Entra SSO Integration With Right-Hand
Written by Karthek S
Updated over a week ago

This article walks through the steps to integrate Azure/Entra SSO with Right-Hand.

Create RH App in Entra

  • Select New Application.

  • Choose Create your own application.

  • Provide the application name “Right-Hand Entra SSO” and keep the default option: “Integrate any other application you don't find in the gallery (Non-gallery).”

  • Click Create.

  • Select “Set up single sign on” from the Overview page.

Get the SSO Sign-in URL From Right-Hand

  • Navigate to the Right-Hand portal.

  • Click on Settings from the left pane.

  • Go to the Integrations tab.

  • Click Add New.

  • Copy the SSO Sign-in URL. Save the link for further use.

Configure Entra SSO

SP initiated

In an SP-initiated (Service Provider-initiated) SSO flow, the user starts the authentication process at the service provider's site. The SP sends an authentication request to the Identity Provider (IdP) to authenticate the user. Once authenticated, the user is redirected back to the SP with a token granting access.

  • Go back to the SSO settings of the RH application in Entra.

  • Edit the Basic SAML Configuration section.

  • Enter the copied SSO Sign-in URL in Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and Sign-on URL.

  • Click Save.

IdP initiated

In an IdP-initiated (Identity Provider-initiated) SSO flow, the user begins the authentication process at the IdP. After successful authentication, the IdP sends a token to the SP, allowing the user to access the service without initiating the process from the SP's site.

  • Go back to the SSO settings of the RH application in Entra.

  • Edit the Basic SAML Configuration section.

  • Enter the copied SSO Sign-in URL in Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL).

  • Click Save.

Setup Attributes & Claims

  • In the next section, edit Attributes & Claims.

  • Under the Required Claim section, set the Source Attribute field to either the Email or UPN field based on what you have synced with the Right-Hand portal.

Important: Right-Hand relies on email addresses to identify users.

Setup SAML Certificates

  • Next, edit the SAML Signing Certificate.

  • Set the Signing Option to “Sign SAML response and assertion.”

  • Click Save.

  • Now download the Federation Metadata XML from the SAML Signing Certificate Section.

Assign the Microsoft Entra Users

  • Go to “Users and Groups” from the right panel.

  • Click on “Add users.”

  • Select the list of users who can access the RH app and click Assign.

Configure Right-Hand SSO

  • Go back to the Right-Hand Portal.

  • Click on Settings from the left pane.

  • Go to the Integrations tab.

  • Click Add New.

  • Select IdP as “Add Another IDP Integrations.”

  • Enter the IdP Integration Name as “Entra SSO”.

  • Click on Browse and Upload the Federation Metadata XML File.

  • Click Save.

Test SSO

SP initiated

  • Go directly to the Right-Hand login page and initiate the login flow.

  • Click on Single Sign-On (SSO) > Enter your email and log in.

IdP initiated

  • Click on Test this application in the Entra portal, and you should be automatically signed in to the Right-Hand application for which you set up the SSO.

You can also use the Microsoft My Apps portal to test the application in any mode.

If configured in SP mode, when you click the Right-Hand app in the My Apps portal, you will be redirected to the application sign-on page to initiate the login flow.

If configured in IdP mode, you should be automatically signed in to the Right-Hand application for which you set up the SSO.
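
After a test login, the settings above can be confirmed from the SAMLResponse form field captured in the browser's developer tools. The following is an added example, not Right-Hand or Microsoft code: it checks that the response and the assertion both carry a signature, that Destination equals the Reply URL, and that NameID is an email address. The function names, the sample response and the rh.example.invalid URL are assumptions constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
REPLY_URL = "https://rh.example.invalid/sso/acs"  # placeholder, not a real Right-Hand URL


def check_saml_response(b64_response, reply_url):
    """List configuration problems in a SAMLResponse captured from your own test login.

    Structural checks only: signatures are located, not cryptographically verified.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    problems = []
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if root.get("Destination") != reply_url:
        problems.append("Destination does not match the Reply URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected exactly 1 Assertion, found {len(assertions)}"]
    if assertions[0].find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    name_id = assertions[0].findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not EMAIL_RE.match(name_id):
        problems.append(f"NameID {name_id!r} is not an email address")
    return problems


def sample_response(sign_response=True, name_id="alice@example.com"):
    """Constructed sample; signature elements are empty stubs."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
           f'Destination="{REPLY_URL}">{sig if sign_response else ""}'
           f'<saml:Assertion>{sig}<saml:Subject><saml:NameID>{name_id}'
           '</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(check_saml_response(sample_response(), REPLY_URL))
    print(check_saml_response(sample_response(sign_response=False), REPLY_URL))
```

An empty list means the captured response matches the Signing Option, Reply URL and claim settings configured in this article. A "Response is not signed" result points back to the Signing Option in the SAML Signing Certificate section.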
