Microsoft Entra ID supports both OIDC and SAML 2.0 against Summand. Setup runs through the WorkOS Admin Portal that Summand opens from the organization settings — there’s no Summand-side SAML wizard.

What Entra unlocks

| Capability | WorkOS intent | Notes |
| --- | --- | --- |
| OIDC SSO | sso | Recommended path for Entra. Uses Microsoft Identity Platform v2.0. |
| SAML 2.0 SSO | sso | Use if your security team specifically requires SAML. |
| Directory Sync (SCIM) | dsync | Provisions and deprovisions users from Entra. |

OIDC is generally simpler with Entra — Microsoft’s native protocol — but SAML works equally well. Pick whichever your team standardizes on.

Setup

1. Verify your domain in Summand

Settings → Organization → Domain Verification → Configure, and follow the DNS TXT record flow. Once verified, Summand will route sign-ins from this email domain to your Entra tenant.

2. Open the SSO Admin Portal

Settings → Organization → Single Sign-On → Configure. The portal opens scoped to your org.

3. Pick Microsoft Entra ID

In the portal, choose Microsoft Entra ID (formerly Azure AD) and the protocol you want — OIDC or SAML.

4. Create the application in Entra

In the Microsoft Entra admin center, register a new application:
  • For OIDC: App registrations → New registration. The portal provides a redirect URI to paste in.
  • For SAML: Enterprise applications → New application → Create your own application → Non-gallery. The portal provides Reply URL and Identifier.
Detailed Microsoft-side steps live in the WorkOS Microsoft Entra ID guide.

5. Configure attributes / claims

The portal lists the attributes WorkOS expects (email, name, optionally given_name, family_name, groups). Configure them on the Entra side under Token configuration (OIDC) or Attributes & Claims (SAML).

6. Return values to the portal

For OIDC, paste the Tenant ID, Client ID, and Client Secret into the portal. For SAML, paste the App Federation Metadata URL, which the portal validates and parses.

7. Test the connection

Click Test connection in the portal. WorkOS runs an end-to-end Entra sign-in flow and reports the result.

8. Assign users

On the Entra application’s Users and groups tab, assign the people or security groups who should access Summand.

9. (Optional) Configure Directory Sync

Settings → Organization → Directory Sync → Configure. Pick Microsoft Entra ID SCIM, follow the portal, and complete the provisioning configuration on the Entra side.

Conditional Access

If your tenant uses Conditional Access policies, ensure the Summand-via-WorkOS application is included in your policy scope and that your policies allow access from the device and network the user is signing in from. A common cause of “user can authenticate at Microsoft but not get back to Summand” is a Conditional Access policy that blocks the redirect.
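
To find which policy is blocking sign-ins, export the application's sign-in records from Entra and look for enforced policy failures. The following is an added example, not Summand or WorkOS code; it assumes records shaped like Microsoft Graph signIn objects, and APP_NAME and every sample record are constructed placeholders.

```python
import json
from collections import defaultdict

# Assumption: the display name you gave the Entra application in step 4.
APP_NAME = "Summand SSO (placeholder)"

# Constructed sample records shaped like Microsoft Graph signIn objects
# (GET /auditLogs/signIns). Not real tenant data.
SAMPLE = json.loads("""[
 {"userPrincipalName": "alice@example.com", "appDisplayName": "Summand SSO (placeholder)",
  "conditionalAccessStatus": "failure", "appliedConditionalAccessPolicies": [
   {"displayName": "Require compliant device", "result": "failure"},
   {"displayName": "Pilot: block unmanaged", "result": "reportOnlyFailure"}]},
 {"userPrincipalName": "bob@example.com", "appDisplayName": "Summand SSO (placeholder)",
  "conditionalAccessStatus": "success", "appliedConditionalAccessPolicies": [
   {"displayName": "Require compliant device", "result": "success"}]},
 {"userPrincipalName": "carol@example.com", "appDisplayName": "Other App",
  "conditionalAccessStatus": "failure", "appliedConditionalAccessPolicies": [
   {"displayName": "Require compliant device", "result": "failure"}]},
 {"userPrincipalName": "dave@example.com", "appDisplayName": "Summand SSO (placeholder)",
  "conditionalAccessStatus": "failure", "appliedConditionalAccessPolicies": [
   {"displayName": "Trusted locations only", "result": "failure"},
   {"displayName": "Require compliant device", "result": "notApplied"}]}
]""")


def blocking_policies(sign_ins, app_name):
    """Return {policy name: sorted users} for enforced Conditional Access
    failures on sign-ins to app_name."""
    blocked = defaultdict(set)
    for rec in sign_ins:
        if rec.get("appDisplayName") != app_name:
            continue
        if rec.get("conditionalAccessStatus") != "failure":
            continue
        for pol in rec.get("appliedConditionalAccessPolicies") or []:
            # Only an enforced "failure" blocks the sign-in; report-only
            # results (e.g. "reportOnlyFailure") are logged but not enforced.
            if pol.get("result") == "failure":
                blocked[pol.get("displayName", "<unnamed>")].add(
                    rec.get("userPrincipalName", "<unknown>"))
    return {name: sorted(users) for name, users in blocked.items()}


if __name__ == "__main__":
    for policy, users in blocking_policies(SAMPLE, APP_NAME).items():
        print(f"{policy}: {', '.join(users)}")
```

Policies in report-only mode are excluded because they record a result without blocking the user, so they cannot explain a failed return to Summand.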

Group → role mapping

Two ways:
  • Via the SAML/OIDC groups claim — Entra sends group IDs (or names if you’ve mapped them). Map specific groups to Summand roles in the WorkOS portal.
  • Via Directory Sync (recommended) — Entra groups become WorkOS groups; map them to Summand roles in Settings → Organization → Members.
A common Entra-specific quirk: by default Entra emits group Object IDs (GUIDs), not names. Either configure group claim mapping to send sAMAccountName / display names, or paste the GUIDs directly into the WorkOS portal and label them there.

Removing the connection

Single Sign-On → Disable in the WorkOS portal. Sessions outlive the connection until they naturally expire — revoke them in Settings → Organization → Members for immediate effect.