SSO with Microsoft Entra ID
Note
Enterprise Feature: Single Sign-On with Microsoft Entra ID is available for Enterprise workspaces. Contact your Treblle account manager to enable SSO for your workspace.
Overview
Integrate Treblle with Microsoft Entra ID (formerly Azure Active Directory) to enable secure Single Sign-On for your team. This guide walks you through configuring SAML-based authentication between Microsoft Entra ID and Treblle.
Prerequisites
Before you begin, ensure you have:
Configuration Process
The SSO setup process involves two main steps:
- Configure an Enterprise Application in Microsoft Entra ID
- Configure SSO settings in Treblle
Part 1: Microsoft Entra ID Configuration
Step 1: Access Microsoft Entra ID Portal
- Navigate to the Azure Portal
- Go to Microsoft Entra ID (formerly Azure Active Directory)
The Microsoft Entra ID overview page will display your tenant information.
- From the left navigation menu, click Add dropdown and select Enterprise application
Step 2: Create Enterprise Application
- Click Create your own application from the app gallery
- In the dialog that appears:
- What’s the name of your app?: Enter
Treblle SSO Test(or your preferred name) - What are you looking to do with your application?: Select Integrate any other application you don’t find in the gallery (Non-gallery)
- What’s the name of your app?: Enter
- Click Create
Tip
Application Name: Choose a descriptive name that helps your team identify this application, such as “Treblle Production” or “Treblle SSO”.
Step 3: Set Up Single Sign-On
- After creating the application, you’ll be redirected to the application overview page
- From the Getting Started section, click 2. Set up single sign on
- On the Select a single sign-on method page, select SAML
Step 4: Configure Basic SAML Settings
In the Basic SAML Configuration section, click Edit and configure the following:
Required Fields
Enter the following Treblle URLs exactly as shown:
Field
Value
Identifier (Entity ID)
https://identity.treblle.com/auth/saml2
Reply URL (Assertion Consumer Service URL)
https://identity.treblle.com/login/saml/callback
Sign on URL
https://identity.treblle.com/enterprise-login
Note
Important: In the Reply URL, replace treblle with your chosen company identifier. This identifier should match what you’ll configure in Treblle later (e.g., treblle-entra-id, your-company-name).
Optional Fields
- Relay State: Leave empty (optional)
- Logout URL: Leave empty (optional)
Click Save after entering the required information.
Step 5: Review Attributes & Claims
The default attributes should work correctly. Microsoft Entra ID will map these attributes:
Claim Name
Source Attribute
givenname
user.givenname
surname
user.surname
emailaddress
user.mail
name
user.userprincipalname
Unique User Identifier
user.userprincipalname
Tip
The default attribute mappings work for most organizations. Only modify these if your organization has specific requirements.
Step 6: Download SAML Certificate and Note Configuration URLs
After saving the Basic SAML Configuration, scroll down to view the complete SAML setup page. This page shows all the information you’ll need:
In the SAML Certificates section (section 3):
- Locate Certificate (Base64)
- Click Download to save the certificate file
Caution
Security: Keep this certificate file secure. You’ll need its contents to configure Treblle in the next section.
Step 7: Copy Configuration URLs
On the same SAML configuration page, look at section 4 Set up Treblle:
Copy the following two values - you’ll need these for Treblle configuration:
Field
Purpose
Login URL
URL where users will be redirected to authenticate (maps to Assertion Consumer Service URL in Treblle)
Microsoft Entra Identifier
Your IdP Issuer URL (required for Treblle configuration)
Example values from the image above:
- Login URL:
https://login.microsoftonline.com/0a27fe0d-8c82-... - Microsoft Entra Identifier:
https://sts.windows.net/0a27fe0d-8c82-46f4-b29d...
Note
The Microsoft Entra Identifier is critical. It typically looks like: https://sts.windows.net/{tenant-id}/
Part 2: Treblle Configuration
Step 8: Access Treblle Authentication Settings
- Log in to your Treblle workspace as a workspace owner
- Navigate to Settings → Authentication
You can access this directly via:
https://platform.treblle.com/workspaces/{workspaceId}/settings/authentication/create
- Click Configure SSO to begin the setup
Step 9: Configure SSO in Treblle
Fill in the following fields with the information from Microsoft Entra ID:
Company Email Identifier
Enter a unique identifier for your organization (this is used when users sign in with SSO):
treblleExample: treblle, acme-corp, your-company-name
Tip
Choose a memorable identifier - users will need to enter this when signing in via SSO. Use lowercase letters, numbers, and hyphens only. This should match the identifier you used in the Reply URL in Step 4.
Authentication Type
Select SAML from the dropdown menu.
Assertion Consumer Service URL
This field needs the “Login URL” value from Microsoft Entra ID Step 7.
Paste the Login URL you copied from Azure. It should look like:
https://login.microsoftonline.com/0a27fe0d-8c82-46f4-b29d.../saml2Caution
Critical: Make sure to paste the Login URL from Azure into this field, NOT a Treblle URL.
Identity Provider Issuer
Paste the Microsoft Entra Identifier URL you copied from Azure. It should look like:
https://sts.windows.net/0a27fe0d-8c82-46f4-b29d-765493c80899/Identity Provider Certificate
- Open the downloaded Certificate (Base64) file in a text editor
- The certificate file will look like this:
-----BEGIN CERTIFICATE-----
MIIC8DCCAdigAwIBAgIQeGtfDKjn05tBz9UKHNMfjjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
EylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yNDExMDQxMzI1
NDFaFw0yNzExMDQxMzI1NDFaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQg
U1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuDaI4BAJ*********
*********************************************************************************
*********************************************************************************
vZozH+CUD/ejNBiAn1TOIOxm3XTCv2SzOqenr
iLuYibYimC784HmnYewX4eaC8pTm
oHFzyok4AcfznUykKVLHTCzNSQ3yS1uxrYCzaT82kUGwV2ezQt0kotPxf8+nntt73IdGiZdU++AT
dqaOufZCUxKdwvjDau/YmOtrQkJBNBMGrF783ef5K6Z9UEoLJ6TEMh1+JLGOjUvgHxhlhNf9dXsT
J1yRnAlJ6YLGXeKH+/KnBDqggGdZYEYZ2fVwmcoQGy7aoNPpKrG15ZRN9La8LOjnRFAbGWEgL1xK
f9lPHEU1NgAreDBgUizK
-----END CERTIFICATE------ Copy only the certificate content between the markers (excluding the BEGIN and END lines)
- The content you paste into Treblle should look like this:
MIIC8DCCAdigAwIBAgIQeGtfDKjn05tBz9UKHNMfjjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
EylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yNDExMDQxMzI1
NDFaFw0yNzExMDQxMzI1NDFaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQg
U1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuDaI4BAJ*********
*********************************************************************************
*********************************************************************************
vZozH+CUD/ejNBiAn1TOIOxm3XTCv2SzOqenr
iLuYibYimC784HmnYewX4eaC8pTm
oHFzyok4AcfznUykKVLHTCzNSQ3yS1uxrYCzaT82kUGwV2ezQt0kotPxf8+nntt73IdGiZdU++AT
dqaOufZCUxKdwvjDau/YmOtrQkJBNBMGrF783ef5K6Z9UEoLJ6TEMh1+JLGOjUvgHxhlhNf9dXsT
J1yRnAlJ6YLGXeKH+/KnBDqggGdZYEYZ2fVwmcoQGy7aoNPpKrG15ZRN9La8LOjnRFAbGWEgL1xK
f9lPHEU1NgAreDBgUizKNote
Important: Remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Paste only the certificate content between these markers.
Complete Configuration Example
Here’s what your completed SSO configuration should look like:
The image above shows:
- Company Email Identifier:
treblle(your unique identifier) - Authentication Type: SAML (selected from dropdown)
- Assertion Consumer Service URL: The Login URL copied from Azure
- Identity Provider Issuer: The Microsoft Entra Identifier from Azure
- Identity Provider Certificate: The certificate content (without BEGIN/END markers)
Step 10: Enable SSO Login
Check the box Enable SSO Login at the bottom of the form.
This will activate SSO for your workspace once you save the configuration.
Step 11: Save Configuration
Click Save Authentication to apply your SSO settings.
Part 3: Testing SSO in Azure Portal
Step 12: Test SSO Configuration
Before rolling out to your team, test the SSO configuration in Azure:
- Go back to your Enterprise Application in Azure Portal
- Navigate to Single sign-on settings
- Scroll to section 5 Test single sign-on with Treblle SSO Test
- Click Test
A test panel will appear on the right side showing:
- Testing sign in: Instructions for testing
- Test sign in button: Click this to test as your current user
- Resolving errors: Section for troubleshooting if needed
Caution
Important: You must assign users to the Enterprise Application before they can sign in. See Step 13 below.
Step 13: Assign Users in Microsoft Entra ID
Before users can sign in, you must assign them to the application:
- In Azure Portal, go to your Enterprise Application
- Click Users and groups from the left menu
- Click + Add user/group
- Select users or groups to grant access
- Click Assign
Tip
Bulk User Management: Assign Azure AD groups to the application rather than individual users for easier management at scale.
Part 4: User Login Flow
Step 14: Sign In with SSO
Once SSO is configured, users can sign in via SSO:
- Go to https://identity.treblle.com/login or simply identity.treblle.com
- Click Sign in with SSO
- Enter your organization identifier (the Company Email Identifier from Step 9)
In the example above, the identifier is treblle. Enter the identifier you configured in Step 9.
- Click Continue
- You’ll be redirected to Microsoft login
- Select your Microsoft account or click “Use another account”
- Authenticate with your Microsoft credentials
- You’ll be redirected back to Treblle and logged in
Post-Login Redirect Behavior
If you initially accessed identity.treblle.com from platform.treblle.com:
- You’ll be automatically redirected back to the platform after successful login
If you went directly to identity.treblle.com:
- After logging in, you must manually navigate to platform.treblle.com
- The platform will redirect you back to identity to confirm your authentication token
- You’ll then be redirected back to the platform and fully authenticated
Managing SSO Configuration
Updating SSO Settings
To update your SSO configuration:
- In Treblle, navigate to Settings → Authentication
- Find your SSO configuration
- Click Edit or the configuration name
- Modify the necessary fields
- Click Save Authentication
Disabling SSO
To temporarily disable SSO:
- Go to Settings → Authentication in Treblle
- Uncheck Enable SSO Login
- Click Save Authentication
Caution
User Impact: Disabling SSO will require users to sign in with their Treblle username and password. Ensure users have their credentials before disabling SSO.
Deleting SSO Configuration
To completely remove SSO:
- Go to Settings → Authentication in Treblle
- Click Delete on your SSO configuration
- Confirm the deletion
Caution
Permanent Action: Deleting the SSO configuration cannot be undone. You’ll need to reconfigure from scratch if you want to re-enable SSO.
Troubleshooting
Common Issues
Issue: “SAML Authentication Failed” error
- Solution: Verify that the Login URL and Microsoft Entra Identifier are correctly copied from Azure
- Check that the certificate is properly formatted without BEGIN/END markers
Issue: Users can’t see the Treblle application in Azure
- Solution: Ensure users are assigned to the Enterprise Application in Azure (see Step 13)
Issue: Certificate validation error
- Solution: Make sure you’ve removed the
-----BEGIN CERTIFICATE-----and-----END CERTIFICATE-----lines - Ensure there are no extra spaces or line breaks in the certificate
Issue: Redirect loop after login
- Solution: Verify that all three SAML URLs in Azure are exactly as specified in Step 4
- Clear browser cookies and try again
