Single Sign On (SSO) with Microsoft Entra ID

QRdex.io integrates with Microsoft Entra ID using the SAML 2.0 protocol for secure enterprise authentication. This guide will help you set up SSO for your team.

Prerequisites

Active Pro Plan subscription
Team owner permissions
Microsoft Entra ID administrator access

Follow these steps to configure SSO with Microsoft Entra ID (formerly Azure AD) for your QRdex.io team. SSO allows your team members to sign in using their Microsoft credentials.

Key Concepts

Identity Provider (IdP) - Microsoft Entra ID, which authenticates your users
Service Provider (SP) - QRdex.io, which provides the service
Just-in-Time (JIT) Provisioning - User accounts are automatically created in QRdex.io when users first sign in via SSO
SAML 2.0 - The protocol used for secure exchange of authentication data

Available Authentication Methods

IdP-Initiated SSO

Access through your Microsoft portal. Recommended for first-time users.

SP-Initiated SSO

Direct access through our SSO sign-in page.

Configuration Steps

Sign in to the Azure Portal and navigate to Microsoft Entra ID (Azure Active Directory).
Go to "Enterprise applications" and click "New application".
- Choose "Create your own application"
- Name it "QRdex.io"
- Select "Integrate any other application you don't find in the gallery (Non-gallery)"
In your new application, go to "Single sign-on" in the left sidebar and select "SAML".
Configure the following Basic SAML settings:

Identifier (Entity ID): https://qrdex.io

Reply URL (Assertion Consumer Service URL): https://qrdex.io/users/saml/auth

Sign on URL: https://qrdex.io/sso
Under "User Attributes & Claims", ensure the following claims are configured:

Display Name: user.displayname

Email: user.mail

Unique User Identifier (Name ID): user.mail
Under "SAML Certificates", copy the "App Federation Metadata Url". You'll need this for the next step.
Go to your SSO Settings page on QRdex.io:
- Select "Microsoft" as the vendor
- Paste the Federation Metadata URL you copied
- Save the settings
Back in Azure, under "Users and groups":
- Click "Add user/group"
- Assign users who should have access to QRdex.io
- Users must sign in via Microsoft SSO first to create their account
Test the configuration by going to the SSO sign-in page and entering an assigned user's email address.

Important Notes

New users will be automatically created in QRdex.io on their first SSO login (JIT provisioning)
Users must sign in via Microsoft SSO at least once to create their account
After the first login, users can choose to sign in either through SSO or directly with their email
We support both IdP-initiated flows (starting from Microsoft) and SP-initiated flows (starting from QRdex.io)
If you encounter any issues, please ensure your team subscription is active and you have the correct plan
The SAML configuration uses industry-standard security practices including signed assertions and encrypted responses

Security Note: All SAML communications are encrypted and signed to ensure secure authentication. Make sure to keep your Microsoft Entra ID configuration secure and regularly review user access.

Troubleshooting

Ensure the user is assigned to the application in Azure
Verify the metadata URL is correct and accessible
Check that the user's email in Azure matches their QRdex.io account
Make sure the Display Name claim is properly configured