Setup Azure AD (Entra ID) SSO
The Vellum platform works with any Entra ID tenant through a typical OAuth flow. It requires minimal setup if your organization is already using Microsoft Entra ID. Below are the steps to configure an App Registration that allows Vellum users to sign in using their Entra credentials.
Navigate to your Microsoft Entra admin center > App registrations
Select + New registration from the action bar
Give it a unique name for your organization (Vellum Team works great!)
Select Single tenant under Supported account types
Under Redirect URI select 'Public client/native (mobile & desktop)' and enter vellum://callback as the URI.
Select Register at the bottom of the page. This takes you to the configuration screen.
Navigate to API permissions in the left sidebar and ensure Microsoft Graph -> User.Read is listed (it should be by default)
Navigate to Authentication in the left sidebar.
You should see the native application with the redirect URI already there. Click + Add a platform at the top of the page.
Select Single-page application from the menu that pops up.
For the configuration of the application use the following settings:
Redirect URIs: https://app.vellum.team/sso-callback
Front-channel logout URL: https://api2.vellum.team/api/auth/logout
Select ID tokens and Access tokens under the tokens to be issued by the authorization endpoint.
Select Configure at the bottom of the page to save the configuration.
Finally, navigate to Overview, copy the Application (client) ID and Directory (tenant) ID, and send them to us along with your email domain. Once we add your IDs to our system, users who sign in with an email address in your organization's email domain will be redirected to your SSO page for sign-in.
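To double-check the finished registration against the steps above, the following added example (not Vellum's or Microsoft's code) audits an exported app object and reports any setting that differs, including redirect URIs that were never meant to be there. It assumes the registration has been exported as JSON in the Microsoft Graph application format, for example with `az ad app show --id <client-id>`; the function name and the sample data are constructed for illustration.

```python
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
USER_READ_ID = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"  # delegated User.Read
LOGOUT_URL = "https://api2.vellum.team/api/auth/logout"
EXPECTED_REDIRECTS = {  # platform key in the Graph application object -> URIs
    "publicClient": {"vellum://callback"},
    "spa": {"https://app.vellum.team/sso-callback"},
    "web": set(),  # the steps add no Web platform redirect
}

def audit_registration(app):
    """Return deviations from the settings listed in the steps above."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":  # portal: "Single tenant"
        findings.append("signInAudience is not single tenant")
    for platform, expected in EXPECTED_REDIRECTS.items():
        actual = set((app.get(platform) or {}).get("redirectUris") or [])
        findings += [f"{platform}: missing redirect URI {u}" for u in sorted(expected - actual)]
        findings += [f"{platform}: unexpected redirect URI {u}" for u in sorted(actual - expected)]
    web = app.get("web") or {}
    if web.get("logoutUrl") != LOGOUT_URL:
        findings.append("front-channel logout URL differs")
    grants = web.get("implicitGrantSettings") or {}
    for flag in ("enableIdTokenIssuance", "enableAccessTokenIssuance"):
        if not grants.get(flag):
            findings.append(f"{flag} is not enabled")
    scopes = {(r.get("resourceAppId"), a.get("id"))
              for r in app.get("requiredResourceAccess") or []
              for a in r.get("resourceAccess") or [] if a.get("type") == "Scope"}
    if (GRAPH_APP_ID, USER_READ_ID) not in scopes:
        findings.append("Microsoft Graph User.Read is not listed")
    return findings

# Constructed sample (not a real tenant): one stray localhost redirect URI.
SAMPLE = json.loads("""{
  "signInAudience": "AzureADMyOrg",
  "publicClient": {"redirectUris": ["vellum://callback"]},
  "spa": {"redirectUris": ["https://app.vellum.team/sso-callback",
                           "http://localhost:3000/sso-callback"]},
  "web": {"redirectUris": [], "logoutUrl": "https://api2.vellum.team/api/auth/logout",
          "implicitGrantSettings": {"enableIdTokenIssuance": true,
                                    "enableAccessTokenIssuance": true}},
  "requiredResourceAccess": [{"resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [{"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"}]}]
}""")

if __name__ == "__main__":
    print(audit_registration(SAMPLE) or "registration matches the steps")
```

An empty result means the registration matches the steps; any redirect URI reported as unexpected should be removed from the Authentication page before the IDs are sent over.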