This guide walks you through setting up OpenID Connect (OIDC) single sign-on between TrueFoundry and Microsoft Entra ID (formerly Azure Active Directory). Once finished, members of your Entra tenant can sign in to TrueFoundry through a Login with Entra ID button. For SAML 2.0 instead of OIDC, see SAML with Microsoft Entra ID.

Prerequisites

  • A TrueFoundry tenant with Admin access to Settings → Security & Access → SSO.
  • A Microsoft Entra tenant with permission to create App registrations.

Step 1 — Register an application in Entra

1. Open App registrations

Sign in to the Microsoft Entra admin center as an administrator. In the left navigation, expand Identity → Applications, select App registrations, then click New registration.
[Screenshot: Microsoft Entra admin center App registrations page with the New registration button highlighted]
2. Configure the registration

Fill in:
  • Name — a lowercase alphanumeric label, for example truefoundry-oidc.
  • Supported account types — choose Single tenant only.
  • Redirect URI — set the platform to Web and the URL to:
    https://login.truefoundry.com/oauth2/callback
Click Register.
[Screenshot: Entra Register an application form with Single tenant only selected and the TrueFoundry OAuth callback redirect URI configured]
3. Note the Client ID and Tenant ID

On the application Overview page, copy the Application (client) ID and the Directory (tenant) ID. You’ll use them in TrueFoundry.
[Screenshot: Entra app registration Overview page with the Application (client) ID highlighted]

Step 2 — Create a client secret

1. Open Certificates & secrets

From your app registration, click Certificates & secrets in the left sidebar, then click New client secret under Client secrets.
[Screenshot: Entra Certificates and secrets page with the New client secret button highlighted under Client secrets]

2. Generate the secret

Add a description (for example TrueFoundry SSO), choose an expiry that matches your security policy, and click Add.
[Screenshot: Entra Add a client secret panel with Description and Expires fields and the Add button highlighted]

3. Copy the secret value

Copy the secret’s Value field — not the Secret ID. The value is only visible immediately after creation.
[Screenshot: Entra Certificates and secrets page showing a newly created client secret with the Value column highlighted]
Note: once you leave this page, the secret value can never be displayed again. If you lose it you must create a new client secret.

Step 3 — Add email and name claims to the ID token

By default, Entra issues an ID token that doesn’t include the user’s email address. Adding the email claim lets TrueFoundry match the user to a TrueFoundry account.
1. Open Token configuration

From your app registration, click Token configuration in the left sidebar, then click Add optional claim.
[Screenshot: Entra Token configuration page with the Add optional claim button highlighted]

2. Add ID token claims

Choose ID as the token type and select the following claims:
  • email
  • family_name
  • given_name
Click Add. When prompted, enable Turn on the Microsoft Graph email, profile permission so the requested scopes have permission to return these claims.
[Screenshot: Entra Add optional claim panel with ID selected and email, family_name and given_name claims ticked]
[Screenshot: Entra prompt asking to turn on the Microsoft Graph email, profile permission for the selected claims]

Step 4 — Add the redirect URI again on the Authentication page (if needed)

If you skipped setting Redirect URI during registration:

1. Open Authentication

From the app registration, click Authentication in the left sidebar, then Add a platform → Web.

2. Add the callback URL

Set Redirect URIs to:
    https://login.truefoundry.com/oauth2/callback
Click Configure.

To enable the Device Code sign-in flow (used by some CLIs that don’t have access to a browser), expand Advanced settings on the Authentication page and toggle Allow public client flows on. Leave it off unless you need that flow: it lets the application be used without a client secret.

Step 5 — Configure TrueFoundry

1. Open SSO settings

Go to Settings → Security & Access → SSO. Click the + icon labeled Add New SSO Config.
[Screenshot: TrueFoundry SSO settings page with the Add New SSO Config plus button highlighted]

2. Fill in the SSO form

  • Enabled: turn this on.
  • Name: a lowercase alphanumeric label — for example, entraoidc.
  • SSO Provider: select Azure AD.
  • Authentication Configuration: choose OIDC.
  • Client ID: the Application (client) ID from Entra.
  • Client Secret: the client secret Value from Entra.
  • Discover endpoints: leave enabled.
  • Issuer URL:
    https://login.microsoftonline.com/<tenant-id>/v2.0
    Replace <tenant-id> with the Directory (tenant) ID you copied in Step 1.
  • Scopes (optional): leave blank to use the default openid email. Add profile if you want first and last name in the token.

3. Save

Click Save. TrueFoundry validates the issuer URL and stores the credentials.
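As an added check (example code written for this guide, not TrueFoundry's or Microsoft's own), the following Python builds the Issuer URL from a Directory (tenant) ID and compares it with what the tenant's OpenID discovery document reports, which is the document TrueFoundry consults when Discover endpoints is enabled. The tenant ID and the discovery document in the sample are constructed placeholders; `fetch_discovery_document` is only needed against a live tenant.

```python
import json
import re
import urllib.request

# Issuer form the guide tells you to enter on the TrueFoundry SSO form.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenant_id}/v2.0"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Discovery metadata a relying party needs to complete an authorization-code login.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def entra_issuer_url(tenant_id: str) -> str:
    """Build the Issuer URL from a Directory (tenant) ID, rejecting non-GUID input."""
    tenant_id = tenant_id.strip().lower()
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"tenant id is not a GUID: {tenant_id!r}")
    return ISSUER_TEMPLATE.format(tenant_id=tenant_id)


def check_discovery_document(doc: dict, tenant_id: str) -> list:
    """Return problems found in a discovery document; an empty list means it is consistent."""
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in doc]
    expected = entra_issuer_url(tenant_id)
    issuer = doc.get("issuer", "")
    if issuer and issuer.rstrip("/") != expected:
        # Typical cause: a different tenant id, or a v1.0 issuer pasted by mistake.
        problems.append(f"issuer {issuer!r} does not match expected {expected!r}")
    for key in REQUIRED_KEYS[1:]:
        if doc.get(key) and not doc[key].startswith("https://"):
            problems.append(f"{key} is not an https URL: {doc[key]}")
    return problems


def fetch_discovery_document(tenant_id: str, timeout: float = 10.0) -> dict:
    """Download the tenant's v2.0 discovery document (needs network access)."""
    url = entra_issuer_url(tenant_id) + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample: a trimmed discovery document for a made-up tenant id.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
_BASE = f"https://login.microsoftonline.com/{SAMPLE_TENANT}"
SAMPLE_DOC = {
    "issuer": f"{_BASE}/v2.0",
    "authorization_endpoint": f"{_BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{_BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{_BASE}/discovery/v2.0/keys",
}
```

Against a live tenant, `check_discovery_document(fetch_discovery_document(tid), tid)` should return an empty list before you click Save.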

Step 6 — Assign users in Entra

For single-tenant configurations with Assignment required enabled, Entra only allows assigned users to sign in.
1. Open the enterprise application

Back in the Entra admin center, navigate to Enterprise applications and select the app registration you created.
[Screenshot: Entra Enterprise applications page with the search filter applied to locate the registered application]
[Screenshot: Entra enterprise application Users and groups page with the Add user/group button highlighted]

2. Add users and groups

Click Users and groups → Add user/group, pick the users or security groups that should be able to sign in to TrueFoundry, and click Assign.
[Screenshot: Entra Add Assignment page with the Users selector showing None Selected]
[Screenshot: Entra Add Assignment page with 1 user selected and the Assign button highlighted]

Step 7 — Test single sign-on

  1. Open a private/incognito window and visit your TrueFoundry login page.
  2. Click Login with Entra ID.
  3. Authenticate with an assigned user.
You should land in the TrueFoundry dashboard. New users are created automatically if JIT provisioning is enabled.

Optional next steps

Troubleshooting

  • Wrong tenant: the Issuer URL in TrueFoundry points to the wrong tenant. Double-check the Directory (tenant) ID and re-construct the issuer as https://login.microsoftonline.com/<tenant-id>/v2.0.
  • Invalid client secret: either the secret expired or only the Secret ID was copied. Generate a new client secret in Certificates & secrets, copy the Value field immediately, and update TrueFoundry.
  • Email missing from the ID token: make sure you added the email optional claim in Token configuration and enabled the email, profile Microsoft Graph permission when prompted. Then add profile email to Scopes on the TrueFoundry SSO form.
  • User not assigned: either disable Assignment required on the Enterprise application’s Properties page, or assign the user/group under Users and groups.
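To tell the issuer and missing-claim cases apart (and to confirm that Step 3 took effect), this added Python example, which is not TrueFoundry's own code, decodes an ID token's payload and maps what it finds to the fixes above. It deliberately does not verify the signature, so it is for inspecting claims only; the tenant ID, client ID and sample token are constructed placeholders.

```python
import base64
import json

ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenant_id}/v2.0"
# Claims the guide has you add under Token configuration.
OPTIONAL_CLAIMS = ("email", "given_name", "family_name")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Decode a JWT payload without verifying it; TrueFoundry checks signature, issuer and audience."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_id_token(id_token: str, tenant_id: str, client_id: str) -> list:
    """Map claim problems to the fixes in the Troubleshooting section."""
    claims = id_token_claims(id_token)
    findings = []
    expected_iss = ISSUER_TEMPLATE.format(tenant_id=tenant_id.strip().lower())
    if claims.get("iss") != expected_iss:
        findings.append("iss mismatch: check the Directory (tenant) ID in the Issuer URL")
    if claims.get("aud") != client_id:
        findings.append("aud mismatch: token was issued for another Application (client) ID")
    for claim in OPTIONAL_CLAIMS:
        if claim not in claims:
            findings.append(f"missing {claim}: add the optional ID token claim and "
                            "enable the email, profile Microsoft Graph permission")
    return findings


def make_sample_token(payload: dict) -> str:
    """Constructed sample JWT with a placeholder signature; it would never verify."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


# Constructed placeholders, not real tenant or application IDs.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
# An ID token as issued before the optional claims are added: no email or name claims.
TOKEN_BEFORE = make_sample_token({"iss": ISSUER_TEMPLATE.format(tenant_id=TENANT_ID),
                                  "aud": CLIENT_ID, "sub": "user-1"})
```

Paste a real ID token from a failed login into `diagnose_id_token` with your own tenant and client IDs; an empty list means the token carries everything the SSO form expects.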