Entra ID: Single Sign-On (SSO) & User Provisioning

Simplify login, facilitate user management

Written by Ellen Rydberg
Updated over a month ago

With Entra ID login, users no longer need a local Cinode password. They log in using their Entra ID credentials for seamless access.

You can enable Single Sign-On and two-factor authentication using the Entra ID login credentials. If you set up User Provisioning, you no longer need to manually add employees to Cinode or disconnect them from it; user administration is done via Entra ID.

The benefits of using Entra ID

  • Enhanced Security and Compliance: Entra ID offers advanced security features like multi-factor authentication and comprehensive auditing, improving overall security and ensuring compliance with industry regulations.

  • Streamlined User Management: Centralized identity management, automated workflows, and real-time access updates simplify user administration, making onboarding and offboarding processes smoother and more efficient.

  • Improved User Experience and Integration: Single Sign-On (SSO) and seamless integration with Microsoft services enhance the user experience by providing consistent access across multiple applications with a single set of credentials.

How to get started

Entra ID SSO is a paid add-on to your current Cinode plan. Contact Cinode support to enable the functionality. To set up the integration, you need to be an Administrator in Cinode and Entra ID.

First set up - how to do it

Start by approving the Cinode application in Entra ID. Set up SSO for one test user, then log in to Cinode via SSO to confirm the setup.

Add the login type

Go to the link Administration in the sidebar and select Integrations:

On the Integrations page, select the tab Account types.

Click the button Activate new account type:

Select "Aad" as the account type in the dropdown menu and click Save.

Entra ID (Aad) will now be displayed as an added account type:

Set up SSO for a user

When the AAD login type is enabled, SSO must be set for each user. This is done by adding the unique user identifier (Object ID) from your Entra ID to each user account in Cinode. Once you have retrieved the Object ID for your user from Entra ID:

Go to the link Administration in the sidebar and select Users:

Click the options menu, indicated by the three vertical dots on a user:

Select Edit login type and select ADD:

Finally, add the unique ObjectID that you retrieved from Entra ID related to the specific user in the "Object Identifier" field:

When done, log out of Cinode and log in via SSO as the same user.

Approve the Cinode application in Entra ID. If you lack admin rights, send a request to your Entra admin to approve it.

Please note that it is possible to mix login methods; some users may log in via SSO, while others use a password. In such cases, you must add "Aad" and "Password" as account types. Additionally, you'll need to include an Object ID for users who log in via SSO.

Configure Cinode to support provisioning with Azure AD

Preparations & Prerequisites:

The scenario outlined in this tutorial assumes that you already have the following prerequisites:

  • A user account in Azure AD with permission to configure provisioning (for example, Application Administrator, Cloud Application Administrator, Application Owner, or Global Administrator).

  • A user account in Cinode with administrator rights.

Capabilities supported

✅ Create users in Cinode

✅ Disconnect users in Cinode when they no longer require access

✅ Keep user attributes synchronized between Entra ID and Cinode

✅ Provision Security groups to team memberships in Cinode

✅ Provision Permission level (Roles) to Cinode via Security groups

Step 1. Plan your provisioning deployment

  1. Determine who will be in scope for provisioning.

  2. Determine what data to map between Azure AD and Cinode.

Step 2. Configuration in Cinode to support provisioning with Entra ID

Sign in to Cinode with a user account that has Administrator rights. Navigate to Administration.

Navigate to Integrations -> Tokens

Choose “create a new SCIM token” in Cinode.

Enter an appropriate name and expiry date, such as one year ahead. Note that when this date expires, the integration will no longer work, so we recommend creating a reminder.

Click Create token.

Copy the Tenant URL and the Token. You will enter these values in the Provisioning tab of your Cinode application in the Entra portal.

Step 3. In Entra ID: Add Cinode from the Enterprise application gallery

Add the Cinode app via Enterprise Applications to start managing provisioning to Cinode. You can use the same application if you have previously set up Cinode for SSO. However, it is recommended to create a separate app when initially testing the integration. Learn more about adding an application from the gallery here.

Step 4. Define who will be in scope for provisioning

The Entra ID provisioning service lets you determine who will be provisioned based on application assignment and/or user/group attributes. To scope provisioning based on assignment, you can follow these steps to assign users and groups to the application. When syncing Security groups to Cinode, they are automatically created as new teams. You can also map them to existing teams for flexibility.

Configure a scoping filter to restrict provisioning to specific users or groups based on attributes.

  • When assigning users and groups to Cinode, select a role other than Default Access. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only available role is Default Access, update the application manifest to add additional roles.

  • Start small by testing with a limited group of users and groups before rolling out to everyone. When the scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. If the scope is set to all users and groups, you can specify an attribute-based scoping filter.

Step 5. How to set up User Provisioning in Microsoft Entra

This section guides you through the steps to configure the Microsoft Entra provisioning service to create, update, and disable users and/or groups in Microsoft Entra.

To configure automatic user provisioning for Cinode in Azure AD:

  1. Sign in to the Entra portal. Select Enterprise Applications, then select All Applications.

  2. In the applications list, select Cinode.

  3. Select the Provisioning tab.

  4. Set the Provisioning Mode to Automatic.

  5. Under the Admin Credentials section, input the SCIM 2.0 base URL and Authentication Token values retrieved earlier in Cinode.

    Click Test Connection to ensure Microsoft Entra can connect to Cinode. If the connection fails, ensure your Cinode account has Admin permissions and try again.

  6. In the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications and select the Send an email notification when a failure occurs check box.

Select Save.

Mapping attributes

You can sync attributes from Microsoft Entra to Cinode.

Under the Mappings section, select Synchronize Azure Active Directory Users to Cinode.

Review the user attributes synchronized from Microsoft Entra to Cinode in the Attribute-Mapping section. The attributes selected as Matching properties match the user accounts in Cinode for update operations. If you choose to change the matching target attribute, you must ensure that the Cinode API supports filtering users based on that attribute.

Select the Save button to commit any changes.

| Attribute | Type | Cinode name |
|---|---|---|
| userName | String | username |
| name.givenName | String | first name |
| name.familyName | String | last name |
| externalId | String | externalId |
| active | Boolean | status |
| title | String | title (admin setting) |
| addresses[type eq "work"].locality | String | location |
| phoneNumbers[type eq "work"].value | String | phone |
| employeeNumber | String | employmentNumber |
| employmentStartDate | DateType | employmentStartDate |
| urn:ietf:params:scim:schemas:extension:Cinode:User:1.0:EmploymentEndDate | DateType | employmentEndDate |

The "Convert accounts to AAD" attribute allows you to link existing users in Cinode to their Microsoft Entra accounts by matching their email addresses. Please note that you must update the "externalId" attribute to apply this mapping successfully. This step is always required.

The "Overwrite name of team with DisplayName of group" attribute means that when provisioning teams via security groups in Cinode, the team name can be overwritten with the DisplayName of the corresponding group in Microsoft Entra.
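
How the attribute paths in the mapping table select values from a SCIM user resource, as an added example (not Cinode's or Microsoft's code). The sample payload, its values and the helper names `resolve` and `to_cinode_fields` are constructed for illustration, and the wire shape is an assumption based on RFC 7643 conventions.

```python
import json
import re
# Constructed sample: a SCIM 2.0 User shaped per RFC 7643. The wire format
# Cinode accepts is an assumption; every value here is made up.
CINODE_EXT = "urn:ietf:params:scim:schemas:extension:Cinode:User:1.0"
SAMPLE_USER = json.loads("""{
  "userName": "anna.berg@example.com",
  "externalId": "00000000-0000-0000-0000-000000000001",
  "active": true,
  "name": {"givenName": "Anna", "familyName": "Berg"},
  "addresses": [{"type": "home", "locality": "Uppsala"},
                {"type": "work", "locality": "Stockholm"}],
  "phoneNumbers": [{"type": "mobile", "value": "+46 70 000 00 00"}],
  "%s": {"EmploymentEndDate": "2030-12-31"}
}""" % CINODE_EXT)

# Attribute path (from the mapping table) -> Cinode name; a subset of the rows
MAPPING = {
    "userName": "username",
    "name.givenName": "first name",
    "externalId": "externalId",
    "active": "status",
    'addresses[type eq "work"].locality': "location",
    'phoneNumbers[type eq "work"].value': "phone",
    CINODE_EXT + ":EmploymentEndDate": "employmentEndDate",
}
FILTERED = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')

def resolve(resource, path):
    """Return the value a mapping path selects in a SCIM resource, else None."""
    if path.startswith("urn:"):              # extension: <schema URN>:<attribute>
        schema, _, attr = path.rpartition(":")
        return resource.get(schema, {}).get(attr)
    m = FILTERED.match(path)
    if m:                                    # multi-valued attribute with a filter
        multi, key, wanted, sub = m.groups()
        for item in resource.get(multi, []):
            if item.get(key) == wanted:
                return item.get(sub)
        return None
    node = resource
    for part in path.split("."):             # plain or dotted sub-attribute
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def to_cinode_fields(resource):
    return {name: resolve(resource, path) for path, name in MAPPING.items()}
```

In the sample, `phone` comes back as `None` because the only number is typed `mobile`, while the mapping selects `work` entries.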

Add new attributes

The option Show advanced attributes allows you to add new attributes such as Phone number, Start and end date, etc.

Use the attribute names in the table to add new target attributes.

When the target attribute is added, add a new attribute mapping:

Provision Teams, Roles and Team Managers to Cinode via Security groups

It is possible to provision teams, roles, and team managers in Cinode using security groups. These security groups can also be dynamic, enabling flexible and automated management.

Select Synchronize Azure Active Directory Groups to Cinode under the Mappings section.

In the Attribute-Mapping section, review the group attributes that are synchronized from Azure AD to Cinode. The attributes selected as Matching properties are used to match the groups in Cinode for update operations. Select the Save button to commit any changes.

| Attribute | Type |
|---|---|
| displayName | String |
| externalId | String |
| members | Reference |

Please take a look at the instructions in the Scoping filter tutorial to configure scoping filters.

Map the Security groups in Cinode as teams, team managers, and roles:

You can add an employee to the right team with the proper permission level, with Entra as the master.

To map team managers to teams in Cinode, follow the same process as for teams. This requires creating a security group for each manager.

Similarly, the mapping for roles (user, manager, partner manager, recruiter, administrator) can be done using security groups for each role.

Set your default role mapping

By selecting a default mapping, you define the role assigned to each user when they are added to Cinode. Additional roles can be assigned through mapped security groups or manually in Cinode.

The most common approach is assigning the user role to all users by default, especially if role mapping via security groups is not utilized.

Step 6. Test the integration

To test the integration, try provisioning on demand for a user. If the user already exists in Cinode, the login credentials will be changed. You can see it by checking the login type.

If the objectID is imported to the user, the provisioning is working:

If you provision a new user, the user will be visible in Cinode.


In the Settings section, change the Provisioning Status to On to enable the Microsoft Entra provisioning service for Cinode.

In the Settings section, select the desired values in Scope to define the users and/or groups you would like to provision to Cinode.

This operation starts the initial synchronization cycle of all users and groups defined in Scope in the Settings section. The initial cycle takes longer than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service runs.
