SSO with Microsoft Entra ID

Streamline user's access to OpsLevel using Single Sign-On with Microsoft Entra ID (previously Azure Active Directory).

The OpsLevel Single Sign-On authentication method can be used with your organization’s existing Microsoft Entra ID (Entra ID) identity provider by configuring a SAML integration. Below are the detailed steps on how to get started using Entra ID and OpsLevel's SAML.

Requirements

To configure SSO, you need:

  • A Microsoft Entra ID subscription.
  • An OpsLevel Account -- all tiers have access to SSO/SAML today.

Setting up the Entra ID Application

Note: You will need access to your SAML Endpoint URL located in the Authentication Method section of your OpsLevel Account Settings. Only admin users will have access to this section

OpsLevel Authentication Method SAML Endpoint URL

Create a new Enterprise Application in the Microsoft Entra Admin Center

To set up the Entra ID SAML application for OpsLevel, first:

1. Sign in to the Microsoft Entra Admin Center portal.

2. In the left sidebar Enterprise Applications and then select All Applications.

3. To add new application, select New application.

4. Select the + Create Own Application Button.

5. Enter any name, OpsLevel will do.

6. Follow the Getting Started steps as directed:

Assign users and groups

1. Add any users and groups that you'd like to grant access to OpsLevel.

2. This can just be a single admin user during setup/onboarding, more can be added at anytime.

Set up Single Sign On

1. In the Microsoft Entra Admin Center, on the OpsLevel application integration page, find the Manage section and select single sign-on.

2. On the Select a single sign-on method page, select SAML.

3. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.

4. On the Basic SAML Configuration section, perform the following steps:

  • In the Identifier text box put opslevel.
  • In the Reply URL text box, paste in the SAML Endpoint URL from your OpsLevel Account Settings page.
  • In the Sign on URL, put https://app.opslevel.com/users/sso/sign_in.
  • Optionally, you can include the Logout Url: https://app.opslevel.com/users/sign_out
  • After, the Basic SAML Configuration should look something like:

5. Configure the Attributes and Claims

  • OpsLevel looks for email, first_name, and last_name. The Unique User Identifier (Name ID) can be whatever suits your Organization, usually user.principalname or user.email will do.
  • Remove or update the existing claims to match the setup below:

Note It's very important that the Namespace be left blank.

6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Certificate (Base64) from the given options as per your requirement and save it on your computer.

7. You will also need the Login URL to configure SSO in OpsLevel:

Complete configuration in OpsLevel

Any admin user on your OpsLevel account may configure the SAML single sign-on settings by:

1. Navigating to the Authentication Method section of the Account Settings page.

2. Selecting Edit at the bottom of the card.

SSO Settings

3. Clicking on the option labeled SAML

4. Specifying the corporate email domain used by your company under: Email Domain.

SSO Email Domain Setup

5. Pasting in the Token Signing Certificate (base64) from the SAML configuration from Microsoft Entra ID.

SSO X.509 Certificate Setup

6. Pasting in the Login URL from the SAML configuration in Microsoft Entra ID.

SSO IDP Sign In URL

7. (Optional) De-selecting Allow authentication via email / password once your configuration has been verified as operational.

Optional Email/Password Setting

If you are having trouble setting up your single sign-on in any way, send us an email at [email protected] and we’ll be happy to help debug and diagnose any issues.