Microsoft Entra ID (formerly Azure Active Directory) SSO Configuration Instructions

Updated

This section is only meant for DataCamp Enterprise administrators that are setting up SSO with Microsoft Entra ID (formerly Azure Active Directory) as their IdP. Only proceed if you have read and understood our SSO documentation.

Microsoft Entra ID (formerly Azure Active Directory) Configuration Instructions

Configure the application on Microsoft Entra ID

Follow the instructions on the official Microsoft Entra ID AD documentation page on integrating with DataCamp: https://learn.microsoft.com/en-us/entra/identity/saas-apps/datacamp-tutorial

Configuration on DataCamp

In the “DataCamp” application under your Azure platform’s Enterprise Applications (or within your Microsoft Entra admin center), navigate to the “Single sign-on” tab and copy the following values over to your DataCamp Group SSO settings page:

  1. Copy the “Identifier (Entity ID)” value from Microsoft Entra ID into the Entity ID / Issuer URL field in your DataCamp SSO Settings page
  2. Copy the “Login URL” value from Microsoft Entra ID into the Login URL / SSO Endpoint field
  3. Download the Certificate (Base64) from Microsoft Entra ID, copy the contents into the IdP Certificate field. Subsequent changes to the SSO configuration in Microsoft Entra ID may create a new certificate that will need to be added to the IdP Certificate field in your DataCamp SSO settings
  4. Save your changes on DataCamp

See the screenshot below for a sample DataCamp application on Microsoft Entra ID that highlights the relevant fields that should be copied over.

f529779c-a1ec-48ba-8a21-c91e4cd3cb58.png

 

1868542c-519e-4a7c-8767-d39bcb24aba4.png

Looking to use an EmployeeID or another unique identifier for NameID instead of an email address?

Using Unspecified NameID Format

When using unspecified nameid format instead of email, we need the nameid format in Microsoft Entra ID to align with the format in your DataCamp SSO settings.

To set the nameid format as unspecified on Microsoft Entra ID, in the "Attributes & Claims" section, click on the Edit button.

Then, click on the "Unique User Identifier (Name ID)" claim:

In the Name identifier format dropdown, choose "Unspecified", and then save your settings.

 

FAQ

We're getting an error: "AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application. Make sure the reply URL sent in the request matches one added to your application in the Azure portal."

Make sure that the "Reply URL" field contains both ACS Urls provided in your Datacamp SSO settings. Ensure that the correct ACS URL (the URL ending with /clients/...) is set as default.

Your configuration should then look like below.

AADSTS5011.png