Microsoft Entra SSO

Info

See Microsoft Identity Platform for more details.

This guide walks you through configuring Microsoft Entra ID as the authentication provider for your organisation in Canary.

You’ll need:

  • A Microsoft Entra tenant
  • An OAuth 2.0 Client ID
  • A Client Secret

1. Create an Enterprise Application in Entra

  1. Log in to your Entra tenant
  2. Click on Manage > Enterprise Applications in the left menu.
  3. Click on New Application in the top menu bar and then Create your own application.
  4. Give your app a name like “Canary App” and select Register an application to integrate with Microsoft Entra ID (App you’re developing). The app and its name exist only in your tenant. Click the Create button.
  5. Give your app registration a name (this can be anything). We recommend selecting the option Accounts in this organizational directory only, which limits usage to users in your own tenant.
  6. Select Web as the platform type and enter the following redirect URI:
    • https://canary.kaweka.nz/auth/callback is the main URI for normal logins
  7. Click the Register button

Entra App Registration

2. Configure the App Registration

  1. Go to App registrations and select the app you have just created.
  2. Under Authentication enter the following two Redirect URIs,
    • https://canary.kaweka.nz/auth/callback is the main URI for normal logins
    • https://canary.kaweka.nz/auth/callback/test allows a test redirect when setting things up
    • Press the Save button
  3. Check the API permission menu item to confirm the app has User.Read permissions only. This allows the Canary app to view basic information about the logged-in user, i.e. name, email address and a profile icon.
  4. As a user with an admin role, click the Grant admin consent button to allow the app to use those permissions.
  5. In the Certificates & secrets section, add a secret and copy the client secret value. You will need this value when configuring SSO for your Canary organisation.
  6. Under Branding & properties add the following,
    • Name = Canary
    • Logo = https://canary.kaweka.nz/src/assets/canary.png
    • Home page URL = https://canary.kaweka.nz

3. (Optional) Restrict Login to a Group of Users

In the Enterprise Applications section in Entra do the following,

  1. Open the correct application details
  2. Under Users and groups add the specific people or Entra ID/AD groups to allow them to use the app.
  3. Go to the Properties menu item and set the following,
    • Enabled for users to sign-in? to Yes
    • Assignment required? to Yes
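
The settings from sections 1 to 3 can be checked after the fact against the application and service principal objects that Microsoft Graph returns (GET /applications/{id} and GET /servicePrincipals/{id}). The following is an added example, not part of the Canary documentation: the function name and the sample objects are constructed for illustration, and the two GUIDs are the well-known Microsoft Graph app ID and the delegated User.Read scope ID.

```python
# Added example: audits exported Graph objects against the settings in this guide.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"        # Microsoft Graph
USER_READ_SCOPE_ID = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"  # delegated User.Read
EXPECTED_REDIRECTS = {                                        # from the guide
    "https://canary.kaweka.nz/auth/callback",
    "https://canary.kaweka.nz/auth/callback/test",
}


def audit_registration(app: dict, sp: dict) -> list:
    """Return findings where the application / service principal deviate."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience is not single-tenant (AzureADMyOrg)")
    redirects = set(app.get("web", {}).get("redirectUris", []))
    # Exact string comparison: a trailing slash or different case is a mismatch.
    for uri in sorted(redirects - EXPECTED_REDIRECTS):
        findings.append(f"unexpected redirect URI: {uri}")
    for uri in sorted(EXPECTED_REDIRECTS - redirects):
        findings.append(f"missing redirect URI: {uri}")
    for res in app.get("requiredResourceAccess", []):
        for access in res.get("resourceAccess", []):
            is_user_read = (res.get("resourceAppId") == GRAPH_APP_ID
                            and access.get("id") == USER_READ_SCOPE_ID
                            and access.get("type") == "Scope")
            if not is_user_read:
                findings.append("permission beyond User.Read: "
                                f"{access.get('id')} ({access.get('type')})")
    if not sp.get("accountEnabled", False):
        findings.append("service principal is not enabled for sign-in")
    if not sp.get("appRoleAssignmentRequired", False):
        findings.append("assignment not required (optional step 3 not applied)")
    return findings


# Constructed sample objects, not real tenant data.
SAMPLE_APP = {
    "signInAudience": "AzureADMultipleOrgs",
    "web": {"redirectUris": ["https://canary.kaweka.nz/auth/callback/",
                             "https://canary.kaweka.nz/auth/callback/test"]},
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [
            {"id": USER_READ_SCOPE_ID, "type": "Scope"},
            {"id": "00000000-0000-0000-0000-000000000001", "type": "Role"},
        ],
    }],
}
SAMPLE_SP = {"accountEnabled": True, "appRoleAssignmentRequired": False}

if __name__ == "__main__":
    for finding in audit_registration(SAMPLE_APP, SAMPLE_SP):
        print("FINDING:", finding)
```

The sample reports five findings; the trailing slash on the first redirect URI appears as both an unexpected and a missing URI, which is the same exact-match condition behind the Redirect URI Mismatch error.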

4. Configure SSO in Canary Monitoring

Inside the Canary admin interface:

  1. Navigate to: Settings → Organisation → Single Sign On
  2. Select Microsoft Entra as the Identity Provider.
  3. Paste in:
    • Client ID - get this from the application registration page in Entra ID
    • Client Secret - you should store this securely
    • Entra tenant ID - get this from the application registration page in Entra ID
  4. Click the Save SSO button to save your changes

Canary Monitoring → Entra SSO Settings

6. Test Your Configuration

Before enforcing SSO for all users, perform a test:

  1. Click Test SSO in the Single Sign On admin panel.
  2. Authenticate using your Entra account.
  3. Confirm Canary successfully logs you in

If everything checks out, you can safely enable your SSO config and enforce it for all your organisation users.

7. Troubleshooting

User ID does not match that submitted

The SSO auth process requires the email attribute of the Entra user to match that used for the Canary user. Make sure the Entra email attribute is set properly for your users.

Redirect URI Mismatch

Check that your redirect URI in the Entra Application registration exactly matches the URIs in Canary.

Invalid Client ID or Secret

Make sure you copied the correct values and didn’t include whitespace.

Support

If you are still experiencing issues please contact us at support@kaweka.nz
