seconds.
Configure Microsoft Entra ID Single Sign-On (SSO)
This section will show the steps to enable Microsoft Entra ID SSO and configure it in the Egnyte application.
- After the App is created in the previous section, its overview page opens automatically. If it doesn't open automatically, or if the page was exited, click on the app name on the Enterprise applications page to access it again. Select Single sign-on from the left side menu.
- Select SAML from the available options.
- Click on Edit under Basic SAML Configuration and fill in the details as described below.
  - Click on the Add Identifier link under Identifier (Entity ID) and enter the URL https://saml-auth.egnyte.com/.
    If there is more than one Egnyte domain and you want to set up a separate application for each of them within the same tenant, navigate to Egnyte WebUI -> Settings -> Security & authentication, enable the switch "Use domain-specific Issuer value" (see the Egnyte Configuration section further down), and set Identifier (Entity ID) to https://<domainname>.egnyte.com or the custom access URL (if any).
  - Click on the Add reply URL link and fill in Reply URL (Assertion Consumer Service URL) with the following pattern:
    - If the domain had been configured for SAML Single Sign-On before February 20th, 2019:
      https://*.egnyte.com/samlconsumer/AzureAD or https://<domainname>.egnyte.com/samlconsumer/AzureAD or https://custom-url/samlconsumer/AzureAD
    - If the domain has never been configured for SAML Single Sign-On OR if it has been created after February 20th, 2019:
      https://*.egnyte.com/samlconsumer or https://<domainname>.egnyte.com/samlconsumer or https://custom-url/samlconsumer
  - Fill in Sign on URL with the URL of your domain: https://<domainname>.egnyte.com/ or the custom access URL if your Egnyte domain is tied to one.
  - Click the Save icon at the top and, after the changes are saved, go back to Set up Single Sign-On. It may take a couple of minutes before the changes take effect on the Entra side.
- Download the Federation Metadata XML.
Egnyte Configuration
- In a different web browser window, log in to Egnyte as an Administrator, open the menu, and click Settings. Click the Configuration tab, and then click Security & authentication.
- In the Single Sign-On Authentication section in Egnyte, perform the following steps:
- Single sign-on authentication: SAML 2.0
- Identity provider: AzureAD
- Click on import metadata XML file and choose the downloaded file from Entra.
- Default user mapping: Email address
- Use domain-specific issuer value: enable if you are going to configure multiple Egnyte domains within one Entra tenant.
- Click Save.
Test Microsoft Entra ID SSO
This section describes how to test Microsoft Entra ID SSO with Egnyte using a test user called "Britta Simon."
For SSO to work, Microsoft Entra ID needs to know which Egnyte user corresponds to a given Microsoft Entra ID user. In other words, a relationship between a Microsoft Entra ID user and the related user in Egnyte needs to be established.
To establish this link, assign the Username value (also known as UPN) from Microsoft Entra ID as the value of the idpusername in Egnyte.
To configure and test Microsoft Entra ID SSO with Egnyte, complete the following steps:
- Create a Microsoft Entra ID Test User: To test Microsoft Entra ID SSO with Britta Simon.
- Create an Egnyte Test User: To have a counterpart of Britta Simon in Egnyte linked to the Microsoft Entra ID representation of the user.
- Assign the Microsoft Entra ID Test User: To enable Britta Simon to use Microsoft Entra ID SSO.
- Test Single Sign-On: To verify the configuration was set up properly.
Create a Microsoft Entra Test User
The objective of this section is to create a test user in the Entra portal called Britta Simon.
- In the Entra portal on the left navigation pane, click the Users icon.
- Click New user on the top of the screen.
- On the User Dialog page, perform the following steps:
a. Name: BrittaSimon (without spaces)
b. User name: Email address of Britta Simon.
c. Select Show Password and write down the value of the password.
- Click Review + Create.
Create an Egnyte Test User
To enable Microsoft Entra ID users to log into Egnyte, they must be provisioned in Egnyte. With Egnyte, you can manually enter your users or use a CSV file to import them. We'll show you how to add a user manually, but you can read more about importing users here.
- Log into Egnyte as an Administrator, open the menu, and click Settings. Click the Users & Groups tab, and then click Add New Account.
- From the drop-down, select the type of user to add. In our example, we'll add Britta as a Power User.
- In the New Power User section, perform the following steps:
a. Type the First and Last Name, Email, and Username of the Entra ID account you want to provision.
b. Authentication Type: Single Sign-On
c. Set IdP Username to match the UPN from Entra.
- Click Save.
For existing users, find the user in the Users & Groups tab, hover over the user and click Details, and click Edit user profile. Make sure all of the details match the user in Entra ID, change the Authentication type to Single Sign-On, set IdP Username, and click Save.
Assign the Microsoft Entra ID Test User
This section covers the steps to enable Britta Simon to use Entra SSO.
- In the Entra portal, open the SSO application.
- In the menu on the left, click Users and groups.
- Click the + Add User/Group button.
- Click on None selected:
- In the search box, search for Britta Simon and select the user.
- Click Select at the bottom.
- Click Assign to confirm the choice.
Test Single Sign-On
Test the setup by having a user log in to Egnyte with their Microsoft Entra ID credentials.
All SSO-authenticated users will be redirected to your SSO page when attempting to log in to Egnyte.
Best Practices and Additional Notes
- Egnyte recommends having at least one admin account with Egnyte authentication in case of SSO provider failure.
- By default, Single Sign-On is available only for Admins and Power Users.